977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8.exe
Size

91KB
MD5

e0d121a5f2e6a1a462a0b1fcc93e7fbc
SHA1

e65ee5d03826c3296fa5a3bdd804d76d0d143e1e
SHA256

977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8
SHA512

4cbdb5e8fbecd71ceeef19ce501bded85b630811076bb176d59e24eaab8fb7a89ecb92c3281c56454339b560da3ec44b51c22f510ad4e427973ab8aa1c2d4a3c
SSDEEP

1536:nTemPalZiksT5m/7glLBsLnVLdGUHyNwtN4/nLLVaBlEaaaaaadhXd45J:qhGkslAglLBsLnVUUHyNwtN4/nEBlMdQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe

Executes dropped EXE 64 IoCs

pid	Process
3292	Ffggkgmk.exe
536	Fifdgblo.exe
2104	Fopldmcl.exe
900	Ffjdqg32.exe
3944	Fjepaecb.exe
5052	Fmclmabe.exe
2768	Fqohnp32.exe
3988	Fbqefhpm.exe
8	Fijmbb32.exe
4492	Fqaeco32.exe
4352	Gcpapkgp.exe
4468	Gjjjle32.exe
1364	Gmhfhp32.exe
2652	Gcbnejem.exe
4500	Gfqjafdq.exe
2604	Gmkbnp32.exe
2564	Goiojk32.exe
2500	Gfcgge32.exe
2396	Gmmocpjk.exe
1056	Gqikdn32.exe
2244	Gbjhlfhb.exe
1352	Gjapmdid.exe
3048	Gidphq32.exe
1568	Gqkhjn32.exe
4744	Gbldaffp.exe
2760	Gifmnpnl.exe
4668	Gameonno.exe
2680	Hboagf32.exe
2116	Hihicplj.exe
1388	Hapaemll.exe
5112	Hcnnaikp.exe
976	Hfljmdjc.exe
3052	Hikfip32.exe
64	Habnjm32.exe
1976	Hcqjfh32.exe
3712	Hbckbepg.exe
2468	Hjjbcbqj.exe
2184	Hmioonpn.exe
4524	Hfachc32.exe
1008	Hippdo32.exe
3140	Haggelfd.exe
4880	Hcedaheh.exe
3284	Hfcpncdk.exe
1076	Hibljoco.exe
3728	Haidklda.exe
1616	Ipldfi32.exe
216	Ibjqcd32.exe
2492	Iidipnal.exe
4736	Iakaql32.exe
2884	Icjmmg32.exe
4960	Ijdeiaio.exe
4032	Imbaemhc.exe
1628	Ipqnahgf.exe
4816	Ifjfnb32.exe
3480	Ijfboafl.exe
468	Imdnklfp.exe
1640	Ipckgh32.exe
4420	Idofhfmm.exe
1868	Iikopmkd.exe
2288	Ipegmg32.exe
32	Ifopiajn.exe
4616	Iinlemia.exe
1200	Jaedgjjd.exe
3860	Jdcpcf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fopldmcl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6808	6720	WerFault.exe	247

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 3292	3268	977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8.exe	90
PID 3268 wrote to memory of 3292	3268	977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8.exe	90
PID 3268 wrote to memory of 3292	3268	977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8.exe	90
PID 3292 wrote to memory of 536	3292	Ffggkgmk.exe	91
PID 3292 wrote to memory of 536	3292	Ffggkgmk.exe	91
PID 3292 wrote to memory of 536	3292	Ffggkgmk.exe	91
PID 536 wrote to memory of 2104	536	Fifdgblo.exe	92
PID 536 wrote to memory of 2104	536	Fifdgblo.exe	92
PID 536 wrote to memory of 2104	536	Fifdgblo.exe	92
PID 2104 wrote to memory of 900	2104	Fopldmcl.exe	93
PID 2104 wrote to memory of 900	2104	Fopldmcl.exe	93
PID 2104 wrote to memory of 900	2104	Fopldmcl.exe	93
PID 900 wrote to memory of 3944	900	Ffjdqg32.exe	94
PID 900 wrote to memory of 3944	900	Ffjdqg32.exe	94
PID 900 wrote to memory of 3944	900	Ffjdqg32.exe	94
PID 3944 wrote to memory of 5052	3944	Fjepaecb.exe	95
PID 3944 wrote to memory of 5052	3944	Fjepaecb.exe	95
PID 3944 wrote to memory of 5052	3944	Fjepaecb.exe	95
PID 5052 wrote to memory of 2768	5052	Fmclmabe.exe	96
PID 5052 wrote to memory of 2768	5052	Fmclmabe.exe	96
PID 5052 wrote to memory of 2768	5052	Fmclmabe.exe	96
PID 2768 wrote to memory of 3988	2768	Fqohnp32.exe	97
PID 2768 wrote to memory of 3988	2768	Fqohnp32.exe	97
PID 2768 wrote to memory of 3988	2768	Fqohnp32.exe	97
PID 3988 wrote to memory of 8	3988	Fbqefhpm.exe	98
PID 3988 wrote to memory of 8	3988	Fbqefhpm.exe	98
PID 3988 wrote to memory of 8	3988	Fbqefhpm.exe	98
PID 8 wrote to memory of 4492	8	Fijmbb32.exe	99
PID 8 wrote to memory of 4492	8	Fijmbb32.exe	99
PID 8 wrote to memory of 4492	8	Fijmbb32.exe	99
PID 4492 wrote to memory of 4352	4492	Fqaeco32.exe	100
PID 4492 wrote to memory of 4352	4492	Fqaeco32.exe	100
PID 4492 wrote to memory of 4352	4492	Fqaeco32.exe	100
PID 4352 wrote to memory of 4468	4352	Gcpapkgp.exe	101
PID 4352 wrote to memory of 4468	4352	Gcpapkgp.exe	101
PID 4352 wrote to memory of 4468	4352	Gcpapkgp.exe	101
PID 4468 wrote to memory of 1364	4468	Gjjjle32.exe	102
PID 4468 wrote to memory of 1364	4468	Gjjjle32.exe	102
PID 4468 wrote to memory of 1364	4468	Gjjjle32.exe	102
PID 1364 wrote to memory of 2652	1364	Gmhfhp32.exe	103
PID 1364 wrote to memory of 2652	1364	Gmhfhp32.exe	103
PID 1364 wrote to memory of 2652	1364	Gmhfhp32.exe	103
PID 2652 wrote to memory of 4500	2652	Gcbnejem.exe	104
PID 2652 wrote to memory of 4500	2652	Gcbnejem.exe	104
PID 2652 wrote to memory of 4500	2652	Gcbnejem.exe	104
PID 4500 wrote to memory of 2604	4500	Gfqjafdq.exe	105
PID 4500 wrote to memory of 2604	4500	Gfqjafdq.exe	105
PID 4500 wrote to memory of 2604	4500	Gfqjafdq.exe	105
PID 2604 wrote to memory of 2564	2604	Gmkbnp32.exe	106
PID 2604 wrote to memory of 2564	2604	Gmkbnp32.exe	106
PID 2604 wrote to memory of 2564	2604	Gmkbnp32.exe	106
PID 2564 wrote to memory of 2500	2564	Goiojk32.exe	107
PID 2564 wrote to memory of 2500	2564	Goiojk32.exe	107
PID 2564 wrote to memory of 2500	2564	Goiojk32.exe	107
PID 2500 wrote to memory of 2396	2500	Gfcgge32.exe	108
PID 2500 wrote to memory of 2396	2500	Gfcgge32.exe	108
PID 2500 wrote to memory of 2396	2500	Gfcgge32.exe	108
PID 2396 wrote to memory of 1056	2396	Gmmocpjk.exe	109
PID 2396 wrote to memory of 1056	2396	Gmmocpjk.exe	109
PID 2396 wrote to memory of 1056	2396	Gmmocpjk.exe	109
PID 1056 wrote to memory of 2244	1056	Gqikdn32.exe	110
PID 1056 wrote to memory of 2244	1056	Gqikdn32.exe	110
PID 1056 wrote to memory of 2244	1056	Gqikdn32.exe	110
PID 2244 wrote to memory of 1352	2244	Gbjhlfhb.exe	111

C:\Users\Admin\AppData\Local\Temp\977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8.exe
"C:\Users\Admin\AppData\Local\Temp\977c0a2b92b65bc5be2860ca954b26eb070bcf66eb828dda0909f3d78314c5e8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\SysWOW64\Ffggkgmk.exe
  C:\Windows\system32\Ffggkgmk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\Fifdgblo.exe
    C:\Windows\system32\Fifdgblo.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\Fopldmcl.exe
      C:\Windows\system32\Fopldmcl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        24⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        25⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        28⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        30⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        31⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        33⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        37⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        39⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        40⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        45⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        48⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        50⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        53⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        60⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        61⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4216
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        67⤵
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        69⤵
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        70⤵
        
        PID:932
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1424
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        72⤵
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        76⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        77⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4828
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        81⤵
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        82⤵
        
        PID:804
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1848
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        84⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        85⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        91⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        93⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        97⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        98⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        99⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        100⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        102⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        110⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        114⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        115⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        116⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        118⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        121⤵
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        122⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        123⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        124⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        125⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        128⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        129⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        130⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        132⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        134⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        135⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        139⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        144⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        146⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        149⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        151⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        155⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        157⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 408
        158⤵
        Program crash
        
        PID:6808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6720 -ip 6720
1⤵
PID:6784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
91KB

MD5
d65f8423d3907d0cb11f1bc67d67966b

SHA1
4124a7841ee223773d1abf117b1b4ffced0e7e19

SHA256
422ecc6828392061c3c5efe3e745098a99927faab9e6b4a4fc8aae798d1fe2cf

SHA512
54c7e65a33e495adc202cba4f7f74af488100a2b0e0238353c1d29030733041624b10a6ac8b6dc9e1da215c3b7fb09866e2d6069fe23b7b3a118ee0ae649859c

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
91KB

MD5
7d94b976bf66974bab6df3df390d585a

SHA1
ed619003513a5b1a90e7eac5357a63f4cb464713

SHA256
1d74acd68051c9293f2b4e91946f62f04870a0ef1832e1e42f56b77516a1e980

SHA512
2f9a770d9243784d76306e2d55886ada0b580e10130fcf0c72cfa194e345a2722fce812744dcecead6dc759fb2c7e32ba3d77ce7f1fd9c626f6eb05b9f56ca07

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
91KB

MD5
cc6c1a96316124e49c62b1108fa078b0

SHA1
f0f94c3f203627f889c016d8d5d317e79d9cf1f5

SHA256
fe8e307307ce4d8b6b1cef583b5e4c2490907388b26acf19b76930cca30f6916

SHA512
91ce26a8ebc6356b0e9a885ded9ebedf9f0289075cee8c8ba3311578cebc235e2d0513ca049e39d8f2b724d9fbec50bbff6f230e826cca62b5189489c18691fe

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
91KB

MD5
ddf4c0cc7aace4ac31cf96db45c44049

SHA1
2b1fb77404dda7ae3bb25a80fe359aefc0f5a8c7

SHA256
3e48088be4f1ef44875a67bbc7a1f4334bd10d0b8c4539da791f097f0cf445b8

SHA512
80f3469a99175c1d90b0fb4856d841b09bb35174e77acac84dbe4d46422bf70ec0b89cd4706af28d7b68dce03fc141b0a17e466dff0f9ecadd145b78ceaf235b

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
91KB

MD5
757139ca8d00bbb107fdf6e2f553e9e4

SHA1
cee1cafcf06e77f8b092bd74ffb44034306872c2

SHA256
5d675b2e261ad19716055aaed4bc265ea0f144695e3651f7617804416869f81f

SHA512
bb66d9126ae96f21736c15c82b8298f0286c9e65948b7e0dc002c560dd6f6622461b58133c06d78808fe256499a03a5af7a85ee044de08d697caf638ce396dcc

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
91KB

MD5
6dffde21680e37dde682c13112a14c4e

SHA1
ec1b77859ce789ed4a7e59ea944c2b0f46f92d73

SHA256
c4f4ceb723b663ee0a37e1cd69f4cfa8c2a5543db3cbc43e8c904b9aadce6eac

SHA512
0271724cee9ab7bc5c6442e99941c72e7bc03a84e304a24d28d1d9d2b52598dd3b0ad293e7b6dfe7cf5a64fb12b805ebf0a4610b6e4fb1e68bf50c888a5cd083

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
91KB

MD5
a74cbda6249d4463bbe0dab529b9fd05

SHA1
37324bff808ca78457090a6a14a49cc532b5d951

SHA256
1cd6539bc5af4ba67dbda61c764d0e1774a63f48df13f59291f35ba8f0d9ec6a

SHA512
48565459145da8a384d80a107a31eafcb73719de76a790d48c154b500f016303e43e20e02174e9620039f99317182a004b234d7bbaefa4f23f87e7989d9277aa

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
91KB

MD5
f3e74fc8b56afe53e5630c7b72a6f513

SHA1
1371628cd7ce8b863dc4c8e5ea0f0767c8274435

SHA256
88696422ea2be436b3a69435dd17f50e5d29074d63fbecf5bfb27c05ee9743e7

SHA512
cd74ca13e965a613f4186f759c4d765fa6ed8002caa393e7310604b9843f9bc8bfb66cdb9fd5622b11c8e9c4d775b06b2cdc1072670e87a11edd8231c8ba4ef7

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
91KB

MD5
31b99d1564a4578f543d1e018a2a6a40

SHA1
3a6317e644536a1b9302f2d8482c4028ac45d574

SHA256
bbfe08f90c186aa882d436cd9e0a9602211b44fb55d069d778e19f4b0290eda4

SHA512
51423b1f785677b478e7bb8208b59816ac2cd8795336aa2c8c723e4d8b187b8722f45a8c7358db7cea8d8d64163925accd382c48de61f58118209dba1e557f81

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
91KB

MD5
4843865dd916b69379ca0bf5eff7aa5d

SHA1
e84fe7f73e8f28ac39bfde840e605636abaff177

SHA256
0483efe6f4a8a7cc4ff522c4bd5771db6ec487e3aaf00e67d2d539f58b24f43a

SHA512
ba3777a6d2905143a1910d34de6b19bafc464d4dc4f8030e1645aa9af3426a8ee1fdabd8e3f467afef6b1041c78f972a936836126297ccce2a7c70118e119eee

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
91KB

MD5
362fdefaecc7e6d94490abe58b5b34ce

SHA1
141d5d74b2e1bd7267179ffa70230a542854f827

SHA256
7cc8583431c179dda34dd21a818a57b4a82005a392c4f8987de0c65a0ab57f42

SHA512
67c5a73febbd6c32f3ce7df3c90e6c90d7b747991aa7cb57422bcf793ba73d6f1c33ee52053ebe8c7b9e0179abdd8b32f72a9e9cab02d70f9d34fcaaf93b1a0f

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
91KB

MD5
ac64157d40b18c207203858cb108eb44

SHA1
840ada3686d0813b7f8b590d92ee6a228f2bd284

SHA256
cc5a47a7ea14d1c1e05d234734f225493dac210bb16dfef5e2a17ff76ff7c01e

SHA512
0d576af58b56b3505d27758de9679811f9a1a8436fa946988f41b52dada80f714b808339e224aa41f61385d52cc24858fd62daec5a06db995bc358553a4eb53f

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
91KB

MD5
bc0486876fffee45a70ae2289ef9a75a

SHA1
8f769a9addf01f57e63eddd1a3d541819b0ffae0

SHA256
4dfc5cdd87d63a97ba2896ccb8fae3cc6ffc6c9227f2da8780e303a7b78d94e9

SHA512
2a4127aac35ac4349087395e5001b33b3c764b65ea61ec36eb6edb3076329fbf3138335a6bc68a853ff67343da57178f8b26ff76aa0868bf2360a87d2b7cae59

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
91KB

MD5
cc40d3483f19a1c5c9eca050f21d64d5

SHA1
167dc2d4483e6bc80859040062ac9464659a7881

SHA256
7e8aeeac9d776296cdb272df0fe1071a12836fff28301e3b9ea07f65bb68107f

SHA512
a0505ac24176d08683f95d5d23b6f90fdcd3b32f8825eba5be5b09d72ebc78895c637716e374e066f4f1130dc008c7b70c2164257105f730333d307ca56ca33c

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
91KB

MD5
343c928fa441f8430146037a90b2b597

SHA1
35330abecf13bf16f643c8aaff39abc085e90054

SHA256
3078ebb688f1cf63f20d74882de4d10be95b6f29dca8f7972ac12aa1b3990853

SHA512
120bd5905df0885ca9d7aa8b41c6ec83ffaa9a9bb34e656455793ca2fb784647099e8e4e70f7255168ed95560b7e29e72b8dffed41b570187f63bbad27a36017

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
91KB

MD5
0a03ec7b585a4a311390ff165dec2b86

SHA1
3abc9c1ad1b207d39879bcf28ee1147b543c5359

SHA256
7c8cef6eccfcc3bfdf1593df2ff3b3bdcd7139c0bbde4a20f64dc99d0f92fd57

SHA512
1ae997af2fbf819a6ac04e8505b88a7176a77ba57dd047b8487406f61ab635f3c79d3aee024928a2dff9a294ece4632a64307b2dd4a942f6ba4bc508a29f906b

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
91KB

MD5
b870e12a12e0f1eb6a537f7102de1dad

SHA1
7d0083b3153544939c5ee0f03e58fcdd78825405

SHA256
bcf87e8f8393d3f286f423a956ea73da784d06617d6c5efde91c23dbbcca46c9

SHA512
da58b53a953a1ffa39418c1cb5870eae60af8fe8bb02cf3e68b4de7b15275f9f9fe44653add52396b449a51fd6bb106b2b3e2fff70b8e168e40c964dcd8a7207

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
91KB

MD5
780ffad5996fb7e3aa419756ef7d5800

SHA1
9f148d6cec635476d7995cafee8feeba43bb2ff4

SHA256
78169054d99ec4e29a9e2696fe8f8e3dbd6c47f990863cccbd5a01f1e6f0e208

SHA512
f01f6567c90e930eeb785de134a911d7c5581ee463d4c4df1c8ec3c069c92f7c1737aa8d1e4baef922c4f44332b946a0595f6084ad5af12de72d704867a2ddb9

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
91KB

MD5
3ee086159ade40e06f83555ff1b2b170

SHA1
2b29f35d45fa9308d06cf82aab4ab6c4e78f97b2

SHA256
3f22728227e1cddd55f2e590469b0f96e2c9320e82db4b1f186ddc6d7f5ee53e

SHA512
0cd0d2e618b4add78b1184bb35d138d908491e33ce16ac027b2fe57e4942703a5a58e6c1d51c3a22e85e94a606e40a3bb8c53b218245267b0643dda6dd941a40

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
91KB

MD5
82814a29b02815c51e0f7a16ca8736d1

SHA1
6ed6e3ea0ece0a36e4b82591178ed4617e3f0550

SHA256
953857c88e3b785798f0c0a057b2389cb806162dd69bdea318c1f814d7a655b1

SHA512
b8b52740d7d35812b94778776bdfa3d43decf253a0edb59667ab2f95f019193e15acf144b80ffdb476d12e82abfc5efbb2f50760745c3c2250638313266f4555

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
91KB

MD5
6043a85a14653d469d92d7945e828e42

SHA1
c954f3c64296495cdc1271f2567e8a555691e098

SHA256
40ab628e9e808afa265f3f811fc49ca3fcd063ac878df9a3c34a9a1703cea4d4

SHA512
ce62ecb29e4f42f48596769c9a0e589314b5e5c32b08c1d0bc097caae388c07607ad3f6943ae3dfdd3d36b98d2689c87b5142bcd876b67caef5ec388901b6720

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
91KB

MD5
e24c4b515d3477925b4ed755ccee085b

SHA1
71d856858d43745f0684129dc216036383d26ab8

SHA256
35a6721801ea8c412f7c56feb912f970007623c8ded5a9479ffd8b25d2de2f28

SHA512
fe5c8d486d25add2fbdb42794aa163306187480d05d9868c0a9c151537cf22ecafd8663ff312f12bae82d26d4949dbcd6b0769dd9e256053d26563efa2f6f2f6

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
91KB

MD5
7513ccc839536eaed15f5d758fe44a9a

SHA1
eefd74da4c418e145e14b74a95a51585c6c7b0a6

SHA256
d129db1711bcb16568852f7ea24d911048d6496a3896a77757f55d07ec68da71

SHA512
4010a6f65377ee5209555620164b7ef3f7d9f0c1f0767e2cfb9fa75c65533b247986358bc937d33ce747fcbcaa79e565223cdd1adcad052f36f16c7afab9af77

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
91KB

MD5
76b2b4a219574483a8176793384b73a0

SHA1
59af4445100b2fc33d4896b4b33ad9221da22f25

SHA256
e4e1699850dd3b563da9cdda3cdb04f80c08ec23ecf9b93f2bb43f362e68877f

SHA512
28b489c977535574970afd82f9295ba73862bcf6434c53e6618853f17223d5fb6e03babec865a6bba4e13413e40be40ca3ef75705edc815974ca54b8d78dff33

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
91KB

MD5
a539227fa4cbcf335e9663ae0beb7b7c

SHA1
4d64cbd33354eba6de2e80e4b90de12ba63a8b1e

SHA256
4e9d6351ba334e7b9e359f06aec3e301636a6742c1ead291bddd12acd46d915b

SHA512
6ee267334cbad2ea42b805a5534b56805034e6f20815ae4d3866545bc356f39606d53889b433ed0ce8d8dd8567b5a53673c79667de436dc05863a54585006998

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
91KB

MD5
6722fe308084b71c5a053627c8f9d722

SHA1
6ef13af73e4ace96980186f9824efb05709d55be

SHA256
ecc389fac662abc89f8df3db6a4ebf9ec19cca015889a97cb54f777a66847cd2

SHA512
a20bdf3fade61addff67a3383d24f6bc8b22669d18580b0f655face60f6e8182b742fc762d7f3acf5d9f2a4912ab9bbcfb279f58457e9fcb14603fb6bfc5191e

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
91KB

MD5
32c911c760951d4186681ec2e4855cd3

SHA1
ee29acaedad77762b1ca0695140b6bde698f3e0e

SHA256
3f2565d80c51ca51f62106e103048e26ffe92672eb9f5bfc305167417049d83f

SHA512
1e19b5e5e09020bfbd45acb027ad03fed082ed4c834db4cbd1e354d782a63aabf8c21a1621bd13047b44835a57d02c7fac1b3ef043024ddd332c709fec214c6a

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
91KB

MD5
1bebb2c27600e305c296ae43346dfa3f

SHA1
1478cdf2dc5fa84f41dcf7de3b308b5d87b381b2

SHA256
9365733a32bf1092fdbab2ec3bf5e62422058128939ab619b2a7f889b980e294

SHA512
023a7a996367a5bfcaa1463aed40f1396a2d58cd9f3e9e89495acac3ec4d6d414660b2f6fbeb76a20af381172d2909d8e2ece06df948eb5ad2a93e3b978455d1

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
91KB

MD5
35fb8cde6839942de733a070d4296ac1

SHA1
31fa29c1806e5b0768ddbafffd649fa483d92d8a

SHA256
86815766ceb1f5982ae3180b5e4731288712116f5448f9144f20656ef6d7992b

SHA512
1f6fc4f171764e18e7310cb4679c860037424d78bbfb123473dfc35b3dfa0b786c03448b77d647a2fedec716c2f708044641e52ae3f922b0fdbe2d30bac4af8c

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
91KB

MD5
96d920dc08405221dbb1c5825d8e6b5f

SHA1
ab81a4d685bd5911934ad944857819de2d10384e

SHA256
5f9c11f89dd8d23b1ed7000358e88bfa16de99f1a6d749ba0d5ee22ef7b11de8

SHA512
ff6ef6011c82d634ecd8cb01a6130cfab43af3f1e93924f0449309d691d263de90759ecf407995735aec7c4c895373ae30869b6753f9f8cb86e67fa0a77d9580

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
91KB

MD5
bfe8f53157ca7464fcedb00d1ae1dc2d

SHA1
10c400dd33f788ba931aa4bdc5a1b6b671d1ab80

SHA256
dbf1cab1a03076f97b55b4f025a816f32db0a97f62413b0611ae42b9cbf60f14

SHA512
de0106a5b4a6dffe2e717a5d95589f037b1f952fa7e1b1a493dcffb3fedd272a4b7b3e82fc54d4cac9fe0379bcf1b2904ca49176f007d573d66ab92e4ea2d482

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
91KB

MD5
3e4a8b5deea7cb44c0499ec22d49c51d

SHA1
a6460344b4d2c4b499beff479cb60063e019de32

SHA256
09a240d04b3a4efefc7d320475b5673c897dca02099b4af5944b6600083cd42d

SHA512
f784164a3039c8950353516010af2de130df53352af3e81d0a37a763e7892b03b0f2662b3a4998989cf825998ed8ccff50d4ebcfc1b1a0e61fbb4535e2418189

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
91KB

MD5
fe555ec271b936e9cf9eedf05052c53b

SHA1
05815f2d6ca3b13f8203ad72315111e763e559e7

SHA256
8bf4f10e0365708afde9f8946a7d98480cbb4d5b6cc63e575b2ab65299502d5d

SHA512
584d0331cc553e13350d769a18f7d22317d0a7a24dd8832bba32d290c6f6b8f45e6069d1af9853568798231211c2ddb3d61a685453e3d730a05c4d63b961daad

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
91KB

MD5
1e274f5c309110e8b64447f33c8aa7b7

SHA1
0cd3791d0095dc5e07340e7a3e2c6be09ee18e3a

SHA256
f42f4de19efaa549d2dad22568b5957357f862c86c81567d90e75e8a2a9ff7b8

SHA512
ac73217f551128f44953f7d42cb8e7e52a1b75c8cb10b66047af30499ad2197bd5f0feb0d50f083596c880ed1b96ed96e629cdb393638b364348640f2f2d60a8

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
91KB

MD5
ca12393c62ef5a1dbabc3919a816f4f8

SHA1
a4af5b85b24d028813184fc6b88cb418d8ea3727

SHA256
7413d58a60e12126ced14249aa82835e8e948e7417325e45ad2fe4cd6b18f64f

SHA512
eff369d997fa057bf6e5bdc32ff9517d0f98d7731acc47a5c5579b4e4c870a1c43bf8e7cfc4bf29beb100e65462ef8371bfb44823d48bd2d5fc39daefb55072f

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
91KB

MD5
753b280bff6c98644ef750ac7d6be67d

SHA1
aaf5fda3f3fe9736db6cd1119e9dd40e56eb818b

SHA256
bd412656aa1ecc9ab5aea364e61a3eb9fff9b1f62207158019cce047ba139204

SHA512
0d5e7efeb496dec7c76c77b5939603c12e5e0fb59a322b5359794f1d3ae638106b285b5e3d5911d276acd0450b748a5852ebe0bcbbeddb77a36c97f1eb85811e

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
91KB

MD5
9743ef3eef6e128c8619de39073e355f

SHA1
7a761c0432e93cb6be35d128c3bee7633375b442

SHA256
0251cf194a7bca89c804d88d5d05178c62cccdac4947de23cf506a8ea884eb07

SHA512
76c7daf9eae898a4aea00e8cca03af7f24b9f35a54cf0ef2ccb6d23d7031aa8bc93ff333a4e21a37127363d41231a97144c2d834383646be32f54a602005ef6e

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
91KB

MD5
140edec79420f60c8c62819b10412dbd

SHA1
2e1b30c5615d774b541676824d97d0cedd905979

SHA256
8df1ad1b18bcefe87b4a69c27ec341cc57475dc470b2b1f05572607f5a6a3a99

SHA512
5bbd7474891853d93c373e4eb23662c80b0529a4ecb735ce7251e478814ec471447cdcd0fcd54c6f0a2846fae286f1a12882d3f4c12af04c705186f50cfe9723

Download Submit
memory/8-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/32-435-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/64-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/216-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/468-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/864-1093-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1868-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-428-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2564-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3140-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3480-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4736-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5240-1075-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5272-1078-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5408-1071-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5604-1119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5648-1118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5688-1088-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5716-1081-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5736-1116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5776-1115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5908-1080-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5980-1111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5996-1079-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6036-1073-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6048-1095-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6052-1110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6140-1072-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6204-1069-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6464-1063-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6508-1062-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6552-1061-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6676-1058-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6720-1057-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads