49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3.exe
Size

487KB
MD5

df5ced48c99a55ce810ea1f5c7a4c67d
SHA1

7d60fca6ff91b7450c3b2b05e34c7305699c640e
SHA256

49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3
SHA512

2feaf4af3d803d19676113c9eae04c1175a67a5cac86b370e90ef1a4d07baac2c6f159f3487f39260b3098e1673a7163a8f14ec5191a800f07cd8f1298cf5466
SSDEEP

6144:J5WuGUunfAGbM2yJT///NR5f7DM2y/JAQ///NR5fLYG3eujPQ///NR5f:J5WEFoM1z/NzDMTx/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe

UPX dump on OEP (original entry point) 56 IoCs

resource	yara_rule
behavioral2/memory/3224-5-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/files/0x000700000001ebc7-7.dat	UPX
behavioral2/files/0x00070000000231fa-15.dat	UPX
behavioral2/memory/1964-17-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/files/0x00070000000231fc-23.dat	UPX
behavioral2/files/0x00070000000231fe-31.dat	UPX
behavioral2/files/0x0007000000023200-40.dat	UPX
behavioral2/memory/3064-39-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/3312-49-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/files/0x0007000000023206-64.dat	UPX
behavioral2/files/0x000700000002320a-79.dat	UPX
behavioral2/files/0x0007000000023210-99.dat	UPX
behavioral2/files/0x0007000000023216-120.dat	UPX
behavioral2/files/0x0007000000023220-156.dat	UPX
behavioral2/files/0x0007000000023222-163.dat	UPX
behavioral2/files/0x0007000000023226-177.dat	UPX
behavioral2/files/0x000700000002322a-191.dat	UPX
behavioral2/memory/764-414-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/1724-451-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/1524-468-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/4988-525-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/3228-547-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/5132-589-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/files/0x00070000000232cb-670.dat	UPX
behavioral2/files/0x00070000000232bd-631.dat	UPX
behavioral2/files/0x00070000000232fc-806.dat	UPX
behavioral2/files/0x00070000000232e4-738.dat	UPX
behavioral2/files/0x00070000000232e2-732.dat	UPX
behavioral2/memory/3412-538-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/2840-510-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/1892-503-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/memory/4328-443-0x0000000000400000-0x000000000047B000-memory.dmp	UPX
behavioral2/files/0x0007000000023236-233.dat	UPX
behavioral2/files/0x0007000000023234-226.dat	UPX
behavioral2/files/0x0007000000023232-219.dat	UPX
behavioral2/files/0x0007000000023230-212.dat	UPX
behavioral2/files/0x000700000002322e-205.dat	UPX
behavioral2/files/0x000700000002322c-198.dat	UPX
behavioral2/files/0x000700000002322a-190.dat	UPX
behavioral2/files/0x0007000000023228-184.dat	UPX
behavioral2/files/0x0007000000023226-176.dat	UPX
behavioral2/files/0x0007000000023224-170.dat	UPX
behavioral2/files/0x0007000000023220-155.dat	UPX
behavioral2/files/0x000700000002321e-149.dat	UPX
behavioral2/files/0x000700000002321c-142.dat	UPX
behavioral2/files/0x000700000002321a-135.dat	UPX
behavioral2/files/0x0007000000023218-128.dat	UPX
behavioral2/files/0x0007000000023216-121.dat	UPX
behavioral2/files/0x0007000000023214-114.dat	UPX
behavioral2/files/0x0007000000023212-107.dat	UPX
behavioral2/files/0x0007000000023210-100.dat	UPX
behavioral2/files/0x000700000002320e-93.dat	UPX
behavioral2/files/0x000700000002320c-86.dat	UPX
behavioral2/files/0x0007000000023208-72.dat	UPX
behavioral2/files/0x0007000000023204-56.dat	UPX
behavioral2/files/0x0007000000023202-48.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
4500	Fmclmabe.exe
1964	Fcnejk32.exe
3660	Gcpapkgp.exe
3064	Gfnnlffc.exe
2268	Gimjhafg.exe
3312	Gcbnejem.exe
5036	Gfqjafdq.exe
3004	Giofnacd.exe
1232	Goiojk32.exe
764	Gbgkfg32.exe
3360	Gjocgdkg.exe
3408	Gmmocpjk.exe
2892	Gpklpkio.exe
1332	Gbjhlfhb.exe
3544	Gfedle32.exe
4960	Gidphq32.exe
1296	Gmoliohh.exe
2140	Gpnhekgl.exe
1588	Gbldaffp.exe
4328	Gjclbc32.exe
3124	Gifmnpnl.exe
544	Gameonno.exe
1724	Hclakimb.exe
3472	Hboagf32.exe
2496	Hjfihc32.exe
972	Hihicplj.exe
3784	Hcnnaikp.exe
4528	Hfljmdjc.exe
1524	Hjhfnccl.exe
3068	Hikfip32.exe
2704	Hmfbjnbp.exe
4864	Hpenfjad.exe
5044	Hbckbepg.exe
2620	Hfofbd32.exe
2276	Himcoo32.exe
532	Hadkpm32.exe
2716	Hccglh32.exe
772	Hbeghene.exe
1892	Hjmoibog.exe
4976	Hmklen32.exe
2996	Haggelfd.exe
2440	Hcedaheh.exe
892	Hbhdmd32.exe
2840	Hjolnb32.exe
740	Hibljoco.exe
4464	Hmmhjm32.exe
2772	Haidklda.exe
1812	Icgqggce.exe
2408	Ibjqcd32.exe
3592	Ijaida32.exe
4988	Iidipnal.exe
1668	Iakaql32.exe
4460	Ipnalhii.exe
2036	Icjmmg32.exe
1556	Ifhiib32.exe
436	Iiffen32.exe
3412	Imbaemhc.exe
2236	Ipqnahgf.exe
4636	Icljbg32.exe
2044	Ibojncfj.exe
3892	Ijfboafl.exe
3596	Iiibkn32.exe
1004	Iapjlk32.exe
704	Ipckgh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jdjfcecp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6776	6672	WerFault.exe	252

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4500	3224	49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3.exe	91
PID 3224 wrote to memory of 4500	3224	49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3.exe	91
PID 3224 wrote to memory of 4500	3224	49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3.exe	91
PID 4500 wrote to memory of 1964	4500	Fmclmabe.exe	92
PID 4500 wrote to memory of 1964	4500	Fmclmabe.exe	92
PID 4500 wrote to memory of 1964	4500	Fmclmabe.exe	92
PID 1964 wrote to memory of 3660	1964	Fcnejk32.exe	93
PID 1964 wrote to memory of 3660	1964	Fcnejk32.exe	93
PID 1964 wrote to memory of 3660	1964	Fcnejk32.exe	93
PID 3660 wrote to memory of 3064	3660	Gcpapkgp.exe	94
PID 3660 wrote to memory of 3064	3660	Gcpapkgp.exe	94
PID 3660 wrote to memory of 3064	3660	Gcpapkgp.exe	94
PID 3064 wrote to memory of 2268	3064	Gfnnlffc.exe	95
PID 3064 wrote to memory of 2268	3064	Gfnnlffc.exe	95
PID 3064 wrote to memory of 2268	3064	Gfnnlffc.exe	95
PID 2268 wrote to memory of 3312	2268	Gimjhafg.exe	96
PID 2268 wrote to memory of 3312	2268	Gimjhafg.exe	96
PID 2268 wrote to memory of 3312	2268	Gimjhafg.exe	96
PID 3312 wrote to memory of 5036	3312	Gcbnejem.exe	97
PID 3312 wrote to memory of 5036	3312	Gcbnejem.exe	97
PID 3312 wrote to memory of 5036	3312	Gcbnejem.exe	97
PID 5036 wrote to memory of 3004	5036	Gfqjafdq.exe	98
PID 5036 wrote to memory of 3004	5036	Gfqjafdq.exe	98
PID 5036 wrote to memory of 3004	5036	Gfqjafdq.exe	98
PID 3004 wrote to memory of 1232	3004	Giofnacd.exe	99
PID 3004 wrote to memory of 1232	3004	Giofnacd.exe	99
PID 3004 wrote to memory of 1232	3004	Giofnacd.exe	99
PID 1232 wrote to memory of 764	1232	Goiojk32.exe	100
PID 1232 wrote to memory of 764	1232	Goiojk32.exe	100
PID 1232 wrote to memory of 764	1232	Goiojk32.exe	100
PID 764 wrote to memory of 3360	764	Gbgkfg32.exe	101
PID 764 wrote to memory of 3360	764	Gbgkfg32.exe	101
PID 764 wrote to memory of 3360	764	Gbgkfg32.exe	101
PID 3360 wrote to memory of 3408	3360	Gjocgdkg.exe	102
PID 3360 wrote to memory of 3408	3360	Gjocgdkg.exe	102
PID 3360 wrote to memory of 3408	3360	Gjocgdkg.exe	102
PID 3408 wrote to memory of 2892	3408	Gmmocpjk.exe	103
PID 3408 wrote to memory of 2892	3408	Gmmocpjk.exe	103
PID 3408 wrote to memory of 2892	3408	Gmmocpjk.exe	103
PID 2892 wrote to memory of 1332	2892	Gpklpkio.exe	104
PID 2892 wrote to memory of 1332	2892	Gpklpkio.exe	104
PID 2892 wrote to memory of 1332	2892	Gpklpkio.exe	104
PID 1332 wrote to memory of 3544	1332	Gbjhlfhb.exe	105
PID 1332 wrote to memory of 3544	1332	Gbjhlfhb.exe	105
PID 1332 wrote to memory of 3544	1332	Gbjhlfhb.exe	105
PID 3544 wrote to memory of 4960	3544	Gfedle32.exe	106
PID 3544 wrote to memory of 4960	3544	Gfedle32.exe	106
PID 3544 wrote to memory of 4960	3544	Gfedle32.exe	106
PID 4960 wrote to memory of 1296	4960	Gidphq32.exe	107
PID 4960 wrote to memory of 1296	4960	Gidphq32.exe	107
PID 4960 wrote to memory of 1296	4960	Gidphq32.exe	107
PID 1296 wrote to memory of 2140	1296	Gmoliohh.exe	108
PID 1296 wrote to memory of 2140	1296	Gmoliohh.exe	108
PID 1296 wrote to memory of 2140	1296	Gmoliohh.exe	108
PID 2140 wrote to memory of 1588	2140	Gpnhekgl.exe	109
PID 2140 wrote to memory of 1588	2140	Gpnhekgl.exe	109
PID 2140 wrote to memory of 1588	2140	Gpnhekgl.exe	109
PID 1588 wrote to memory of 4328	1588	Gbldaffp.exe	110
PID 1588 wrote to memory of 4328	1588	Gbldaffp.exe	110
PID 1588 wrote to memory of 4328	1588	Gbldaffp.exe	110
PID 4328 wrote to memory of 3124	4328	Gjclbc32.exe	111
PID 4328 wrote to memory of 3124	4328	Gjclbc32.exe	111
PID 4328 wrote to memory of 3124	4328	Gjclbc32.exe	111
PID 3124 wrote to memory of 544	3124	Gifmnpnl.exe	112

C:\Users\Admin\AppData\Local\Temp\49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3.exe
"C:\Users\Admin\AppData\Local\Temp\49677d52d3e044f9cae410ad73855a8a9cd939470a2a217b64ca9c881c0c5cd3.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\SysWOW64\Fmclmabe.exe
  C:\Windows\system32\Fmclmabe.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\Fcnejk32.exe
    C:\Windows\system32\Fcnejk32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\Gcpapkgp.exe
      C:\Windows\system32\Gcpapkgp.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        23⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        31⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        35⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        36⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        38⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        39⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        41⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        47⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        48⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        50⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        54⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        55⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        63⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4376
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        68⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        69⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1552
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        72⤵
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        74⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4896
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        76⤵
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1924
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        78⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        81⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        83⤵
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2552
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        88⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        90⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        92⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        93⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        95⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        97⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        99⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        100⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        101⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        104⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        106⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        109⤵
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        110⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        112⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        113⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        114⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        115⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        120⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        121⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        122⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        124⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        125⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        127⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        128⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        129⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        130⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        131⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        133⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        134⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        135⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        136⤵
        
        PID:60
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        141⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2196
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        143⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        146⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        147⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        153⤵
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        154⤵
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        156⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        157⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        158⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        161⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        162⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 400
        163⤵
        Program crash
        
        PID:6776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6672 -ip 6672
1⤵
PID:6748

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
487KB

MD5
1319246f4028192be792faf08392f17f

SHA1
aa115ed2a615ae8bace1ed4ab6806bee367c376a

SHA256
794bc274e070f69b1106b0541ba266ce4eeb1f593a914fb6766bca095ceff3dd

SHA512
9c8cc97a9c4af557efc745da8d1e7a9c5f8855e02278125be3856601ac97c8752a7af694d245ddcaa4a2bdf271826d2fe82d6e5dc60cd36dc295039a0699cc1d

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
487KB

MD5
b136bedade87c027dea65d6bec9da976

SHA1
49305e1a4220909d62482451eb3ed638fba25bfd

SHA256
f5c200235c013c0c9c45a7404695302bd8020dc6753a07ebdeae35b79e637911

SHA512
0b6f445eba964fd7db5a14a4c2d07eb376ca3942b088714e2650821470a640881cc98f13c76bfaabf43ed1d5b57086c5c313bf81935abffb421547854b94cb28

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
487KB

MD5
298a96a410d37b48494c1ecc663ddec8

SHA1
e9957d4023645b320f27dff0e97b21cf5f61350e

SHA256
742ad4cf98c62e43b8d479c3c179155e09ab02d9e84c919a7941878f94017b6f

SHA512
26db87f0f8e44bbb5b305c7045f147680b4038e46841dd79d532b7482bd4898c9f856bd525b7a365d0c5ebfdff848987454b97a596703480a76a0f62f64eeba7

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
487KB

MD5
83357ff5723181220d38f17bc9abe4e3

SHA1
9572916dd07c9743d4fb38f25747814e69633863

SHA256
02f521902566a75b2d4d1bcf18a145ed0ca6f81dcd07b6c29d6d30a3fba71cc9

SHA512
b4b365ae5dc94bf41950d1c9e13fb775d771025705b4e329cbb18a3f44724168f8b08414f8149bdc62682843c764f22cfd49d68901ef6eb1764bd02d8f445193

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
487KB

MD5
bfcfc7d753c052dca47a67bbd989bd49

SHA1
4ea951d995cc002d699a6e29c84328b80733e8e3

SHA256
a8b0c85b318948f748516457778ca706756663f00e1f5763f978280df14c536f

SHA512
1bfa54e27c6d16d51a2384fd125f53df28fcb8401cfddd7e3e9274b6a8ca0cba91c1de2712358d9cbbc6b1d89e0855db92320f2ae405718048fa58b179007b1d

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
487KB

MD5
a74e236569bb848f7bec0081d97c67f9

SHA1
ee08cffc377632aa8186d747542c3bdb6d70804c

SHA256
7b3f3d1d15dcc19ae557bfe4b6a4fb081e66255ca4138f5cdb22282570a262af

SHA512
811851c7be2e930fbefe536109aba2fb4bfcbf4aec1a556e3bdd346401e6b20ac180073462b0b78c4e6ed1da68b66d6a9776d8038cae57e7f2270d10f5e9aaa5

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
487KB

MD5
fa3d080d83f48183a8946ad7b7444c94

SHA1
5a9bcf60c271c41c3bdc9b628c46712c76b40b3c

SHA256
f5dc3e9ab29e2e94d913310f06ebac0c0d7f257d1030002976de5d812626e58d

SHA512
950605b3a40b14ff2b697052b098d61081c240902eccefdcbbe64bd1700ba32d48a7df8847882abd6a20a75027b50d322e29d3b299c43fd2d791171c147a8d0e

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
487KB

MD5
c235a155a3125ff0e6f4eb18f121933a

SHA1
d1c25b0ccd1f2e9479380f983a34aec1d4733df5

SHA256
339f8da0831a5b02432a18ce2fb592d549c7c2843bd031c640ffcf62805524c9

SHA512
d565ce3936d5be9cbfeea52072b6de16cf3d46cda8a66f7258ecb364ed012dc0753eb7b2fed77a3a3fb768d64343365283a5aabc942a69eabf8bc7315b8f4b6e

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
487KB

MD5
a97ec47146bb7497420a294ac12303e7

SHA1
74467b79a34c32344743d149b000c5e8f5cc4ce1

SHA256
929b2b475e78e897fb76616e6fd84ce53c24518444ed00139209d32a97bd6b37

SHA512
8b5d284e9e87c7c9efe278f471f116e8a1d7322b0102091c7d7bc86466d19f3bff07cafac22125502cd018e845b60d795db2d7f99037644a5efd21be99922bbd

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
487KB

MD5
bd876646c737255be3694ad9fbee7db9

SHA1
218a1e1804abcdb9f28310b84d8eedef5dbf8b05

SHA256
0aa48f363559bc799e3dca8ebd43cb9e6fcdba0c8177b68df611bdba9886ee6f

SHA512
3781a8777bb4bf26e8a6b5549c0cf045bb53011e8a0d4932bf5c6159a1bd51800068179e4686cc53b2a33f1a1e34d3cdbb85b1909a937055a847fa5078c7708a

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
487KB

MD5
bbbf7264c30beab53aea5f3ccdd729c9

SHA1
8c9beb02084a3b2618c085dc3f702d35d6929ebd

SHA256
4b31761be7a27f5de68517a35dbecbc3c487794bc4b6095f1bba6c3ac3247f71

SHA512
b7a70fb0b61efcfcdee672b751369ea20cd4bc40e1085f04a96b645b520b1d932ef340a30ad124a8e4a7332eb6796f5ad7b53bee3c9f066d339149147aceb9c9

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
484KB

MD5
3ad1edd05fc9b14b74b42120d569e6c0

SHA1
28f8afc968f4a887fcb74c09fcbf6e630fc1acfc

SHA256
7e98f605e5f3c5f1a0bdb4d54d96c620f5ea66c78805b48ed9141ef9233f7e41

SHA512
5650b26effe683f761d9e468a931d573d50dfb0a87f7b00a7abbd66b0baa7f43f4c19bd83dacd6c9f7d3e9f8189549366c5c965f18a9846e443ed05346cd735b

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
487KB

MD5
458c7c4203fd70e28d7a48edeafbbbec

SHA1
a156520d46bcfb782a75dc18c407ac6d4d58848f

SHA256
23ac660fc3bf86965548972e22d81573000f0357817c78acaaac4a4c42e59881

SHA512
2c444fed849cda9572fbbe594aef5842aea8682199fad81a01474b8e06c055387edb430959bb6d17ef434f2eb216b6ab970ac9fae61dcbedf4d13acfe6b7d29d

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
487KB

MD5
f92ad6b35511f4aab802766af61a5775

SHA1
346574227893383b80eb7bcdf9239e6d2960f4fe

SHA256
7a861cdc26d07d790937521af1eb3ed700d0435dc689141293f46854f3c2fecf

SHA512
7af0641031dbc9698263a6d50f375853d277c6b5348884ac4f806ebd9c32bc55fbd419a2b475057f8211375ec55785c04dbf121ae5646c0fbb56c6bacd903c22

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
438KB

MD5
01bec4232a1e295b5a7a25e6d6ab1bf7

SHA1
fcde51af0eef1c6d7ebbb934eb69f6ab190e475c

SHA256
9ea7fe502bcdf443483ce8d90588de7b0c21861a93bd198ebc2fe3d1d46bd443

SHA512
42708d049b71bf7e43f5ed551638cccf15d16727722e857ea6f25bc254ce2b86604eff1f24d9dcf1a67ddc1d20015d67ff47362e39531a78da7ec7aa0be53d48

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
487KB

MD5
1b39327aa4fe4ae2022920ebd8028c6b

SHA1
cef965572815cfac7f4605741e7466084e358d82

SHA256
b2d74c103b28e129134866eb55e4ee96c86126f3aecd30250a6ce829312efa17

SHA512
a0bf12759d2e3141d75b6ee78071ac2db95c7f1b98b1160f1d8681ab47e9b68e7ea509dbfd9274bb2d5b2789c9fc5fc8cc59907402a78ff1492adb1140c5a669

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
487KB

MD5
a640ba87820aea0f291378a598350d8c

SHA1
c3dc808a54a5bba99dadfd3ead0e310fbffe6535

SHA256
a46392afffe5eed97dca3905e76d23f297fd61f4d17d2e00082f416221029a8a

SHA512
fab913e3aecc57628760fd9a2414ed7f2d68ecf0cf29413f76aa0485c67a20afc40283aed1c92d0e4f7a89d508f44f1194e6fc5b0149bc4d559fe95693928d9a

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
487KB

MD5
074a558012f8726b17c845a8211a3120

SHA1
34f9d52ecc0576c5c8c392903f447286c1fe9c7e

SHA256
23a3160cf12c7decb3343ce95a94491de21d2f64e727c738155136ec0497cece

SHA512
8e5e2c209bb78fa2b8108c2f55daa683ba3f6d00a94d97a069b63b6b84b8191f971010decb96bb71c4904f70bea63247d64394a0ec32ef5a39bba7e783fbfdf0

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
487KB

MD5
93924b5ae52c65d7eb871a21318382cd

SHA1
c66a87fb3a9ad1544db57e21a5d3602429e6078f

SHA256
949a252b366097b4656d9853ee69a01928ea8e07235fd5644b6d4a73c7a78431

SHA512
b66ea866e76281d7fea7fa0be946025ff55e06c9541b62b1d58e1cb0d0ef2e2e775a27273439e0f9566b4517cb490e04d599411289aed84ac068cad537204cf5

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
487KB

MD5
9e5bfa0d516f37596929f9ef7fb12b9d

SHA1
fad03e1834567b7d5bac0d424ac943503a2a5492

SHA256
d3a9b12fc46d68d3626cf92d6a9b06dc311bda0c45b0e6b235be35f75dc01112

SHA512
d279a19077839d8e00906c0364b043b728819db8c1f9930864aaea51e3a9dea6a8bfcbcf1cae1001f80f9da000c364407cc4e2f44f784a20685b37fc83566a4d

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
487KB

MD5
b1d31907c1f9f701ee2e0196f5f7512b

SHA1
b4f53129621bacab20f1b970fef2eadcb41fcafb

SHA256
2e293418eac77928431d221920412ae1846c7e885a513983eb1d28be6eb11f57

SHA512
31dd87cf9176bb2a912ba9dcf01f847166f01fdf2a84fb3c24d1ccab129b7b258d16d13ed50f86cdf72457a3bbe44ba6ced8449eaf4e0d7b39d2574963464223

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
487KB

MD5
3002d3c24a57228bc3e3b93dce0c0a38

SHA1
3db9182295e32ecb771874264087b59103168c71

SHA256
7d71293f5070145c09bcafe685a68902da9e84d5d0720896914fbacd54ddb4ab

SHA512
952a94b1b72e0c8792b1821044665b076f10a07beb8e9ede1cfc1e6c119004b2cea78bdc3d0f96352c62b8b4fb946e1083a00cef011bf84b8fbb5ef769e8b593

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
487KB

MD5
f5d6e8e1259c360f26c63a4c85f96cf7

SHA1
24fb138a172f56709114b17d598cfaf738a263a5

SHA256
26b755a9ee861d0568556b4b101a87b79edd7eb798fbaeb5d97dc47da21fa7ac

SHA512
d15ab9f0ab200672db2243aea779a76d1e09ee48f67cdd95caa5c9f802577113468f3265e6c0e1cd6f11d90c40199587311603c2f65026da9615b853fb393e22

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
462KB

MD5
3983dfa34a9dab83edc1af371741e9f2

SHA1
b156133d70a9121192082651341bf0c70da21a24

SHA256
7612e02a1cf92236574e3c1fc65b6c426d902f78e0f1b8698aeb3b83e927f89f

SHA512
4890997d2957ac4e85b9899bf19dcf12d978a14e9cd02140bf171f6f93d9cc62fcd7e534ce6944ee877434909b093c96a07cf23008ec66cf63058aebb1370ea2

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
487KB

MD5
73d47ae74236343a71b6346ad27c720d

SHA1
60ba31fde4716c38131c1df8cd4289309320b25d

SHA256
b0fde2588b0e32897502a86fd596372a4644bc25a87e1c3870136931acbb17a9

SHA512
0af0fd47100405e29dbc648737680f5e29fb85dab958a22fc0ba3b4fc385b607e224edba3c9be17c5fa16dedc0bb48aaa8765fd34e1226d460530ce843964bf2

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
487KB

MD5
31ef8a8f602113ad330d255d6d1ce83e

SHA1
685153c8a63f225fe1dbc6d038e1311cabda91d9

SHA256
297784731c29164c4b254e8992ff3c8f73670a8a250b1318c217dd2fbb998bfa

SHA512
543765c44b0c9dad7fde5c7bd0dbdcb2e3d528148f73afb6d325a6d2f731eb3fee2e17713aa4679751bd177041998e2b3c7394f6b4141063a2b766be142d1456

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
356KB

MD5
e2dd0f1aecaaaa0296399c86bb1965b5

SHA1
0ced9f48d990ee5adaecad18d12447ef387a5619

SHA256
110dac67a060dad64f65b215c9f40dde71983ad911667cfb993e43b9bb020471

SHA512
129740eb3e93919d64a3189aee05592d5df10530b6861abb9f7be8269564dc74ce197677417db184619de0a2dfd64998bfbfc5d023a2bd1d72ace8f46e8a9d45

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
487KB

MD5
eb69cbfcf3318872a7fd418998670fe0

SHA1
2c1751937bc6628bdc88e6a3a6f36d7d06e20fe5

SHA256
5514aa1fb4c0c67b05d776553d1cd5c7cf06436153e6bb15650372c810c8f17e

SHA512
b6309bff1fa5cb30c8636cf34285e0bee7f7f68802db889ab35c14a825c9ced29be406685d769d104125216c8d5aabbd44f230c7c72826e85012745b416466d0

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
487KB

MD5
a5455ca1178fb3a8f5a813aeb745cff3

SHA1
d08fcc5d71e15a3ebf8755ec80f03516a45c28f7

SHA256
afe0edcfeb993796b483ca9fce6721a798cfaccf7f07fe12d0281239811833a3

SHA512
ee8300fda9b02908a2082d98f9fc54dc1f45b100a16c2418ed6cd9d734f19fcbe3c32bebdd372f20f0d5f42bc63cb218e3386eb702889c2477c2a0994151ecbe

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
487KB

MD5
1de0ce2bd6a78563e4b43fa13cdd57b9

SHA1
23d0da2713132422f748832bfed18cadb84775d7

SHA256
1b247b1eebc5629fccd806d7ffa7853f50bdf4fe5698d2d43f6d7e080cd4f6c0

SHA512
10c07f7962696f88d151d5997d8b9b26aa75e10987d60090f00bfe03bd0009ac688c58c0ed33a57efe84db52537f59fd6d066e9bfd3b5e55da7615681061a3bd

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
487KB

MD5
bb74b00dfefe410f31c358f1d8f8dd78

SHA1
f453b61cd87cbb8e5016436d1f364d863cf77e93

SHA256
b8366b3c20041596a037cb0394b874eb53f30ea648a77c56cf53b02ba617af25

SHA512
fc6855fd81679cc508b58ef36b57ee6befa45b48d26de28565ea99c48416ca57d04af3a4245fed6f83bfab2ac2898ed5254708727b851a99e2ac9e9f621c8438

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
256KB

MD5
0eb72b70705b9c09a9e491531e542bdc

SHA1
ff4d120194ab098ccb9a2485d5b298d02488bb7b

SHA256
5d545b6074e16bca2393ef531587e91f87ea07f8741a6faccde9841f14023612

SHA512
5ff4a791071c937a846768f0b6886c6ba616ce23a7c76437ea63b7c3a1caf172961c1ea39572b71fb22d972b22413cba4899da0842e5322d25c1c9a5258f4ff8

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
487KB

MD5
19aa3224b5b54702cb4684be911bea26

SHA1
32c20c9cf191d6f712fb780c3d5bac65bc66ebaa

SHA256
e2aca13c82369cd789ef8a0b4f0430c67c4f8e1dadc6c327032e9c1d70d5e18f

SHA512
6d9179086bdc1418bc29a8f0ca2178231754d14bf6e256c6519ec82045c48ddfdd03f4004ec6cf9a627f4339110c910023a107ebe011aec41448ca79d55d8fa0

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
487KB

MD5
b6219dca74ba3dbfd6ca212acd4d3dff

SHA1
056c837d0b18d0ceca7169f33c76af86ba9a9f98

SHA256
0eb59c5eadda85245f6d64dd279e50e244f8ea442baf21429699d546f383962d

SHA512
4b62485ad8b1bab788a3c24bcb9ca7abe2d2cd722f9f02588ef89414ab486b5d208ef0a68b428fe7f88222f2b8ed65436551905eceeb4fe7b1941f33d7484513

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
487KB

MD5
978d8a68975a17b514809f3439fc519b

SHA1
45ea2d9018d0e5767042ceb181b36c2e33778f9e

SHA256
e08edd8246a842b510b8cb9ec4b68aa8cd1ed8da0441d4bdff85d7e4036c8fb8

SHA512
5ce098d9558413120641fae6d925a4e482fb8f9e215ec5dcbe34c3a0efe25b10a5d1ac9b754f3bf6e18efc250110d2e5472a351d00fe98b502d61cf521d898bb

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
487KB

MD5
663d95f6690ceb42d98fae32a260b1d7

SHA1
6750c5c0d5d4f7e2ff80b77c4c275bdad76ff4d5

SHA256
a5cf276d4d86b7d6b062cf06f8ece6cd0c677f0ab32adadc5c139fba32f99fbc

SHA512
687f15cfdd921e538a13eca3426e6fa9793d2e1754fa080230244e4b59b687d4b1f2e727275e1b74143d4a131e95a0a9fe81ba4df9b9adbc4c53505c1260499b

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
487KB

MD5
75529d4557b4f2546bb43cb9a2e59b82

SHA1
54e1e74397b66cfa74a989dadc0e37c888692b7f

SHA256
d3def19be85eeaf8d0734badd8ada154d201a0c9ded4585a6b394612fc91c90f

SHA512
1500909812a2d4c9bad480fdcfe9fa9fa36d2a309cc87a44910804654d92bf6cef37348a3827b77a07d34d49aa39e8094e7b863a1b7f608656cc36e3e78d828f

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
487KB

MD5
5a6e63658c35c57c4aec6212fb1ccc82

SHA1
fd12d5470aff6345f4e6686f1fcf03431d7d7c32

SHA256
bd9364af315bf83005e38be8f27e056b89d39dd22181a45eca2fb351f3c39b89

SHA512
e78a1b79639df2b0ef7c4b7d28d679b1c3d0ccbacb74fa270fdeb153869a6537425799436b70ba6ef0d3d2b0b4ce6fa1557a99b618564cbab44b73bf9eccd311

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
487KB

MD5
e8da7080cbc32cae6c3731f8a3591db4

SHA1
697fff78b7bd30aacd8147d9ae2f744f69c1d69d

SHA256
b07ddaa8259ed247d547298bd0ef5f3de73c1a46ba37aaa3b21c4a3b4ba17bc1

SHA512
9deb64d8fd4e3ffcee552d75228e1728de2148b0b2fe9c8f6a4113e71722687d8b2df48444378c0606e88ab7c2651c7fa8e3ef8a120e686c1489ea904b64dafc

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
487KB

MD5
379aabc92163df754fde183dc978c2d0

SHA1
30b9acfd361742f5c5d70d7e58bc3f039a825798

SHA256
e0832e739538cbc4bbc1d862168c417c45a2b68dcae777746ce6595ad687dc6f

SHA512
5d4acdeb6028a07cbd20f4aa266269f89b07a2d4b8ffa2c3ca5df37465eeb1c2fc554e991a505794b0d955b31a6b01165ea2ad4c1af98f7484dc7d2b76db08ea

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
487KB

MD5
afe0bcb6a8859a72a16a7d7cfcddc81b

SHA1
4710f80cb09f52ae72414c3503b6e476a7ee9f11

SHA256
ce4d4555baf756460210f17ff5174ab434990ba811ceb4c30955d6ed67a6337a

SHA512
7ae38e3d2bee7da091cbbd4e2b17b40d7a59b5fbea4e7862ed0fc07bf9a2a0936de275451fb78afc2e49f66206c333ef9e0cb1fa4e709d9cf26b608d0927224b

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
487KB

MD5
9160b044fe55059cab4c67faa01d41eb

SHA1
e8f44959a85a0735b974f46aa857e13ca7b9b8ad

SHA256
708cd386689142d6735f389c020290a8b32ef739fb8f05fb43d612d7b2ee3708

SHA512
793e7c0b66971a4af09d496d4c8971b9585ff37af90fb7e8e25f5fc2167df9741b0893ccee8392fe82e6b5d946897036aac9db41e0bdb6af5ef6daadb591113a

Download Submit
memory/436-533-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/532-482-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/544-446-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/764-414-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/972-459-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1004-545-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1232-549-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1296-435-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1332-428-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1524-468-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1552-555-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1556-532-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1588-438-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1724-451-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1752-573-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1812-518-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1892-503-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1964-17-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2036-531-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2140-437-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2268-41-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2408-519-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2440-504-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2496-454-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2552-584-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2620-478-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2704-475-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2772-516-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2840-510-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2892-427-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3004-70-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3064-39-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3068-469-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3124-445-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3224-5-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3224-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3228-547-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3312-49-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3360-420-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3408-425-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3412-538-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3472-453-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3488-550-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3492-566-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3544-432-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3660-25-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3784-461-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3852-557-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3868-565-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3892-540-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3996-567-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4108-558-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4328-443-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4440-548-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4464-514-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4500-9-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4528-462-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4896-564-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4960-434-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4988-525-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5036-59-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5132-589-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5228-591-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5284-592-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads