246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926.exe
Size

198KB
MD5

f4254e55632f637461ba1d579250b23f
SHA1

69f31a95a4927ec959bb475b2d41c151a27311c4
SHA256

246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926
SHA512

42aa7f1d5bb874142c617766a98337b2330690e05d71c82d50ae4bcb2c8ccf9c71808fb0c7142aac76d82638298b91b80af63203374124f311a72765b79cc8ef
SSDEEP

3072:4YL+AZKOfu63xseCuY1dG1+ih4Sp+7H7wWkqrifbdB7dYk1Bx8DpsV6OzrCIwfE:4Y1gCY1y+ihBOHhkym/89bKws

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe

Executes dropped EXE 64 IoCs

pid	Process
4732	Eckonn32.exe
4464	Efikji32.exe
208	Epopgbia.exe
408	Eflhoigi.exe
2448	Ehjdldfl.exe
2524	Ebbidj32.exe
5056	Ehlaaddj.exe
3888	Eqciba32.exe
2312	Ebeejijj.exe
2156	Eqfeha32.exe
4756	Ecdbdl32.exe
3384	Ffbnph32.exe
1048	Fhajlc32.exe
2652	Fqhbmqqg.exe
4312	Ffekegon.exe
3148	Fqkocpod.exe
4104	Fcikolnh.exe
1816	Fjcclf32.exe
4028	Fmapha32.exe
2124	Fopldmcl.exe
3324	Fbnhphbp.exe
4452	Fihqmb32.exe
2632	Fcnejk32.exe
3876	Fflaff32.exe
1448	Fmficqpc.exe
4072	Gbcakg32.exe
3756	Gimjhafg.exe
1724	Gogbdl32.exe
1648	Gfqjafdq.exe
4624	Gmkbnp32.exe
2452	Gcekkjcj.exe
4280	Gjocgdkg.exe
4392	Gmmocpjk.exe
432	Gcggpj32.exe
4800	Gjapmdid.exe
2896	Gmoliohh.exe
4472	Hpgkkioa.exe
884	Hccglh32.exe
4820	Hfachc32.exe
3064	Hippdo32.exe
4188	Hmklen32.exe
4008	Hcedaheh.exe
5084	Hjolnb32.exe
3540	Haidklda.exe
3552	Icgqggce.exe
1268	Iffmccbi.exe
912	Iidipnal.exe
2128	Ibmmhdhm.exe
4932	Iiffen32.exe
2536	Ibojncfj.exe
4760	Ifjfnb32.exe
2088	Iiibkn32.exe
5104	Ipckgh32.exe
2480	Ibagcc32.exe
2300	Iikopmkd.exe
2556	Iabgaklg.exe
4516	Ipegmg32.exe
5048	Ibccic32.exe
1036	Iinlemia.exe
2696	Jpgdbg32.exe
4032	Jdcpcf32.exe
3392	Jjmhppqd.exe
448	Jagqlj32.exe
2396	Jpjqhgol.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Fbnhphbp.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Efikji32.exe
File created	C:\Windows\SysWOW64\Ampkqqjm.dll	Epopgbia.exe
File created	C:\Windows\SysWOW64\Lfhilofo.dll	Ehjdldfl.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Ecdbdl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6832	6724	WerFault.exe	245

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4732	3440	246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926.exe	89
PID 3440 wrote to memory of 4732	3440	246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926.exe	89
PID 3440 wrote to memory of 4732	3440	246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926.exe	89
PID 4732 wrote to memory of 4464	4732	Eckonn32.exe	90
PID 4732 wrote to memory of 4464	4732	Eckonn32.exe	90
PID 4732 wrote to memory of 4464	4732	Eckonn32.exe	90
PID 4464 wrote to memory of 208	4464	Efikji32.exe	91
PID 4464 wrote to memory of 208	4464	Efikji32.exe	91
PID 4464 wrote to memory of 208	4464	Efikji32.exe	91
PID 208 wrote to memory of 408	208	Epopgbia.exe	92
PID 208 wrote to memory of 408	208	Epopgbia.exe	92
PID 208 wrote to memory of 408	208	Epopgbia.exe	92
PID 408 wrote to memory of 2448	408	Eflhoigi.exe	93
PID 408 wrote to memory of 2448	408	Eflhoigi.exe	93
PID 408 wrote to memory of 2448	408	Eflhoigi.exe	93
PID 2448 wrote to memory of 2524	2448	Ehjdldfl.exe	94
PID 2448 wrote to memory of 2524	2448	Ehjdldfl.exe	94
PID 2448 wrote to memory of 2524	2448	Ehjdldfl.exe	94
PID 2524 wrote to memory of 5056	2524	Ebbidj32.exe	95
PID 2524 wrote to memory of 5056	2524	Ebbidj32.exe	95
PID 2524 wrote to memory of 5056	2524	Ebbidj32.exe	95
PID 5056 wrote to memory of 3888	5056	Ehlaaddj.exe	96
PID 5056 wrote to memory of 3888	5056	Ehlaaddj.exe	96
PID 5056 wrote to memory of 3888	5056	Ehlaaddj.exe	96
PID 3888 wrote to memory of 2312	3888	Eqciba32.exe	97
PID 3888 wrote to memory of 2312	3888	Eqciba32.exe	97
PID 3888 wrote to memory of 2312	3888	Eqciba32.exe	97
PID 2312 wrote to memory of 2156	2312	Ebeejijj.exe	98
PID 2312 wrote to memory of 2156	2312	Ebeejijj.exe	98
PID 2312 wrote to memory of 2156	2312	Ebeejijj.exe	98
PID 2156 wrote to memory of 4756	2156	Eqfeha32.exe	99
PID 2156 wrote to memory of 4756	2156	Eqfeha32.exe	99
PID 2156 wrote to memory of 4756	2156	Eqfeha32.exe	99
PID 4756 wrote to memory of 3384	4756	Ecdbdl32.exe	100
PID 4756 wrote to memory of 3384	4756	Ecdbdl32.exe	100
PID 4756 wrote to memory of 3384	4756	Ecdbdl32.exe	100
PID 3384 wrote to memory of 1048	3384	Ffbnph32.exe	101
PID 3384 wrote to memory of 1048	3384	Ffbnph32.exe	101
PID 3384 wrote to memory of 1048	3384	Ffbnph32.exe	101
PID 1048 wrote to memory of 2652	1048	Fhajlc32.exe	102
PID 1048 wrote to memory of 2652	1048	Fhajlc32.exe	102
PID 1048 wrote to memory of 2652	1048	Fhajlc32.exe	102
PID 2652 wrote to memory of 4312	2652	Fqhbmqqg.exe	103
PID 2652 wrote to memory of 4312	2652	Fqhbmqqg.exe	103
PID 2652 wrote to memory of 4312	2652	Fqhbmqqg.exe	103
PID 4312 wrote to memory of 3148	4312	Ffekegon.exe	104
PID 4312 wrote to memory of 3148	4312	Ffekegon.exe	104
PID 4312 wrote to memory of 3148	4312	Ffekegon.exe	104
PID 3148 wrote to memory of 4104	3148	Fqkocpod.exe	105
PID 3148 wrote to memory of 4104	3148	Fqkocpod.exe	105
PID 3148 wrote to memory of 4104	3148	Fqkocpod.exe	105
PID 4104 wrote to memory of 1816	4104	Fcikolnh.exe	106
PID 4104 wrote to memory of 1816	4104	Fcikolnh.exe	106
PID 4104 wrote to memory of 1816	4104	Fcikolnh.exe	106
PID 1816 wrote to memory of 4028	1816	Fjcclf32.exe	107
PID 1816 wrote to memory of 4028	1816	Fjcclf32.exe	107
PID 1816 wrote to memory of 4028	1816	Fjcclf32.exe	107
PID 4028 wrote to memory of 2124	4028	Fmapha32.exe	108
PID 4028 wrote to memory of 2124	4028	Fmapha32.exe	108
PID 4028 wrote to memory of 2124	4028	Fmapha32.exe	108
PID 2124 wrote to memory of 3324	2124	Fopldmcl.exe	109
PID 2124 wrote to memory of 3324	2124	Fopldmcl.exe	109
PID 2124 wrote to memory of 3324	2124	Fopldmcl.exe	109
PID 3324 wrote to memory of 4452	3324	Fbnhphbp.exe	110

C:\Users\Admin\AppData\Local\Temp\246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926.exe
"C:\Users\Admin\AppData\Local\Temp\246e739a38b4aba2a1fe1364a1b7e91463cf72229bd3c7a9ffb77c10c50e9926.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\SysWOW64\Eckonn32.exe
  C:\Windows\system32\Eckonn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\Efikji32.exe
    C:\Windows\system32\Efikji32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\SysWOW64\Epopgbia.exe
      C:\Windows\system32\Epopgbia.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
      - C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        26⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        27⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        28⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        32⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        35⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        36⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        37⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        38⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        40⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        42⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        43⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        46⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        47⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        53⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        56⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        57⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        64⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        65⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        66⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        67⤵
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        68⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        69⤵
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        71⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        73⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        74⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        75⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        77⤵
        Drops file in System32 directory
        
        PID:3900
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        79⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        81⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        84⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        87⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        89⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        90⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        92⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        95⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        96⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        97⤵
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        98⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        101⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        102⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        108⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        114⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        117⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        120⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        122⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        123⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        124⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        131⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        136⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        137⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        140⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        142⤵
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        143⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        144⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        147⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        148⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        150⤵
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        153⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 420
        154⤵
        Program crash
        
        PID:6832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6724 -ip 6724
1⤵
PID:6796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
198KB

MD5
ad015e5dca7835d007c03d1dcd0b6dc0

SHA1
3ab7c18714e81a95418dbaf1538e0b17fb82a9b8

SHA256
af001465d649dabb76e6b65cfdf080665e19d0240af2a234895c83eac19e9812

SHA512
0023fc6efc2dd22dd4fb5418e2091012d45e2f30657601499ac7e4b44696f6246f4642ff638cba8ecacd5997fe1792d821364c48f39d7ea61a474f978514e858

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
198KB

MD5
86f6f8509194965439870ecdbfd17e18

SHA1
c2bb105ff4cb8097159b150632a0030ad74880fa

SHA256
1435b30b0d705f6e4a980587ad2ac6c7491f941f2eab0ada453bc8421b79061d

SHA512
0a9450ae957cb96da4667d1e028ecc1bc7ce3eaa6a8f28afc4ad3ded3cda5415eec4162c631109db0b322051a746a0e02b128ce5221cc96bd90c7795a862c4e3

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
198KB

MD5
cd3c41dd2a0d1bb6bef37c763b6b4b9a

SHA1
d262c8e95a338a13a0bb230bd1e368e46fe8b3d9

SHA256
8a52605290f19ed2bfa1cfc12873178aa4202e07657285dd5437114b2553b0f8

SHA512
efb07ffe2aeeaf0614aae0610cfbacf13c13bae3db9d1ca51447d77634d15a9500f5bd2145d41855356a04cb35f5acf3e6081e136bbcc138763462061ee37316

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
198KB

MD5
2e0f53913aa86b6661752c0a0edb00e5

SHA1
3f5446a93994f4a9a64985d5531423920b1c38e1

SHA256
347fe96495378f20363d70ecbf00c10e4302925cd38882e6b57b574a9fd2c689

SHA512
1fd68a213a1bf892302689197a1f2c82bdef7578c2d701f91aa92e8caf028fb6bf18cc0a379f29145c97daf5fc9d1e9e4bcd8a1df04d0d2471c6d44241ab9f5a

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
198KB

MD5
1956297542f98c4f16d8e5b6b7f9e014

SHA1
44a5363a4ce089b73239f0c7ba6b70ee121374cd

SHA256
8a0490a38f98295a338b7c32f9366f7a9c9b1bf2d1bf946a164e7461c2f1e128

SHA512
7f13ca36dd384fca432ceaa3896c2fe718a2bd98d939696357f178a88d66d5dad2bd3b443e374089f1e2cd8395ed2bdd58150a5a76ba0ea273cda69170eb42a0

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
113KB

MD5
a0ddd34f62a4f0116da41d3851b7a64f

SHA1
7682b3cbfefbda0be4a1316d5b38bcb268471cff

SHA256
43bf46877b55f07976132bc979dca3798a6934465523f4c08e6ade2a04b6806d

SHA512
b51c23ca1e728e50d73aac4e7c3aee2f95d1702f5aab8644c0d5f403db426f9d08f252a4011465eba7eece8353449703187c61d3150563eb478147d6d5553a54

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
198KB

MD5
a8e08ce05ce1bfd66df43175e5b57782

SHA1
d2e6d57777937fb27e4878958de4d709e7de8b08

SHA256
950108037837876dac9d8d8711b65a351381d59dc77bb455d4ddffa49f441e73

SHA512
27c6dd7ddbdcfb898bf816d6ab273486196b94a13b362e5b7b7fc23b0d6ba730d6c867361085e0a5af3911b5f72b2380d70a21ac13488f5e40fa459b2142f474

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
198KB

MD5
6d6e09371817108fde9b3d077eec148c

SHA1
a8d3bc984c505f3b9b8d0187d77585625a579710

SHA256
a6d1d855ae38f15a5f46f4673a9e8b09d5064b53b3a4e9420c4b8247ef2ff55f

SHA512
5714735642ee7aa8ad7ddf38c71b16d77fd89f1ee770f8f0247b439f76fc1e9c5f71d0f50287d1f784ae8c0f0411d6a11f446ce1fe68cfa33816fed7cb47b41b

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
198KB

MD5
4ec107cf266b5043036fcc31208ef5e3

SHA1
7323a63fd5dfad86af02d1c0fc52df1ebb19baa2

SHA256
3032b0c1a4ff947bd75e6fa1efebbacd04d83e65cea030d3a4b840079aff9a56

SHA512
0f09739fe203419d3af5ac48e86ca953950e00eb861b007f2b1acad48063c80e07ebef32f041f721931e02deead4a1a3aa9135ad8885e0b45fdf0eb892f5c117

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
198KB

MD5
feaf3d0a75eb1f668d8bc8b7d8ff39ff

SHA1
1ce613fbbb99872dbee9ed269d3d9ea5600ec199

SHA256
da0754ee8f457d4a286746b04fb47d64f10828c2fe161b6642dcea642a0b0602

SHA512
723a675514bf90732a069eb4784eccdd55d53f76bde2bd50156be1a88d99d83c7e8747703db867708b2a4bc44fa8f9f3e95d9eb3b4d39372838567abf91b4e37

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
198KB

MD5
d784f4f33fd27734e90e1339e73e9d77

SHA1
b70048a1f16080fb85b9c622c6675fd369a46d5a

SHA256
dfa4436366ab86060089bd937bc045317b7552c226bf0abf15e80ac31c178662

SHA512
4ab00db621cd8c64bb1b9b92f8f3eae09b1862981bbf467690fe3e44d0ec28c3a830d4917d8f081b0ad3853b757f55000e73e2195e2458b0d78e159d1b6a7df4

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
198KB

MD5
62f7ab79a5057821c1e4136891e26689

SHA1
2d0bbf2159da6ead3ce89f7271c49a3486b06286

SHA256
3e5c8b5fe6874c553ca008eb38100a5d573492334e6c5a2c2a040ab2076976d6

SHA512
dc744acca5e69d6d2b4f12c76be5eee0d8027e531ea2c963d580c52f83ecc56a4cdef79594ee93b7ffdba3827b8e926e24df2dcbefb447672cbdb5cb36a542da

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
198KB

MD5
f61d707c906b0da126116e4e8d8a4b28

SHA1
4af029dcfcf8bb00ca4f84a4055b0c8a5851707e

SHA256
b1d22c92fe798088f999ff946aa68856dba7917d4e3bc1f552e3883de6e8381e

SHA512
bef57396b173d7004eb0ab29c44730d5b67dcf2e5007ae7462f8fd12f38e2477acef1c1f678091c1c5a8cee36c2c3b4f52f4642aba9e9e644cae4360a8b8258c

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
198KB

MD5
0aafbf3388e06638a93aeab394d3143f

SHA1
680e1b87df381e6b010648d1b311f9dbed6baddb

SHA256
f8ff5207880515096146732bdfcdc7e4fd4cca0e49c2a23f1de4a92ba0c44cd0

SHA512
ea135d2b0add075b45ad9f533a777ff3e0312fa89f0ece6df850aa1f36dcfd12e0b56ae1a23598c94fb7ad91a808152ab8e9377b9dc11cca372f5a1055f7cdd0

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
198KB

MD5
92f0454903a5c559a8dedd59fcdab960

SHA1
aef7f42cfe3bcf2077fed76f83e68e301fc11f1f

SHA256
347f6733d3150e31e2fe02832500d78384f3a31be95f44ef33f5ed28a4407875

SHA512
5972fbd1c0c37887e86fb400901498c0bd15abc387e5b270bbc81686c04c98e6c4f77471d8ea0c2b4f52d27d799528dcf6348bd51e22123229d64cd20ffa48c0

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
198KB

MD5
5c29a60c2335caf45e5097c3a959860f

SHA1
e78352651bde6af8c10cff1cf58b364827031359

SHA256
70a1fc04a981f89cc32c8fba1fd48cda2fd4ca68d800b614d7ca120d3e6fa488

SHA512
f0388c569ab2959280e950c5e0943367e2e790e26be8c798209fa67e3bd49a0b6f1a4c27791bb9a3c4829efefe158b8eb3c3ea816624c50f1bb395d668390c70

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
198KB

MD5
d186ccb49359e517d085d456a583de8f

SHA1
fe4ed11200fa78371d6fbcb57e5289387036613c

SHA256
df260f72c1d46deeaf64a366beb0ed0c7b009fe6abcab41662655fdbca13d0fc

SHA512
6065b9ef589378f409e02bbe6f05ee50c46a12ea9f7170bbc37620f01437a3aa97874c963b398fa5261fbcd170cb6dce278da3b6c313aa157c2edf478ccd4111

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
198KB

MD5
81dcb2b1835b910cfa3a9c8543e7a204

SHA1
59d6151cb75968e8163239986e63ac6be6c2cff6

SHA256
b9c4e1838e2381290d022fbd37b7616bd05359be50223ab27eb48353330b291a

SHA512
2c2e3a58b0e0ea3d4b215605af9d6489f1224c7510c8f66b924e307079768baa7ab7c06550dbed1e7e559952417b61d3044f428dd4242b20cce78cd32d430dc3

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
198KB

MD5
fc4a4c386ef67969efa7cb255be982f1

SHA1
b4cab28a3c2e6b1bbcdcd1e0c9885121b1377801

SHA256
83116ce8c582a6312910b86757de5b7a47bc683394282998dca850aa214ce029

SHA512
229cb392e1d502d0771c406dac6681a95603a353550cc0e16f90011678920f6d74e7fbbe969b2eb27ad0645e5db046ef007c82c3d3da573fdffe2e71a19ef1b8

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
198KB

MD5
994f454687852a0aa0cd4939522ff4aa

SHA1
461b509b8ebc06d3763e850c5cd0ddc7ad3d5b16

SHA256
006535be612c9f33a7edae488434eb4fd3fa9a4639e555f7dcdf7f8dbcdeb91c

SHA512
788f705715b064eee5e93a84b310dc8aa078c1c597eb3465dddb6e75d8fb53624271133ff6a4820f3937158a890007f6fe1f28f32f339c71893a8c741863a449

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
198KB

MD5
ddd71d23996625807d848831d9899162

SHA1
0147f59725af79799ec60621236a4937037551b5

SHA256
85eb424c3d7529c8eae80a3ff50cb748515f2e98a83bc1e02ba3c69a87f28eab

SHA512
f959da2cd5bd435ac57aae21e39b1753f8ae897f0554be812435db0bcee894ba4d5055e9795de658896f7a8c4491419e0a3c7ccf03e196c1b77da16185446a9c

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
198KB

MD5
e7063f1098b504db1b44300e9ca13da1

SHA1
d8f12f3aedacaa192bc8eb3652a49720fb0cb836

SHA256
efc87759fb33745a717af77df7f9a3dc21814838a6d635d626a4f59a59e0a1a9

SHA512
f569b4980028c03096262ec4e1f0fbc91f59ac9b19f0592b98518e7a1c71fe49679556a8629be94b597e98d38e80a8a81bfe6ff5131bdcc07a08cf20c0ca6505

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
198KB

MD5
a1366a13a70210a4c2c96b2c805701e6

SHA1
e43f44262b05c255b66cf6868ed0fd7896325f01

SHA256
1c9cec2a4595ce7a5d71ec5315577d7e1d34b39d53c5560997d76e538a6cab3b

SHA512
adadf60c17491e9c5d0f8799aaf69d9e14bb8964bca6abc9eb2686ab64bde682f861f7165daf0000fdb338a71d8e21f4ad26460834894bc2dee6b471962b38ac

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
198KB

MD5
1289c2bf86952b223d5da482d8f75a54

SHA1
b471e7898f6a456ca2b7b405975999bba36eb6b3

SHA256
2fd6f0c5031f4ec7ae08db26bdad10bb91a842a6def7ae286ce564c6a2487dd7

SHA512
1c2dbfe9b4cdbe24f37daed43ed3cb75ae1b9a2a24088c0f412eeffa09376436ab550cc31f0add6ccb4a9ff59081d8f7668259d4ce1070e7d4f39975e447d345

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
198KB

MD5
86c2c999a290814e13446d260be4701d

SHA1
1d449e00981440ba663b533071ea54768af2b227

SHA256
2333a228d8737f6ce75a61718a768f57259a8f8f5b69f1a6a22d37756b828228

SHA512
4cb91d68066d95c3329ef179eefc61918c8a29d4d4368ad14069a60e150954646788069674e729892234ac72f2b35c83fd824e62844304126cf848c9f11cdf95

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
198KB

MD5
49c4017a5e63e0e362c7853bb7ea1da7

SHA1
c5bc3fc475f106dbc20fff74b98d541362adc6eb

SHA256
730d9b0f3dbe205133122c0247c4bf87f07cfef79b31ad5638cf9dc3497f9cc5

SHA512
d70fb7668a66846d6b8650565d15ad17e365b9368f0c245706ab0109ec8a77fcac3e3d1ed2a9509116010cad0ee26eae4e5a091b71b8b41921dddde2c76e1464

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
198KB

MD5
41607ffbe3feedb451898b08e3621cb8

SHA1
2128267abb9faac137cd2ccef29222a15ea94813

SHA256
139fcec3564bee67abe535d9daa5bc20a19e9534a06a27861866afee2b5d6547

SHA512
11af2e8163e81081567a9dd1c2cdb5c1a8859a96d62b303ebd64a2284273b4fbaaf47444e53776f59f3ab7db0ac7f47eb7068b656a071a63c4a086fb37a0674f

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
198KB

MD5
ed94585391c8f2d11f09d5bdfe24e7d6

SHA1
197e544a7c38eb09f9210469dd315c3b0edd4369

SHA256
31eecafb3fd6e1a73a4d5c4483870e137972936f1d6624ac81ab8a7b685834ab

SHA512
e594c6c59ae91984cf66b4faba9af948b088adcc1ca892bd70088eaf6bb44b3c95a6c0b70aefef9ef9f95d7fb0e5b68b8133e4057fe3fd2371944bdfe7d0ddb1

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
198KB

MD5
c1e34d1a2a5d117a5137756565736443

SHA1
fe6d8d0c3b7d5ac2164e6227c6d69188283357e0

SHA256
8d7bb7d3b0141f0f33d9ea2094daaf175152f30d2d7c4c08c8c10eb9314cf665

SHA512
0f1b18be15424ce95829fb0852287241306653ad5c8f42e494bb36388113a500a2f383a47ac041c7a282fd5f13e7aa134a54b0e6a361c1010bfe1bdc4aba3456

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
198KB

MD5
5feb1f49c6a96d306ec07c2fa26da50d

SHA1
a5011a83e4c4bc7e280fea3510bf1dfe59e543c3

SHA256
4052527932b3a2b8ec0d657eab3feae197a1ad508f13fd2daca459a13b780fde

SHA512
fd0e525de11cf2cff0c8e136c919b1ef3f151d180b6761774552b90314588127b109f291d3cdc0a4c40c41f7b98a3babcc8566c33e7797f4c0bf5cf161f0b109

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
198KB

MD5
0727beed55f882f1cdfa962c8f0459bb

SHA1
6de02211a756a6c1d8e6c739a00f7411cb89caa8

SHA256
e3ec1609da8fd8b00c047ee1ede2eff471d43a2a66bce09f6cef712381ab338e

SHA512
2229990fe437b6fb64b44137c8672f1975839ca8b4638a650d1f4eb601bc1aaad6d3ddee2a510776a7793530bdf270b066b039b361f7f548fb4960924756873d

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
198KB

MD5
8965a0b1e22514d2c886fb487460874b

SHA1
178a3f3a62b1f66cf73a47e58c21f86057476d6e

SHA256
4dacc4a61b420174987e6ff58830e458129282c73c69e342323f991f87f405e5

SHA512
dd6ae80ea9f3e516488e805165bd1e8060987f060682e517120f41e65d0b71db176d1251565b34d6ab52675d9eefbac2c21671bb3210f589f644c06dc4e24a4f

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
198KB

MD5
a7c92e7c442c6072a7ca4939a4a764b7

SHA1
303c5a1418f4416c15c0c4da35b8c0764b942f1c

SHA256
9f5876c1cae826fd39813e4e8e66742e7375c54dd965dc330ea8bc43eefecefb

SHA512
caa73d8207bfa7fbe53e1fe314ee7406c195fa727172699b5fabd5f337c8ba34d5f6972e2568a1762182120dff077fefb9fed7ebaba7d98ed00a06c5de19b4fe

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
198KB

MD5
81e03169dae57f2230ba531d8ebd6993

SHA1
c1a371b4d43133ad2688d36c2f65381edc025513

SHA256
3a290529dacc13e1441020b8b7be783421ab510d4c3c400fa10844fb8f6fbff4

SHA512
177ba1364ffcdfd7e3644df86cd03d3555c0a1ec15755a54d344901942e25bdf094081db0f98c11ae4cc9bfc5089b2c614a496964cba279d2f5a4dc3fe399d7a

Download Submit
C:\Windows\SysWOW64\Jqqjmnii.dll

Filesize
7KB

MD5
f48766888551eae573d584d8ba935ac5

SHA1
ed470430da31bf73677e18d5bd9dd25d43a2a309

SHA256
cff15fcd99bf43b67e7bdc76d3d84b6ef574e339fbd55ad536b0f8b9fd469649

SHA512
e8ed81e0f49882677a892d3def3075da5148a928057527a1490af7c4313fa0ed19b56db0abd293159f930ba247a0e047681ff57f873af2d044fd4c7a33092d44

Download Submit
memory/208-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/432-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/448-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/884-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/912-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1036-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1268-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1448-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1648-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1816-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2124-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2156-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2300-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2312-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2448-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2452-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2480-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2536-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2556-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2632-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2652-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2896-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3148-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3324-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3384-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3392-440-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3440-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3540-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3756-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3876-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3888-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4008-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4028-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4032-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4072-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4104-137-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4280-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4312-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4472-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4756-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4760-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4800-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4820-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5056-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5084-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5104-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads