718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e.exe
Size

96KB
MD5

febd0c9f8451c4c04b392d6341e478e6
SHA1

66367bba925a75a368cc2d1d6aed370faf420d1e
SHA256

718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e
SHA512

6c9ea1cec48470689b0c91843283bc7433dea72873fbd40f22407cef56123641aeea7c0103232707ecba83637636656d17ac714427f6faa12295ced73bbf2cd6
SSDEEP

1536:0NZIv3HU3ZH2kvWdazdTH0BO4idZcNAg5ZU5fppppppppppppppGQwkhrUQVoMd2:CZIv3HGNs+dTgJNAg5ZILwkhr1Rhk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlojkddn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elccfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eodlho32.exe

Executes dropped EXE 64 IoCs

pid	Process
1492	Djpnohej.exe
4412	Dlojkddn.exe
4920	Domfgpca.exe
2976	Ejbkehcg.exe
5056	Elagacbk.exe
1368	Eoocmoao.exe
960	Ejegjh32.exe
5040	Elccfc32.exe
4944	Ecmlcmhe.exe
2652	Ejgdpg32.exe
4520	Eleplc32.exe
2852	Eodlho32.exe
2448	Ejjqeg32.exe
2548	Eofinnkf.exe
1416	Ebeejijj.exe
2412	Ehonfc32.exe
4448	Eqfeha32.exe
4424	Fbgbpihg.exe
1204	Fhajlc32.exe
2772	Fbioei32.exe
2320	Fmocba32.exe
676	Fomonm32.exe
3476	Ffggkgmk.exe
3124	Fifdgblo.exe
1900	Fopldmcl.exe
3832	Fckhdk32.exe
3552	Ffjdqg32.exe
3260	Fihqmb32.exe
2672	Fcnejk32.exe
3536	Fflaff32.exe
3976	Fmficqpc.exe
968	Gcpapkgp.exe
3828	Gimjhafg.exe
4376	Gogbdl32.exe
3600	Gbenqg32.exe
3648	Giofnacd.exe
3144	Gqfooodg.exe
3996	Gcekkjcj.exe
4492	Gbgkfg32.exe
1664	Giacca32.exe
5028	Gpklpkio.exe
660	Gbjhlfhb.exe
4480	Gjapmdid.exe
4464	Gqkhjn32.exe
724	Gbldaffp.exe
3544	Gjclbc32.exe
1200	Gameonno.exe
4360	Hboagf32.exe
1632	Hihicplj.exe
712	Hmdedo32.exe
1896	Hcnnaikp.exe
2936	Hfljmdjc.exe
1112	Hikfip32.exe
604	Habnjm32.exe
3664	Hbckbepg.exe
4600	Hjjbcbqj.exe
2760	Hccglh32.exe
3608	Hfachc32.exe
3624	Hmklen32.exe
4964	Hbhdmd32.exe
4716	Hjolnb32.exe
1188	Ipldfi32.exe
4076	Ibjqcd32.exe
2572	Ijaida32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bppheeep.dll	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Ejbkehcg.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ecmlcmhe.exe	Elccfc32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Aiagblgj.dll	Domfgpca.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6272	5488	WerFault.exe	267

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjdddho.dll"	718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inomojol.dll"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Domfgpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1492	3432	718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e.exe	81
PID 3432 wrote to memory of 1492	3432	718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e.exe	81
PID 3432 wrote to memory of 1492	3432	718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e.exe	81
PID 1492 wrote to memory of 4412	1492	Djpnohej.exe	82
PID 1492 wrote to memory of 4412	1492	Djpnohej.exe	82
PID 1492 wrote to memory of 4412	1492	Djpnohej.exe	82
PID 4412 wrote to memory of 4920	4412	Dlojkddn.exe	83
PID 4412 wrote to memory of 4920	4412	Dlojkddn.exe	83
PID 4412 wrote to memory of 4920	4412	Dlojkddn.exe	83
PID 4920 wrote to memory of 2976	4920	Domfgpca.exe	84
PID 4920 wrote to memory of 2976	4920	Domfgpca.exe	84
PID 4920 wrote to memory of 2976	4920	Domfgpca.exe	84
PID 2976 wrote to memory of 5056	2976	Ejbkehcg.exe	85
PID 2976 wrote to memory of 5056	2976	Ejbkehcg.exe	85
PID 2976 wrote to memory of 5056	2976	Ejbkehcg.exe	85
PID 5056 wrote to memory of 1368	5056	Elagacbk.exe	86
PID 5056 wrote to memory of 1368	5056	Elagacbk.exe	86
PID 5056 wrote to memory of 1368	5056	Elagacbk.exe	86
PID 1368 wrote to memory of 960	1368	Eoocmoao.exe	87
PID 1368 wrote to memory of 960	1368	Eoocmoao.exe	87
PID 1368 wrote to memory of 960	1368	Eoocmoao.exe	87
PID 960 wrote to memory of 5040	960	Ejegjh32.exe	88
PID 960 wrote to memory of 5040	960	Ejegjh32.exe	88
PID 960 wrote to memory of 5040	960	Ejegjh32.exe	88
PID 5040 wrote to memory of 4944	5040	Elccfc32.exe	89
PID 5040 wrote to memory of 4944	5040	Elccfc32.exe	89
PID 5040 wrote to memory of 4944	5040	Elccfc32.exe	89
PID 4944 wrote to memory of 2652	4944	Ecmlcmhe.exe	90
PID 4944 wrote to memory of 2652	4944	Ecmlcmhe.exe	90
PID 4944 wrote to memory of 2652	4944	Ecmlcmhe.exe	90
PID 2652 wrote to memory of 4520	2652	Ejgdpg32.exe	91
PID 2652 wrote to memory of 4520	2652	Ejgdpg32.exe	91
PID 2652 wrote to memory of 4520	2652	Ejgdpg32.exe	91
PID 4520 wrote to memory of 2852	4520	Eleplc32.exe	92
PID 4520 wrote to memory of 2852	4520	Eleplc32.exe	92
PID 4520 wrote to memory of 2852	4520	Eleplc32.exe	92
PID 2852 wrote to memory of 2448	2852	Eodlho32.exe	94
PID 2852 wrote to memory of 2448	2852	Eodlho32.exe	94
PID 2852 wrote to memory of 2448	2852	Eodlho32.exe	94
PID 2448 wrote to memory of 2548	2448	Ejjqeg32.exe	95
PID 2448 wrote to memory of 2548	2448	Ejjqeg32.exe	95
PID 2448 wrote to memory of 2548	2448	Ejjqeg32.exe	95
PID 2548 wrote to memory of 1416	2548	Eofinnkf.exe	96
PID 2548 wrote to memory of 1416	2548	Eofinnkf.exe	96
PID 2548 wrote to memory of 1416	2548	Eofinnkf.exe	96
PID 1416 wrote to memory of 2412	1416	Ebeejijj.exe	98
PID 1416 wrote to memory of 2412	1416	Ebeejijj.exe	98
PID 1416 wrote to memory of 2412	1416	Ebeejijj.exe	98
PID 2412 wrote to memory of 4448	2412	Ehonfc32.exe	99
PID 2412 wrote to memory of 4448	2412	Ehonfc32.exe	99
PID 2412 wrote to memory of 4448	2412	Ehonfc32.exe	99
PID 4448 wrote to memory of 4424	4448	Eqfeha32.exe	100
PID 4448 wrote to memory of 4424	4448	Eqfeha32.exe	100
PID 4448 wrote to memory of 4424	4448	Eqfeha32.exe	100
PID 4424 wrote to memory of 1204	4424	Fbgbpihg.exe	101
PID 4424 wrote to memory of 1204	4424	Fbgbpihg.exe	101
PID 4424 wrote to memory of 1204	4424	Fbgbpihg.exe	101
PID 1204 wrote to memory of 2772	1204	Fhajlc32.exe	102
PID 1204 wrote to memory of 2772	1204	Fhajlc32.exe	102
PID 1204 wrote to memory of 2772	1204	Fhajlc32.exe	102
PID 2772 wrote to memory of 2320	2772	Fbioei32.exe	104
PID 2772 wrote to memory of 2320	2772	Fbioei32.exe	104
PID 2772 wrote to memory of 2320	2772	Fbioei32.exe	104
PID 2320 wrote to memory of 676	2320	Fmocba32.exe	105

C:\Users\Admin\AppData\Local\Temp\718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e.exe
"C:\Users\Admin\AppData\Local\Temp\718852b9bd09b5974630c38ecb83ebc0dc8329f0891eb1b29c506d4247e46a4e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\SysWOW64\Djpnohej.exe
  C:\Windows\system32\Djpnohej.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\Dlojkddn.exe
    C:\Windows\system32\Dlojkddn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\SysWOW64\Domfgpca.exe
      C:\Windows\system32\Domfgpca.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        23⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        24⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        25⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        27⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        29⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        30⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        31⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        33⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        35⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        39⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        40⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:660
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        47⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        52⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        53⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        57⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        58⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2572
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3768
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1572
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3940
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        71⤵
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        72⤵
        
        PID:408
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        73⤵
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        74⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        76⤵
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        78⤵
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3588
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        80⤵
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        82⤵
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1564
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3132
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2288
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        86⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        87⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3372
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        89⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        90⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        92⤵
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        93⤵
        
        PID:952
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        94⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        95⤵
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        98⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        99⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        100⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        101⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        102⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        103⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        104⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        106⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        108⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        109⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        114⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        116⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        117⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        118⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        120⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        121⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        122⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        123⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        124⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        127⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        134⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        136⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        139⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        141⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        142⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        143⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        146⤵
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        147⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        151⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        152⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        153⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        155⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        157⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        158⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        159⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        163⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        164⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        166⤵
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        168⤵
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        169⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6656
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        171⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        173⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        176⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        177⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        178⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        180⤵
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        181⤵
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        182⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 420
        183⤵
        Program crash
        
        PID:6272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5488 -ip 5488
1⤵
PID:6240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bobgoedj.dll

Filesize
7KB

MD5
730b0ca67cd511d3fc4e17b4bae67044

SHA1
2e6988d9553bc15f6231771314a77b382be2b937

SHA256
b4ffaedb609e38a65ae31cda446cd373cfa7e35e2b6d543e9a847c1558f499ac

SHA512
b61dcb076604836ad4eab6e0d4a9b16b4aabd136e1f0da978ba49f4146f9a8a24534f7dbb0ad38e1812c2926291a843d7bcfb2dc7fab83a85ed376abc8b9cc47

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
96KB

MD5
17df8cc240609718f5e0784dceece8d7

SHA1
edaf1d93145ae23165a256bc248f9f81beefc77f

SHA256
c36b68f823769de41e209b7b4412519e3a1048155085ca7a530b5b2df72f7d4a

SHA512
42f9e91360394db0aeb2b3490d4f4a55d81998f7328dbe2a1a094b80465bb4e8fdd1fd6e8b7a7038625485b689658d32216fc493be10febe6fce5c02990e0735

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
96KB

MD5
8beaee050a20410b32f7c13743c17bbf

SHA1
0f3386db88607dd878d86b477cc9de5a23932c2a

SHA256
9b2fe76463659d6b74470eabda78f68bef4b64a19201f78ec267c02d153288d3

SHA512
49a6068a3777d277382cd20117b0469912f7d38478e31cbea3b58ce4703231bb2de0dd8682c95b179cf4b90ae83438c625850883ce3d802227383e4c8cef8ed6

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
96KB

MD5
8d1d16de1177f9ba62a58262ef626a91

SHA1
1fcf562265994aebf176967fb34712afe50fc957

SHA256
7146cd14f5b23f7d3e3081890011451848a1c102253776e9aa99bcad5f8d1d5c

SHA512
d27d7b336ff934bd449f060d2e5ab064e6fadc5336e77b42c612ff6046b1fff12fd9050eaeb08c591f0de42cc18cba5c392b61e50a627cd51d0a95da1e576dd0

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
96KB

MD5
e4693fea624852f9b66d08436f651859

SHA1
eab6b41784494627e4062c6460f657a62c13b91e

SHA256
6d96787fa1a80c594afd2cecdfa24de19b1994810cebeb8ae386d1ebc6d7b0fd

SHA512
d3575fac84f42842d8bf5750d8e2e4bc1d26330fa0024b9e0fd5596390a5d676ec8067e9f88da63d2d997ec367bedb57ab2cd38550f72cb908f285deb94ac68f

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
96KB

MD5
2e4a52bb7758975245a4368096463c69

SHA1
17e53be9641a819331d97ea4748e28b658a48936

SHA256
4e0e275df67cc308496dbb04db932e1e2e44e01f9b849b2518dbd94b62ca85bc

SHA512
b484afb8d36536821592eb900ce3f575f67565f1f15e092422225b5a1c81ee8a6befda35f95b31ac66d6921f75639993303c8f01369c2f80511f30fac6cbf8c2

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
96KB

MD5
ef9a8140c79da07b2f53b97ab4f25b56

SHA1
f36382ab826d686ff7067b3fc27008927e4aadc4

SHA256
b371a72ad9416a6a8a358f8da24904795bf6a202defec66631effd8615541343

SHA512
77f64a3ceb36f7e1bf76e11ad6b16ef8240b96d1c37f26dcd26af005631fe2ea51487d51e3f6a5521441df0cfd082fc4f4d52bf9a91564633c18eb6fe50c8195

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
96KB

MD5
fcd60b3ab7378927aaa9448ee4409adb

SHA1
6e79a7db45e54ad48083f5af2b55e1206abb6452

SHA256
39e5e6ee275b9d5381e96ada7a03298e0e9501143ba150609e5a528d0a4acc5e

SHA512
6e7ba0a8a5d4aafbc09e9f32fc4dc30d56b88eb3bbc26014df2d8b7079fc055ef14bf5e6468262b1910cfc4f612a244cdda61d3ea16846a073fb0a2e201d75a4

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
96KB

MD5
fcdc57163deb5b570ed488bd8a9e5d83

SHA1
abee9c7d8264d0f88b31eb543cf898652ead4a45

SHA256
e2771244cff373224d0e244eeb3c3a54f5c658746046c1b096cd0f698d9661f2

SHA512
74cbe459f35c3a0994f9e9a3a84bc6fa268e160a80c9921689246233ae8b776ac3419393f8e03d3cd7bbc7ed70102f06ff2b4dc956f142c49cf84f534ebfe502

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
96KB

MD5
3bf9bbcf3414f590d40ef07e59d5595a

SHA1
425327851d0b511c069b59ef998e87b0179b0ee7

SHA256
8816a4346e91f90fb82ef359a5bdb70d50c1531e17d54ac33a2a6a853c70a7da

SHA512
a1a84c695ec39f0c7c3b65e983466ef442d794c1297efc9dbd2b15a0f07aa8b99c3d706d462f80b982810f27b1ed98c488b2c8b311e9a8d077a3ee0c23963c33

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
96KB

MD5
4b447c1d306d9472ad0bc31ff929ed6c

SHA1
71463e60ed71d8906e285275322dcfc5e4c6eb5a

SHA256
ecf6078aae9bd0d94a2001ad66ec544c406f4e4111d40413faa65586ce017951

SHA512
ea15665257ece70ccb87ab53eae2a061716a7a4e5e1b920d7b7560c2f301588c9f1faa5d294745dd8a5e140e57597de288f7286af454b9ed1761b92b204d8cad

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
96KB

MD5
8755e9f9805f655216bc29c8717e6bba

SHA1
cf72fcffb1adb32a573666077a94e1416046d229

SHA256
60108a15f11c1fc2f67df62cdba217c0031fc0bcc18f14710b19cce41aa1d379

SHA512
a82fbfd185c0041765e85958eaaa5775b817f60b26af9a6b671aac44d6b6e9e4bb11dc3a10539557094941ef5aa51902e9f71a0a63349c797cfaf6a1abf05f19

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
96KB

MD5
5f483002af9b9a579d908a94ee02a61a

SHA1
6af447038f53319c24c1d011e0db3a2874c0acd5

SHA256
20d4a1d1cc6bcb42feb2e116f8b75001ea47de068a91683a233df810c00213e9

SHA512
ed73d344e06df2a9524eb380075a96598bdecae6670432995f83bdecfda0b591c52156690f19ce0907869c60337d223ea00ce4696acfc41447b1d8e340c17faf

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
96KB

MD5
3d4e18773ef493fe1120747ef1360106

SHA1
53f92080ba9075a6ec6314a65b6143003b88d6ec

SHA256
bc02d177b6a9a91bb0f7a13048609944c59f2d12381ff00614c7179b8af0f7eb

SHA512
e785d1689697356cc81c8d20103e5c5c447f3d077632fd0586dccb9e129330f3433accf83c55fd4935cca85e30e5e1875bf5af09fceb6b515bce36f5bd1ed09d

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
96KB

MD5
84d50afc72639af5de4249705ae29c19

SHA1
1dc37cccd54a42111f896db10332d721885450e3

SHA256
71b63f6feab8410491fedf775ca808ae15a8043c64571dd8aa3136977561d36b

SHA512
5bd39bc7496ef944ebd5d49ee3db1f359b438eedaefabec325670f1aa41222451d4f67a222cc917480aec75f63fa8ff41702fc66dc1639f7bddc0eebb4a8b541

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
96KB

MD5
7d4dc65bd98b706c265907fa495fa69c

SHA1
cae797f4b3c0428ccdb245ff7e541bbb7b447740

SHA256
f80b9517d12598e55306f4ccc5966e3f4826c81c274b71215782ddfb9d10697f

SHA512
65541bee52a2d9cf43a01cf14b49da8d32b8adcb1a58a36864f038d0b355134e8ba329ac1803a6b62f9fe5d013d4cd1cde9d038b849f2ce6302bb860420bdfbf

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
96KB

MD5
438ad2de232aa884173a24ecadcbcbc0

SHA1
6a620b7ca6bd16f4ea246d5a322840138ee9db2a

SHA256
9a518f86325908b01f23d150b522138a5d9adc04a68898d362631848ad699782

SHA512
e1d0ba6d2564cc0258eb770da02ee656e7fbce14f1f592b5ebaa97f434758ea9dd45c993d8f047450140f5c6b715e926db1d1db1a1e39d533ad5a56245364595

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
96KB

MD5
628705ed56b627081b8eccf3a25ae939

SHA1
f157937f3c685ec1fff582c6945671a8d03ab273

SHA256
98bae594376c1ffc749c8f8b0e11c11f4f752e1912d688ae08d8ffb34c0d7d7c

SHA512
9091f62b9127b41ca6f2acd7ffff1982c2a8b5a5637684f9a2fad09d1c89ab2ac761437f0fe838ff0a3eec0c4f9d248dd419115c723a30a0a202ff8f008703ae

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
96KB

MD5
a10e91bb2fe04b3a503f8d447480733b

SHA1
d8c40c2feb047db89f93efaf59c183dc76ae48c9

SHA256
040816869d9462b30ede67c0d367dfbedd24afd28ec3f4b4e84b95f28c3cd314

SHA512
6c08777b9ef4cce7b9bbb28749a6ee8682dd4f9f764114e5ac486a446c4df0a266546d2fb379a1a8e97d2556c06771dec3e90825e460d69292bf605fb7151c8b

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
96KB

MD5
00986f27a6bd112aeac6079000a56f80

SHA1
7b11f80d55baeb97b79d18d3541f4e882b46c844

SHA256
c2ddfb60529d4f470436090d6959aa57d0b3d18bb5104e4456479bcd48b2c075

SHA512
85ef14d1d08118f1874391fc2c0cc1cb56d93b9c0404540f453ebad1d04d18cccdac0c895a5b815a652dd8be67c6a442fb2c721a746871dc85a5b8a60164f1b9

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
96KB

MD5
efdd40ac433f683cf1ca4d7f5c2adfc0

SHA1
bbe6552b55b7dda0b5b84d9859d3818966e56f79

SHA256
dc0a7919c5b1b4112ef6e370700d6825db941a10d9cf4239ea39e51011c7c659

SHA512
78a2ed0b9657d7ae2e7e84ff1c090c8ad9951a723c62010e9e8c09b5232839b3f24d1514e00f0e91db372d5d035440261e8aa5cac3ffffa1662ab61977aa5a95

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
96KB

MD5
d8d7ab022844c4cdce51b2116f65ebde

SHA1
71a9b6e2ce7012b72888b8205a0df1246fb2175b

SHA256
30152deee27ca40f11fe68819f6820191fe72b7b87d36e7d67a31fd205cd5d17

SHA512
55c1ef0227ee4027b6b4e90ebd5988cdde5e51366b6323e57f8a07a24a5eb1cb139a29e3d5f84850751c7fbac554eff10c28ffbfb96ee0903ba8ec6c79345440

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
96KB

MD5
bb58848f43bb4f5658a64f1fd8ba065d

SHA1
f31daa593f1bc7f3174554658e6e63b52a62fbf8

SHA256
12463c5720e6294178f1b45b4c065b726a35d0535dbf33c1e499e8cb2093dd44

SHA512
f0d929e17518f1ca4bf8c08bbfd3579a9093b5280bb8e311e50e68f11adcdf3a15d2f8c95f663b344a941037a6e6448670887ac75a0ad5911470b63f29dc46d8

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
96KB

MD5
f8d40b9eecb4fdc5efff373efe26d135

SHA1
de4a527395c252749094ff030bed09258975adfd

SHA256
51f5e694dbe744887ed7ada18ac74d9e1756475d4c8bc9b842cca807b446cd73

SHA512
73213fe95153c2842a75b5d1590cb23a0908b541898784d74bbbba662deb9f957963dd07e52234e0e19588498b5fae54c0b46b486828820fe2b3b848cbf47b2f

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
96KB

MD5
3499f60928b5241cc1ddb0be9bcf3919

SHA1
3d899065b605fcfc509bfedfe6f679b5f6aa8e0b

SHA256
fca2ac4a80d8b8cef6dbc6c9ffb32ba37d842b61b039adaa31eeb0453dd29306

SHA512
65c9fc15f0a11c7311d9f44dc7f0f1e45c9f904e93d2f53a27d6f664fae866459c4152d59e319f542c1ec48eb0de62d8ccbcefe2eb24ab0d8fd26f0669c1d26d

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
96KB

MD5
20880a3b6f991ba2f18518cc6ab999ce

SHA1
c51a3718398431a1256522bcd9fcfa5ed2654e17

SHA256
2a4f6b4ded71a2ed690d4230d0db50c614328dfc057649fec117df0e0b63262d

SHA512
5a8ea9a328a7fa9069a8c5bbd3db3c3eb5254da8f806fff77d3b460e50bd4b0b5cdcf3d43c94da2568af2a481e6ea9fc85b2b1d9283ce18e80f56344f397ddfb

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
96KB

MD5
7aa9aba13f12b5496e7c6626872b0ef6

SHA1
f3f5f2ee72fac0e180e0491f0049e7e39eb9ecaf

SHA256
171f60b8c479b4e2f07420ff81ad9fb8a20f44b828e1d8ea6b90817f678f9df7

SHA512
9b075232d904eb892d3db4e64ad6861dc38712355dba1fa7d2912119ebb516115e6e1b515c17f978d2888e0f6999377e60346b3dd20a7560a298f84f7767771a

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
96KB

MD5
e642faf47e655f45bcc2e3ad760f4aa1

SHA1
bf6a843bcc146b940464a69ae8b5e0c357b821bc

SHA256
8a36c2863aa8120c70a66d1bcea6da09dec13b68c89b95232065c9fa0d713a65

SHA512
f4f514be0c7e97ed73ca4d9e70b8f0a6c50a048ce14276225196110729a37639b184216d7fcf59748bd7abecb4971fd2caf71c9c853aa80592e8072b7c70d49d

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
96KB

MD5
c6839ed3da760acea22e580c5ac8a51d

SHA1
b555fde37b89c77639b186e11dad509b35804215

SHA256
f517edae58d4ad8903244a686f3768f713933cd52a448f576423a66d34bfcbe1

SHA512
0bcafab3e8adb23600b13444c1f75b8418637f6d50edf26ffb1ad36553791cd5f587e03afd199908f9f2077cc9ab7c1a3e9f6077897b60a8d15feb9c0f68e502

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
96KB

MD5
204e50f4777a823e4c117db346f75286

SHA1
93396e9c5b59d25cb9dfc473211c2afb35616489

SHA256
6d16120dced68418b45ca4a9e7d4347c0e1df2c927014a1c46d13138c6c1de52

SHA512
47b604645c310926791df2d68ae5cdd4b0da253e6dd6438158a0894867e1c0bfab3bcc188e46afd865be67d8b94e8bc9dfe6fc24609ffad0a8c1afe2c263de0d

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
96KB

MD5
ca1b77bb0e1d2b10768025c01715fcca

SHA1
05fd65ca31ff84df44e39ee72c0432cb648588e7

SHA256
5c0568704f878de43504b7be85f6e95858cde961176cd679eea5328829e50d52

SHA512
04b6159d2fd437f4d0cbe9b12ab90b133c54b57c589c278fe3c3ad4a2bd8fe1f189653c958530a73903cb89a9fc5ef4edce169e1bf7c54803cb95865441fc0b4

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
96KB

MD5
7b69fec2cc1c975d8e68fc929b6fe992

SHA1
dc2d2b8019eb8cb6a0f8fb6c65a065e6fac4ade5

SHA256
d1a71179625af257509af85a45cca9d2d7c71e862a5fb416b47d66fc34a3aed4

SHA512
c0e7261a9515a15ce67a10b5bda1e97a9b6ecd325dc49657663bfac3b96e2fc1dc223a2aa9f786f2d021d8b0782bc2334102388a3874c10f8963f7d2ef453e18

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
96KB

MD5
9f092c0b4ce7829c624c9e8ba0a0281e

SHA1
63f6f6d0570606dd02ce17aa25360fa1e0041f18

SHA256
674bd21c5dbe706e29949fcef7802cbdbf1ee6c145450a1eee99620cf50ee5f1

SHA512
7a4bbe497c091c005b12d5b44e7cd1d165d1fea0ef306a9acd2dd9ea0158b4f513ef94ce5f64eec927493685a589ea76baec348b27815642f825f9144f0a3051

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
96KB

MD5
c406f7b17a8f11b208b96c4e275bc54e

SHA1
8f93a8b490644472c5e234dbda68eb5f80528346

SHA256
ae2de4cc2443e417120dbecf04f58e5bef68cf87dd70120b7290a3ab58e917bc

SHA512
aa0a9d06dde711a061332a0f92fc45654816b4fb4b35fda799241cf050fb860aa095afca7d9d47a3af2ed9d8eb5bdd56dc5ab6a6c3873cf7328e794e666e6426

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
96KB

MD5
743387f36844d614b4af1e877b156b4a

SHA1
1026a0d25bad00041fe42b9e6da9e7dc66967f16

SHA256
dfd51c825d44751b36b10deef9c1ab3e972709257444ae6e7f4de6e324cea501

SHA512
cfa295eb244df732d5cfdf3e48c33ede503a71a0d77dfc9d8ab65e0cebee196bf2352510fe1f4d55f0b462b0da7d409912afca20d5c197e1094d81791cbd1e94

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
96KB

MD5
32dc40ef850144735b2f437b8a5f77aa

SHA1
f3366e1424bdfa5d2a2a7c3d2a115215dfa17fdb

SHA256
06001bd1b2d8c7173be138e55ce053dbf61f7999679a5821c9f49a2c2815532e

SHA512
85a06ced2967fee0356729478d6a45dd1a4be3e9434a7415a012e411e5a8fd06e7ade52131ef77e80132116aae10556f2e9da3b072111cbdd04e3d81967ed932

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
96KB

MD5
c26ec8db2cf840de59116e7286fb432e

SHA1
c8c4259602875e2328510fa6a6daa58357fb8d74

SHA256
ec62cb96a969421c5c817aac1c175355b231fad3375bfea11ba974341e903ee0

SHA512
7bcd404fb94e47e54a000951c13e6fdb384f5db052930b530a3fae2594b15691f83f10d07bdcaae43c2021f66b913b124f7ee5f23e1fb53447fc3af2ac3b7992

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
96KB

MD5
c43f8f8fe8bbb879b361fc522c2606ba

SHA1
1b202e76edce7fc87d2abce087f842bd2f11ae62

SHA256
3095c96e27445f5671a295d12a6042dc2372b7bddd7966f73f8e14ce77e8651c

SHA512
f7212ea832821337ba3145fad26433ee3a1957180e064860dffcdd87b5a64542363e4d26485529f42750d691ddde2f599dc9ba25b8537461388def88a07d4fdb

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
96KB

MD5
0ff64f0b5067f9957f95f2aaef7d47fc

SHA1
6d1c4ae0581e1a4725e5a9cb41744eb1438e5629

SHA256
6417ce9d934ec7aec3a16dcf0d8ef696e809f40905e471fc958904c423b6e818

SHA512
3a0a5d5170f21ce696721d125f350ac40810ef5caff45d742d417d7316370a97f2f4bf4f03fd76b97270d1d8a340bb4a9955f2d71e2c6a8d665a1734d4bb048a

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
96KB

MD5
7fddabc23dcc1371b3b67ef9193847ee

SHA1
f305b04eb25c0e51cf0fa5f060b82d4c6c000670

SHA256
4b8744eb14cc092a483bf87733fda2da4ff68c3346bb8495f562d81fa4424fd4

SHA512
ef8a487f96631dc134b4554559e9b73c77880ccf6d3f38c160ab6815394655c5d7630797774477b5bdc9206623cc251a362b8817466d8551809a2742d1a4a812

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
96KB

MD5
f6b630a7ca1ee1230a4d2cda99223635

SHA1
0891905ed7b0f59e74d1470242697dc70e2b2d20

SHA256
c5fa3cc27736ae963f082193f0a4ba208d5ddf891d0615abd0664cd7401747fb

SHA512
7927097f66b5205cf767d2d1f551722e46db3bd7a371f85bd29516789902c75ca45ae4bc9e2aac8760f0029c3c870d72bad0f3f21bdda2cb5c6a3e98e20bcfe7

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
96KB

MD5
be2c94e1299f6ee25776dee140edb179

SHA1
41a3c9c2846b35cc0af7283164963a563b7352b8

SHA256
64946018cb64e01aa09838b7676aa11ab78180b2288785210378d7b71e8885cb

SHA512
498019a4f95390f5d7b699b9095da8ba21f1d3ecf5a417d3f34f4eb2eeffa45bffc57a2da125eb03151130ef5676f32247d14ae3927aecff555c0b2737374d0b

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
96KB

MD5
f0049418f46ca86398338d588bb1a29a

SHA1
a446f76308e9f074f8298e10d3f97e2abe7c51a8

SHA256
df0923bb8280ae6849571e516e96c93c7e849733712264da1dab89a62843aa4c

SHA512
98f98bbc8fe55dcb6dac6c14d2a8f33130f057b0c4019754e11473d626a2b65c7b2e9b8a8d6c519f1eff4a6d92f0bfb5f20b77d7b494b17c9b98be62bb3d4e43

Download Submit
memory/408-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/604-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/660-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/676-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/684-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/712-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/724-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1188-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1264-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1376-495-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1572-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1660-507-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1896-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2412-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2448-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2672-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2936-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3132-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3144-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3260-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3340-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3432-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3432-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3544-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-531-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3624-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3664-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3768-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3828-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3832-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3976-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4076-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4168-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-557-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-577-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4476-584-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4480-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4520-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4540-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4920-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4920-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4964-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5028-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-598-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads