83efbf5477ab9062d4de3c6f2d019217035b0c111d4309864c548580b4f1a934

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83efbf5477ab9062d4de3c6f2d019217035b0c111d4309864c548580b4f1a934.exe
Size

117KB
MD5

2d96275fd103ea7d788004a6c9a8fbe5
SHA1

88ec36594d2172ee96825e8ead0ed2b8fe3b9bf1
SHA256

83efbf5477ab9062d4de3c6f2d019217035b0c111d4309864c548580b4f1a934
SHA512

f33afcb24de0b23ddae7dc2ab99bf8f46062e13312b481ee239981b9d2aaab1b49dd372842b40647576f2252d3fae89c45c601e563105635b73534bbe3f9bf30
SSDEEP

1536:0f0y1BIlJfKPlQ7dozTS2bcVrt6TZ/RAJx6c+A5AsaFFfUN1Avhw6JCM:0f0yPIlJ6O7iz++OBeW5AzFFfUrQlM

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fodeolof.exe

Executes dropped EXE 64 IoCs

pid	Process
2524	Fjcclf32.exe
3012	Fqmlhpla.exe
1036	Fckhdk32.exe
3296	Ffjdqg32.exe
3308	Fmclmabe.exe
968	Fqohnp32.exe
4148	Fbqefhpm.exe
4916	Fjhmgeao.exe
3740	Fqaeco32.exe
4756	Fodeolof.exe
1604	Gfnnlffc.exe
208	Gimjhafg.exe
1700	Gqdbiofi.exe
4084	Gidphq32.exe
3532	Gqkhjn32.exe
4976	Gcidfi32.exe
4292	Gjclbc32.exe
3188	Gifmnpnl.exe
4424	Gppekj32.exe
4532	Hboagf32.exe
2000	Hfjmgdlf.exe
3992	Hihicplj.exe
2272	Hpbaqj32.exe
1500	Hbanme32.exe
3712	Hjhfnccl.exe
5036	Hmfbjnbp.exe
3708	Hcqjfh32.exe
2888	Hfofbd32.exe
4848	Himcoo32.exe
1644	Hpgkkioa.exe
1608	Hbeghene.exe
5084	Hippdo32.exe
3476	Hmklen32.exe
1088	Hcedaheh.exe
4028	Hmmhjm32.exe
4044	Ipldfi32.exe
4924	Icgqggce.exe
1624	Ijaida32.exe
2208	Iidipnal.exe
4868	Iakaql32.exe
116	Ibmmhdhm.exe
2240	Ijdeiaio.exe
4316	Imbaemhc.exe
4060	Ipqnahgf.exe
3312	Ibojncfj.exe
2168	Ijfboafl.exe
924	Imdnklfp.exe
3812	Ipckgh32.exe
4224	Ibagcc32.exe
2872	Ijhodq32.exe
2964	Iikopmkd.exe
3412	Iabgaklg.exe
1772	Idacmfkj.exe
1496	Ifopiajn.exe
3728	Ijkljp32.exe
4488	Jaedgjjd.exe
1696	Jpgdbg32.exe
2564	Jfaloa32.exe
3980	Jiphkm32.exe
4632	Jagqlj32.exe
2288	Jpjqhgol.exe
2816	Jfdida32.exe
4428	Jibeql32.exe
1224	Jplmmfmi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Cfjbmnlq.dll	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fjcclf32.exe	83efbf5477ab9062d4de3c6f2d019217035b0c111d4309864c548580b4f1a934.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6108	3864	WerFault.exe	240

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbbnj32.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijfboafl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2524	4824	83efbf5477ab9062d4de3c6f2d019217035b0c111d4309864c548580b4f1a934.exe	86
PID 4824 wrote to memory of 2524	4824	83efbf5477ab9062d4de3c6f2d019217035b0c111d4309864c548580b4f1a934.exe	86
PID 4824 wrote to memory of 2524	4824	83efbf5477ab9062d4de3c6f2d019217035b0c111d4309864c548580b4f1a934.exe	86
PID 2524 wrote to memory of 3012	2524	Fjcclf32.exe	87
PID 2524 wrote to memory of 3012	2524	Fjcclf32.exe	87
PID 2524 wrote to memory of 3012	2524	Fjcclf32.exe	87
PID 3012 wrote to memory of 1036	3012	Fqmlhpla.exe	88
PID 3012 wrote to memory of 1036	3012	Fqmlhpla.exe	88
PID 3012 wrote to memory of 1036	3012	Fqmlhpla.exe	88
PID 1036 wrote to memory of 3296	1036	Fckhdk32.exe	90
PID 1036 wrote to memory of 3296	1036	Fckhdk32.exe	90
PID 1036 wrote to memory of 3296	1036	Fckhdk32.exe	90
PID 3296 wrote to memory of 3308	3296	Ffjdqg32.exe	91
PID 3296 wrote to memory of 3308	3296	Ffjdqg32.exe	91
PID 3296 wrote to memory of 3308	3296	Ffjdqg32.exe	91
PID 3308 wrote to memory of 968	3308	Fmclmabe.exe	92
PID 3308 wrote to memory of 968	3308	Fmclmabe.exe	92
PID 3308 wrote to memory of 968	3308	Fmclmabe.exe	92
PID 968 wrote to memory of 4148	968	Fqohnp32.exe	93
PID 968 wrote to memory of 4148	968	Fqohnp32.exe	93
PID 968 wrote to memory of 4148	968	Fqohnp32.exe	93
PID 4148 wrote to memory of 4916	4148	Fbqefhpm.exe	94
PID 4148 wrote to memory of 4916	4148	Fbqefhpm.exe	94
PID 4148 wrote to memory of 4916	4148	Fbqefhpm.exe	94
PID 4916 wrote to memory of 3740	4916	Fjhmgeao.exe	95
PID 4916 wrote to memory of 3740	4916	Fjhmgeao.exe	95
PID 4916 wrote to memory of 3740	4916	Fjhmgeao.exe	95
PID 3740 wrote to memory of 4756	3740	Fqaeco32.exe	96
PID 3740 wrote to memory of 4756	3740	Fqaeco32.exe	96
PID 3740 wrote to memory of 4756	3740	Fqaeco32.exe	96
PID 4756 wrote to memory of 1604	4756	Fodeolof.exe	98
PID 4756 wrote to memory of 1604	4756	Fodeolof.exe	98
PID 4756 wrote to memory of 1604	4756	Fodeolof.exe	98
PID 1604 wrote to memory of 208	1604	Gfnnlffc.exe	99
PID 1604 wrote to memory of 208	1604	Gfnnlffc.exe	99
PID 1604 wrote to memory of 208	1604	Gfnnlffc.exe	99
PID 208 wrote to memory of 1700	208	Gimjhafg.exe	100
PID 208 wrote to memory of 1700	208	Gimjhafg.exe	100
PID 208 wrote to memory of 1700	208	Gimjhafg.exe	100
PID 1700 wrote to memory of 4084	1700	Gqdbiofi.exe	101
PID 1700 wrote to memory of 4084	1700	Gqdbiofi.exe	101
PID 1700 wrote to memory of 4084	1700	Gqdbiofi.exe	101
PID 4084 wrote to memory of 3532	4084	Gidphq32.exe	102
PID 4084 wrote to memory of 3532	4084	Gidphq32.exe	102
PID 4084 wrote to memory of 3532	4084	Gidphq32.exe	102
PID 3532 wrote to memory of 4976	3532	Gqkhjn32.exe	103
PID 3532 wrote to memory of 4976	3532	Gqkhjn32.exe	103
PID 3532 wrote to memory of 4976	3532	Gqkhjn32.exe	103
PID 4976 wrote to memory of 4292	4976	Gcidfi32.exe	105
PID 4976 wrote to memory of 4292	4976	Gcidfi32.exe	105
PID 4976 wrote to memory of 4292	4976	Gcidfi32.exe	105
PID 4292 wrote to memory of 3188	4292	Gjclbc32.exe	106
PID 4292 wrote to memory of 3188	4292	Gjclbc32.exe	106
PID 4292 wrote to memory of 3188	4292	Gjclbc32.exe	106
PID 3188 wrote to memory of 4424	3188	Gifmnpnl.exe	107
PID 3188 wrote to memory of 4424	3188	Gifmnpnl.exe	107
PID 3188 wrote to memory of 4424	3188	Gifmnpnl.exe	107
PID 4424 wrote to memory of 4532	4424	Gppekj32.exe	108
PID 4424 wrote to memory of 4532	4424	Gppekj32.exe	108
PID 4424 wrote to memory of 4532	4424	Gppekj32.exe	108
PID 4532 wrote to memory of 2000	4532	Hboagf32.exe	109
PID 4532 wrote to memory of 2000	4532	Hboagf32.exe	109
PID 4532 wrote to memory of 2000	4532	Hboagf32.exe	109
PID 2000 wrote to memory of 3992	2000	Hfjmgdlf.exe	110

C:\Users\Admin\AppData\Local\Temp\83efbf5477ab9062d4de3c6f2d019217035b0c111d4309864c548580b4f1a934.exe
"C:\Users\Admin\AppData\Local\Temp\83efbf5477ab9062d4de3c6f2d019217035b0c111d4309864c548580b4f1a934.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\Fjcclf32.exe
  C:\Windows\system32\Fjcclf32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\Fqmlhpla.exe
    C:\Windows\system32\Fqmlhpla.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\Fckhdk32.exe
      C:\Windows\system32\Fckhdk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3296
      - C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        28⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        29⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        31⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        32⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        36⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        37⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        42⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        49⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        51⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        52⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        57⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        64⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        66⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        68⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1444
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        70⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2420
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        73⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        74⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        75⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        76⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        77⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        79⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        80⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        81⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        82⤵
        
        PID:704
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4816
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        84⤵
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1288
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        89⤵
        
        PID:684
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        90⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4796
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        95⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        98⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        99⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        104⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        108⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        111⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        113⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4640
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        115⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        116⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        117⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        121⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        127⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        129⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        131⤵
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        134⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        135⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        136⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        138⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        141⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        143⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        146⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        147⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        150⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        151⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 420
        152⤵
        Program crash
        
        PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3864 -ip 3864
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
117KB

MD5
31f2f2006a58e158a59be241abf21cc3

SHA1
4eb38312c3056f7b7a6b67908a13d3f45f2fee20

SHA256
d816e94ebc6eb964f50c4d0d2608857b10c229b2898c581fa7af41e47bd81a03

SHA512
2365002f949a592a499a355dcbc4f9936c0ad3357160455fdfee33e9c3966dd77b7b4000b3113b551a6d290bd29473aad8bb38d7a625ef53157d30338b3a52ca

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
117KB

MD5
ac3093094b48f46dfed74cc84078a137

SHA1
489493a313b256ad1ce384d1ceaff1756689b441

SHA256
a3a5b3370b3710e12cf8bf539ae4aaf3241535bcfcaf0e3ec64ba2c607c565de

SHA512
5d00fd4fd5133ce3fc6e8e2a602555991c0591f4ddde138a0ec4cf54146d91fe156445f7f6b4b802cd1ebfd07de4a409ae1a58c84e8318e8d337e3be56111a15

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
117KB

MD5
3eb0fb98090e4cea38798b558736c05c

SHA1
0409253d494d185bba02808095c962d3e335e73a

SHA256
ac8a8650ee779722f898e332ed35958003c91359d0db9cfc046deb18713019ad

SHA512
0dd40ab41524d01cb95c26db9fe9dea2da63e0cc3771f86ca93868e6c48b8e832f3185099997612056f5bf4cd073b6a28ddc426309662397dc5de35e52432133

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
117KB

MD5
6cde73cf8d65039ab2ebbc8191957438

SHA1
4ffd9773da7d53f505bb0bea56316c040ad65b29

SHA256
6d24f1ef4baee75c0c963ef067fc6fbc2938a846ae8301923b9c286a24bc915d

SHA512
44a2f3ac2afb68dac93104ec30083982ce9f56dc6bfdfd79155a1004c187846de21e8bd7d2b51fa939f94829b324127a937f4b7c944e0e47e0045b717811d92c

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
117KB

MD5
13e126a883ef0b10df6bd0f2967c31f0

SHA1
0de98252fb4b67ec7d6d1c0c1152b9b49aec89fb

SHA256
75cd81fc06252bf09665c3b4029b4bbe7b1f337a22cb292db081592badf3185e

SHA512
7837932d2f1e6eb1da54dcd657d3c5cad1a0d3c2278a8f662d4e690efb6cfe8347cd269bda9d993874389def73c7e33337d4b2642b666cad77b02e6261fd186d

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
117KB

MD5
709ffaa59674a59edf0e102b5ba66e52

SHA1
e847bf4e1ff385a24702c8f2ed1ba92fc65093e6

SHA256
79bc2aa7937ab6a7ff90a536ab588121749b54a09da70ebb31215359fc985a5f

SHA512
08f2c7ee37ea4208d6af78ad49193707cf51587d5894e6b813c283a24bc1c17ad538e291f56dcbd96851a9cd050e476f0736e415c82409ebd08af87e0de77b1e

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
117KB

MD5
de003fb7b0c19b01e85fbe321c72d2d3

SHA1
34929a6ddb9d0d5035a89bfe61cfacc36e84fb1c

SHA256
c15daf20a4f7cbfdb9211caa2d3fb484e06bd9deccb8013a301799f1f856a009

SHA512
b3e8003a47280736b16425a3b9b5b49f72485a5718bf9388b0c7f9e854e889b3c90d0f7c21fb8e9ddb01f637ae07f1cb4a309f25e26a1ddfa0747aa0ec127c3c

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
117KB

MD5
b205bae3c07c44d0a735beff3d242022

SHA1
752467805e8d75de05d2fd09cf670ab04150cae4

SHA256
70dc3c2f861d354c1d01ab7dbfc63cca18ec5798ae2bf73b644ddd960e9f6455

SHA512
7adc32b86616036ea1b89e2fbc454dd52239ba92c2846d6725ab214f72c3bc03667833d1784bc6bacb67a6efc580e054e674c582df63f1aca984be1a40d63038

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
117KB

MD5
75591ca6891519032720c1bb070cf934

SHA1
46cf8ffe06e06ab8a0b3b275806e23c27d674427

SHA256
8661589e2fafa31b3ad3fb60d86691ad2c4d5c981f8c822e4b5829726af1d783

SHA512
dada734c4fdf2cb63cef7cb77f65025909d4b2aecf957eba193a060f4a28ce185cde3e1459f7c143e89c4be814eaf759bf2e8c18f89aed36c59f63c93d4f983f

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
117KB

MD5
af02004bd42ea0e4b93b04f28fb85e3d

SHA1
b67885fc9e13be05afe4e3b692f18c1dd746f350

SHA256
6a78f4eca5d1312aa73ab7014e2cee513a81e6904a12a63d421500fbfa9cdea9

SHA512
8250d3523a3acc794c117ac70aa5c17fac79f3871f8c717f6fa61800026ab1a23a6b9d13be2dd9e60ccdcd1f589be099a60a2516f19a1e5e7153c9ef803fb780

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
117KB

MD5
7132ce69aad6b1d5f2f6d1801c519962

SHA1
04a223d4963b839dabe4fb43e2417310473b0e9d

SHA256
b258e19c44a5569822fa1dcc8cbbbf4b20ac21e7e2b9993b3a54146d9e08b0e1

SHA512
74b535189571f6d18c884cf4dfadaf67fa469da9a8e01bf48c865437048fe496f03b823d165135c1d7b42a162a68e76dd4befdfee1cc3f1849a8663f852fb94e

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
117KB

MD5
55bc4d0da221e13990cd49587dede5cb

SHA1
089bc3b37531156e5750d7679ddb7716d803074e

SHA256
5a5924db6ea2793dae2f97f715c22a464c48abf69430eb4da62a0f3a68c1d6aa

SHA512
6357cd2f3e911cbbc4adfa8521416bafb52200615353439d0bcdb47aa29a6a92652f1a0c0da83856c17c1309e59164d9541708edbcbff78804b531205d8e7c58

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
117KB

MD5
c729035508d39271dea50acd6d9f4bc3

SHA1
e067e5fb9262a6b98c8501f05b4ebd7d03969a8f

SHA256
d331e3a284d3bf9d6064b34c8daf07057d4b47e2fc86811c764fda9d98d40cd5

SHA512
98968cd9b78eaced30493835df082236dc843f43d7abfd752d9050d67a186a165af049929975a2975d9f7aa964d63fdc959a049fed2fd0dfff507920060ea525

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
117KB

MD5
8d5e995f39f351fe27f4200747412798

SHA1
df1f5febd8b9c07b9922a6f9a4cf1001baf51961

SHA256
96c1b5238191ddabe1670c5b0c5347c8d8df4d1cbddd6e39b61d67226361e53b

SHA512
c3ed33f5867728015d40fcf22f0b555a03238a508df442952548eb3786ea16917af26c16bca9e469def5cc0ff8b0a7e9f8f253fb53e173fb8fbd4439f61ecce7

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
117KB

MD5
8f58aa0f0362630fba0f6b0e928922e9

SHA1
ff577d96e4527ae3796c45b8982e739a1afd8904

SHA256
f44d2220a51a5d5887a4c89f96f96c429fc6690f56fbffab5e6f33d697733cb8

SHA512
49fb019957f591a64917eac218d0d402b0e060809ab06e377b5984086803b93bfc2ab8322bfe7e388bd408e1f3abcedb2b2d32099b9f0ae6a09e05ecb1cd30ff

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
117KB

MD5
ad24ed0caa45486d73fac66831dcbd56

SHA1
9a6f9c5f1b3433bc1f3af5461d84cb0711d52b50

SHA256
bae8aaf3d18a3de9626659d622017ca903d1eacc8403da89bf81f9559a066f37

SHA512
85e627b2056fd7b1dee72b86e76c059314b132df4079d00a504812e479a82b6e55d0a530bc0d50765739f583040c434b84f917a6997bbce7ac7aaf9a853b2a5f

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
117KB

MD5
b0ddc31aaf26d0cab7b17df76e464d06

SHA1
17f2ecb09aa2f446d85a06b83e796f79a450d6ba

SHA256
f8d070cd32d3252d29bf75c09c54f32237d598db8fb3fb87cd44d79d278a11d1

SHA512
f07cd8f90feec216637d3fcbde23c59fbfb0fb88c8d3a5c1b60955aa08a6ab298f838536d63c8420f5f3e10af3c6a919bc5058a544507f47ebe05963921a2047

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
117KB

MD5
3d9b47a2037bd0985087de627f9050b9

SHA1
e16b1fc1b6aa7af1a2790d417bd78127f1b4472d

SHA256
235c895024f20c30ddd6e2ee6b433d01db1587ac0b45e2ca751239cb64ab1598

SHA512
aca6c2a87dd7d90e45648dcba66f10e5cfc1bf60642fdb60a32db48efdbd7bcf57a37a41d30649b753ab92eb1a3ffeece4eaad384c2c25a5665baeaf2825d6de

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
117KB

MD5
3dc1f2e67cefbdbc07844b33701f60ba

SHA1
54e14caa0860fc238471c4fa12b1ce499e6cec6a

SHA256
818f23e2a1b4e468f07b2ebd259d9db109934385e3b2e860326cf2a6a639ea21

SHA512
7fd7b1d8a2f11535b663e74b7359fbfef4efe71bfab5b7bfc61ac269ce047d5dff85969ad594a62c88b10d82c4ae465be67950ebe0074e649a93e03b40ad4302

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
117KB

MD5
6ebbcf174052990f6b18eff4791a5070

SHA1
1df3be23929cc87a8966bed9c6ea11c373d72c91

SHA256
f7862e428a25b2fbf7b6b6644eb2b42f6b93e321ed8df6baf7b3137ff51cd2c3

SHA512
271d371e1a907270ccc3fbe50f1e4b0e95bbd1fe2981883f60c008c9f6149ae7f37e5f40edbf9486bee5102cde98db79b010d986f331625f7b762dc3dd8c86a4

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
117KB

MD5
f25aac2cd116988215866d2d166fe953

SHA1
671a8cf4cbd7a603f654d95ef4a0c796d0f4d02f

SHA256
f477e7eb7140e5db9674b20f4a3113304379a47557501c82c578dbd8b70ca80d

SHA512
fc477c1720ed881f331350ec399d17c3f461fe7b8c4473bfff9d3b0061ac146af00a397372f5dd8c04fce78713fd4eb867aa17e2e82b276deb42ab5cfbde0e10

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
117KB

MD5
2370c8a99d74d50bd89cd97063680465

SHA1
a6710e088ff5eddbda2c16f3991447a0e3411ecf

SHA256
4879692302a54c86ca80abca12933eecf36ad2802724869b55d0924918769bf1

SHA512
8eeeb6df1e3538b412acf2b54d799330234090cbb55a5cc4f52fd06856c9de610cd38077434ba6b5f3cc5f4de7aaaeb362578278debb446eec3fda5d627cde06

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
117KB

MD5
14857912c7b4f7feea8c8a94b58a33bd

SHA1
af1e9a43066372003418c242794613931f1c5047

SHA256
326912d0a82c69b0dac88d4427a817ee71d44b923e9dc6d736d1e1e2feb026d5

SHA512
f4efdf7bfc8c60d906748d39f8f9845a0d455ab814708da8ce7b61f5ff97edeb92c561cc8ee651cf1761b915f1c339a7759e4e606dbb7385a95dffa0f6bb2779

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
117KB

MD5
d940a2388585aed1a3fb461900a4ef4d

SHA1
ecb2f58984272f45d5738a67419a8b9e333b0338

SHA256
f89116eca955439cccfb6438a69b17d263f195268625f99c74ea34eae22c8fd1

SHA512
2fe784e962b04dd5a78df0b0e4690e9ab887e5bbce878c030e7d491d1fec0e78cbad016d686d27d121f069bd33193953bf647703faeb4e2ebc1194801cd0be8e

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
117KB

MD5
b9bb5d9845b5c7ea6b536fdd9eff25ff

SHA1
f1172ae8ea8ef5aaf642c440422bf13218cb5fc7

SHA256
82c3811f8599beef05335468ebaada281c8426084e7f32e5dbc414d92209206d

SHA512
259303c7c33ee28ac043ac2c6911283c10f3c13f901cae47b922cee82b28e882c6edd54b1136941cd7bcb11bdfdde2f1332aad93579cdb5e16c2169679a82a86

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
117KB

MD5
6ccb7335a089b3e07d2a354eaaa2b41d

SHA1
8ba93ccaf322f579dbf3e2f655350e1661d56b89

SHA256
8b71d4b16ae3f75947a39c61857ef8b44ff30491b2bd0d8528220adadb638869

SHA512
61fe1fa59872c1ce2b5196c2054a7c51527ffa0b15bc037cf5c35a2563b041dc4dcf07a785c56c1f110b846f497e6be01835ff4dc6d36d9e0911b2a7e11103d0

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
117KB

MD5
8f96ba5acbf851686779407c63b0b72a

SHA1
3ed4744ab27afe09533c061e93ad71bbd17b7a17

SHA256
d53e7ab6e057668a82374822406cabd1b9469ae8448a3d29bb408fd48edabec4

SHA512
2f1ccf34ce4423c0087b452644621835d53064619d0dfcddf27a7b1dd1020d18538ccd2a4716fd5d54b2b7e76630db5e2b863421c754f06aaedd7458e95f8023

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
117KB

MD5
b066fdb13d9e62d5d50bc1b40e7f496c

SHA1
8aad38b3acf4189fcda92273ab2faac447058a44

SHA256
2308e058996a6771e65c9b31b25d50cb40a5f6435dce2a2516cb1d0291cad00a

SHA512
07a03026ba217a28aced626f83eeb68d976909aa3128dedb1f6da229879e95b4a355d40bf495eb5122a60b5a75916ddedb1d62887e4dbb1acbb9cd2f55aa9d29

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
117KB

MD5
f0a5c47446b0ea83e8817a13d44bfae1

SHA1
5411ea01ba4404fb34e69ab10d0e5d124a1bdf18

SHA256
dfe667e5f32506ad974d677ab35122585306f0d6d471b2e5466b099708a7ba25

SHA512
e862e4500534ed3514c54ae1818435afac66716f6d240a4dbc7b36f72091e2cfd3ef24e793b3e453e8f859b3fe087f4f991302338d2fc02ac1facaad1aedc59b

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
117KB

MD5
1f52f5d4bc0952f2286defcd0a01c6b9

SHA1
8631794d25b22249c07d0393786e419828165432

SHA256
1da954b279301adfb7755a9d1ce2cf9a2fc7261fd4fe9b485c92919600caa752

SHA512
056f079ae500f400b84d6960b882de2b2dc6af00cf834ad04d3b63edd45b8566e298410de5929a19344db64db3a6d1c2edfe4d1d5536069f450d20c22c62ba87

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
117KB

MD5
9c281f891af08c4f86571d7958279bba

SHA1
d91bc91ebf89ea9b2d8189d0b69e5c9133e167f8

SHA256
4c7d29a5a11b67001c8d4a13a1b1300e99d4c4ecdbff9a2d31be4179a59274eb

SHA512
1d9b777842858685bd3a47d038f97f6c598fec6cf2e496124277c4328cd80ec1d8dc61609a56966fcb0094c08c7d5b5bff7720f82c5358d1a01918584354acff

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
117KB

MD5
58e0eb13f9fffadf46ba1b485e9a721c

SHA1
7b7173ce2fadf956bdb397091f6fb50dfa59fe79

SHA256
069e3c8c63b14f8d0e3de12bdf162d537d7bd8e4333cef3d99648e31311589d7

SHA512
2658d8a726338702c7251c62b493460ebefca229006696eb3b747c6919729902876e7c16d0441180851ac6326216265b181fee345ff5833e547d6f563e976fca

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
64KB

MD5
4e112a7d7e8ddfd0b3828a2ff6d995eb

SHA1
eaef089945fdfae68dec7a336845797e39c59348

SHA256
1f3877a519177253b6ce52b5f48cf01da841449917b5a4a3af133d32aa270098

SHA512
f184c1f29a08dbe78e45a18671509d3f614b289bdcd38691dcebf3b894cf8b75027b58326c423c1d5bedf78d7c0953b1f9bd1a61fdc9116d9ed843d6c6382683

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
117KB

MD5
45acc9d6a3bab804a3a2d72212735036

SHA1
d3c5e0cd102489653f2274a9fcbb846fa6d8d487

SHA256
a330091b3ee1147e44b27a517ab3e20af1d788287adfbfefecf31899a96b23f5

SHA512
8ad118046dd00dd0c68ef23e12683b80a9adae7e13420d7e9d2e3aefdcfd56b36e16f0fd3c24df1a3cc60de8eba32d7f33fb3275b1ff87de55fbf1ae329c307b

Download Submit
C:\Windows\SysWOW64\Kibpam32.dll

Filesize
7KB

MD5
3ef9199728eb8ae06ddb4ba7ea419004

SHA1
2ac4a48e3c922c4579725a481a27b8c06c3f217a

SHA256
2328003c45f60074477923453f1348e1a3ae5f76766d53f4924cda599742902a

SHA512
f02bb1bad2ca81248d18ac50d6d06f68ae59f4b5e495a37872c3be3074c0ea1dc0236371f5d7db6522918eb7fe7c2c80bb06a54a42782e0598a4230bcd1f2cf1

Download Submit
memory/116-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/208-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/924-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/968-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1036-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1088-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1500-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1604-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1624-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1696-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1700-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1772-386-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2168-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2240-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2288-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2524-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2816-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3296-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3308-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3412-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3532-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3708-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3712-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3728-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3740-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3812-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3980-422-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3992-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4060-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4148-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4292-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4316-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-444-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4532-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4824-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4848-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4868-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4976-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads