4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a.exe
Size

128KB
MD5

ef4f5f2687e759280b02977587614669
SHA1

922c94dabc1e65e91aeff7680d6ea220f99fe268
SHA256

4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a
SHA512

87e0f0f231075cc5c1a47fbdab1128190b85ae91aeeafa5709e713b69f670aad7e54858bb8306a92f9aab6a870d25cb09696f95e9bd1e9c2c4379186368fd68a
SSDEEP

3072:6HdsC3e+IiQa8nG86qBzo7hNRe1AerDtsr3vhqhEN4MAH+mbp:6HdsLf1G81ufe1AelhEN4Mujp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe

Executes dropped EXE 64 IoCs

pid	Process
1420	Eoifcnid.exe
4512	Ffbnph32.exe
916	Fjnjqfij.exe
3604	Fmmfmbhn.exe
3312	Fokbim32.exe
2600	Ffekegon.exe
4392	Fmocba32.exe
4956	Fomonm32.exe
3060	Fbllkh32.exe
860	Fjcclf32.exe
4764	Fmapha32.exe
4908	Fckhdk32.exe
548	Ffjdqg32.exe
1412	Fihqmb32.exe
2972	Fqohnp32.exe
2296	Fcnejk32.exe
2476	Fflaff32.exe
2064	Fijmbb32.exe
892	Fqaeco32.exe
4316	Gcpapkgp.exe
4784	Gfnnlffc.exe
3244	Gimjhafg.exe
4912	Gqdbiofi.exe
4652	Gcbnejem.exe
3212	Gjlfbd32.exe
2676	Gmkbnp32.exe
4448	Gcekkjcj.exe
2648	Gjocgdkg.exe
2324	Gqikdn32.exe
2180	Gbjhlfhb.exe
3496	Gjapmdid.exe
4132	Gqkhjn32.exe
4992	Gbldaffp.exe
1976	Gfhqbe32.exe
3540	Gmaioo32.exe
388	Gppekj32.exe
2692	Hfjmgdlf.exe
2340	Hjfihc32.exe
2076	Hmdedo32.exe
2444	Hcnnaikp.exe
3548	Hfljmdjc.exe
2628	Hjhfnccl.exe
632	Hmfbjnbp.exe
1008	Hpenfjad.exe
4504	Hcqjfh32.exe
4860	Hjjbcbqj.exe
2540	Hadkpm32.exe
3696	Hccglh32.exe
468	Hfachc32.exe
2124	Hippdo32.exe
2152	Haggelfd.exe
2320	Hbhdmd32.exe
1772	Haidklda.exe
1332	Ipldfi32.exe
2260	Ibjqcd32.exe
3752	Iidipnal.exe
4716	Ipnalhii.exe
2464	Icjmmg32.exe
3040	Ifhiib32.exe
1844	Iannfk32.exe
2364	Ibojncfj.exe
696	Ijfboafl.exe
3760	Iapjlk32.exe
4296	Ibagcc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	Fmmfmbhn.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fflaff32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Ffekegon.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Ifhiib32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6964	6860	WerFault.exe	251

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 1420	2780	4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a.exe	84
PID 2780 wrote to memory of 1420	2780	4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a.exe	84
PID 2780 wrote to memory of 1420	2780	4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a.exe	84
PID 1420 wrote to memory of 4512	1420	Eoifcnid.exe	85
PID 1420 wrote to memory of 4512	1420	Eoifcnid.exe	85
PID 1420 wrote to memory of 4512	1420	Eoifcnid.exe	85
PID 4512 wrote to memory of 916	4512	Ffbnph32.exe	86
PID 4512 wrote to memory of 916	4512	Ffbnph32.exe	86
PID 4512 wrote to memory of 916	4512	Ffbnph32.exe	86
PID 916 wrote to memory of 3604	916	Fjnjqfij.exe	87
PID 916 wrote to memory of 3604	916	Fjnjqfij.exe	87
PID 916 wrote to memory of 3604	916	Fjnjqfij.exe	87
PID 3604 wrote to memory of 3312	3604	Fmmfmbhn.exe	88
PID 3604 wrote to memory of 3312	3604	Fmmfmbhn.exe	88
PID 3604 wrote to memory of 3312	3604	Fmmfmbhn.exe	88
PID 3312 wrote to memory of 2600	3312	Fokbim32.exe	89
PID 3312 wrote to memory of 2600	3312	Fokbim32.exe	89
PID 3312 wrote to memory of 2600	3312	Fokbim32.exe	89
PID 2600 wrote to memory of 4392	2600	Ffekegon.exe	90
PID 2600 wrote to memory of 4392	2600	Ffekegon.exe	90
PID 2600 wrote to memory of 4392	2600	Ffekegon.exe	90
PID 4392 wrote to memory of 4956	4392	Fmocba32.exe	91
PID 4392 wrote to memory of 4956	4392	Fmocba32.exe	91
PID 4392 wrote to memory of 4956	4392	Fmocba32.exe	91
PID 4956 wrote to memory of 3060	4956	Fomonm32.exe	92
PID 4956 wrote to memory of 3060	4956	Fomonm32.exe	92
PID 4956 wrote to memory of 3060	4956	Fomonm32.exe	92
PID 3060 wrote to memory of 860	3060	Fbllkh32.exe	93
PID 3060 wrote to memory of 860	3060	Fbllkh32.exe	93
PID 3060 wrote to memory of 860	3060	Fbllkh32.exe	93
PID 860 wrote to memory of 4764	860	Fjcclf32.exe	94
PID 860 wrote to memory of 4764	860	Fjcclf32.exe	94
PID 860 wrote to memory of 4764	860	Fjcclf32.exe	94
PID 4764 wrote to memory of 4908	4764	Fmapha32.exe	95
PID 4764 wrote to memory of 4908	4764	Fmapha32.exe	95
PID 4764 wrote to memory of 4908	4764	Fmapha32.exe	95
PID 4908 wrote to memory of 548	4908	Fckhdk32.exe	96
PID 4908 wrote to memory of 548	4908	Fckhdk32.exe	96
PID 4908 wrote to memory of 548	4908	Fckhdk32.exe	96
PID 548 wrote to memory of 1412	548	Ffjdqg32.exe	97
PID 548 wrote to memory of 1412	548	Ffjdqg32.exe	97
PID 548 wrote to memory of 1412	548	Ffjdqg32.exe	97
PID 1412 wrote to memory of 2972	1412	Fihqmb32.exe	98
PID 1412 wrote to memory of 2972	1412	Fihqmb32.exe	98
PID 1412 wrote to memory of 2972	1412	Fihqmb32.exe	98
PID 2972 wrote to memory of 2296	2972	Fqohnp32.exe	99
PID 2972 wrote to memory of 2296	2972	Fqohnp32.exe	99
PID 2972 wrote to memory of 2296	2972	Fqohnp32.exe	99
PID 2296 wrote to memory of 2476	2296	Fcnejk32.exe	100
PID 2296 wrote to memory of 2476	2296	Fcnejk32.exe	100
PID 2296 wrote to memory of 2476	2296	Fcnejk32.exe	100
PID 2476 wrote to memory of 2064	2476	Fflaff32.exe	101
PID 2476 wrote to memory of 2064	2476	Fflaff32.exe	101
PID 2476 wrote to memory of 2064	2476	Fflaff32.exe	101
PID 2064 wrote to memory of 892	2064	Fijmbb32.exe	102
PID 2064 wrote to memory of 892	2064	Fijmbb32.exe	102
PID 2064 wrote to memory of 892	2064	Fijmbb32.exe	102
PID 892 wrote to memory of 4316	892	Fqaeco32.exe	103
PID 892 wrote to memory of 4316	892	Fqaeco32.exe	103
PID 892 wrote to memory of 4316	892	Fqaeco32.exe	103
PID 4316 wrote to memory of 4784	4316	Gcpapkgp.exe	104
PID 4316 wrote to memory of 4784	4316	Gcpapkgp.exe	104
PID 4316 wrote to memory of 4784	4316	Gcpapkgp.exe	104
PID 4784 wrote to memory of 3244	4784	Gfnnlffc.exe	105

C:\Users\Admin\AppData\Local\Temp\4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a.exe
"C:\Users\Admin\AppData\Local\Temp\4487eaf39713672c4fd75ef0a8628e8cd6eae821ad3848106c0b274d7304208a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\Eoifcnid.exe
  C:\Windows\system32\Eoifcnid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\SysWOW64\Ffbnph32.exe
    C:\Windows\system32\Ffbnph32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\SysWOW64\Fjnjqfij.exe
      C:\Windows\system32\Fjnjqfij.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        31⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        36⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        40⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        43⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        49⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        50⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        52⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        53⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        57⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        58⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        59⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        61⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        62⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        65⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        66⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        67⤵
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4616
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2700
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        73⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        74⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        75⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        76⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        77⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1156
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        80⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        83⤵
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        85⤵
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        86⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        87⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        88⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        91⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        93⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        94⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        97⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        98⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        103⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        104⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        107⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        108⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        109⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        111⤵
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        112⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        113⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        114⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        115⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        121⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        122⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        123⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        125⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        126⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        128⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        130⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        132⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        136⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        139⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        140⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        143⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        145⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        149⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        150⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        151⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        153⤵
        Drops file in System32 directory
        
        PID:6356
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        154⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        155⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        159⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        160⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6816
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        164⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 420
        165⤵
        Program crash
        
        PID:6964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6860 -ip 6860
1⤵
PID:6932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
128KB

MD5
b01313cd02b408e260a16e7231e68aac

SHA1
6312b2473ed1052cc85f9ce4addcc97a84b1603f

SHA256
aec42ae2a95b36cfde4d71f2e81d9005105ba89856561e01173ee630ef075e46

SHA512
d5e39b6c314efa004540e514a407d8df2c47158aac4bcdc70283ccf377f9bce26d49c3163cfc775d86425b35a94a0ebe6b73bdcb7146de8fd98ede3d8d82f23c

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
128KB

MD5
5cd91639e46d254f64c43ed476a1e08b

SHA1
02f24f270c5ca3dab9d64a905c912ce1d6b2ff20

SHA256
6134b95352f58273a6ee88d2926f3ce67bbf824ec71bbaa494bed18be26fea31

SHA512
9c9ce7232e0ac7461c8538bc9b50f9be79d782ee1012d8b09df2eab16fb33a8c8542b8b774fbe473293190670ffc60e6370c94fdc63706c19e82130105f3f783

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
128KB

MD5
adcbdd548397248a1061296fd7b69b05

SHA1
99a01043cdfeddeb04bcbb0509f9e73d8981585d

SHA256
3204a1edb89cc07d9ac7f70398d5796cf8d9a4407999d3ba4422211dce2c9beb

SHA512
e286de50d91838ce1b49d408264a1f380300c0f4da76a382d645cb4d36f8929d394fa2b22587a8df913a9e8ce8a4ec4dbab216dfdf25204c4dbc71ef5f4623c6

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
128KB

MD5
2d5368f025dffd132d725713acf76425

SHA1
16e7c2a1135c3f4aed91ad557c9aa9130e7d605f

SHA256
133439ba0b18b5677c002ad72f91e6c6238152bcb922acb96f4c63d6b9945ed5

SHA512
2ef8c451cad4221823ec105c5da87047785995708641f23409b96c87781106fefd1547021ba11d9a8d36b802a4bc7295f6ca5bf9343a1468dc6a15cab6ab1037

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
128KB

MD5
e497eff36e6aac02f1864743f55a7391

SHA1
09a7fe178ad5ef5909828fd713a4f56987209ac8

SHA256
4daa72272bf0d6edee6b1ead92dac7829050bebbc0eac91d82771beeb3f0f7c0

SHA512
99ff47597bda18e42b57bd7a879d1c1b6b4b099a1138499ad4033348e242c237e83ccdb9562eeece809f73e5fb0c9bed114ac4afa580c97698ea0c11d7d80ab6

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
128KB

MD5
5a68e178ac79d0d9f5748903ea44fd65

SHA1
bcc6c1b223d01e26496484430f8393c96dadb165

SHA256
71404c2e3d765580e244057a6d2182ee11f31d58977f36af887f691806dc0e8e

SHA512
a05ddd9171ce2fb399a0004affc635540d3494005060052c7a04b9b703b00bed0c769f12829793e42caa395547d4097b128edb3e95344404f50c8b5f987c7853

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
128KB

MD5
3c9a37b317c8f2f5b37704de4492f430

SHA1
0cee9c705a23b5219f709b82d60682b1d364fadb

SHA256
940159a97bff99f8eff14f711b2178c9910e251b67df82d171e875b53e6a10e1

SHA512
2503dccb8ea821b26b0344ae3d93e315ebefe9fdf2ccfbbe6ecfed7b0d13f3541b77a3cedf158d6caadc02f0afb130efc6f0fb62b691521ac1dda6e202ab7762

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
128KB

MD5
f4f5fb009c3be83b2f85942556a0770b

SHA1
3cd0096f89789c85a399ec8044d00533f7ca50c5

SHA256
c7b9689191d0fae774987e56e8c9c8176ac7e97dff332f231ae2d9d5112067d5

SHA512
00626e4ac6cc6b8aee6afac219d5f7d2bba8bff80bfdcf132505464fa9372d24b4f6b40a1e53b71cf000a5672c726f81711d9ea4df4281523dda4ab16a9c1f1d

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
128KB

MD5
05011c785668442b7a6ea6570dc481c0

SHA1
86006af5c78ac4bdb696bb40e494851e821ca522

SHA256
437c0cbf0c0a2dac9020bcfb8be4d1e6a7021d2d80dcaa8c1497fcc79c2a2377

SHA512
2da5494f030a3449750a1d99761132b2e6e88d2ca68658ae5f46111f72de487567a8a2cfb561402620915ed198352d7ee08c2d75e5de351b362911f2a612806c

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
128KB

MD5
560ef445558dbdf1217399571c76f3a4

SHA1
62c34f351106f954ac7b01bd3ff62978d4de1381

SHA256
15dc537126d8b0626f698e3823a815f468bea15b68e9f98b5685cb8da9441b71

SHA512
9cc00040a36971658a0e82872e6699353b8dfac810275cbd622278ab89b7a5edbe645bce46e120e053090b153577f45db9b6b1d55a1f8ff31f0e2c337d0208ff

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
128KB

MD5
5c45023071ea489b36ca124708875bf1

SHA1
8ec543341a09867e37fc0bb464bb531d5f24859a

SHA256
d2f4e9821ac31bd35056c8f25840480781550e38a32e4f9a5de5402e50ef4ebb

SHA512
c0c5df285b7a7fce0864421284f611d80278e79f46d59082a996d1be9885716fed8ddfc96f96d0a70459c73177ce05878dcb0299a4bf714c38ac1ebb378b25d6

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
128KB

MD5
952b90550c333e593c2692e96a6921d6

SHA1
51db362d367c158e0d6d519a28b6b296c8b36e00

SHA256
b29b751303bd67b97fcb7d5bd4e73ec429bdfe42ce5d6e09709a662f565ba953

SHA512
d155317e19b6f92af9c2fc68e5c534e4c322e86c10aa3b1d9de575a7df5c5ae922ea9401e1e2329ac98691feaa989dbe316906ed87d6cd259740b6dd4189d3b6

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
128KB

MD5
b6264fc2bfb441f7ff018e1eb65fe93a

SHA1
e62204e26e6c1c72210c4423c42b13a43aea5156

SHA256
13914a944f65618ec28de837bcada57052fb4e3905836ac8f2b4ff7fac284475

SHA512
d5a24d63d2c84c97829e52b76de9e01ce1992379a0a2f2fbe98a454ff99ef2aa37c599d46e0bfbc18f30102150334c9ada99d84a4eb4b214709d301e06f24c9e

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
128KB

MD5
684fd832d751a3d3a78d17dd321f6ebc

SHA1
b7fbf5252fd62b041cd29d155647d2e81154dc08

SHA256
090a47e3505c57efda3afbacaceab979d73b8c95de74d00e98315dbc211821b2

SHA512
f0af44ced92f361a232e9fc4e2b60c6580fa8ec18c972536c80c21af1d0fd9dafcb7b9ff9aab170d431c5de1ea21494dda652af86ebc923a3a2475f2912a2408

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
128KB

MD5
8eb8cc0931af0d6710ddf63a81facd8c

SHA1
7021f33124d9a6912c274f0e17461947448419f7

SHA256
7a282a420e97a9a54d7636515d3f286ac80a508e569e9c2d5dcf9e9705357eb4

SHA512
a1d18f07ca4c36490819dfe057288f0e6093254daaf22bb005f90df404d95e3687a5b4257393128a6a9a9fd774b974baf3ce1029727ca0fe8ee9b9a1129bf5aa

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
128KB

MD5
dc4d31fd48c394f80abee2f4e2a765cd

SHA1
8eb387cc2dd726bce217bf0a1573ba309022b50d

SHA256
d86b2d9fb67080673efbf822b6653ebf079dad03caadf8c6b4f65fc8424360b1

SHA512
0d03a00c4c40da8f3977a0a4faeeca8f0ad054dc88484a56abdc4da72ddee0a219efde59a54f3e0fd004a8ec0996c0d11e7d625fb8edaf5d50f68a5a44984c01

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
128KB

MD5
c872fa8b7ed0b2e6cb52e74e7cb6dfd4

SHA1
e885ffa9edbf8a60f2a89434eb63082eec96278c

SHA256
fc3964c9a21b3aa91cb51f441edb5bc01cb721afd48b2aaf47e6949f71cec9de

SHA512
e6f6732586b87d3c35a2b47690ed39a278f834b32db52bbff14e4e882d3ec488818cff8fa496c2d3a2f1e1a59055d40a484775ea5208e520e8f23822bbc0c2e6

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
128KB

MD5
2e12d51b05742b98f21835b5554dbcec

SHA1
e8d8df749d20a016ec15cb976d08c2d7ab0a4174

SHA256
a6c55ff0d670e27705fbd7d59bde1d39b049c78e2348ff468816021c67904db4

SHA512
ba237b465f53f958ac2431945ba4e36c8cc8bde660728f2f6f969e7be0d37b26953b47d8282e065940a8e4f2a9a781112d802cc8ad35c4e81f898fa3062debeb

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
128KB

MD5
c506985552cc80fbb89210829de8e9d7

SHA1
fa410d6015ab2e1821feafda681221b15182c5c3

SHA256
f6b1422c0e996afe00bb1ddefa6eb7998591f0e50c7088ecb9f027d93eb4a081

SHA512
cfe5b06de2ebc3527617ddeedfe0a3516b2c599157a4af4e0845665efb2fb5b4fe41d06174e5d1a2803e5d164b9e2a68801aa0400d6f2ee52828ceb61560707a

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
128KB

MD5
78f791079114ff536c5d7547337d8541

SHA1
d6ce56112778cf0abb3b04a684634176b1f6aac6

SHA256
c0d58727be1fbe85df3f6a6fb2d31c56f85fa8358df316668a2f5c790c87ec72

SHA512
ef93f1f4dfdf0627929f7cabd1893b245e01c699c1343a22cc4df2ca152b30d253596dcc56e1303b4ce26be8981c13ba5ca651308fbb9c49bfaaf422e1cebf8d

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
128KB

MD5
60055986e8283c2dd06e8d8181044cb6

SHA1
9b055163673da09df5266bbaafd7e5acb892968b

SHA256
958904ec94b1d19b45b1b5f2a91eacfa2aaf53fc4cd5ec3d1a1709de839c013c

SHA512
50d9447d18794974133127cd6584bd906b4fb94a6daa5bbefd1b1488bac3cb22b3947c95d1a7f33298df7a227853af603b0d6b77d955e075603022b481a731f8

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
128KB

MD5
115d34ec6bbac2c23e90b02e94fbb3d1

SHA1
0327e5f891a295dd71ae7ff5aaf3caa5b3559ef8

SHA256
734ac235d6e8676b527ada9dc1f7f2ab68fc2f7bde6ade0736784cfc7aa86fab

SHA512
38c45a8c7164a153ec0306fb38f83cd174f174e19d7c36f062bc907e7924d39d34b2dde3ba622133017280ff5bdc53e5fdb44a219693ca476d213d4f97dcc73b

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
128KB

MD5
80dd01c1f2892f4457d73c3c2e0a3df1

SHA1
17d2fb16474b8f2ba95c4da0151f4796b20795d9

SHA256
17021cb9cd4af963242a7c50d3898c3c8c661c9802fcfc14d6a3da24fc067b72

SHA512
3c8283c80734c0d4eb7ac68aba5cf621d7e87a3b172c797c6cb206acad943858f423655e0f4bc16db9d8174f13c13028412f70fd0e0e744ce1cc6e6f11e05a1d

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
128KB

MD5
ed0cf0b55c5eaa6b56cc49875dc51e58

SHA1
476ee4fa11fc6486bbd126072209870b27f5786c

SHA256
79fd02d6c3a62d95a0ebbf30c5258cbdfa8efa36fd27f40fc024c6b350cc431c

SHA512
51f7c5adcceb3477172bbfffbb024f395c00aafd6a27509a2a352210878d1fe6107778f78935201118bf3f3c0d3327edaa6c0036c7f25a181b93df2f88e5e129

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
128KB

MD5
8e1c6f931f555f026fc381886ca9d9fe

SHA1
87a6f02dcd6419606a141e3c975333a28c8ccce3

SHA256
d19276435b34b7f156b4ddb658f7c75bb07a882816556685125d29af83b713e5

SHA512
0188944d6cd5ed39ea4033103528c0d5a70e551ea1bd838284f3365f8585341dff61240f55754f56cfb9ab3e0d2d61fb809e63814672218d046b4b19649d8152

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
128KB

MD5
e3bb50aeed4ded1186fb8cb5acb7fc51

SHA1
128ce9fec8afa6957988ed638d0c68b7d6378625

SHA256
3c4e59697bfc5fce177364090cccc1c41b20c4f7cb1a3d0a1763778d7bb8bf5e

SHA512
dd46f2be225d8cf34babbe912d3f95bbc0e58d1e8660e92645762ad837f52fc796147d85fc1b2d83f1eb58834ace87319bde8afb7f25316446d51815056cfda6

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
128KB

MD5
65c8727d6246b1efcf50e072d63e6b7b

SHA1
83da53db4369d332cd44cbd9033ffba7a7faf251

SHA256
8d49566ea7038cb8d3e82fde9b79915a113cfb164b0c72f59ea97d9d713cdd0a

SHA512
f07b0d051165330b5966efb22f9a6575b4e63d181082b7035d10a9c09849019d23325ec7c7241c9b68bf7f0eafef0656a2b5bd3f6b868ad5d1231deb57f8a80f

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
128KB

MD5
a93659c2f8d5ff8131baf2f15002e2ba

SHA1
b5e98831cb1208170ec55ed81a5708e740df8ba7

SHA256
b0a7e55cf468bf045e93188787b3b08efaddde4b3c4f95a067b842c5b32bf175

SHA512
5aa9549896130ecb8812410ddc2d54bb64a3b83a5ea0bd1633f928bb262217177aef272a89501af902923fe297769ac5d8610bc4919b4563c1e7d950e598f1aa

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
128KB

MD5
a6ff2b855c1c46dc0c2ea0dfa1d3b931

SHA1
d4096258124bdd0a130f7d2471fae116e1a58ee9

SHA256
85a722ecce2654b3bb8f9a924369f7463acb36587f882c3ccb4a2ce47a44b928

SHA512
1ab9e51a53814dc24a73ce4108d476c48fcaa3baf3d21e3413b84c6ac416413e459c65a65d7fea70838955bf8618267b4afe2681026b22f6314368616d943a55

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
128KB

MD5
98ccd5665928653ea989103e5a8503cc

SHA1
35526e3e572b0cfbca76244834c70954195bd706

SHA256
0d903ce8285c8afedf1a5bb5ace920b2b24a62d7e2a8d5ea9c75e24da9cdfd2c

SHA512
0a3a758c6237b68b31644b854b44e82ba78f92f71a11ba304d48cc2eb8971587c246339f1a17ac0a45c521a0a86cb8fbd12631caba6465be7724458797023a84

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
128KB

MD5
800bd25d24627ee3ed748bb7f0dad021

SHA1
c3db99fbe4700154de905e3086ffbc95ae3306ef

SHA256
f18054877550156b59634116037eaa454d7252e8812fd6ee29299b81f95ebeac

SHA512
40b18afe2e851aa0980987b38935b40a2631eb70fcc9542f147600c25f587a36a5063947bdedd8cb5320e3eb9c11a7272aa8452b708ed85eb571c7631798b5f4

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
128KB

MD5
a5c162fc10f98e8df09214d7771e571c

SHA1
a6fae115b029526d8b132ec2032c9b0b143f79ea

SHA256
c3199ee8048480dda841e324ae4109f9268465a351c58ec420139fd2376fbe6a

SHA512
dcf8b09b6e06995f058cc459c82e4e02d97a690e4a116730903ee9e82aa64202bf96819bcfd28c824636a2a780652c36a5ce9c546bb14cb5bfa63942e967909b

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
128KB

MD5
d283019c1d5a4afa249e976e18e31d28

SHA1
e924485939bcbd2d5d87a33914f6f779651d1439

SHA256
9d2cc5d198341f1378f901e6ac12ee38b6312ae55d841f8a1b4b1c342be1e7ef

SHA512
a6c43fa2c4c3880c6a3bba36b06c23e7c85784f1e466ccdb0bc63d2e73e61bc1dfcf55e0e953f8a066bad5ab1009f5c6ccd6e358028d27d24a7bcc9f2f1d9c5a

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
128KB

MD5
78cd66f436a390a9ec0fa42768d91097

SHA1
70351aac4486d0dbde412a2642a5c528f410f063

SHA256
cd1883c92e0264d2d048590656798fd48017130713b7b150a7c7e12c498b62fc

SHA512
1240d7dd1e498c6d21e1ca3eba08674aad1a593acdddf657d8c730b69be2aa1234877802025b972c52117d54de3861f27dc8db596912323b20099d7f78ee64ae

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
128KB

MD5
37189fe4d4ac10640c1db44111b6131d

SHA1
d6e8a01b73ad7d0ab4f295daecbc986f932de803

SHA256
b12d1c70b1b4bf52d26ff7d3056c177f5f54b762249d67038f375ad085a8c69f

SHA512
caa5dda7db85306d9fa18e1702e4d7ccf1a9f75027b8ddd59bff261908c8880ad84d959792b9ccd82d6980278a2828955deab0f7dfb92874e46945e37dd7b589

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
128KB

MD5
82bb4efebe145ba4ca50c5a8ec4fb4db

SHA1
954cfb1a35ed6296a98349578837ac277a4805a0

SHA256
2f52a5c147e4d046fb347e3b1d8c0572803e5f18c91649af150994bc6b0bb8b1

SHA512
bd16eea6ea4c891adcd56ad2f30f432ce7caf4ce8387e330d866afe0192a36f43818e6a1138973ae08871f056ef4d8156bc6eeb1dbf9c73ea2429de5631db46b

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
128KB

MD5
41156dbd287de6ed012dee7648c53d78

SHA1
eb93673df979a89b0abe1658fea8bdf6cc50a97f

SHA256
f8d620a76e7ba6ebc265a8dc21e22b39f47f7e38c961b31d06bb0fe4f6049791

SHA512
e746fcbf472c369d06bdf5c5c4fe897840dc8bfc46308efd079d16497f49d9001ebdfed9ceb813b56408153163acf508b44d3d1985dfd1385f999adb0d15a346

Download Submit
C:\Windows\SysWOW64\Neahbi32.dll

Filesize
7KB

MD5
6ff9f77a61d8ea958dbbaefeb54513fe

SHA1
9738a6882de8fc37fa34570cad34379e264120e5

SHA256
5ccb44fc2c41bd217753e02461e08fa3c4f53ba15484aa41b9c582ea8442de9c

SHA512
3a5657bbfff76426df667fe5b268ba1beae562d0f9b8d7c4cb6a33b434d63e04c5417c1710a1fdce47910971afbdbb7d461b199e8d749350314d0ac4d07903f5

Download Submit
memory/388-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/548-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/632-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1420-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2076-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2324-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2340-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3212-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3540-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4652-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5284-1137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5368-1149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5448-1123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5460-1148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5616-1146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5640-1134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5716-1145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5772-1122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5836-1160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5848-1143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5880-1159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5996-1125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6012-1156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6044-1121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6048-1140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6092-1154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6404-1114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads