042349edf8f98e84e8b0fb1b90c90db2c8387395b75a2480c7051213092798f5

Analysis

max time kernel
109s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 21:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b7a16430087e37688005497d74d4050.exe
Size

56KB
MD5

0b7a16430087e37688005497d74d4050
SHA1

5c2a3534dc9634319c23070613bb57a7ada7f0d0
SHA256

042349edf8f98e84e8b0fb1b90c90db2c8387395b75a2480c7051213092798f5
SHA512

5446bbccc4bdf63f53b502fffaac3b39e143fb6c277d886b18ea1c51714e98db3f024c9b661dd0137831e07cc611f291a6be74a4931b54b0dffa8fefb0605d2f
SSDEEP

1536:+YWgyKiuDuUrXjorF3AsYP/gshBLXZIXpSwP:W5puSEjorF3AjhPI0Y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe

Executes dropped EXE 64 IoCs

pid	Process
4956	Fckhdk32.exe
3440	Fjepaecb.exe
4008	Fihqmb32.exe
3500	Fqohnp32.exe
3960	Fbqefhpm.exe
2492	Fflaff32.exe
4696	Fijmbb32.exe
3872	Fqaeco32.exe
2644	Gcpapkgp.exe
3144	Gfnnlffc.exe
1540	Gimjhafg.exe
2176	Gqdbiofi.exe
4776	Gcbnejem.exe
3268	Gfqjafdq.exe
1224	Gmkbnp32.exe
372	Goiojk32.exe
3256	Gjocgdkg.exe
1128	Gmmocpjk.exe
2884	Gpklpkio.exe
1172	Gbjhlfhb.exe
1084	Gidphq32.exe
1412	Gifmnpnl.exe
3064	Gmaioo32.exe
3576	Gppekj32.exe
2760	Hfjmgdlf.exe
4400	Hjfihc32.exe
2508	Hapaemll.exe
2336	Hcnnaikp.exe
4332	Hjhfnccl.exe
380	Hikfip32.exe
3640	Habnjm32.exe
3464	Hcqjfh32.exe
2260	Hjjbcbqj.exe
2844	Hmioonpn.exe
4076	Hpgkkioa.exe
3316	Hbeghene.exe
1640	Hjmoibog.exe
2964	Hippdo32.exe
4452	Haggelfd.exe
4768	Hpihai32.exe
3052	Hfcpncdk.exe
3728	Hibljoco.exe
2976	Haidklda.exe
3932	Ibjqcd32.exe
2940	Ijaida32.exe
2392	Impepm32.exe
1932	Ipnalhii.exe
2240	Ifhiib32.exe
4764	Imbaemhc.exe
4440	Iannfk32.exe
3516	Icljbg32.exe
4784	Ibojncfj.exe
116	Ijfboafl.exe
3900	Iiibkn32.exe
2112	Iapjlk32.exe
1232	Idofhfmm.exe
4600	Ibagcc32.exe
1080	Ifmcdblq.exe
1812	Iikopmkd.exe
3252	Iabgaklg.exe
1680	Idacmfkj.exe
2896	Ifopiajn.exe
556	Iinlemia.exe
1972	Jaedgjjd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6792	6676	WerFault.exe	254

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4956	4812	0b7a16430087e37688005497d74d4050.exe	85
PID 4812 wrote to memory of 4956	4812	0b7a16430087e37688005497d74d4050.exe	85
PID 4812 wrote to memory of 4956	4812	0b7a16430087e37688005497d74d4050.exe	85
PID 4956 wrote to memory of 3440	4956	Fckhdk32.exe	86
PID 4956 wrote to memory of 3440	4956	Fckhdk32.exe	86
PID 4956 wrote to memory of 3440	4956	Fckhdk32.exe	86
PID 3440 wrote to memory of 4008	3440	Fjepaecb.exe	87
PID 3440 wrote to memory of 4008	3440	Fjepaecb.exe	87
PID 3440 wrote to memory of 4008	3440	Fjepaecb.exe	87
PID 4008 wrote to memory of 3500	4008	Fihqmb32.exe	88
PID 4008 wrote to memory of 3500	4008	Fihqmb32.exe	88
PID 4008 wrote to memory of 3500	4008	Fihqmb32.exe	88
PID 3500 wrote to memory of 3960	3500	Fqohnp32.exe	89
PID 3500 wrote to memory of 3960	3500	Fqohnp32.exe	89
PID 3500 wrote to memory of 3960	3500	Fqohnp32.exe	89
PID 3960 wrote to memory of 2492	3960	Fbqefhpm.exe	90
PID 3960 wrote to memory of 2492	3960	Fbqefhpm.exe	90
PID 3960 wrote to memory of 2492	3960	Fbqefhpm.exe	90
PID 2492 wrote to memory of 4696	2492	Fflaff32.exe	91
PID 2492 wrote to memory of 4696	2492	Fflaff32.exe	91
PID 2492 wrote to memory of 4696	2492	Fflaff32.exe	91
PID 4696 wrote to memory of 3872	4696	Fijmbb32.exe	92
PID 4696 wrote to memory of 3872	4696	Fijmbb32.exe	92
PID 4696 wrote to memory of 3872	4696	Fijmbb32.exe	92
PID 3872 wrote to memory of 2644	3872	Fqaeco32.exe	93
PID 3872 wrote to memory of 2644	3872	Fqaeco32.exe	93
PID 3872 wrote to memory of 2644	3872	Fqaeco32.exe	93
PID 2644 wrote to memory of 3144	2644	Gcpapkgp.exe	94
PID 2644 wrote to memory of 3144	2644	Gcpapkgp.exe	94
PID 2644 wrote to memory of 3144	2644	Gcpapkgp.exe	94
PID 3144 wrote to memory of 1540	3144	Gfnnlffc.exe	95
PID 3144 wrote to memory of 1540	3144	Gfnnlffc.exe	95
PID 3144 wrote to memory of 1540	3144	Gfnnlffc.exe	95
PID 1540 wrote to memory of 2176	1540	Gimjhafg.exe	97
PID 1540 wrote to memory of 2176	1540	Gimjhafg.exe	97
PID 1540 wrote to memory of 2176	1540	Gimjhafg.exe	97
PID 2176 wrote to memory of 4776	2176	Gqdbiofi.exe	98
PID 2176 wrote to memory of 4776	2176	Gqdbiofi.exe	98
PID 2176 wrote to memory of 4776	2176	Gqdbiofi.exe	98
PID 4776 wrote to memory of 3268	4776	Gcbnejem.exe	99
PID 4776 wrote to memory of 3268	4776	Gcbnejem.exe	99
PID 4776 wrote to memory of 3268	4776	Gcbnejem.exe	99
PID 3268 wrote to memory of 1224	3268	Gfqjafdq.exe	101
PID 3268 wrote to memory of 1224	3268	Gfqjafdq.exe	101
PID 3268 wrote to memory of 1224	3268	Gfqjafdq.exe	101
PID 1224 wrote to memory of 372	1224	Gmkbnp32.exe	102
PID 1224 wrote to memory of 372	1224	Gmkbnp32.exe	102
PID 1224 wrote to memory of 372	1224	Gmkbnp32.exe	102
PID 372 wrote to memory of 3256	372	Goiojk32.exe	103
PID 372 wrote to memory of 3256	372	Goiojk32.exe	103
PID 372 wrote to memory of 3256	372	Goiojk32.exe	103
PID 3256 wrote to memory of 1128	3256	Gjocgdkg.exe	104
PID 3256 wrote to memory of 1128	3256	Gjocgdkg.exe	104
PID 3256 wrote to memory of 1128	3256	Gjocgdkg.exe	104
PID 1128 wrote to memory of 2884	1128	Gmmocpjk.exe	105
PID 1128 wrote to memory of 2884	1128	Gmmocpjk.exe	105
PID 1128 wrote to memory of 2884	1128	Gmmocpjk.exe	105
PID 2884 wrote to memory of 1172	2884	Gpklpkio.exe	106
PID 2884 wrote to memory of 1172	2884	Gpklpkio.exe	106
PID 2884 wrote to memory of 1172	2884	Gpklpkio.exe	106
PID 1172 wrote to memory of 1084	1172	Gbjhlfhb.exe	107
PID 1172 wrote to memory of 1084	1172	Gbjhlfhb.exe	107
PID 1172 wrote to memory of 1084	1172	Gbjhlfhb.exe	107
PID 1084 wrote to memory of 1412	1084	Gidphq32.exe	108

C:\Users\Admin\AppData\Local\Temp\0b7a16430087e37688005497d74d4050.exe
"C:\Users\Admin\AppData\Local\Temp\0b7a16430087e37688005497d74d4050.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\Fckhdk32.exe
  C:\Windows\system32\Fckhdk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\Fjepaecb.exe
    C:\Windows\system32\Fjepaecb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\SysWOW64\Fihqmb32.exe
      C:\Windows\system32\Fihqmb32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3500
      - C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        23⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        25⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        28⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        30⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        31⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        35⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        36⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        39⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        41⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        44⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        45⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        47⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        48⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        51⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        52⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        55⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        58⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        66⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        67⤵
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        68⤵
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        71⤵
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4724
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        74⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        75⤵
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2796
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        79⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        80⤵
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3008
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        82⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2500
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        84⤵
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        85⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        86⤵
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        87⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3488
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        89⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2724
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1668
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        94⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        95⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        97⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        99⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        100⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        101⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        103⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        106⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        108⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        114⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        115⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        120⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        121⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        122⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        123⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        126⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        128⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        129⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        130⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        131⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        138⤵
        Drops file in System32 directory
        
        PID:5852
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        140⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        142⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        147⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        148⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        149⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        150⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        151⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        153⤵
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        154⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        160⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        161⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        162⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        163⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        164⤵
        Modifies registry class
        
        PID:6592
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        166⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6676 -s 400
        167⤵
        Program crash
        
        PID:6792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6676 -ip 6676
1⤵
PID:6736

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:6508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
56KB

MD5
dc078c8bc180b151ea44866df751fb8b

SHA1
ec804258d2d8958b9b54f460e81af25365d06591

SHA256
edb5a47d5c45a31bbfa70f235a53b45d10e20ce393adad3662c7f6f610b6b15e

SHA512
38e68f6ce39ad3c1d19002f63048e4110fbcae6ba85f7cd8a59905e38416fdf5b0f5418f9979debe02aa19548f05e4ad56d59027de433abea20c3da771b732d5

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
56KB

MD5
1bdcbb8652a45d4885e2cb117367a606

SHA1
003f3d80d33fdf82048342f50139b64ee9a43908

SHA256
83e557d01bff73c517d636af02d7354df3f8e617defe777b222d113cede81168

SHA512
4655047a4b94b9f90268a1a8c9d54206f9c84f9bc9be6d07b105f2bc4b9ef3c4822b452f2a0f423bd069aa51b0703f5cc38868d350a5f202231e4ff07c7131d8

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
56KB

MD5
e341e4b531680ec39f4052ffc5b6c2ea

SHA1
1fa07dab5d0380c2f2153e41c54de385b0973767

SHA256
e276b745ee8fd744f1ab808c69d987715ecebaf87098fe70a4ad658e79cf32cf

SHA512
cce49bbcdd73a2d3fb866f19e153df9ece63185c92afeeb2199f68300e73fe9f292387d663ff86a432d041f8ec5db2b9f3e26270963fb92d4153f4ed2b61360e

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
56KB

MD5
f3eb3dcb32926b784dda7fae749efa66

SHA1
652af0a8eefda479937cdf57606a4b1b76dc90dc

SHA256
3a01fdd965ce23858ba3617ba8516e8eb116a4bf7b952de6767f323449f8db3f

SHA512
736314aa1c143c849757ed6487b7edf063d7b50ab7988b90a3a913321aa14cdd29adc0ba8e6138b4fffb4d830e2fe43e4f0d124065c42db1a1ed0295ea83fe55

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
56KB

MD5
e7cdfeea47cfe1d66ffecaeb2727c1d5

SHA1
e0625173b82541d0336f7b33a03604f5e88a09b0

SHA256
11f28130ce84744d5451cf04b4d7d533b2e94e26f3d701539692714bbe43c833

SHA512
36f980e39916221729531454f04fdf19208bf3d9286194eceaa391b497a9337c44aad5f63a3f3b2739cb845ed0bfdd9530a21268085dd3bb44e71f7423819611

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
56KB

MD5
6552597c43a54472f29736481b1d527a

SHA1
70e986c5b6bbc556b743b93d3a9e4e5e7bcc9477

SHA256
d8b435eabc281e820868477b36df23f31750646604e3251cfd5d27f4c8742e2b

SHA512
3b93deb06a938b9d871656ca699ffb614fecad1aa1d896f7e880acf409f42843fa33f44328ea56d31735f78e7c7d170353437609633e04aee7d8f68002ab98c2

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
56KB

MD5
140e85403a39045fe020fbb47ba9713f

SHA1
24fd94f1990365a0daffa5d509eec780eacf9868

SHA256
c0f2bb665337903db27c17e211308bba5e329fd96c0ac5ec4487087a391a7d32

SHA512
71e51c201492db4982f32b4180bdaf6c09d4d72ff746215aa80b8e4124142397c9942ea1c4cf57464ee67d43efb913f64af3169002620d4797a593dd673705b6

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
56KB

MD5
d86f2dfd15412cbf37549f392ff9f7a6

SHA1
070c0129796c6c2c40199b12dbf245f8f27e163c

SHA256
521e6abc4c8b63a69d3959f4d0386e159abc1e25f7086cee1026b1cf1beaf693

SHA512
5c1c3db1c2bbd9caac4687f901d580cde6260cadc5e045793f8444b72603ed041c79fca3bec6828119bac016fab55137829054d6fc18da7520cc5a6ea63be997

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
56KB

MD5
3813e1ed14ef0131eb0f9f973cb7fbca

SHA1
823e7d212dde6bc109d0426b0dae3fb0726aa42f

SHA256
f6418290f5824ecf8705c03448d85618e887c23d63f413eb79f2755fd5b73c71

SHA512
b3cca5f19c5d9f94990f61887a658e5b3842e298c465f4347a26835b0bb9d6604864b566439fea6624543ed3e1cb310e6860fb45666bb4058a4f2c79425835ae

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
56KB

MD5
7d5d54abd9ecc7bc6ae23b55d3a890cc

SHA1
c084dd98e5b9228d7e130261f9390824cac0cde3

SHA256
15d558b7b170e38d18f747d8d8f22060140d024c07435523b7f675f235f5167c

SHA512
9c1bd0d1eafaac03449a551796762079042d4ef331a42870510a633f111463c5180dde67897475d35bdd55a7c8cae1cf2fee28b38715eb2e79fb484a443c03b7

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
56KB

MD5
fc77ad0fe3a3d610995c233a45f5fdbf

SHA1
6571fd954181aeb2f07f91c2bef6c6d1dc8226f5

SHA256
6702e88f159a510c2a11a87e2af7d45bed7f32c3cefa1ce440be3569b4ea5085

SHA512
a98bfc5126ae83c341346bc1658cae32967c70b43d6d45cf1ca2c42b3915e5d85dc622ed4c26544fa68dad647e4c10028eee7cc2a95219e94ee45a7c38e0e5b5

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
56KB

MD5
7dfdbea108c643229be95a0891ff8f65

SHA1
6f382ea506986c08599c7bb66a2bc00d83148828

SHA256
be53a924e705004c2ea3c631c820cbe5b9f3d8bf28bcbaf1000d4754a03b1a43

SHA512
3c79e00635d748dd97bf6d9c42af5ee1984b1f960bca86fb3ae40f113f586647c245286cb77941033b6f5e8e2106e2573c56e98e82b45d85d9271a1c150047b3

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
56KB

MD5
8670b2c6e7e594f2a4179a071694c9ab

SHA1
736f0835d579cca179cdda1ed37a9a2a4475fe32

SHA256
a713487aeb6f6db452577d42f8955679da5d4eca48b7743dab5be48e77d6fe0e

SHA512
d3381c395cdac44f62359c3fcdaa808a13a794507b000d05ced21b061072740bbc324bd95c860c5763080d9cbd670d7223efeb0e22be7d37861323837645cada

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
56KB

MD5
9279402b7106f064e221279fc634f796

SHA1
5329299a06f897f2a39ada789321c94a295f3185

SHA256
4c8d8fb8f9d806e0b2f6cae0093128ee195d998422636490495bf6a229c0e687

SHA512
3095e55e9ade7020fbfcdc910082fc429c34d23332bed4923352f0854074b9c6d4a868ebf12d62712216af41180f0a5475b06e99d611d106cd45b581e4cdaa87

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
56KB

MD5
6091d0485ee40af769fcbbdc6bb24381

SHA1
0d32a0e7323c527e770bd682df8ff20071d8871e

SHA256
baed860d094027e802e92476b03322aa7e7fc6844cfdfeb0950e8abf559bb1bf

SHA512
812187db961329baa27f6313d8dce3ae00125456d02f8186dea1fd12cf80567c3f9bf3249b80ede2d484388c11b4922c46ce2f438dec7db38fd59fe1ddac39fd

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
56KB

MD5
1cb68c03c2a4f92288311b0c3f5a70bc

SHA1
2ac16cc7e206ba8e7a4d35a2cbe1a47815151050

SHA256
1a2ea55e8990e163bb616b7e07d6f0dde882743b8a317ec47f1fc498f3f3ef9b

SHA512
838c89e38374cc25e8405859feef77f3730692f90e5b16444032f46c7d08c5e1b5cdcdc6cb46b75cdb4938edf1b549b7b5f848811fa681a0e1efb51865b6a639

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
56KB

MD5
98667105f58c887fc843d95787314756

SHA1
d71f5485fad7e55bc4679a13fa7a14c06c6e7531

SHA256
88ac6134f6bdc28d68387bca5cfc3e84e02353fa4a3753dbc0caa0c2fc442632

SHA512
f1476da1cddf84a50527c6bd3168428cbc163aeea6056dc5ea8b886b234ed8ab27640b43fcf79cff84e4144a3ff0f19afbf72186b3a0b0314309a0efbe159ece

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
56KB

MD5
2a9e90b0becfb4dbb01f75cc8f71bc47

SHA1
bc28e5c4b97ca8658db37f9b07ee2c7964f36116

SHA256
bf90fe175caa9a158dc355d6bd20503eea0ba6abd5c125a0c133606661974a45

SHA512
f36403e637e9fc6782f9c64c30d4fefa70fcb4b3595179906e3f118e235bc6f2786a7178133e5d75e72add06ef96f015b100db6e497609081992afedb064060a

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
56KB

MD5
2e2f8dde1d6de1507db0e8593a98018a

SHA1
fad93775cfd8a56da236ae9bf750e9e665139bc7

SHA256
fbce171bc8c443e9ce6d04cfcac2bf7df8decc03115412fc81b8a475eac591c0

SHA512
0b89e50dc532aa0eedfd2bcad3ca120a02c1d06ecee5ca36ef339c1ef1a45f731e1c1dfe3ea81ef3c07a16c7ab975d261e409816a502665172f0b2abf912ca8a

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
56KB

MD5
6f5c4864014cb8096b9d6518748c0cd2

SHA1
a28a0e5fdf17f22cf3aed166b04111e2c865f9da

SHA256
bfbd0c2503986a546f7e4b82e2620ffd4f1997197172a12bbc3d1c2b6e0cfa81

SHA512
b2435c2923a7cee306b885675a5642829df2ff4fd960768218fd6d4a18c54f5ba9ef8cb97ffca320c7bb5b63cbe145688b5fc327f71738b832381bd88cc1599f

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
56KB

MD5
720934853327d6fb0cd40428855d1eaa

SHA1
d68f324db77bb3aaa4a609094bc521f959e92871

SHA256
0f0471c6d4ba964f0b9afcd5d0a40ef2b96718451b6d63b947918fc592faaf25

SHA512
4a6c0de6e0b2e20678f1e0d65dba1c8de61cddcb367d8d3448097431ac06fb3b924b9abb44b48d6f33c92c66397ab417b1bd38726c7baaccba82e1f689b2273f

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
56KB

MD5
ebb191edc75bbae336a71ea906fe15af

SHA1
dae2c5e4371dddc3d5cc1a2ed36b8327dd5d5cfc

SHA256
704f1ab735ab4446c3e7a065b790bbac08f0a3b423384a3e5d2915ddbddb2d2b

SHA512
8d8d75cea842c8bd3457eede54e4ab6d4c84ea5e09c083d4fd567f1e224f8a5f9c4d545ab4ac9e1dec74dbbe912c0ef072403c4500b434c247dcd73909a9dee1

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
56KB

MD5
d8977c929a0ae035cae491a8c8adb8af

SHA1
731888fe5193780d5243f32b89d97df69a74e275

SHA256
0b87a7f05a0e5234bc6805c9ee2497cbd78016c7296d5d2deda9ecb658354a26

SHA512
7542d5be91b482a2af4feb429efc0e9b99df28723af098321ce4d4b1055d4bd76982f00b7a85e1afd4c6f37282c3edaf2c924eef52ebfc0e9f25d0182a773d68

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
56KB

MD5
11ca976e0c63fbf7e5452001b4ba6796

SHA1
1fff52447c23c772c6147aa6e7890a69dffe5703

SHA256
3a0a58365c21c7fffb75f0246146574303f4a3debbc6bb4d7c37d9f5343ea609

SHA512
879692fd4979fa6bf327f07a0dac771781c543b02a1892463d35f5df6ca8301e40d1d8dc7108c5317deabf80ea29aed2c29dbb85ed5a35552c91cc7ee4dea58f

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
56KB

MD5
ab95c61589217d461de65c620933e757

SHA1
a1573672b7cafa67c4b0a36cc880e73e31614ba7

SHA256
1fba5b7298160060a669cd48ad503d693a37942bd94640d487385da402b5d782

SHA512
cb5a2e5be6ad6a23d4bffc111dcc397c5a07ed6d96246c4a68f4b130d76a2a8852ed977b283c9002960f4e9b7a216f19c77ba0d46de74ed1af96253ca4c7ff0f

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
56KB

MD5
fef23b6f6c2ea7aae1f12b85d7613e73

SHA1
bc48c8a198e583aa6f587399c82a03f461e2c3cb

SHA256
4c5153f10c9876e1f47a1769550a5f6e30c1c330bbe3e2f77a12b7ba4dfefc4f

SHA512
d2fe1d612cc6440fe14f223652f397028a2fba9ad458ab664e39896fc52b03cd8974f9db453970c4323824943e1d43c7608b40aa1052d9958c5be72c7af9eef2

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
56KB

MD5
6315d221a5ad2a9f7fc5961bf023f1d7

SHA1
def7eecd9bb27766727efc43f5abc9ea3e81960f

SHA256
7f06d690dbc2ca3eb02598dcb9d081613800fa342f7298d812ee3b56959db5d3

SHA512
d8918bda9d963ccf347d659e589591491d9f31ab43ebf75cd01eb06da2b80fee3954de45629c40579ed841a2463f974a7b526d1b1622d7638c0bb6dc991caf30

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
56KB

MD5
ed57656c77aed8dad2ed3c6fd2a3bfe8

SHA1
cbeab518bc0263fa31b87038079de6275ad43339

SHA256
9fcc2c988b2eac09ce9671ce49cd9c178c92e63697b3242ad7fb4423e2a4bfb9

SHA512
0c82231db62fd2103c40c2f099e5bf1787dc953912c81acfa1f0d72c310b251fb247abf9c9e692427c0e5c7764753f27cc24d5040af3e7dddac145b18e8ab61e

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
56KB

MD5
58c303cb8d25bc161ef836cba4e19378

SHA1
767173ccb8ee7ea46ccc98cf67b68723156e12bf

SHA256
f50a17a507829db267ad0a4e629924e1005af5548cfad547dd2c78a92aa92419

SHA512
5f7f56cefb6b08b11b5849ef02ddb6c7614d0a90822bea0e4adcc1e92d13691768785f036d03d073627fe9c16e159c9953accfe2cb25a290e1ecff8c8653aad9

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
56KB

MD5
0c46d15f08b60c1d0084cddb048ca116

SHA1
9575db3c24cefe9c34d34aca399a2a91b38673b8

SHA256
b07cfcdf8079f257d9db9df56a70c8b991a6b1df33b2c7d98a1394261d23c327

SHA512
b702d9581da1ab3c65417769c22a815694b23bfec3594b2b470398f7649eb3028a7245e49919ccfd893a13c7c9810c9f52ffe262a68e68695fb3bbfbad49dc8a

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
56KB

MD5
833654b492b26b250fe3ae7c2c6f6b4d

SHA1
2ff70cdea198e18c7eeaf89783a430af1f1a9b1d

SHA256
1740cbd6cfbeb558e9dada8f06788c9e5806b5d04f51898d5d8424dd77950900

SHA512
85d2dc98f602f7a739ff6588695557726f6dc9f3b05253525a5a05c82c827a1eaf4a1497979187a9c21447ca01de867f54c1b93e46dd5a37f1d4872c9e163a0d

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
56KB

MD5
d40e4f8df62594f8d452344358c56160

SHA1
ea8ba05f7283c0e16c917f7d56ce88d0f79576f6

SHA256
61e659570ae43e4665b3da0a2ed2b8c1e8e9b79883ef703faa7c8fd05695cffb

SHA512
c51652b5c3609c62fd0fd083d0837374d872e985ef303abcc874991e138fe9b302de00bb64091b23ea1d4adf9fcd4fc06e3e13331ec991dc4842e373ecee1602

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
56KB

MD5
b4f2ee6cd73d841c4a3128476c25988e

SHA1
a656cabd9c7fcd4f889adebdcebbb64fd58645d0

SHA256
5b422eba26be2321d3be0bb4da2282c0eaaddf5882ac0275127d4409a745728d

SHA512
d4b9b89c5accd9c4e1cd0b5a77d03435f006102e5f242d664426ccb26e37b651a946c2e3258a386a377f98d0988863bd08d51a4af69a43d989f05aa80ecf3829

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
56KB

MD5
bac21be7d5d06de128853469c1bad8b6

SHA1
0c6e44703c501011fd844c65c24a355168585a82

SHA256
1371b226ab308cae67b2f999b2d1fed923d92b2970c4a9701de2d8405ac8fe95

SHA512
7fb5f9f2fcab7cf90086a70870e330d7ed6ddb288685e334819d325494aa9dd6c77665043c05a7a8c55d72b709867f1cec40f503f5dd5cb2a463539c1fd7c16c

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
56KB

MD5
15af5f82f181893dc8391c68e1e6fa37

SHA1
18ea02698661975e342c89b65f46f579bc582eb9

SHA256
a6f8e1a45333341dcafbf232732f73436461141ee1906889a7a9230a4b68ef2b

SHA512
e59f84a260aa56bdcf66b13bb02bb796930a91637071eb35fda4aec4d9d4b4be52965db9c34e96386adb93c0f63c699ad11cf1e2ea8524f094e3b51e09970fd4

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
56KB

MD5
28b7aaaedfa8443c6897e0951396fc6a

SHA1
a0c890c710a64e84dc09c19e9fd101915f319d81

SHA256
b0b2886b32a3a8d21dc33db4060d71cf775535d827cb6c1aef6bc7261129ac9d

SHA512
ba083e2efecc1e6b313ba944529d5eaa3c8260f71f5f332b28d4ba1ee60e5e7d1075dee48f2fafaacd13ff5bb09ce3e36534a522f600a62ebc8c645e7e939ad0

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
56KB

MD5
dd965259857ab105de01b38b607aa03a

SHA1
14d312184500742b359be8d83cb1c2646c7d127b

SHA256
55d885733e573176ae9046c6c1aa95c79c57e35317368d92835011cd3753683d

SHA512
64df30b7d4f765daf24cf54c156fc439b220b3638e1f943aaf30d076994779aa85766ce4e4cb4792b06a44d35d97bb9b3261111f6f833c740272d1e59b889323

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
56KB

MD5
4157fece9092200041a658d7b2ab7be7

SHA1
8b5a18db8f0117c34f85a2c2699839b096bc7c13

SHA256
7e2b9d775d635df0dc817ed244abd94f4ac659c4a120b8c6ba3c0244cb7b601f

SHA512
48ccd2d1a4600692522cd1bf18fb8c00c0ce07e33bd1434bc3808b7331b1be47b5aa3a08da0d0c2573c5b39f3c7b15a927ccb48fef0a13c3fb9e8f64fe1c3aea

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
56KB

MD5
17a5761b597dae6b340a2f71b4efee31

SHA1
4b208d38163bca09d28330dcae7679dc8dbf73f6

SHA256
f50e8359b9d452885f1daf52bc64f43a530743bd0e1efc939ac4f00311f4dc98

SHA512
80751ebd1d89d5acd7279dc52f9aa5370e20386668f2c4e4f3fd75202afd8c6a7c6d2f7b75859ae6b7ba3eb53f99051ab7cc3f20dc5669e741eefaf16ef4ecea

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
56KB

MD5
8b6a918817fff2511c74fdf2182fcc20

SHA1
3ba114690510c7b53e4cf5c466e2174bae9a72e2

SHA256
c3c4de67d70476681132da0cc8f3a0b811a2eada896695d77fd1cea1f74768f2

SHA512
977016e837bfe2a366e9c09f0053a81230a480e4be01e602f390d17c79610a81f1ae0a6a7bb0a79ddb192b11f5c9d14b01273b2723d4bcb8c6be7a6d3352526b

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
56KB

MD5
1e85f428f97d114cefc05d3052680754

SHA1
c2c52799f2930d99f99524af0291efe9d99ed4f4

SHA256
e319733c6a885384262f422a4a84909966dca39c8afccbe1e7d3bc058e0d49a1

SHA512
fc94236d7cb1469e9ead04d7b2a6469c65087bffa130dc862de55f482bb8a5803d7d2d4806915b86825e6e3693f50def95ba1aead3c10ef3ff0eac0057a17c7a

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
56KB

MD5
7850e07c2a562f6feb497a83be01e92a

SHA1
8d653a5f077fbbc5259272aabe6885704234290a

SHA256
b176deb439ae1f3f67b3ee05f89dabb27084a95d6a07fa542c35680bd09774a6

SHA512
c5fcf9c9900e96ad3b14207315ef6a5252408dcb7a1fab449c729850d10f8788fd544498aa2a9c0222d00a85afd827a56b856654910117b899ef472253b7c30f

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
56KB

MD5
f8b8e937587abcc780d8c54d5110faca

SHA1
abdb519283d9d53a5d5a07dd06fd141f16ca680e

SHA256
e34ee6306efba7d9ac30528c88f4a84bf5ff3598d2b8d4faaf0befc0c5e21c57

SHA512
532db8d1368d33f27a04d001567d09881fb013371ea8c763fe4750ce390c781fd7a9de56b04ba9c98c1ebf4d47a4d93bbb98fc7c7ed030e468552ea95e0610f5

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
56KB

MD5
4be93a0fdc4bd1dcb7ee04e05016c398

SHA1
abb10e2662549056c289d0618873ff77416de674

SHA256
94df716f72eaa0ee3afb0347e84a86de35505c51be7446ca94dd54f12ccb6be0

SHA512
37f44ca56d10b540c1d9363af7077965321aa6f210ddcfb82f791c98330108d9f7bf76f92977314bd08dbfebf6f6d026d69effa49ec8c5518189e501c97260be

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
56KB

MD5
7b6e9d81859f3c2415eb2a34399b232a

SHA1
26516a3c527a7da83e6443fe96581bfafd40b618

SHA256
44c866a829f9822155ec153765fc99ec90feb2901161568101784558505dfe9a

SHA512
52d5d09d016e7a9bf07aaa2771b6e361cce789bc1a19b943fe084f9e5e504e740d42b8774d451bdc22b638deb74fc8028a79917486d41e4db762de2e992dd713

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
56KB

MD5
76577b0e4fd2c5a525c66ce1de966053

SHA1
5a9e6f8efecbb7c0739b111c6fe6ed584a035def

SHA256
ebd2d0a57adac945fbac3160cb05f833cc5ef5d639534df2856845591d7e7102

SHA512
c8169275a31c933c4affae5f16ff526fa5ca7904ecc14efd3d38bb4ad2c2ae2881853417c808e0d72f738e35f7af28c548d7d0b8105cd454e2c9694a2a297d74

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
56KB

MD5
a8579b6a013d63d8975f07b4195564eb

SHA1
f5902647c8111b934a8fa9b35a186cb85220c814

SHA256
4d766aa2f743d7375cc63dfcb7458fcc97eae2d99add62cb43bfbfec88a00817

SHA512
f45e559ffd93e4ed34902c13cc25659618dada133ac927b19cefdcc63b2611c1ab5ddebe0dbac212c965c8ae616830f8838677cd31debf44f478310d80035dd7

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
56KB

MD5
dd9241fae8a63801fe04d9bca2b470d2

SHA1
7baf602b9661467d598a008cb293e4c1b19036f8

SHA256
a4325474b50aa72d2aa0f1632c0d412a70b06d9ea3f9ae97145211d78832a6a8

SHA512
fa0db36b9315b524c06967c219bec8bfd115a0c84b4b9b04d201c1b3ec2caa3f38a56bb7b65ce5c260da14628ee03957bfac7a12fa0bb2b321d9d64db0b6525d

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
56KB

MD5
d6e4f53c2c7532c371d5b14a0845520a

SHA1
04a00f00f52e3197fbb6084941a4827b16ae65f1

SHA256
13a869116d82d61f53b99343706a13bb85363a5c64de4987810f3f672d67c592

SHA512
2add7273e579e1e82411c04e4fb1084c6886770a13338f650dd00d204bf585075681110d62b00547f1d8640fcf26d62129fb1122a155ad017e640405ca1e2f00

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
56KB

MD5
ad58d82acf2810810336b271819a5f48

SHA1
881dd09ce256746c3bac264c086447c6b76f47ee

SHA256
5b1bf5f8a711b32932490a1c1a48757c927deb81dd0e9e3c8005c1dc3f629216

SHA512
b367d17220fdf830deb1a951fd54a48edd7786984e7f876186117b114f2e26f8847d48429187f0322e8fc81861207fe5aa83eb9a175a0e33badbf77d348076c8

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
56KB

MD5
9c467cce1da6ccbb7f4a8c8a4ab27728

SHA1
f80c29e5f6a6d53c7ae2f1299f1aab3487c8fede

SHA256
eb3ef978e538e20d177cd59f95009e273ed056a9e370506961ef94a28bcb34ce

SHA512
b9cd6ba1b4134d2eb97ee783de2c6a2bb6de66601db6e079034db75f4b42cdf01674aea21ef4f473f5f04af843bfb352c9c42438079c7aad3d62800ad0234b1f

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
56KB

MD5
ec78e8374319802ec92edc6975face09

SHA1
d40a45a42abe0c25a97be82b3f4cc189a873082b

SHA256
12b94b30b8f0e6e22d464efeac682524d853bec1c9e4c88e4d4a043190f4e638

SHA512
63d67936301dd3227c485323b59b72b0a5eed7f94dc25e78da1ab7bb0c555618aa27079f095224c7ff21ff1138eb9cae7fb21e5bfd060a19bbda33cd3daa12a2

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
56KB

MD5
1be60c7ea9b85915e53e2e27c7b7ca8f

SHA1
66214691b63b2e823005a02fe187e9eb2a1d9c60

SHA256
f36005a3ed3bdcab735a67e1e0e48f0180e0c7ae131baa49d41b22b8fa9d9d5a

SHA512
b57d2c29b4effe7c997d1cde61343970791f3ac75abf17f69b2aacab0a56b1ba3f8cad4242176fc18948fc1a9591a9c765e28b1aff8d026e72731246064f3e2b

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
56KB

MD5
17df832fff0033acddd3c298079a93c9

SHA1
0872ff936780c8f9af3b50b8d13df8fff747de10

SHA256
b12758bd204b70050f15a536725591da6a24b604b3638bf5cc11276b8e92ee6b

SHA512
b7a78a5d8763b0056799c378cc1f64e2184117dd4f15ac419156a9b10921fd1d2743ced0f005ddee9a1d3aa60e50fbe5762f40fb3697edf3d644f6b92e3e286b

Download Submit
memory/372-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/372-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/380-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1084-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1128-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1172-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3576-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6288-1153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6368-1151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6420-1150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6464-1149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6508-1148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6548-1147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6592-1146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6676-1144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads