92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29.exe
Size

98KB
MD5

a3ece1d1ccce5ebb555f3c0869bfb621
SHA1

f97c8c65887c61bbcb7a23e8843bdad873272bd2
SHA256

92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29
SHA512

0f15d55a302815faf117321ed0c30eeb35e88788377e267728ea90c7b596cf1de0a7b9b069f240b6fcefff33487eb9c070117b95edb2f5984be56a98d9f9e342
SSDEEP

3072:920VpvfKJCVNePCA+GL312g9P5NU5zEgeFKPD375lHzpa1P:gGkUNe6A+GLog9xNMEgeYr75lHzpaF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe

Executes dropped EXE 64 IoCs

pid	Process
2800	Eqalmafo.exe
2564	Ecphimfb.exe
4800	Efneehef.exe
4064	Ehlaaddj.exe
1016	Eqciba32.exe
5052	Ecbenm32.exe
4872	Ejlmkgkl.exe
1892	Emjjgbjp.exe
2108	Ecdbdl32.exe
5108	Ffbnph32.exe
920	Fmmfmbhn.exe
2992	Fqhbmqqg.exe
848	Fbioei32.exe
3560	Fjqgff32.exe
4612	Fmocba32.exe
1332	Fomonm32.exe
2032	Fbllkh32.exe
3968	Fmapha32.exe
3480	Fopldmcl.exe
4788	Fjepaecb.exe
3456	Fmclmabe.exe
1628	Fcnejk32.exe
1664	Fjhmgeao.exe
1600	Fmficqpc.exe
1072	Fodeolof.exe
2196	Gbcakg32.exe
4560	Gjjjle32.exe
504	Gmhfhp32.exe
5036	Gogbdl32.exe
2140	Gbenqg32.exe
2792	Gjlfbd32.exe
4036	Gmkbnp32.exe
2868	Goiojk32.exe
5040	Gbgkfg32.exe
3496	Gjocgdkg.exe
1948	Giacca32.exe
2568	Gmmocpjk.exe
4400	Gcggpj32.exe
1548	Gfedle32.exe
4232	Gidphq32.exe
4364	Gpnhekgl.exe
1688	Gcidfi32.exe
3720	Gmaioo32.exe
2572	Gppekj32.exe
792	Hboagf32.exe
1960	Hjfihc32.exe
2164	Hapaemll.exe
2508	Hbanme32.exe
4060	Hikfip32.exe
1988	Hpenfjad.exe
2536	Hbckbepg.exe
4668	Himcoo32.exe
2816	Hadkpm32.exe
1936	Hccglh32.exe
3016	Hfachc32.exe
1468	Hjmoibog.exe
4424	Haggelfd.exe
3616	Hcedaheh.exe
752	Hfcpncdk.exe
3772	Hmmhjm32.exe
4116	Ipldfi32.exe
2396	Ibjqcd32.exe
3440	Ijaida32.exe
4220	Iakaql32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Emjjgbjp.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Ecdbdl32.exe	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bejnmepn.dll	92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Fmmfmbhn.exe	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Efneehef.exe	Ecphimfb.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Imbaemhc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7036	6880	WerFault.exe	265

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfnlmai.dll"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 2800	940	92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29.exe	88
PID 940 wrote to memory of 2800	940	92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29.exe	88
PID 940 wrote to memory of 2800	940	92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29.exe	88
PID 2800 wrote to memory of 2564	2800	Eqalmafo.exe	89
PID 2800 wrote to memory of 2564	2800	Eqalmafo.exe	89
PID 2800 wrote to memory of 2564	2800	Eqalmafo.exe	89
PID 2564 wrote to memory of 4800	2564	Ecphimfb.exe	90
PID 2564 wrote to memory of 4800	2564	Ecphimfb.exe	90
PID 2564 wrote to memory of 4800	2564	Ecphimfb.exe	90
PID 4800 wrote to memory of 4064	4800	Efneehef.exe	91
PID 4800 wrote to memory of 4064	4800	Efneehef.exe	91
PID 4800 wrote to memory of 4064	4800	Efneehef.exe	91
PID 4064 wrote to memory of 1016	4064	Ehlaaddj.exe	92
PID 4064 wrote to memory of 1016	4064	Ehlaaddj.exe	92
PID 4064 wrote to memory of 1016	4064	Ehlaaddj.exe	92
PID 1016 wrote to memory of 5052	1016	Eqciba32.exe	93
PID 1016 wrote to memory of 5052	1016	Eqciba32.exe	93
PID 1016 wrote to memory of 5052	1016	Eqciba32.exe	93
PID 5052 wrote to memory of 4872	5052	Ecbenm32.exe	94
PID 5052 wrote to memory of 4872	5052	Ecbenm32.exe	94
PID 5052 wrote to memory of 4872	5052	Ecbenm32.exe	94
PID 4872 wrote to memory of 1892	4872	Ejlmkgkl.exe	95
PID 4872 wrote to memory of 1892	4872	Ejlmkgkl.exe	95
PID 4872 wrote to memory of 1892	4872	Ejlmkgkl.exe	95
PID 1892 wrote to memory of 2108	1892	Emjjgbjp.exe	97
PID 1892 wrote to memory of 2108	1892	Emjjgbjp.exe	97
PID 1892 wrote to memory of 2108	1892	Emjjgbjp.exe	97
PID 2108 wrote to memory of 5108	2108	Ecdbdl32.exe	98
PID 2108 wrote to memory of 5108	2108	Ecdbdl32.exe	98
PID 2108 wrote to memory of 5108	2108	Ecdbdl32.exe	98
PID 5108 wrote to memory of 920	5108	Ffbnph32.exe	99
PID 5108 wrote to memory of 920	5108	Ffbnph32.exe	99
PID 5108 wrote to memory of 920	5108	Ffbnph32.exe	99
PID 920 wrote to memory of 2992	920	Fmmfmbhn.exe	100
PID 920 wrote to memory of 2992	920	Fmmfmbhn.exe	100
PID 920 wrote to memory of 2992	920	Fmmfmbhn.exe	100
PID 2992 wrote to memory of 848	2992	Fqhbmqqg.exe	101
PID 2992 wrote to memory of 848	2992	Fqhbmqqg.exe	101
PID 2992 wrote to memory of 848	2992	Fqhbmqqg.exe	101
PID 848 wrote to memory of 3560	848	Fbioei32.exe	102
PID 848 wrote to memory of 3560	848	Fbioei32.exe	102
PID 848 wrote to memory of 3560	848	Fbioei32.exe	102
PID 3560 wrote to memory of 4612	3560	Fjqgff32.exe	103
PID 3560 wrote to memory of 4612	3560	Fjqgff32.exe	103
PID 3560 wrote to memory of 4612	3560	Fjqgff32.exe	103
PID 4612 wrote to memory of 1332	4612	Fmocba32.exe	104
PID 4612 wrote to memory of 1332	4612	Fmocba32.exe	104
PID 4612 wrote to memory of 1332	4612	Fmocba32.exe	104
PID 1332 wrote to memory of 2032	1332	Fomonm32.exe	105
PID 1332 wrote to memory of 2032	1332	Fomonm32.exe	105
PID 1332 wrote to memory of 2032	1332	Fomonm32.exe	105
PID 2032 wrote to memory of 3968	2032	Fbllkh32.exe	106
PID 2032 wrote to memory of 3968	2032	Fbllkh32.exe	106
PID 2032 wrote to memory of 3968	2032	Fbllkh32.exe	106
PID 3968 wrote to memory of 3480	3968	Fmapha32.exe	107
PID 3968 wrote to memory of 3480	3968	Fmapha32.exe	107
PID 3968 wrote to memory of 3480	3968	Fmapha32.exe	107
PID 3480 wrote to memory of 4788	3480	Fopldmcl.exe	108
PID 3480 wrote to memory of 4788	3480	Fopldmcl.exe	108
PID 3480 wrote to memory of 4788	3480	Fopldmcl.exe	108
PID 4788 wrote to memory of 3456	4788	Fjepaecb.exe	109
PID 4788 wrote to memory of 3456	4788	Fjepaecb.exe	109
PID 4788 wrote to memory of 3456	4788	Fjepaecb.exe	109
PID 3456 wrote to memory of 1628	3456	Fmclmabe.exe	110

C:\Users\Admin\AppData\Local\Temp\92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29.exe
"C:\Users\Admin\AppData\Local\Temp\92bfb25aee5b1846c4451b0265731870f3b6a33c698911bd076513a35733bb29.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\SysWOW64\Eqalmafo.exe
  C:\Windows\system32\Eqalmafo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\Ecphimfb.exe
    C:\Windows\system32\Ecphimfb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\Efneehef.exe
      C:\Windows\system32\Efneehef.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        28⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:504
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        33⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        36⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        38⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        47⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        53⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        54⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        55⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        60⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        64⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        65⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        66⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        67⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        68⤵
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        69⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        70⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        71⤵
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        72⤵
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        75⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        76⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1368
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3368
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3036
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3144
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        82⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        84⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        85⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        88⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        89⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        93⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        94⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        95⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        97⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        100⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        101⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        103⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        105⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        106⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        107⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        109⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        110⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        111⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        112⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        114⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        116⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        117⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3876
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        120⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        121⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        122⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        124⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        125⤵
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        127⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        131⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        132⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        133⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        134⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        136⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        140⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        142⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        143⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        149⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        150⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        152⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        153⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        155⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        156⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6896
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        158⤵
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        159⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        160⤵
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        161⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        162⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        163⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        165⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        166⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        170⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        171⤵
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        173⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        174⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        175⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 424
        176⤵
        Program crash
        
        PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6880 -ip 6880
1⤵
PID:6984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
98KB

MD5
367065ef75fcaba316131d78b0b3744d

SHA1
b1e3317ce182bd9c05aacc4e1e211b7d25929f8b

SHA256
a9bb0bb1cd04e2e0c324e4098ac9b358099d56acd58fd39d308d198e39f553de

SHA512
1958f028e627bcea53a08ea49596e880b36586d1b4be14d74580808a0b0366eea34cfa8081ab8e8a8f873eae8f98fa02c542f164005517606dffcea5b5773b09

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
98KB

MD5
47c87b2914cd91370ebc7b0d82c9cf21

SHA1
6f7a573f72aa2566bfbbcf2c6f1df146dbe84d89

SHA256
86ec709637b9321278d61f71ab5b3eb372321768428190477799e47b81461be6

SHA512
dc0ede87854120f00b99c0a30d8f9a43b87959789379840a86c218ded03874713827d8fff71ab373990ae9c74d776aa0ce8cfba4dbf8e38179e2cfca9771db22

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
98KB

MD5
54a30cdd2ace5d92a933a62cf1c66352

SHA1
9df70569854b1a2383f7069ae7f4328022a029a2

SHA256
f8cced4c90005fba6014cc53ce93a610ea73c902e2c65f2843ec27b143cb7bcc

SHA512
bf178472f72d8bf71d234d8ddbc2cf7e6f6e3e17a87b46f5f1f37da7caf7a1f5b7f2838498e5190fc6c9f719f50b5e1b5d0eb9b38bcc0c6ad399dd86aea084a2

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
98KB

MD5
335fdc9c8e754f118ddc04d7e5f23920

SHA1
97bff2844992908cc80d2a11522531efa586e230

SHA256
e01cbf00f7776344d081fa5e95fdd66a9792fabd64b2a92b673b8fb2118840d4

SHA512
2a6d071d5e3267dba65ec9a7df9138506f7b3fb2e84ef56bd0a42f72dee79edb971cafd21f3688fb30583042c94b44b30256b6029410829e0147d34c1d205c63

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
98KB

MD5
ebfd06fd0ffc72e56b3574263fb1ab59

SHA1
3166cdd78320acc69667aaacea00d62c1cc54f80

SHA256
eef4da989c8b6497a78bfa7e6c403f89837d54b657faf946fce045ab4c78d841

SHA512
6389c543366d29943df6911c1332839760412577ff9d4ee40a4185e223b477a589e88a9f8d1a04fda4c91ccfec26a184c6aa5efe162a41e65c04c52c0197e26c

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
98KB

MD5
feaaefc74f0786b80cb7f8e94a6a4c53

SHA1
25dd68cf2cc9d96cca9923fca28b0df1b728157f

SHA256
aeb318bf03a6f602c68405db0c756e22c6316f551fc1caffd2f2e753664e875a

SHA512
05791fce8f7e4a94c0a387ef1031a7a8ea92235944aaaf76e1a84911f97689dc626af7666da5a5e8770c9eb77ec26d04897688f2ac7e29e6c68686d1e05db453

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
98KB

MD5
4424cbbbb4f8f643b29e47767c621bbd

SHA1
37a083392d1863caa3253302f87df552d3c40ac0

SHA256
e73e2f7d54c4f2cbcdc9b643f5d538573f84bcde5e3c5f0524ac00b28dabe2c0

SHA512
e011dbaffd0fa348c428a70ae094fa7ebda6ff50b6429108173bbb838878472acd67e591331da55e15870921c5f507e0a831924b69bead915d5e6b40c304225c

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
98KB

MD5
4f217dcb00ea12e2883059df271731b9

SHA1
7474c8f7a86b95346339bc52d14d93ee5c925735

SHA256
851b8a1534f44355749e7dda9f7b558b9a1e10062b5fc3d0c4c0152e6165c181

SHA512
8d58050d4bff9438dfb2aab89d464408cfed871ce8563682b4175847ccd61789bc115e3d1787ae8a776a56b4ef58c118b708cd4ccf49a6708d6240e331bb4221

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
98KB

MD5
f81a03ea450502ce50f054bc7fe666ce

SHA1
02fcc79f194935ece1b74384df666dd1de30cff6

SHA256
d6137caa63a559d632ce9378087210c367b27b1575abb7e4cbfa812f7f901ddf

SHA512
f7906aa9de1656a364cb1b4196eb029f8c42695781c1aba661706116050c8108f98a80d6281074db773499fbf73f35c43e8136cad73e61c6ad141f69ef3322ea

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
98KB

MD5
329f73d872f26e758b0df6221c8698ad

SHA1
34aaf590693a4ed043faf4615371f7f9e4383d12

SHA256
86977e5447c7e09fbe5344d7ca0202241f6aa3ff234dd7caecfbc14f81d4f22f

SHA512
6b54ec3d7eeb8bba0e9c8b0ee6a2f1538657e8906f879cc2414dbfa9abe673f1d54d096c152e26132bf69ef93153f8a45da45d82aa8b8d39fa53e0e6294fecfe

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
98KB

MD5
8b11d9aa3bf101079112514ef4eb871f

SHA1
ef11ec756ac49830797fcb1a269d2ab288021a7a

SHA256
54a2a76ce9d9128fe19b2bf037c1a42de90510de27e52b257c26f7685f54ed17

SHA512
f30cd615d89546590925831f142777036767b121f220997b1a31c4e3f086955d461a90cfe1800a0266048a0e8686df4f8c16b902e34f646b7ae34bf66e1ba2bd

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
98KB

MD5
5f83116421fca7b8c4d4ec39a919599c

SHA1
b127f0d7eeb39237820f9d5b541bdf459e40cded

SHA256
d9603ac234a660e65aeca051264138970215e953461ec1a063b605f43490a429

SHA512
3acdd3e57bfe48d66740a163e4a396d96761047e8a6df9b4b83863053e3972e0e3cfb07cc61b36f321dec9d48539e9556cab940873302d0366513629be246b7e

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
98KB

MD5
11464ac4626423ca0974e87f7b04f141

SHA1
eebe7780588959a9298c015a02bc410884a541b7

SHA256
5b44dd3d7b32a005e64a02f3bc157ca354303f08544c0d0c42635e0d5b6dd686

SHA512
178a5a3726e071320f9f5f7867ba955b351884f3a0744b06d7ea5990c3e67b9b1fe493e947df2e484a232b40903aeed1daff14f06649806a5096d3a6177ec9b2

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
98KB

MD5
be864482ed0ab74819ddfae9382936e5

SHA1
d455dde8b72a19f106fcc310717bb4b73f268d6d

SHA256
1ebdc428601f77a9ad93f21d5f1fe678a90b5b69dac38bd25cca71a8f4288540

SHA512
ab276b980d101e6f3252116b48aa18349611d2689ad84ed6c1188800770b12c20a296c7f38ce9a896aae34baca62c701b0b9867af846212e109bcabf36bf5141

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
98KB

MD5
96e3a7039ea8d9d63f20946367c79ec4

SHA1
4cd6b423d87717657a5db255ab5b5afbb8bd4e61

SHA256
c340d0d4c8eb269c59c40ce8ad749b5eae62a76586916c3de6a3125a797413ed

SHA512
9c58dbc84678a305771d04b67dd5fc311bfb2d6fd02a9c54d2207d9ddf8d0c08cec8e10fb3e9f3708ae02eeacb4db39d8d10a4d1a8e6fef406726888b0584320

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
98KB

MD5
b21fe8eab2ef0214973a8161e5ba07c7

SHA1
c8dd29a3697bcfdf53c8db7a913e3a073faedb1f

SHA256
9b2b262f4bc747cc30a7cdef887461356dd6583bda902ee311f238e66349941d

SHA512
68b1f18a329c378f5c2e681d96ceab677bcc94c99ef7484742c1526ca3a0e126fb903bf01d4546bf46db9a9da9dc335048109620c99dabc1afc69bab532c7a13

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
98KB

MD5
4e69b5e45f04e070d608e6b46736a9fc

SHA1
03b2677f5251ebcd048ae7722902b334e395ed14

SHA256
d0d947fafb1979c249040055ebc7d2d1b177fd6d84da6ca86bacba5fc69a3fb4

SHA512
386ce40bb2c6e9ca6211f445a2cc9db5e6090e4183ef5c21800188ce9f55216da34fb8d39bf181a5a05ff909077d541ab29d513af417905b8eec526b4b51adfd

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
98KB

MD5
2426975c2196e8c313418b9bd62d4159

SHA1
7a66f2a522354ab02263606aaa6293a575cbf54c

SHA256
4de75b4d281e5acf8b3e78ab707b9f32831831edfbe74603a30f519f8197131e

SHA512
cc3602072a4e20b5652e9c96bb3f319b8e85e5831dcf50f3ffcdb4b02177145c6a6b6bad112b5306c7fd24181328366297ddd59c4e9c872b7c5789b4203adffa

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
98KB

MD5
1fc736a5609fa8828af67c81efc183db

SHA1
801f7db7f2df5c24b9e9fb6ab741f042e077a6ff

SHA256
17a8a0bc0fb080e1e6f44ef86bb1adafed77cfc589ff962b57503d8158965b33

SHA512
ddd92fcfa3cfa61e0a499694df562e18662a4c94b42e2509be0e0cf730aed4d36cdd5d41acabc457c2b44870faa542ceb36a48ed0e1ab88ba1e871aafbe7d664

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
98KB

MD5
56067ab0376f44ab7f33c9407d2b5049

SHA1
4b04f3e097e65aeb04f6b3831f3723b97ada9ae6

SHA256
bfadf37bcba9f6c2a8a4068f202ace15b91b2917ddbfc1733a73e168dbb72b43

SHA512
26172b65da8976e8b967c2700fc384a40bdd6b65d865eb828036fe89e546fa94f7234f150f31a4f101a399524db638190ef299458d42f278396b5f58453b14bc

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
98KB

MD5
1defff0233dab3721a064add64385eae

SHA1
d59e1d17324ea006d4518b227af3aa14fd3e4bdd

SHA256
af4c619d88d30de5c2ef631f8525e6f07924bb1e92e1d501d4acf9b13c3aca99

SHA512
9b1470b9ee2c72f7144acfe1f860898edeae3c6dce720e0a38151b351f298231619970d4890a395ad5acd3c93f2a271de5e59844f25426eebb9147e8ada9157e

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
98KB

MD5
1777835771c9115aec1498a56d54a523

SHA1
1bf9d198935c5d4f076a4dcde63fc567404ba9dc

SHA256
7bf434eee4f559753eebb9f3e624abc66ac2fe593857af565f777e8d1a1f191c

SHA512
79b3b1370e8ec468d222b8012ae89234ed74c0f6b062cb41a6d85cbe5fe11906da3dfa01975f3441c470938714d46132910f01e6ac3ea4f593d9e05abfae9d24

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
98KB

MD5
72d19a1aa853755af8e30b32580e3539

SHA1
80ec605f24f730ed8715a499dfcec4a25b8b34c6

SHA256
bcf6f8267c9b6f5dadd3f2441081d988f74f4afc59ce497138481556b03276ad

SHA512
b92dd54d79b6279f6043d197f75a1cf02685c44a7dc2c50c12ab1d00473016f011473e9d9b10fa992bbf2a305cc2aa1cbca941c6cf510b9c98b722ef17a538a4

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
98KB

MD5
ddbf02ff4117feca4a63e1600a353568

SHA1
be54ebca8ba510d2838988c6bbde4a3583c787c3

SHA256
eb40c78ef3d3b396e5234625bd59be5e45f33de9df74c1ee3f2cdaddbd21f40a

SHA512
10af2102554979b1e145f5365f0416e563bfeace1232389f1ccc8606904664296018d25be44ea4a913e920c76851c3f42c35a9943fd33d6c354093acc1354482

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
98KB

MD5
b30e0f48d73546eb10165bcd4401bf9e

SHA1
06302890573864a02bceaa595464b900db21e1ed

SHA256
4a52221d2361303b1b8af62887cc6fdebe28b00e49b94f51040b8c7457afc425

SHA512
b4098aae5921ec3d00d07a540c59ef9f3105e2e3e4092b55eb48d19d77c264f22e5eba6565ffb13243c4ad25a939135ce1f3ccc29f29b80b198722a7bbca0272

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
98KB

MD5
c262a1b6fad7dd4806a8ea3ccc2ee0d7

SHA1
b2943d870108836d38ed0a7d7587f475cbc009b3

SHA256
3c77263e7bd7420ea6caa09746acbf70801a311af067dd9c23ba3666fc8b22ce

SHA512
b3426f91b0c8553be31976f113871df1e0ffacc731b1e8fb9aa19193af33245762eaf4a31abb5710d1f7a9be11acbeff86e8a297eb5fe72fba61dde2e1d5b7c8

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
98KB

MD5
977139f54d17458a1d8cff81ca170fff

SHA1
c3d4192fb347eac5597be0ac5d3f5e6134b21913

SHA256
f79cf514f95578378f3910b646f22490a64e4a22d3979530f572e36bd3a6c8cf

SHA512
3dac4dccc75f7ae997afb68812653724008c548547eeda0019984e72e5853dc7ada96ad774325a4e6581c160ca2209291ac665321150d827e65130aec802a229

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
98KB

MD5
ea182cf9fb6946702f3ed3110ec9a900

SHA1
39968123e1e4a818651bb480e00dec8402d3c812

SHA256
80e657a8c24e65eb3b6985b3cfb4f59753111e28c0eccbc93e0ca6454fbed955

SHA512
d84ddcbac1ae43ce167490a771f129c8b0da755e99c8c7e3b386ab826dd5b321e206716b327b50edb5b49b2d5acddb0e2bc5be52836f2b6e788bdce5959c0304

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
98KB

MD5
bd045c728180d1b07e043740faae10d2

SHA1
baafa9eb1ba0b2e6505d456a9ad342cc44c2d2ae

SHA256
44c34feb58086f0874bb6278fea3586ce05c9c6f543f262f3e3785895f1c7dde

SHA512
b25b284af06c0b8ef44b385bb344fc5a96c98f61fdc78c0c237d7c92204641985e86cf3a4588a07d52984a7f17511ef38f9e42542536baf5c3c52e6a1730fb0d

Download Submit
C:\Windows\SysWOW64\Gmggiogn.dll

Filesize
7KB

MD5
9a1de0b5211612fbf83943eac64c2932

SHA1
75a46280156853e447c06304747898dbd3b22097

SHA256
17d4af62bb3f1d36713009bc023a78d90fba3472c2745a4ffe59e3a3d024ab36

SHA512
d39152628d9fd1c212cff83523561e1ffa89978d402e3c8d25a03a4c4c6a7c3e8f84f477fd62bc0db43462966e9802bb1aa5d6c592f0514511f0a9ff53f3c1b6

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
98KB

MD5
d4016d94b9f05e64ea1c822b87d38857

SHA1
fe5950bb2b714fc7d2a59d1de9a57cfd5907671a

SHA256
50308696c19b6d774c11c4bee70d9340b0d91351b4ff885198c418956e33a333

SHA512
490f006059aa3b0853455a8730dbead768576cdb9d64208b00ac18b23393d47367c3a46f5cfcbf1778efaed81a95fb5e0731db30fef2988fee65375dacfa94f4

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
98KB

MD5
f58adee5808d6817fd3d85a7aeddb86a

SHA1
9df2aca3b3fb8ac35654950666d34fafd7c0e043

SHA256
1f955628c09f08c4d70fede8fa0a5d1ea4120b2b517e35c66e1077e4fd5f54f0

SHA512
d748b5c1ce3c8d692a23ff2cbf8b4eb4601eb108624a2f27e55946b1e7cfd5bde0a528d7c0d456c25902ff76a9880bfa39f5ec159606806ed064957ba7785412

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
98KB

MD5
970793a7a01fc56316003efb862be7c1

SHA1
a57d15bafbf48dd510661ae2b299f605aee5b36f

SHA256
d855bceed2cca2fa3adc38d18efae56b2a99079c82c4ccfeae66c94021a8c602

SHA512
675af580c5eb5ae9e99353a02b0032d0622be6327df254ed0933fff4877e0f56ff2f895a3ada178b7f95c5b58202f55e1de2dcb47f1000bb1f895ab6ac6abb90

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
98KB

MD5
5c856086aef0e5805bbc6add45329429

SHA1
4f7d071683553d45058ba62a04c242727239736a

SHA256
4089a69945d83b7ef455ddc8941b07328b7fe42bd896ed80b752bf17106224ed

SHA512
6d0a87dda01d6e4cd4e9161238945820ab8f9f7877a1380e1eec4a73c68f055f222b94d6c53a5bbdc2682e09dbda183c999176844e64a00372c658aae7110c33

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
98KB

MD5
b740a3dbc057be2723e9151adee5ed5a

SHA1
28bd5928dae0dc6492f20e2b82db120372903e2a

SHA256
1fa3bc4d59bf4a908efd5876d116f753c964018d14226a7c72a015706a0430cb

SHA512
757b2255202f8ee5eb805715095a35ff204145305dbfb554ed17e3de6ed36c0da8ab59846f7729b31312a8b80f108833c569a960b934829cb480cce4a6cfcf17

Download Submit
memory/504-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/752-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/792-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/848-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/920-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/940-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-43-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1072-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1332-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1548-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1600-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1664-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1892-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1948-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1960-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-369-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2032-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2140-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2196-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2396-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2508-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2536-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2792-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2800-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2816-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3016-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3440-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3456-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3480-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3496-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3560-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3720-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3772-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4060-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4116-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4232-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4400-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4424-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4668-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4788-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4800-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4872-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5052-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5108-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads