2d70aab1e95fb9424059b07aa8fedd1af356acd95cce1e112d328d87349571ed

Analysis

max time kernel
5s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 18:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d70aab1e95fb9424059b07aa8fedd1af356acd95cce1e112d328d87349571ed.exe
Size

896KB
MD5

bd152c081acd1310eafbb2d513226f7f
SHA1

c19cae449d2eba4d3b7c08d8330443382bee715f
SHA256

2d70aab1e95fb9424059b07aa8fedd1af356acd95cce1e112d328d87349571ed
SHA512

7fa916f9488537b6f3dd7d09c9529f6e61eb4172561614f0afa4b354514894a88c5ef6fbdf25ef03c00d3ed8e0c1425a8e65a1bdf92748658110b9c1ce66fff1
SSDEEP

12288:nwmzHh7GByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:RzHh7lvr4B9f01ZmQvrUENOVvr1

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe

Executes dropped EXE 64 IoCs

pid	Process
1144	Ejlmkgkl.exe
1712	Emjjgbjp.exe
3764	Fqhbmqqg.exe
652	Fjqgff32.exe
4784	Fcikolnh.exe
992	Ffggkgmk.exe
3568	Ffjdqg32.exe
3272	Fmclmabe.exe
2012	Fobiilai.exe
2016	Fbqefhpm.exe
2504	Fijmbb32.exe
3312	Fqaeco32.exe
1696	Gcpapkgp.exe
1804	Gfnnlffc.exe
2732	Gjjjle32.exe
4872	Gmhfhp32.exe
1672	Gogbdl32.exe
3744	Gcbnejem.exe
4936	Gfqjafdq.exe
1692	Gjlfbd32.exe
3692	Gmkbnp32.exe
2252	Gqfooodg.exe
2144	Gcekkjcj.exe
3780	Gfcgge32.exe
3660	Gjocgdkg.exe
1080	Gmmocpjk.exe
3600	Gqikdn32.exe
2520	Gcggpj32.exe
3892	Gbjhlfhb.exe
2700	Gfedle32.exe
2088	Gidphq32.exe
1656	Gmoliohh.exe
2136	Gqkhjn32.exe
4336	Gcidfi32.exe
2500	Gfhqbe32.exe
828	Gifmnpnl.exe
4084	Gmaioo32.exe
244	Gameonno.exe
232	Hclakimb.exe
2268	Hboagf32.exe
1336	Hjfihc32.exe
4824	Hmdedo32.exe
3196	Hapaemll.exe
2556	Hcnnaikp.exe
4456	Hbanme32.exe
3164	Hjhfnccl.exe
3792	Hikfip32.exe
4080	Habnjm32.exe
3776	Hcqjfh32.exe
2216	Hbckbepg.exe
4836	Hjjbcbqj.exe
3044	Himcoo32.exe
3804	Hadkpm32.exe
3932	Hccglh32.exe
452	Hbeghene.exe
4948	Hjmoibog.exe
4368	Hmklen32.exe
2248	Hpihai32.exe
1660	Hbhdmd32.exe
3956	Hjolnb32.exe
208	Hibljoco.exe
760	Icgqggce.exe
4264	Ibjqcd32.exe
5084	Ijaida32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Icljbg32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Fqhbmqqg.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6392	6276	WerFault.exe	245

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Hibljoco.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1144	1228	2d70aab1e95fb9424059b07aa8fedd1af356acd95cce1e112d328d87349571ed.exe	88
PID 1228 wrote to memory of 1144	1228	2d70aab1e95fb9424059b07aa8fedd1af356acd95cce1e112d328d87349571ed.exe	88
PID 1228 wrote to memory of 1144	1228	2d70aab1e95fb9424059b07aa8fedd1af356acd95cce1e112d328d87349571ed.exe	88
PID 1144 wrote to memory of 1712	1144	Ejlmkgkl.exe	89
PID 1144 wrote to memory of 1712	1144	Ejlmkgkl.exe	89
PID 1144 wrote to memory of 1712	1144	Ejlmkgkl.exe	89
PID 1712 wrote to memory of 3764	1712	Emjjgbjp.exe	90
PID 1712 wrote to memory of 3764	1712	Emjjgbjp.exe	90
PID 1712 wrote to memory of 3764	1712	Emjjgbjp.exe	90
PID 3764 wrote to memory of 652	3764	Fqhbmqqg.exe	91
PID 3764 wrote to memory of 652	3764	Fqhbmqqg.exe	91
PID 3764 wrote to memory of 652	3764	Fqhbmqqg.exe	91
PID 652 wrote to memory of 4784	652	Fjqgff32.exe	92
PID 652 wrote to memory of 4784	652	Fjqgff32.exe	92
PID 652 wrote to memory of 4784	652	Fjqgff32.exe	92
PID 4784 wrote to memory of 992	4784	Fcikolnh.exe	93
PID 4784 wrote to memory of 992	4784	Fcikolnh.exe	93
PID 4784 wrote to memory of 992	4784	Fcikolnh.exe	93
PID 992 wrote to memory of 3568	992	Ffggkgmk.exe	94
PID 992 wrote to memory of 3568	992	Ffggkgmk.exe	94
PID 992 wrote to memory of 3568	992	Ffggkgmk.exe	94
PID 3568 wrote to memory of 3272	3568	Ffjdqg32.exe	95
PID 3568 wrote to memory of 3272	3568	Ffjdqg32.exe	95
PID 3568 wrote to memory of 3272	3568	Ffjdqg32.exe	95
PID 3272 wrote to memory of 2012	3272	Fmclmabe.exe	97
PID 3272 wrote to memory of 2012	3272	Fmclmabe.exe	97
PID 3272 wrote to memory of 2012	3272	Fmclmabe.exe	97
PID 2012 wrote to memory of 2016	2012	Fobiilai.exe	98
PID 2012 wrote to memory of 2016	2012	Fobiilai.exe	98
PID 2012 wrote to memory of 2016	2012	Fobiilai.exe	98
PID 2016 wrote to memory of 2504	2016	Fbqefhpm.exe	99
PID 2016 wrote to memory of 2504	2016	Fbqefhpm.exe	99
PID 2016 wrote to memory of 2504	2016	Fbqefhpm.exe	99
PID 2504 wrote to memory of 3312	2504	Fijmbb32.exe	100
PID 2504 wrote to memory of 3312	2504	Fijmbb32.exe	100
PID 2504 wrote to memory of 3312	2504	Fijmbb32.exe	100
PID 3312 wrote to memory of 1696	3312	Fqaeco32.exe	101
PID 3312 wrote to memory of 1696	3312	Fqaeco32.exe	101
PID 3312 wrote to memory of 1696	3312	Fqaeco32.exe	101
PID 1696 wrote to memory of 1804	1696	Gcpapkgp.exe	102
PID 1696 wrote to memory of 1804	1696	Gcpapkgp.exe	102
PID 1696 wrote to memory of 1804	1696	Gcpapkgp.exe	102
PID 1804 wrote to memory of 2732	1804	Gfnnlffc.exe	103
PID 1804 wrote to memory of 2732	1804	Gfnnlffc.exe	103
PID 1804 wrote to memory of 2732	1804	Gfnnlffc.exe	103
PID 2732 wrote to memory of 4872	2732	Gjjjle32.exe	104
PID 2732 wrote to memory of 4872	2732	Gjjjle32.exe	104
PID 2732 wrote to memory of 4872	2732	Gjjjle32.exe	104
PID 4872 wrote to memory of 1672	4872	Gmhfhp32.exe	105
PID 4872 wrote to memory of 1672	4872	Gmhfhp32.exe	105
PID 4872 wrote to memory of 1672	4872	Gmhfhp32.exe	105
PID 1672 wrote to memory of 3744	1672	Gogbdl32.exe	106
PID 1672 wrote to memory of 3744	1672	Gogbdl32.exe	106
PID 1672 wrote to memory of 3744	1672	Gogbdl32.exe	106
PID 3744 wrote to memory of 4936	3744	Gcbnejem.exe	107
PID 3744 wrote to memory of 4936	3744	Gcbnejem.exe	107
PID 3744 wrote to memory of 4936	3744	Gcbnejem.exe	107
PID 4936 wrote to memory of 1692	4936	Gfqjafdq.exe	108
PID 4936 wrote to memory of 1692	4936	Gfqjafdq.exe	108
PID 4936 wrote to memory of 1692	4936	Gfqjafdq.exe	108
PID 1692 wrote to memory of 3692	1692	Gjlfbd32.exe	109
PID 1692 wrote to memory of 3692	1692	Gjlfbd32.exe	109
PID 1692 wrote to memory of 3692	1692	Gjlfbd32.exe	109
PID 3692 wrote to memory of 2252	3692	Gmkbnp32.exe	110

C:\Users\Admin\AppData\Local\Temp\2d70aab1e95fb9424059b07aa8fedd1af356acd95cce1e112d328d87349571ed.exe
"C:\Users\Admin\AppData\Local\Temp\2d70aab1e95fb9424059b07aa8fedd1af356acd95cce1e112d328d87349571ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\SysWOW64\Ejlmkgkl.exe
  C:\Windows\system32\Ejlmkgkl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\Emjjgbjp.exe
    C:\Windows\system32\Emjjgbjp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\Fqhbmqqg.exe
      C:\Windows\system32\Fqhbmqqg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:652
      - C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        23⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        27⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        31⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        33⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        34⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        39⤵
        Executes dropped EXE
        
        PID:244
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        48⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        49⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        51⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        55⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        63⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        65⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        67⤵
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        68⤵
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        70⤵
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        71⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:316
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        73⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        74⤵
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        75⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        76⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        77⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        84⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        85⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        87⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        89⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        91⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        94⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        96⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4516
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        98⤵
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        99⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        100⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        101⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        102⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        103⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        104⤵
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        106⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        107⤵
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        108⤵
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        110⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        114⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        116⤵
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2508
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        119⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        122⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        124⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        125⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        126⤵
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        131⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        133⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        134⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        135⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        136⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        137⤵
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        141⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        142⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        143⤵
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        144⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        146⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        148⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        149⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        153⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        156⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6276 -s 412
        157⤵
        Program crash
        
        PID:6392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6276 -ip 6276
1⤵
PID:6344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agbpag32.dll

Filesize
7KB

MD5
b1862367e6ec364f3cb0de0d8e5c5e5c

SHA1
2eea5d9419b47af5f3bf6338d69594f93aa106cb

SHA256
22fbe18ebd3da3c898a0d0fe6d1496a16a36b4ce454e4508b3dfae77cb5294a3

SHA512
f903b632a501debcdbeb3e847162e2afc119ce7c760824f92aa49d56500a14db26bdeaf8f96456315cc61ac9913e1c7e0fc754a8b56729a79e35323edcda5bf2

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
448KB

MD5
1d76de928dfd0c14370cc97940304738

SHA1
123c0e954cbcc7f39898a55bc5ca415f84602294

SHA256
c6be1c88b516ab7520e7b49a1c87ac497d5149eb9d666dedbf5966a0b57e5573

SHA512
213958501560510a37b13eaf76ae21c5c8346bf1f8db6f32b290e66e74fee68724d854b6a37e41d0de458eceab97209e280e5187f80568ef0f09f7f54b63817e

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
320KB

MD5
e7388bb839852879683a4784f6111866

SHA1
15d076f03c92f9f8cd0790bff7eb5b944bed6d32

SHA256
100b1bc9788d5fac02196fc7e8c7e862f74ad82f0e7bf16ed7ac0443ba39fdae

SHA512
cf3ed35046c89cc12fba59bfb0a8b76193c35321fe2b4758b0f546221d3f040e7500e7531248d5a56ecd6be87e65c23870921989e39b7f0ecca2b6f024aaf112

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
896KB

MD5
353cf08e3f2af23741e6ec406702315f

SHA1
a478c18d057c81e0bd2a7015c2fcaf329ba5f16a

SHA256
7242a9823a077f56a12262e93c17765da808fc3e2ca0ce9625479eaf060ee702

SHA512
fe73cc84b2074a906de15af3e03cc6de7fa6d8dbfa3d8a097dbdbbbf7b9ed095873981848787fd23c384dc66f7586caf3e6fcc844ba4c74b811930d203bafbc1

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
896KB

MD5
1bd6ff1b412b2293363130b5fee2fced

SHA1
c3c420342aee978dcfc244e935ccc3c295146889

SHA256
0b44abf31070e1efda3d06cb2b19e805760df606d684f86a0603e510ad514562

SHA512
36c35595e654582bfb77de0b2dad515dcd6dc5fb805bbc1dd6f3ee1b824cd4715ee2f19519ef8b54afef41495e7ec51c6ae12cfd35bdbbf5d106273000eb9933

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
896KB

MD5
9d59f6d11a4091b02833e69b4d520a7d

SHA1
0d59f5f3688aa28541beb0ccf532749b92cdd470

SHA256
187da24a44a1d54e285087ee7db7253cb8fde993b6f4f0b45813afcf990424f2

SHA512
bfebdaa805187d6a566ad7750dccbdcb8f00b1eedd19e66b4b6ac847c8310c8e32c9ff6cb196426977dba2b97f45c88fe7298aec5fe456d65dae8e93e206a416

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
896KB

MD5
d87b4effa10838ca2c4cc0a3a9eb5b5d

SHA1
a59c082fed6ddc6bc5cf30317d184ca975537c47

SHA256
26b4ea2e86b99d459a8f16c5b92769626c8b7df100f9fcdccbfed6f4eeed508a

SHA512
1fb53bba999447f80f98f1c93a18e18cb62d6c367472e9467deef2393ad7cab95095a8afd3d9928a7466677ba9387b833ef056afcd2e96b3dc460cff48354159

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
896KB

MD5
1e9f53a2b4a33dc68a265e6b6728eabf

SHA1
62de000e0042e1cc2bbef72abea89aeb47687724

SHA256
95b58b4d69fda6266f459c07144e326dfb45dd16fa59766f8f7dc5261ab4a93d

SHA512
d684d30dc4710febeb9ba1c15cc609816f19ba6b9f3e0c41f5331c61704569b94d0e7b3969c97776820d1050277063f412bf46f3b574379b7f104a29cbe8d61f

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
896KB

MD5
fae8bfeeb7b37d50ec7e2e3d151d9a96

SHA1
197948517c8a15b100f6b7d1753274bb47e0e550

SHA256
b32040a797f4e1d9b0f0b6bf479d83d77e7abcbbe15ccef0a2e1a128eae83fe1

SHA512
d0aeb67e3955e989bfc36a296d1a4eee89e8572795c15495dde15b2587c0107f31ac3306f0effd9fddcae9393cae1742334c2751691fcb98e2e500c45c657aa4

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
896KB

MD5
b060159c1d21994ce903a81790783775

SHA1
6417d6207257f441e38db9b53719d281adb360be

SHA256
923def58265027de2eb024640f9fa041be1c622ef499eefe9a7f2086d14f9f57

SHA512
fdcdc2a391bd6f0f18dc345252fdb6092b56c70fba4bc6d7f9c26765c1e93306dffad45ab9534012401503bba2fc20a4becc849b5c17f220a02d8e5884674d3b

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
896KB

MD5
8a70b7bfba9d064e20cc9ca21e96baf5

SHA1
2d0288d1052f06df04cdbacb2a17053ce1bada28

SHA256
ebed28d4d76c66dafa80bd8f7d0bf381b10725668f2b3ca2b57e6e3a925a9ff3

SHA512
b48d1993f44a5515615f16c68b44939f62c72a5d95222b5f045fa4ab24cc89551890db33fcb36bd124357b5654a498cdd06f00047729db51ec908e696900d5b4

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
896KB

MD5
dc12648673971848d8d6e6a6c9961122

SHA1
5c29850f17d0077c34a1bf46b76cd29ad747f650

SHA256
f270ced035a300c81263bec535495bf16a140ad6c9900d5fdd710428eac595e5

SHA512
084f2ced12964f562fa75f23092303ed1bcd0626743012439a84f06d87132ac9aeb2d94fe973b0914fc889cfe8de81c667d1108d37104cb5acd258bc18c85881

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
896KB

MD5
388f551a2558cd659c62ebc27d6ad2ad

SHA1
63092ca3b17092e2255cf6168232c632e5710736

SHA256
190214848934bd6392c72a3fba0ade24acb50616cd2c153d18ba0b2a6dbeb47e

SHA512
cc1203f9dd1e495c40479e449513b893dc168fbeead34e1915ecb2df036f53a34a9a0c8310571538e4e3493187bfce4882b9a7082152b680f33fc36941a00945

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
896KB

MD5
8e9201b5e6a5b219975075cb2606d339

SHA1
2204ab75238b152d51e850b351cce1e37a18a269

SHA256
00d82fd37180b8168ba613695611f055b0c33e202ec54add24012e5a72a73d6c

SHA512
f1bcf280f475f4b4372ae93505bff419a769883739cd2737bc86b669d828efec12de6b4b45dad804bf2bce9582e111f204e08564959fcc923b15c7047a7338ca

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
896KB

MD5
d8b0d0d556b9e444da51a3d4802278de

SHA1
11c38f1a28b34f9b2b1de5e55f47dfe04af7d416

SHA256
ea473a13d7be4bd0ee49fbe3d6a6417b30e0aeb94c1c96deb90944d15cb908b3

SHA512
a891660a3c9fcf1c9ee9a6b6b34a4741e703e5c1074f46ee642fbfdc90b2f075eacdf6bc5e61dc34f5016f3afc715083c8633cbebe671c16c32ae5b85d4d927a

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
704KB

MD5
78094691fbccf8840b35f9661f1a3006

SHA1
898256a391aac20bce963a6625962ca51f10b163

SHA256
badb20868948924b30c80cf1404837cbb6e3dbd90459e298a625f72ed51a8f81

SHA512
7c7d02565a687e675e0cf6120ef0514e6e59e2a72b4a5d3587e2dffaceb26485e14f907b1df19c4ba5c24d2fb1bfce9d210b7314323909597685b5bff96984ab

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
896KB

MD5
143ec078ca1ffa673df3eea103a95e66

SHA1
7a55edad124a720a0b44e8dfea5864b9670ba255

SHA256
234665df1ab5a0a3e652bfb9f7330bd0523c9a4571b1ff2bbe86022f7a43850d

SHA512
4f7cf3a12473069bc3669e12010975c1fb91e8278699de17c5deff09edf3d32f5ab64a5ea88b4196986527e2e68c3dd49c1d7663c1628160dd1841743b4cf663

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
896KB

MD5
87eb2422abbe5309b6de2f834472f81a

SHA1
9a4ca257017cc343171de6d8f1ea7fdf13e0ba56

SHA256
53588cc75ee05e049e4849b0b6652ebb5c2c238a08e3b5b5e0de0386ed3425c5

SHA512
a6d09f57fd03cfcde2de8a72e720ada3be2aedcb8f88295084456eba078f0f5386bae52f0fd6f637482a3628d3a47bff41036711b7ef33939fd014617c8a4076

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
896KB

MD5
f4402ef349e72a8477d4243f7d181177

SHA1
0706b44305b459b02778846062cafe9688542d98

SHA256
8a1061a2673c92744bee0128eb00898fc667e529eede8d933c1f20d8213cc282

SHA512
d309683a9ba7ca2d06316442ee317bd1d96a55996511064a31869a51b6552ad498d412892e00f67742ea111dee6ebf595f26a6322bf18692e9024fec29206983

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
896KB

MD5
29c55af9045a328865867767e257a41c

SHA1
66060b6f646dd4049835ce1f281a7529d8c9be42

SHA256
c4d8fd2de29d088cf25e1c5777b782a5220f2b30c7b9bf6f47d10d6d047f790b

SHA512
319357eb29608022aacbb46e5e1e13c060e9bc6020786d4f44d51274a27c29c6c9c49890b73f974c44db015d7416a06877de83135b4828da52ef6bc9a76b7bc9

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
896KB

MD5
c0caf3a37df9121f8c12ce0ff64556f6

SHA1
19474fb475a91ae425dcb8a064e911a457c9dbc4

SHA256
2eba1f373c94fcda1217cb9f9774666ab9ec39b92bc8e5674032c7a4d80f0b98

SHA512
05ef52cfb158999f264944fb0beb99d14ba6d89bbcec4d843283c2ebdcc53b2a005a5b1b93d1d8b411d6ff37b7d533c88ee4795eb2504975429028af8281f843

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
896KB

MD5
b4e48bd650d2129683482a8b74c629d0

SHA1
ffc0940d005190725c75af2b2195393580ec99d6

SHA256
11c815f50580087a6a9b57808c3d75605c7831afe40931a5a88e873dd2f883dc

SHA512
fba287ff24a63ae834ab6a441ce2667b40d278adbe806fab006fefccd303e2fabb2dde0d03f77c5931795e93b3147a2e1451d6ff2e3eb36bb1cf13756b38a0ee

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
896KB

MD5
c88f55abe72000e963ffab941c95be5a

SHA1
41ca144508fbd4c3bf0ae12844c8ad7aa54aceee

SHA256
921b41bf33e93b0de8b81c50fdda6293dd2ee9ef1887c4f727281767d59b630e

SHA512
678a90cbade7a0b15184c331d5d28161f2b5ddfa6cac562d8c2bc14c648b053d0451d627d1339e91412f4f3e79e73fb78532768fc309dc64aa3ff65671f9b56d

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
896KB

MD5
5d498f9fb4a5e3ab8c15a2ced5004976

SHA1
a804aa57e165d12bf76f70e8fe92118004193c8c

SHA256
d7e570f26a89f1343eb8a57a6e1c17154b7ccdb6598acfaa19c68dc7451082b7

SHA512
58e48363639b5201d13aa9e89500890e1eedaa82141f04d7c29f0e8fdad81384d68c59c656f6ee1806a8ff91cfb8597d9355e6a0effd6cbe4ef8ce9e213ff01e

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
896KB

MD5
78f69860850c1d035408d01315f460e4

SHA1
cd2da029a8fed53a827e7f046627b3b0e88b6e7c

SHA256
6a3a8489e8ea8b1f725aa72222f997c48868c4a383140a43bb2faaf85b289384

SHA512
9ffea7a964922228ac83244279dd1807591369c842fe2d9e4d9801990430d09c95506a0bc14a87ae29756aa4f51242d53df3587927efb1faa79dbeed715e0ebe

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
896KB

MD5
97907adfdf10b641bda788152b4283ee

SHA1
0b1d9fa9a486b8b19570f207521d71bca13248e0

SHA256
8b17811898c31725f1aa9c2a68fc7de451f6a6eed78eba5641766bf375ea2e06

SHA512
225e081c18bc3066bf396a599e793aa58bf34d10a97564b7ee2d06fe296a617c49419a006455836d020e8e374b118672097913f96de8fbb34978f90a010d6db2

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
896KB

MD5
f4f864c7cb16f183c9f14f8f38d308ee

SHA1
f02f1e956214ddc716c416039b38723f2f01d481

SHA256
47d08edee0a10abc9b1868e44eba23996ba8a74ed12933533ef569a88b51b588

SHA512
5898136c69ca096e96bf2728e3bf391b5a783f63c1cbc30ec330d0cc7b6f8912edaee4af8eaf46e227da81ab62c9cec6cd26af336c08b54695709fc64427b56d

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
832KB

MD5
9c0c2b2ecf6d2638ed160cde2b9ac18b

SHA1
77279481d1677f38c1350e3b3f7801624311f7f9

SHA256
ce51f7cec3793f22b926d00989dd4c4a9517e494f1f5d7d0c68dae5a8630b777

SHA512
5d842924e85e632c1f3c0e4d83f6a94c6229dedd010b4bb0a0fdae7c2ae3986b3ba641ee7d06ed1c9674182cde614aa7dee1a83946b1553edf024a0bae16d741

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
896KB

MD5
38783b84149f5f30d757216a72f5f871

SHA1
29eba7cb0bc880cab4df6eae3fb7334793af39b7

SHA256
4180590f4aa51c6b459bd37bb5cef92c31a638d328687c309aba6eb2367dfb7d

SHA512
3c5ea4afab96ed51ac2a6fbbacf52d4f96539550d12f3b88de0502728818e1824b1f23b8b13ba2241fde18e45849af35864e9c7a16831865cfab6607ac9527ab

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
896KB

MD5
f5a03bf627b6249d642fe3e02845dabb

SHA1
f2465d5504b13f922c72d1807f4b96a08a5ab655

SHA256
3d5f373a2e01fa156fd2afcc5fd35a1cdeca0930c5fcd5f2dfcec0e72efc44fc

SHA512
9716f6301b94f08b9cddee6651c9dc031b48ad5f9953cc1868fef92e4741d31c99625160ef4d8fc74540964c24db72172e3630a467d2e04b06aa332b6e0dafb0

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
896KB

MD5
2cb0a58e0a363fe87ee81f4aa7591574

SHA1
6cf5e92a9f4e2bf7114cd652b4c5fb0f9d91befa

SHA256
3b323758f188e4b564d3245204b4e8e68db8f19126cc7c9a3bd31a0f68a06779

SHA512
41de80d1596abc6ee62d06c6cf1ff3c6910dbd4f1ce3ba05b31d71ea1476cae0d432f54f0785c53be4a29ddc024d7c8df7746b2cde0a01d1488c5d3a8644f635

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
896KB

MD5
966271602f6248dfc38b682fe73e912a

SHA1
6c069a0ff8a1d43b6da838bc5ada45523573210e

SHA256
7949702b00b722d1193ac927d0437908c30c1bfeed03157a289350a55bd6c85d

SHA512
147048f1c298e8bfc83e5e31b4d01c27a3737e1666c45f96a1f1dc632a84dd4b117ef0b43b77a5ea92bcf7e20db68c449d633fa1414c7968a971823bc323a3d7

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
704KB

MD5
2acce4b0c54e23461dda3108ecb36729

SHA1
c6af15d2e6c50b26c71add72c5a703981111acfc

SHA256
dc34181177fe34cd1b91399e31d24f399fecdefe4ea37505b7e5b2282a28f278

SHA512
d0708573193432d84262e6ddac950cdecf5343ae938028ba113fe23c774ae429babe6fda3da150a6b8bbac8fed655e02ba159ac702785b8ad8680d95780b3e88

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
896KB

MD5
6e3358129aa093322c3f2c2481fe353d

SHA1
1036ae4c7faed7601f031b1ac8fda058f8d6b707

SHA256
2bb35c1bd4fcbe409dea12eb48d6e45069dc11ab3f017b5bf11e6237e88c9df9

SHA512
86449fbd3b0fde76d81032fd4aad003024d7da9f919fcf1c68f97fd7ed331a090f12367400bb78df2f2ee9a795c7dcd9dfe5d9e542c66bcec309b18dc1cd12e1

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
704KB

MD5
f61a7116fd0e5419877db0114710707e

SHA1
3695a7d6ea15d2ffbe1f4c7c260d02bc139413b3

SHA256
38000a943e909fd138700291978d9d42e7b7c07a3f70457e1ee94698852ef9f9

SHA512
a54bf68ae58966698aab26a698d55bd3453cf11d98fdcec97bf5f84a0dd132cf90d38af7eefb56240d370bc8a094722f6ae6a2abf7569f159d2728101c084ea2

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
896KB

MD5
e0376b5685b76ff43d3ef61af8965d8c

SHA1
e890dc22f95a712dd939259eff80e13c206434e7

SHA256
1b1d5ec3c41e903a10dece255ceb718134d69cd8b992cf0f00188977c0d3e1e4

SHA512
234d18ff3baea7b6d601b37dadaaf8c917d135427e3aa3eba8bc0fd163aa362b0aa129c7d1aefe5411076cc73335b009a7a7a478a48b24171a0646788b60f2c8

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
832KB

MD5
78294a0e9ae9b615f7e23555edc9d64e

SHA1
4bc45f85904c9d6fe41db75eeaddd6f174eb1d27

SHA256
82b76dd85e173c2db4fed5b446bd6a6f33d63071f7141c4fb4d73f7ec5422a65

SHA512
492afcb1c0bdb3aa33e8d57774085bec4fed2c64c8e895482f3a81f3261108189353c1afd055cc88db67e919a4ea8f30fc7f4618ddd3a8f288942b6dc1ca60ec

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
896KB

MD5
d4a639724bfcc4e50e73c28568f29d87

SHA1
c5cee932004bf2342f5a4c58e2b72da356b1c85f

SHA256
d52ce46fed469a8564366c8245dab627774e8a5686f0e8daefb2be023bb6bc15

SHA512
9ca5cfb9e30fbba73a7399fb33ce4c18908c9331fd3d0a26920785acdbb5d0117946c396f0c76d43710163aac95f79e7d2f913d9cc148ff17270e38f4d5bcc15

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
896KB

MD5
f18bf9d0dd52eb86a1c2d05e15b11c50

SHA1
82933c240a61b0661cb96f56d463c7428ff98dcf

SHA256
c3830b64e65420a0f26b7da2ee5bcc66afa7254161a38db8927938915b736f84

SHA512
1e8aeec4b6142174c76c3829da04fdaf83b79b177bf2395a786dff16af8153c3297ff21dca53113281a270b71da4e343c76e0fd5700eaa0ffac78347d15c6d7b

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
896KB

MD5
128ff06e151da1e039a792b35983b772

SHA1
8a5315b28d2d00ca59a8bf788d1f21a1770e389a

SHA256
ca310e9fd02145336e63d16473ad54fcc1aea04360ade74116c7473e2b81c1a8

SHA512
1b13ba65f0cd44810d3c910822202240a9c633e4a872130768f82d338721096a4b39fbbaf5e63589d4d1d79ebe1cbd96d6670ea151d3f43e780b68776573e680

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
896KB

MD5
faebfbb4acf2faef16806101aa269a23

SHA1
67d8fa006cdf85d1e5ddb9b01a718695918637ae

SHA256
c58c60d9ca6c3302f6d19ee1edde5e70250adf9169ff5b5f5766fb7d5fbb5083

SHA512
6510f9d649e1e54eaf01ede95c09ec64a54d818b7022b7ae57298262907a265b2109ba7f52f6e24edf6d3a5309428c02518f328d8f59dba4c834e1cbe7c604cd

Download Submit
memory/208-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/244-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-596-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-613-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-1026-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-605-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-1024-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-1033-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-1009-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-1032-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-616-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-1007-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-606-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-1025-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-1018-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-614-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-1034-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-1001-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-1017-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-615-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-1008-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5264-1030-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5336-1028-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5344-1003-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5376-1029-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5420-1014-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5500-1006-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5504-1012-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5612-1011-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5676-1039-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5692-1002-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5788-1035-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5804-1005-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5816-999-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5820-1004-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5936-1036-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5948-1000-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5960-1038-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6020-1037-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6096-1010-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6116-1019-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6128-1015-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6152-998-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6188-997-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6232-996-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6276-995-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads