1f97ab373a42d9552f1e2c8d69b4836812d0a14eeca3809da97c159584c843de

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f97ab373a42d9552f1e2c8d69b4836812d0a14eeca3809da97c159584c843de.exe
Size

95KB
MD5

3ac47427059d22776ae0e5d261991976
SHA1

f02554bec945105251962b2a05fd911973cb51c2
SHA256

1f97ab373a42d9552f1e2c8d69b4836812d0a14eeca3809da97c159584c843de
SHA512

9c312895fcd550b132faf865701b7f940a53bb7be9ac1e625c67832021132962aec5dc5e7a63a42ff090bf44405f1e7f4c1334ffaebf3c954b1beb659a90a6e2
SSDEEP

1536:/MuRqacnZs8TXQOKzE+GjoNAtXyYD/jYyZk5MRQruRVRoRch1dROrwpOudRirVtB:/MacZscpKQjoNAFyYD7LZKMeyTWM1dQn

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe

Executes dropped EXE 64 IoCs

pid	Process
2716	Ebeejijj.exe
2804	Ejlmkgkl.exe
4944	Eqfeha32.exe
1388	Ecdbdl32.exe
2764	Fjnjqfij.exe
3852	Fqhbmqqg.exe
3516	Fbioei32.exe
4708	Ficgacna.exe
3004	Fcikolnh.exe
3488	Fbllkh32.exe
3900	Fjcclf32.exe
4296	Fqmlhpla.exe
3848	Fbnhphbp.exe
3400	Fjepaecb.exe
748	Fihqmb32.exe
2712	Fqohnp32.exe
1836	Fflaff32.exe
4812	Fmficqpc.exe
3764	Gfnnlffc.exe
4012	Gimjhafg.exe
3600	Gqdbiofi.exe
4084	Gbenqg32.exe
1140	Giofnacd.exe
1344	Goiojk32.exe
1880	Gbgkfg32.exe
2840	Giacca32.exe
1912	Gpklpkio.exe
4412	Gbjhlfhb.exe
2612	Gidphq32.exe
5044	Gcidfi32.exe
4068	Gjclbc32.exe
3324	Gameonno.exe
984	Hboagf32.exe
1496	Hihicplj.exe
2548	Hmdedo32.exe
4384	Hcnnaikp.exe
2100	Hjhfnccl.exe
4548	Hmfbjnbp.exe
3020	Hpenfjad.exe
5036	Hbckbepg.exe
640	Hjjbcbqj.exe
1632	Hmioonpn.exe
208	Hpgkkioa.exe
4440	Hbeghene.exe
4336	Hjmoibog.exe
3232	Hmklen32.exe
436	Haggelfd.exe
2300	Hcedaheh.exe
2044	Hfcpncdk.exe
1492	Hjolnb32.exe
3980	Hibljoco.exe
4204	Hmmhjm32.exe
3988	Icgqggce.exe
800	Ibjqcd32.exe
2004	Ijaida32.exe
2552	Iidipnal.exe
1720	Iakaql32.exe
4224	Icjmmg32.exe
4876	Ibmmhdhm.exe
2384	Ijdeiaio.exe
4396	Iiffen32.exe
3356	Iannfk32.exe
2452	Icljbg32.exe
4536	Ifjfnb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Fcikolnh.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Fmficqpc.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Ecdbdl32.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Llebfo32.dll	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ficgacna.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6764	6660	WerFault.exe	247

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 2716	3984	1f97ab373a42d9552f1e2c8d69b4836812d0a14eeca3809da97c159584c843de.exe	85
PID 3984 wrote to memory of 2716	3984	1f97ab373a42d9552f1e2c8d69b4836812d0a14eeca3809da97c159584c843de.exe	85
PID 3984 wrote to memory of 2716	3984	1f97ab373a42d9552f1e2c8d69b4836812d0a14eeca3809da97c159584c843de.exe	85
PID 2716 wrote to memory of 2804	2716	Ebeejijj.exe	86
PID 2716 wrote to memory of 2804	2716	Ebeejijj.exe	86
PID 2716 wrote to memory of 2804	2716	Ebeejijj.exe	86
PID 2804 wrote to memory of 4944	2804	Ejlmkgkl.exe	87
PID 2804 wrote to memory of 4944	2804	Ejlmkgkl.exe	87
PID 2804 wrote to memory of 4944	2804	Ejlmkgkl.exe	87
PID 4944 wrote to memory of 1388	4944	Eqfeha32.exe	88
PID 4944 wrote to memory of 1388	4944	Eqfeha32.exe	88
PID 4944 wrote to memory of 1388	4944	Eqfeha32.exe	88
PID 1388 wrote to memory of 2764	1388	Ecdbdl32.exe	89
PID 1388 wrote to memory of 2764	1388	Ecdbdl32.exe	89
PID 1388 wrote to memory of 2764	1388	Ecdbdl32.exe	89
PID 2764 wrote to memory of 3852	2764	Fjnjqfij.exe	90
PID 2764 wrote to memory of 3852	2764	Fjnjqfij.exe	90
PID 2764 wrote to memory of 3852	2764	Fjnjqfij.exe	90
PID 3852 wrote to memory of 3516	3852	Fqhbmqqg.exe	91
PID 3852 wrote to memory of 3516	3852	Fqhbmqqg.exe	91
PID 3852 wrote to memory of 3516	3852	Fqhbmqqg.exe	91
PID 3516 wrote to memory of 4708	3516	Fbioei32.exe	93
PID 3516 wrote to memory of 4708	3516	Fbioei32.exe	93
PID 3516 wrote to memory of 4708	3516	Fbioei32.exe	93
PID 4708 wrote to memory of 3004	4708	Ficgacna.exe	94
PID 4708 wrote to memory of 3004	4708	Ficgacna.exe	94
PID 4708 wrote to memory of 3004	4708	Ficgacna.exe	94
PID 3004 wrote to memory of 3488	3004	Fcikolnh.exe	95
PID 3004 wrote to memory of 3488	3004	Fcikolnh.exe	95
PID 3004 wrote to memory of 3488	3004	Fcikolnh.exe	95
PID 3488 wrote to memory of 3900	3488	Fbllkh32.exe	96
PID 3488 wrote to memory of 3900	3488	Fbllkh32.exe	96
PID 3488 wrote to memory of 3900	3488	Fbllkh32.exe	96
PID 3900 wrote to memory of 4296	3900	Fjcclf32.exe	97
PID 3900 wrote to memory of 4296	3900	Fjcclf32.exe	97
PID 3900 wrote to memory of 4296	3900	Fjcclf32.exe	97
PID 4296 wrote to memory of 3848	4296	Fqmlhpla.exe	98
PID 4296 wrote to memory of 3848	4296	Fqmlhpla.exe	98
PID 4296 wrote to memory of 3848	4296	Fqmlhpla.exe	98
PID 3848 wrote to memory of 3400	3848	Fbnhphbp.exe	99
PID 3848 wrote to memory of 3400	3848	Fbnhphbp.exe	99
PID 3848 wrote to memory of 3400	3848	Fbnhphbp.exe	99
PID 3400 wrote to memory of 748	3400	Fjepaecb.exe	100
PID 3400 wrote to memory of 748	3400	Fjepaecb.exe	100
PID 3400 wrote to memory of 748	3400	Fjepaecb.exe	100
PID 748 wrote to memory of 2712	748	Fihqmb32.exe	101
PID 748 wrote to memory of 2712	748	Fihqmb32.exe	101
PID 748 wrote to memory of 2712	748	Fihqmb32.exe	101
PID 2712 wrote to memory of 1836	2712	Fqohnp32.exe	102
PID 2712 wrote to memory of 1836	2712	Fqohnp32.exe	102
PID 2712 wrote to memory of 1836	2712	Fqohnp32.exe	102
PID 1836 wrote to memory of 4812	1836	Fflaff32.exe	103
PID 1836 wrote to memory of 4812	1836	Fflaff32.exe	103
PID 1836 wrote to memory of 4812	1836	Fflaff32.exe	103
PID 4812 wrote to memory of 3764	4812	Fmficqpc.exe	105
PID 4812 wrote to memory of 3764	4812	Fmficqpc.exe	105
PID 4812 wrote to memory of 3764	4812	Fmficqpc.exe	105
PID 3764 wrote to memory of 4012	3764	Gfnnlffc.exe	106
PID 3764 wrote to memory of 4012	3764	Gfnnlffc.exe	106
PID 3764 wrote to memory of 4012	3764	Gfnnlffc.exe	106
PID 4012 wrote to memory of 3600	4012	Gimjhafg.exe	107
PID 4012 wrote to memory of 3600	4012	Gimjhafg.exe	107
PID 4012 wrote to memory of 3600	4012	Gimjhafg.exe	107
PID 3600 wrote to memory of 4084	3600	Gqdbiofi.exe	108

C:\Users\Admin\AppData\Local\Temp\1f97ab373a42d9552f1e2c8d69b4836812d0a14eeca3809da97c159584c843de.exe
"C:\Users\Admin\AppData\Local\Temp\1f97ab373a42d9552f1e2c8d69b4836812d0a14eeca3809da97c159584c843de.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\SysWOW64\Ebeejijj.exe
  C:\Windows\system32\Ebeejijj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\Ejlmkgkl.exe
    C:\Windows\system32\Ejlmkgkl.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\Eqfeha32.exe
      C:\Windows\system32\Eqfeha32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
      - C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        23⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        25⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        30⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        37⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        41⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        45⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        46⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        51⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        61⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3940
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        67⤵
        
        PID:316
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        69⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        72⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        73⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4356
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        75⤵
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3556
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3756
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4004
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        84⤵
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        86⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        94⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        95⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        96⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        97⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        98⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        99⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        100⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        101⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        104⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        105⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        106⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        107⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        108⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        110⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        114⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5832
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        118⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        119⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        120⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        125⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        126⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        127⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        133⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        138⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        141⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        144⤵
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        146⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        148⤵
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        149⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        150⤵
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        151⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        152⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        153⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        154⤵
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        155⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        157⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        158⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        159⤵
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        160⤵
        Drops file in System32 directory
        
        PID:6616
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        161⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 424
        162⤵
        Program crash
        
        PID:6764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6660 -ip 6660
1⤵
PID:6736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
95KB

MD5
fcf73a7e2e64078b8d86d29bc2500a4b

SHA1
e5c620899d71fa6cccfc437e042847243e9bb420

SHA256
ec923786623d6673847d47c520346420b62ffdc0f1422bb078ed5be2cbe3f5be

SHA512
0bdeb670bfc959a552e9293e3179aabeec7941b242ee3961d1e0be41a1a3060d1257eb2075ce06032a40036e11e2ca62ed820af2efac09d471a18e0162dd3e68

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
95KB

MD5
8f2ae85247f39ec8d1b0a350c3d47231

SHA1
201c843a150bcc108c000f0b697eca2a7fecfaaa

SHA256
c6f415556e9bae0ac4e740e0b0890fbdbf4a6ed79ccc60e4ef108bbc998689c9

SHA512
ea82dfb4a0fa3818b52e0026f9c3f9275e978f15f5de610164c3afbb1ffc2043db1c7259497c4965f681ca6e83e845bdbd40aa8ca59e3c5a124c6edf52ae94be

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
95KB

MD5
33e156e3b8c405c04442ee42efc02e73

SHA1
21983588d13b80a6c6bc7df1c958fcc19742d1a0

SHA256
d188eb7568c4ee80ad54b7abf0fcfe8277813b38df95abe4aae9f72fc7e727aa

SHA512
5393323de5e4ac66dc5ce74c2ab78c7771bf3dd3274eb2ba41cf66b6f651950bf7b2045f4b350311d5166a023d666b893502724822470b51ebffe8e32b1372fc

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
95KB

MD5
7eac4a232be7ab4f084455227a920325

SHA1
2b3875fb55a5ea5521cb4ed1a2c696b52b41e139

SHA256
021ee7ccf47598fc438461aca7fdc179aebaa240e24733014b1ec7b7a7046e88

SHA512
815239e985f8a0081c3756090db3b3d08c9a7b0d00ece39604bcadec4a23553cb3c353f04951b3ffb8ec7becb174785fc0fa89e778f549d812d6b0df0071c683

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
95KB

MD5
c703528ba2d3fb10d278a7ddb90ded0c

SHA1
d62267c3476df00542df2050be8ef950b2bd1d07

SHA256
3f3a79194c9415036ca90b0ca9ee2710756b6aa0c50603519c6d4a6ce4a129e6

SHA512
1a9fe6f66d82289ce11add12453e3f8eb353fa0a60b377655ce192a6387f77a0b71609691c86def3d015a45c25dd638b4768e955563b5a7fb43e5f5b32a24522

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
95KB

MD5
65748f041f3cf046be585f1aa0c9bcae

SHA1
3612dfa20302552f544fdbed4ab2bdc9427a3c7e

SHA256
bc5d34927952847b4b687490f1dfb870a6541604c4b698e7876b1565de4c7ffb

SHA512
840f9c3bf0bce95260a734f6ff743dcd0a9e9283cae24ec6a88c7958a8d99000a44efdad136859cf69566a09b115be92118e6e6788d45fff2f6f62ab50c37b9a

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
95KB

MD5
d63720c7758c71badb3f0e63c360ff67

SHA1
7e47add37ced14bc9b5662853f11fb6f19b7f4cb

SHA256
b8b6f2dfcb494bee523d1dc8a4a73d43e4011e5f589d8e7ece6a78dbcfc36b7a

SHA512
fd7bb182f351efb77c2f68fe90bad0808380b0920271abd10502488f3e5632294cd168461ad6401cdac85329b7dd9a1f78344e90edaa6c501c4f2d7c8f3152b2

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
95KB

MD5
b7138f773a9f7a8d9476176a35ecb181

SHA1
a2e524e9e21870d43a06bb8b21438fc64de91155

SHA256
b36ecb51c12ded6ec71790d4fbf3ca502aba070eeff60f6cc26a8a22398ae3c6

SHA512
a463514d7b25030d403052cba732d212e536d1faea776af528aea0c2f054442dca493775238395d2635c867fdd4f6dda38357867b0e611d92b479612d47b1ef9

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
95KB

MD5
c8577d1f95414cd158303803f6824e8a

SHA1
38aba25b46284591614b5fb834fb9dbc3ce8a791

SHA256
d6b5ae1d643308180150af57ec04dbcdb3d3adcb56e85580c9f51f18f642b42b

SHA512
f227425bddedefc08bef8268b1f33dbf58d37e7e71ec4eeeb29ebf781d0d8254bbe1d70e3751489e3eb35d4ed17d9f92798a442791db180d9fc1c826fedc22c5

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
95KB

MD5
92f810c7896669368ec34527877feac8

SHA1
7244b12651c62c93d574495ed609aa31c1759747

SHA256
b827e7f895ef09a514b4f58efe2df6304f1b187f1aed14b75f0c710b9675947c

SHA512
b81147c0d838f1c4f01c9a709ce07a5ed9ececd4b3145beaec3f7b3f85121e884f968f5953d4e91b6efcb8b30a80ee8d23ea92645c63752cf107bd42472b021a

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
95KB

MD5
1b1e812f59449014da0d6637c93be30d

SHA1
8a30a4fb28fd1856728e88b8dfcaa0da6584a49a

SHA256
9c4357f47573ea78ee517aec254b6af6fbae92fab584dda4303477179550b544

SHA512
8f67b250f6131a77499dbf39cc795a59ec7707f49178578ddd9cc8ff263eaa17be75ace9d774e6b323b092e5120796c11cb83cca438d072bc30e32fee24b4793

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
95KB

MD5
7a72822d690e494302f96641ae7a3762

SHA1
6ac9592a6d71d03931e47d00b0aa5fd4ef39e0d3

SHA256
502910c4382cfaf409b934dafa840f1655493e2e509e523f655c3bf56c688177

SHA512
aad88183998f62b99245a0631a1f06c3f3847d60793697a24d200fe9a7c24485504427a184786bb378c3f64e2fcf5c35c704d149501504be070caf3158ccf664

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
95KB

MD5
4a306ff941cc224a1d29e83af49d0282

SHA1
e4c3344b1c0ea7571b2937dd64ffc5762ab4f391

SHA256
353abf3b94376bcf3ab2b9cfe490ee2151f1d27bdf891a577b042b420918b0ae

SHA512
0b03cf4329234a847c2ca6e9e712136b0a6455dcefd1d00d6f4694468218ff6de85d3710bb52391a09900582dd7acb11d554a7883feb2aaf7544dc8fd2b04d86

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
95KB

MD5
e763be8e84f2bbd3b3f8127df58ac1ed

SHA1
6459fd453c5d8d3293f20d7369e0e765dfd53a4f

SHA256
186566d2b1f549c98cf0541722a873efca30eb50f872268b8a10d3ce6a488f8e

SHA512
58e655292f2035294efffaf401bb3cd448d38f69d9d9cd2faa45e88382861a4c3db0147a953dedd71d71e313a252ca81ce9c001218899d22a644e4611d13e16b

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
95KB

MD5
f4378491d18ed3b685b76816b6ead9f4

SHA1
840ef1edb0522f3e659c02bb6cf3ee7629b693e7

SHA256
7dbec8fd96ff723878904ea394360c43a2e3a35f7582815297b745104cda6a21

SHA512
baa18a77333ce6d0595f3e7e543c75753535f487cfacec1c0de2c33a4864ee5f8d536ab8dad4dd5bc350e5fb4d1d27cee5cafbc48ba06306156c0f6bf60924a6

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
95KB

MD5
0d5e51954678e50ea949dc19eb8b1b36

SHA1
1417e8437309b113158b2d851ed2d428d5e32b03

SHA256
69198311ea52a10875f2981e83a9ca118293ecc1eb8fb60e8d44627fc3d88543

SHA512
9f872b09df64549603ceb20dff2886c21cbf9678530bbea2d97e93aec90632acc713f65d71ac4f8d2eaa54d26f26c4d7cd4f8aba29a091d9441cd676c3bde177

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
95KB

MD5
32f68b07a9bfc259aff35f896bb04291

SHA1
e0afd33201b06478f85c2473f30e361211a29dc2

SHA256
e4945abbd59b59fe623a2e852252309ae244b7e29b743fd8add00682b97b1ba2

SHA512
58ef37550bbaf9251c03ce367eeffbf82f13b9c3388d030c721d7186442c22f2865a2daf65458ce2ca06c6ce9f156ea1a578f8c39e9ace0c55aef23152cc6d38

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
95KB

MD5
761ada30f5c0dc3f23e1a92e1a467898

SHA1
4b77e3309e3329a89877b1fc8da0f61bf242bf09

SHA256
0c4ffec80cc86dcd7d3165a8f8b4a78b945094ae770132a25fa06c13c0651066

SHA512
cc84bbbc19fccb05d51911ec53f76cfe3571c30fabee4dbea071a70830b779a4c8e90bf526304f735d6af5cc68bd63a37aab88e11d08763259b3a7d97dd9c9ce

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
95KB

MD5
13bdac569771c777e29f9cacdde344ff

SHA1
d4c3a72a7200bd4dfcb81bc1dde8aa7b14bbe39a

SHA256
4cf469050d62aa2e58d37167e3c2498c557600a45509ef1e928e2356edcb3c3a

SHA512
e33a36f9f9c44482acbe29123b15e8cb69fcb8361f6bdf8d9248c566d9744a76a9d1e13bcdfa3475793217a6cb349406743a43b729cd3735aa60625516737089

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
95KB

MD5
358308b7e88b66bb506e471596c46685

SHA1
db6ab423f87ca2a22a00d458320eb37aca612606

SHA256
6bf0f9bdace6ae6ecee1e0630897e2dd8983b2ded2b8a4a7fe475e9b2ed4d16d

SHA512
113bd4d801db6ddba9fcb7529b56644f1a88fff3916951c9c787a400571ea3a20a7b53df46bcc96de438fe3297b210be4adcf9cb5e4a722e799091d72575841b

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
95KB

MD5
237c63494124487bacc130a1661a8788

SHA1
f08db1ee231b3b108a65203f2997422a9e996893

SHA256
c3832e4d0276df6a7996ccef0a5c274365244eb8309f7a00a58e2d37a1a32abc

SHA512
9e34bcbf9480fa5973895fb9dcd07e628bc08c7e478f9d07e46c54d96bb2215adb88cffbf515e8c36650ad3335a5d95a854ca3ec37eaf755936dd9892af21951

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
95KB

MD5
c9e2341fdf31be8baf2088dcee5bba11

SHA1
5b55d2077289a5d76615f4726f36690a9e5ff060

SHA256
d49cb769eefdd4e4d4b74f4e7065d07eea8636f50a73e38fca9b11cbcd86a2f5

SHA512
39b5963b6d5e1c8ea55a8e4994f6de89bac133f218af569a9e95385f99b284164be618ee95ace9f93cffb342e5583aca90d9ecd7dbccb27ab6e172fe95e865ce

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
95KB

MD5
3dc09b2cf828b285bb216766e4284f10

SHA1
564c9ce232645959d76435b7e2c89c57ee5bb606

SHA256
f7f662b381fd2adc0e83c9d9206f724317c8087114670dc506ac642020e14a37

SHA512
579b95205412ebe5847ad22b74320c2a23b2ed496d63a0285f93a41a6bf7ead2a29e9cfb9e4dab74ea9fae754042d2815990753ae81f81682aed4c253cafad91

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
95KB

MD5
0729d8a2c3088f962505a0f42c45b981

SHA1
67df25ae855b5703652b2ba43dbc2b53007cf9bd

SHA256
bf707bbf68b10084fc76e63f0dd42f91e63138bb08c3b6eabfb799288de2154f

SHA512
36353220580f20e1dfb162569cd1c8a0233db5576e7a3cc24b0722c6ea1f2d6c99d7b9eca6b19b1cb1fdd38f4417ef5d76fdf9214835624432510f1768c2c191

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
95KB

MD5
016ea381281ffaa2df732f83706b7392

SHA1
a62133645e03c61f30a7f6ceb7d87661fdd0b54a

SHA256
a8367cd95d4fae44a6fd4c31df240d234e02fc37fc6e58912ed88fe4e9caad42

SHA512
04d5f4dfb0ff3ee7a4d557037b65fe0487748d57b5c3e96fb1a34bf92716e677957ef873ba8212dbd336d7a09c335be804aebcce99c36b93fd1eac27249bfbab

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
95KB

MD5
bcd46799d321f431dbb9a0ddf0fa2568

SHA1
d448c2676488edf1b715c9848d09b9193cd1b067

SHA256
e77b8107aa217bad777b10297d35c180aa0ad6a78c52e0738c628ea777582a04

SHA512
d3c21498f49bfa80c01273636d7a7ac32dc8df2d788538fb11175fe518cef486374d4e3d7727fc05b0e67b138801dd4088687c541057f2e158e67fb7a16eff29

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
95KB

MD5
fbc8042b7f3fb509d9f803da3d0a1fda

SHA1
56b73c3bc4821a93cb36e313674289c34a7949ff

SHA256
5079bb31f81ac1b217960daa34841075c26753c9996bb61413848000282166e3

SHA512
50442b551826add7b048e99bc61b08abebd2695d40e4b05bea121f32eff58ffd4290bead4c40445b71a5b61d32dd549dc6e2b0845c1fde19984db42966c3df31

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
95KB

MD5
c2fcde1e9fff1fbe3121265ffb5603bc

SHA1
be43981bbaaf7d60ffa30513510d05bd2d2d20a1

SHA256
1f291f8535a3cebd302c509e5e2972af3cbd08417a44933c814c0fdff364c828

SHA512
b0f45ea763cd1fefcf970444e564c3925213de9c3cc4df29a5c4733c06abd4d396da25b3a7e83bd95878b3fdcf8a9875e6b81887074a5761b87a0d61e8be3314

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
95KB

MD5
7ef23b2237e496941f756e9fbba6e4a5

SHA1
d9e0856d428cb1382506fa353cee0e5dab637960

SHA256
491e130971055a6399f1a32a92018666f047364f1ab655392b578d66a60646b2

SHA512
cdfa1279f049584eced484b8f214d5a2f8fd2089bfc34ac1079af2286816d44933eca5bdcf329a477509bc509c87ab4b34c71e5498e3392d03fc22bb6a5e3c4e

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
95KB

MD5
91bbb6a8a92c21255ddf2282f022f398

SHA1
1ae375ba2ff59594acf5dec97c52ba526d94bec2

SHA256
e26ad27e049d640a5c6866fe5999a05ef06e8be0f888f8b918f4a5bb8beb238c

SHA512
692aec93dbb54de35b7f6bbf86ce19dfbb3277b572e7e40600c74670e95ef81cbe957fe5a6a356009ac911011cb344b99c162bce8b1f5d552c6b8d2ac31e4315

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
95KB

MD5
648a937e440adaa578e19a1ad97a3b02

SHA1
7778f02a651452d590909d86fc8d6e9e370fd3a0

SHA256
b08aad5bedffcd8f79356a66e052a590844ee27e35a0c40b6b9d13a6112c8f87

SHA512
2c45bccb36055de6be483d449d1be10542134e9ad4146c2972cc07dbc3f65c642a4485f42d071c8c2f234821302cc1dfc39dd7483eff426f81a6839967e2b304

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
95KB

MD5
ca6f4d1efb0fa9df0712286f1dabaaa4

SHA1
c5bf5ba08caf61b6716424e061b2bcff59aa6766

SHA256
97b9ce6c5f58770dd1b067215e042df3a54d760c25648a6b16336f500ddb1a2d

SHA512
295c553540e041783e707d92645a009848c34e7bbdc15759509bc8fb1af6c19c2a36e33466930e3b83315690bb0acbdd71daf73c5cb1deaf25afcbc31d1fd1f8

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
95KB

MD5
2d272b3842a0c8434b06cd90393b56ef

SHA1
1e43cb959fafac8237e0252e101f99b640a80230

SHA256
337ee20054a60457859be65f438132e9a7c48205bfe4502acce0629e2095ae0c

SHA512
78efda5601e98f54b4d09d6efde232d50feb9cf8d4e0eac2db8c2a67706fcd694792e5c975d075e1e24c94a904b410e39d8bd6775715c9ec851577672a3021a3

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
95KB

MD5
373d25c3d1e55976e68256369a613dc2

SHA1
95fd8d5a586960fa7b1c0480ecf12ac2d195d127

SHA256
9f6d5a58c2975f19ff93580c33fb601d629818f4adf80f200dd171318236eb7b

SHA512
03c7a1ce29304bcedd7fd0b561149950cb317a657a4534050e820229698c4bf8aa4e082c2f99d58cc13731a4debef0f11c846cbfc366ca122a578f5044403064

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
95KB

MD5
74196b2344ebd560bde7cec9dc0f6b80

SHA1
ac0df178ae7840a21dbbe23e1ca154164b2febc4

SHA256
724fd063cac0c4a5f2a9e42e247a46b314790588c8a76c80b79847587692c977

SHA512
122c4664364bb6dccd2b7fb5a79f55d0501c0d08425654266a2e70803321bd5a8941f2175f5d846e14f3aed3c0ddba973875f00ec56afbea64b56b82e7f370fd

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
95KB

MD5
d532c1be7205239ded9781eac5191ce2

SHA1
9abadf3b6da4b28ff8d4500866b507ae088c7e78

SHA256
709367dddc0ec86d6f4d2c999c3b1172d9d4ed90ce5ec9e05d257cb627929f85

SHA512
e891873444352d3f855cc7658a541d6125941b8d94ccbf56db1950c0d53abc54730d7e7fe8ba938ceae8ecb5109228c7ee9d8de5075e6b214dcb13605bdc26af

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
95KB

MD5
fb684d49d0a2a12b3eeda103619f067f

SHA1
82eb2d1f9c091ed528258e78004272cbe3eadb15

SHA256
89c79fe6947435bb15236da6d1065252fe7bd7a545661a4ba1edf88272aa8692

SHA512
22f38f7934ff7acce2a53f6a00c4e70a979f2fd1a285179daaad8f56adc8ff64e339f1349432b4ab60da2a39c073e8b21bef8e0a8a6c32bf6f066e6cc7429912

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
95KB

MD5
c56d80c9b451952d5edb18bf79817429

SHA1
740f0926e7b9789ef0bb4a82abd0ab7c4272d3be

SHA256
af46650041e186b721699bcf9d0bcb228e100d9b1631dd0d3e0a30772bb35f27

SHA512
16a174997cc84b2c76598f75f58851594c3b7f54d8083d4a3a7bf28eae8c7d1f4330b8fbbf396722fa345fb848d342bc2737e077087f0b4aca63c55baeb6c223

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
95KB

MD5
0a71e2bc879db708a3e58bc5a8622fe9

SHA1
401f32fadc935987a242aeb909f4e53e0dfd7b7f

SHA256
e8075f372d3fcfe129f2b87cf1585802341a40f2d53c3ba2f84db4e5a6a2b15d

SHA512
79862373af4b545d3599d809eac791729167556d874d7f5c6dd67c6959d36fa39b027ee98606adfaac285565531330e09a4b7325acf546d7080493e4cc7a9381

Download Submit
C:\Windows\SysWOW64\Lbdcekmm.dll

Filesize
7KB

MD5
25b9c3de5fdc033173a8af8c88e8eae2

SHA1
03370166dbcef83b37415e5d13349968fc4eba87

SHA256
d5c30b3f59f7d88ae1884c3c144e58e256eb8a2f711975d0e0523850dca5e3da

SHA512
5fb4fcb8a857b953140ecfbabd5e3ed1e4566833895d8154b7ce1fbc38433bc997b8e592074b37ca7619c2fda74ec946aabc3fcac0dfd02768ff33be2140cc6d

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
95KB

MD5
7b66800d5366f8416cc69b5b3b2a9a1f

SHA1
b61ae62571e02d7573f5390ef82b3d647a2e72a2

SHA256
c03ad1bc1065ac7f91ab94a13108645e406ea46a89a520f268ca702bc6c825c8

SHA512
14e64d33973a87ee558c1e2a51b9a732c4100ff48ff993053e330890534825955ac0fd69f7c5088df81d0988fda27e3bf3fc864583f70472e8e2b517b277b7ba

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
95KB

MD5
0f969c8156d2831ab19ef101814eeb53

SHA1
28b38882a95cbf6ffda8004c32df40bfdfa23b2f

SHA256
81ad325a3a38c86647da5ec32b17fb802c5e6759a82d4d49bba927814e22d6f3

SHA512
b5b75e384be9de2623fa9e78220ace5830ff3c1755c3b07a0fc7886a606d261d6c6dc1531d45a61c9caeeb4af01052e5da963c0a8b0ff2bab9dfa812125b1b43

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
95KB

MD5
df5aab8631a3d93744e8bec7408f92ad

SHA1
75bf0e66df6ee6cc4c033380130b61259e207d8c

SHA256
86c56c613e93313cea6cd7113aa9798958ee86c82bc208a0a10a9f49311fd78a

SHA512
04488bee9f15ff8a69b9552293d294793bb39d1eb9139c244102dba61749a57b95f6acfa92e68c1f980902adfe3eb9f689cf38ecf1896fafff5be91faa73c27a

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
95KB

MD5
7cdcefc11521e9551c3a3b6de7773a19

SHA1
5db220c447c28d83e7ea2d8d39e1b5b4472ea982

SHA256
b868911757b3cade3e4cd9683c22742af9d45a610c917addbee8211c52768ab0

SHA512
657ec978e166255ce6daad54f0c035dbcf4ff43a5bd55447e7c3df4fe82027b7a9acc86ec046870edc6abd697c26369dd8cec8d74b22c0f67916163eab77eb8e

Download Submit
memory/640-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/984-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1836-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1912-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2100-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2804-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3020-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3324-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3900-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3900-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3984-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads