8ffefacc3a9d9a396a321c4070ab4860a656521e02eeea5a3c7b9b23349af595

Analysis

max time kernel
138s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ffefacc3a9d9a396a321c4070ab4860a656521e02eeea5a3c7b9b23349af595.exe
Size

55KB
MD5

c74f5475944b9fab9ae97c65a67330f8
SHA1

601a40f2c5396e1c1f6d4a76f1fddc42de7b4b00
SHA256

8ffefacc3a9d9a396a321c4070ab4860a656521e02eeea5a3c7b9b23349af595
SHA512

40c8c606c648b914072cfddf4d2e3f035eb689dc234f72f938a38d36fe91c142c15f2fa374f7a9aac0e5450b0d7bfa1d2892873ef59e3370295f5a294116c045
SSDEEP

768:kJWRchgjrBCFQPSErNI3x6AOCXKGzMyuoFTbm2gH8bPtXpZBtSSM7PM+NAyRlWP0:IWd8EKB6uYeoSM7PMwAglx2LK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe

Executes dropped EXE 64 IoCs

pid	Process
2952	Fqhbmqqg.exe
1152	Fcgoilpj.exe
776	Fjqgff32.exe
4724	Ficgacna.exe
4212	Fomonm32.exe
3000	Ffggkgmk.exe
4912	Fifdgblo.exe
3856	Fqmlhpla.exe
4820	Fbnhphbp.exe
944	Fjepaecb.exe
4840	Fmclmabe.exe
1160	Fobiilai.exe
2052	Fbqefhpm.exe
4404	Fijmbb32.exe
3688	Fodeolof.exe
868	Gfnnlffc.exe
4056	Gmhfhp32.exe
3116	Gqdbiofi.exe
1760	Gcbnejem.exe
4768	Gfqjafdq.exe
3124	Gmkbnp32.exe
884	Goiojk32.exe
1432	Gjocgdkg.exe
1584	Gqikdn32.exe
3896	Gcggpj32.exe
4828	Gpnhekgl.exe
804	Gcidfi32.exe
3588	Gifmnpnl.exe
928	Gmaioo32.exe
1164	Gppekj32.exe
4208	Hboagf32.exe
4892	Hmdedo32.exe
2780	Hpbaqj32.exe
1412	Hbanme32.exe
4200	Hjhfnccl.exe
1588	Hmfbjnbp.exe
3100	Hpenfjad.exe
1512	Himcoo32.exe
1516	Hadkpm32.exe
3800	Hccglh32.exe
380	Hfachc32.exe
4364	Hippdo32.exe
4264	Hmklen32.exe
2928	Hcedaheh.exe
2800	Hbhdmd32.exe
3644	Hjolnb32.exe
3056	Hmmhjm32.exe
4228	Ipldfi32.exe
3492	Ibjqcd32.exe
3872	Iidipnal.exe
4352	Iakaql32.exe
4356	Icjmmg32.exe
1660	Ifhiib32.exe
960	Iiffen32.exe
4196	Ijfboafl.exe
1648	Ipckgh32.exe
2028	Ibagcc32.exe
2136	Ijhodq32.exe
4284	Iabgaklg.exe
1220	Ifopiajn.exe
4888	Iinlemia.exe
1000	Jdcpcf32.exe
2596	Jfaloa32.exe
1276	Jagqlj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fobiilai.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Goiojk32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7016	6904	WerFault.exe	239

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	8ffefacc3a9d9a396a321c4070ab4860a656521e02eeea5a3c7b9b23349af595.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 2952	4692	8ffefacc3a9d9a396a321c4070ab4860a656521e02eeea5a3c7b9b23349af595.exe	84
PID 4692 wrote to memory of 2952	4692	8ffefacc3a9d9a396a321c4070ab4860a656521e02eeea5a3c7b9b23349af595.exe	84
PID 4692 wrote to memory of 2952	4692	8ffefacc3a9d9a396a321c4070ab4860a656521e02eeea5a3c7b9b23349af595.exe	84
PID 2952 wrote to memory of 1152	2952	Fqhbmqqg.exe	85
PID 2952 wrote to memory of 1152	2952	Fqhbmqqg.exe	85
PID 2952 wrote to memory of 1152	2952	Fqhbmqqg.exe	85
PID 1152 wrote to memory of 776	1152	Fcgoilpj.exe	86
PID 1152 wrote to memory of 776	1152	Fcgoilpj.exe	86
PID 1152 wrote to memory of 776	1152	Fcgoilpj.exe	86
PID 776 wrote to memory of 4724	776	Fjqgff32.exe	87
PID 776 wrote to memory of 4724	776	Fjqgff32.exe	87
PID 776 wrote to memory of 4724	776	Fjqgff32.exe	87
PID 4724 wrote to memory of 4212	4724	Ficgacna.exe	88
PID 4724 wrote to memory of 4212	4724	Ficgacna.exe	88
PID 4724 wrote to memory of 4212	4724	Ficgacna.exe	88
PID 4212 wrote to memory of 3000	4212	Fomonm32.exe	89
PID 4212 wrote to memory of 3000	4212	Fomonm32.exe	89
PID 4212 wrote to memory of 3000	4212	Fomonm32.exe	89
PID 3000 wrote to memory of 4912	3000	Ffggkgmk.exe	90
PID 3000 wrote to memory of 4912	3000	Ffggkgmk.exe	90
PID 3000 wrote to memory of 4912	3000	Ffggkgmk.exe	90
PID 4912 wrote to memory of 3856	4912	Fifdgblo.exe	91
PID 4912 wrote to memory of 3856	4912	Fifdgblo.exe	91
PID 4912 wrote to memory of 3856	4912	Fifdgblo.exe	91
PID 3856 wrote to memory of 4820	3856	Fqmlhpla.exe	92
PID 3856 wrote to memory of 4820	3856	Fqmlhpla.exe	92
PID 3856 wrote to memory of 4820	3856	Fqmlhpla.exe	92
PID 4820 wrote to memory of 944	4820	Fbnhphbp.exe	93
PID 4820 wrote to memory of 944	4820	Fbnhphbp.exe	93
PID 4820 wrote to memory of 944	4820	Fbnhphbp.exe	93
PID 944 wrote to memory of 4840	944	Fjepaecb.exe	94
PID 944 wrote to memory of 4840	944	Fjepaecb.exe	94
PID 944 wrote to memory of 4840	944	Fjepaecb.exe	94
PID 4840 wrote to memory of 1160	4840	Fmclmabe.exe	95
PID 4840 wrote to memory of 1160	4840	Fmclmabe.exe	95
PID 4840 wrote to memory of 1160	4840	Fmclmabe.exe	95
PID 1160 wrote to memory of 2052	1160	Fobiilai.exe	96
PID 1160 wrote to memory of 2052	1160	Fobiilai.exe	96
PID 1160 wrote to memory of 2052	1160	Fobiilai.exe	96
PID 2052 wrote to memory of 4404	2052	Fbqefhpm.exe	97
PID 2052 wrote to memory of 4404	2052	Fbqefhpm.exe	97
PID 2052 wrote to memory of 4404	2052	Fbqefhpm.exe	97
PID 4404 wrote to memory of 3688	4404	Fijmbb32.exe	98
PID 4404 wrote to memory of 3688	4404	Fijmbb32.exe	98
PID 4404 wrote to memory of 3688	4404	Fijmbb32.exe	98
PID 3688 wrote to memory of 868	3688	Fodeolof.exe	99
PID 3688 wrote to memory of 868	3688	Fodeolof.exe	99
PID 3688 wrote to memory of 868	3688	Fodeolof.exe	99
PID 868 wrote to memory of 4056	868	Gfnnlffc.exe	100
PID 868 wrote to memory of 4056	868	Gfnnlffc.exe	100
PID 868 wrote to memory of 4056	868	Gfnnlffc.exe	100
PID 4056 wrote to memory of 3116	4056	Gmhfhp32.exe	101
PID 4056 wrote to memory of 3116	4056	Gmhfhp32.exe	101
PID 4056 wrote to memory of 3116	4056	Gmhfhp32.exe	101
PID 3116 wrote to memory of 1760	3116	Gqdbiofi.exe	102
PID 3116 wrote to memory of 1760	3116	Gqdbiofi.exe	102
PID 3116 wrote to memory of 1760	3116	Gqdbiofi.exe	102
PID 1760 wrote to memory of 4768	1760	Gcbnejem.exe	103
PID 1760 wrote to memory of 4768	1760	Gcbnejem.exe	103
PID 1760 wrote to memory of 4768	1760	Gcbnejem.exe	103
PID 4768 wrote to memory of 3124	4768	Gfqjafdq.exe	104
PID 4768 wrote to memory of 3124	4768	Gfqjafdq.exe	104
PID 4768 wrote to memory of 3124	4768	Gfqjafdq.exe	104
PID 3124 wrote to memory of 884	3124	Gmkbnp32.exe	105

C:\Users\Admin\AppData\Local\Temp\8ffefacc3a9d9a396a321c4070ab4860a656521e02eeea5a3c7b9b23349af595.exe
"C:\Users\Admin\AppData\Local\Temp\8ffefacc3a9d9a396a321c4070ab4860a656521e02eeea5a3c7b9b23349af595.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\SysWOW64\Fqhbmqqg.exe
  C:\Windows\system32\Fqhbmqqg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\Fcgoilpj.exe
    C:\Windows\system32\Fcgoilpj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\Fjqgff32.exe
      C:\Windows\system32\Fjqgff32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        29⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        30⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        35⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        36⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        43⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        45⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        48⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        52⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        54⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        55⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        59⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        66⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        67⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3920
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        69⤵
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        72⤵
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        73⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        74⤵
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4784
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        77⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3844
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        84⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        85⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        87⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        90⤵
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        93⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        96⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        101⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        102⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        103⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        106⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        108⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        115⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        116⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        117⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        118⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        119⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        120⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        122⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        124⤵
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        125⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        127⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        128⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        130⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        136⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        139⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        140⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        141⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        144⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        146⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        147⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6868
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6904 -s 408
        150⤵
        Program crash
        
        PID:7016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6904 -ip 6904
1⤵
PID:6980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
55KB

MD5
9ed2ba85c27c1161ec2f2150278daf25

SHA1
e9813d4ec3b418f32dcc2ecb5690bd13263597ba

SHA256
be7aad98177850e012a091101d9e1fece47865bc8625893203f3edaa5752c096

SHA512
7680bb3babd68e31e87bd9e45b633971acbe4676835486ece91ca8e4d453461ce66a044545753cc2fc416afb116a4e53c26644fa9c56ffff0ce14d5e89225639

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
55KB

MD5
eb959a28dced893eecbde86642f5f09d

SHA1
17519c15194a76f61a0df43c972b609637564fcf

SHA256
b3603f1efe29f5e160c65b0b099137f9f7498c8ef55b9aa9321be63a5e4584c5

SHA512
39d0520797eb327e3db8be6b7e9ac069ad15c26af7b155befa89b1adb0c407697585a1f21418b9381d37f342384c7e05d3e849d93b220c73a3d9574eecc581af

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
55KB

MD5
16094e1d48b64f8cc7fef366a78e8958

SHA1
d54c99d4913a19c97f865853a104a2dc2c9034c5

SHA256
46847a0ff4b7447eb500c0abb6f9fd1619dd9e227e4fa631bb71821d600fb368

SHA512
2b13d7b3060c88afff42e8e2d0cb5407615d7717eb4548171ef761419506755fb3fff7e9d88495d5b2020f8357033daa5d3f3647f4cd43c43c115249ababcfbb

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
55KB

MD5
999de8d954ea1814d5cb4c8ab28d7acf

SHA1
2be5a425847f116d36de709c1d835398ad8b0a79

SHA256
da278502027dea4b05db3e72d11f8bd3bd9076575cb67dea02ae1f627c6ae4d0

SHA512
570177b99b9c222b939b5ac215851e4951984de26b5807d8fe94ba35436b6332167c1e64f61a828dfa57846967275d90267144147cb6da467a5d2351cf37f3a5

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
55KB

MD5
d6c1c228768742e2d2961b401fee02f7

SHA1
9edc4c85f0d51492c010b83291019b03da253f86

SHA256
471be66229279fdccf49c63d5bc8f36959bf7bef33b75ef6b98e94a5d2e5b7e4

SHA512
7a3e77524b4913d4516a9b6d01203c897bcc4d26f4a82c19892b27582c5e46e217c6e39aa7abc424117238ea5cf216a4eb71a58bd11d2c2242d08fea737facef

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
55KB

MD5
6cf3d977ec1beaa4f46880e690294069

SHA1
bb35d240f756d888d53d3c51a02dd08c86e4e19f

SHA256
2014a148ae2361562894a2e0c2b98856bc274d8b2d6a8d5a9778a420a0d04143

SHA512
b62e37c21b9faf77322967ffd69f93438dbb716b695d886a3f5646c2630ecaf3e5efe0f548427e2b6e8b48f3f91fba80ab2aaa0602510b21809dd3673bcffc03

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
55KB

MD5
004904d3595a3a5ad426593bbeca3f5f

SHA1
01d774e46e4ada38ce7bf7f5acf9b57a70cc47f5

SHA256
6541a0b7809dafa940a326c2f193e066265a2c76ea244e1d6fcd0009e439a076

SHA512
79a124cf5070d4892b4922f60ca55426b14478fab73182fb468e1928f5a9e3569cb6388187e626514895c2e945438bb532952b0dd1f6665dc911759c0187df75

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
55KB

MD5
e40351382e974be5419ae3590e72115c

SHA1
e0ef9f542e26b5a4ac4b6ce231a2281586dc07e6

SHA256
5954a051c542dbfb24593772f0e5330407930b0e56f24f8858bed81ba8f99501

SHA512
25a89e69c0376c898ef7778ab97ad186312b558bab813e3f87bf7f2aa50b427d3df6c5a72eec108fc4e6b239c10f31c237a99769c13240703384243f3cf7c0a4

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
55KB

MD5
4e5b3f82f353bcfa61dbd18ecd5d936d

SHA1
ef12e597876cfc8974a5c89ea2c235db016a9202

SHA256
ea702956391bf759eecea8014a904f3dae4acad2f0104f12b0a59714d493fdaa

SHA512
b509bb368d4d006d17a5a0f657838ab444297836c349078a82e71d6d0c5d2fa959906ce0651bdf018163e4ca29d9d8636c097d163f76116d703ff57a08c01fcc

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
55KB

MD5
c443a5cd6d514039743483df36272539

SHA1
471f8cab48b814670ce3887891edac929632cdc4

SHA256
2268dbbe725f783d6f0d77c3c011db6c309b6009688aec26ffd43d63d8291d17

SHA512
bea0c999e45d083968e8edb519bda8274643df838cf172a207c0401a047356332f9a98bbd39f5a37659b0102b4554bb6c953c65ee2764ad19f41c4342144b989

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
55KB

MD5
8b189855358dd909f72e7327bcad5f19

SHA1
dc2f371bbee076e02f4d72c4bfda7349f5913c80

SHA256
d77500e4ada1f7b132b0b3d75669f17efa6b4841dc0ba3dd7414a234ce78e450

SHA512
d33f81aee943c94f1355af1c1dff800c81ac97a589bbc18c7240e6115aba0af29514c98ac408c4842017b419b45a1852d6b2686ee7ecb5d852dcce0aa5addb9f

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
55KB

MD5
c345d8a979d3a357363d16ab0e2fb83a

SHA1
243370eb44bdf263e2b2c7a42351034767f88a14

SHA256
ef17f7de4b57b240eb45a9060f70b277f3b2a2a36a01043f2074b99a08d77098

SHA512
c0c5a08a8fe168a722f73f5a9e440fcf8eb049262dab544d2da2bc4577430a497b96ec73d7ca3bf005635ff72c28f786c90f19e4ef0d4083c9c22ac26bf25b93

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
55KB

MD5
a7570725a663df1b7548bf87c53e7457

SHA1
a52e2177d828eb41a756fea47cbaa6be694d1460

SHA256
1d5ea46cfa75c849c88f32bc3ef28f897a7549bbd0706e584d8680b3a54fff36

SHA512
284e9774d3b55c5e0ac4226a6b7da2d7c49e933ed8c688520c400a9ea46aa7dec527c28c56b7643204496239f026c4d6bad24ee09831702567341631adf3f5e5

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
55KB

MD5
4c2781a0961a4d3b50e513acfb3fb8e0

SHA1
0cfd7863c2ca6aca2d7af53bbbf263303df6755b

SHA256
4c6d633c348ef155444fe3e2be98c87183fe68cf3a99a100f8d6c9a9e3d2db0f

SHA512
765254996afe1f658463c66e2666f72f132bc2316d1830ca824fb060130f4869e1c81e69538e0fab409a986628b46406de83ae0a5d7d55c10e80f4bbf3400689

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
55KB

MD5
4d91deb80a7ec6b5081d664861f39c02

SHA1
53f7b7ce2e04f33b137e139221748a106803a188

SHA256
55f36b9c33f418be5d41bb5fa53f0cba7f4b29b1993ceb75ddd973a92960a691

SHA512
2551ca585ff14301f8c0faab9fd0f2a040a364df7cd7fcbf752775e3adf2fad459c1ac3bf528299dad3e90291c3b7800aaa4204bc99f2017ef2f10937f704ea7

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
55KB

MD5
b7ea7e4efffac0352b556b833fc46944

SHA1
b964a878b3c6ab7fa502e20ccf61035731780571

SHA256
888d25a857ff9f410ea8c2d8a5a9951d6386d030c405d54f2d69401deed10a34

SHA512
884d482d25cf983986720a59f197ca18824cad86bc9936e4d09d62a8c05646ee1498d67d9a01cd71bbe0560c135e398f160487f502be6f5b827cec353c309127

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
55KB

MD5
dd88391c368a6fb2b49928a64353a862

SHA1
62e51f11d0fe1722babd6119824372f382e34618

SHA256
e359228a3b12820af6209d7ac3da407242215aec366ea24262b6b030227b6cd3

SHA512
81043c544229bd47513d6951565d036eda5c71e66cca1b57d2c8b2c286c8b653efbd2d866459f798c1498354175974bf352c274d789880f132dfd963e35b61ce

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
55KB

MD5
c334789a4cd87ff575b38ac7f907056e

SHA1
7e3e091a878d87bdc7d9bf4a831e3916b7d0b08e

SHA256
703479a903c43730e04671db0d3bfaf9df15033ac68f61b53792fd9e290d68e8

SHA512
ed5f8e0dd0d7050398970b9b9b3fb1f8a7a3601dff1d55fdbec54d122a8731cf41042eea55c5f825501de2cd2c169c771dfd21e0e4b092e0b49d140ff2b72f26

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
55KB

MD5
1ea57127a88715ae70efb1957cdd9f75

SHA1
115419399244b88f0f58efef06a937d503b311ea

SHA256
b2da48bb1b25f0b8fe036243e22265020d820af35323b4cc05d7181d5cb4d9cd

SHA512
e648fdf226caeec71cf890e42cbd2c3d3b51c24a7dd4edaad1bd3042e3c7b6e232bc69aa93a30b663423fe69decf508da536ecad5eb07bad3138827962d252be

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
55KB

MD5
b408c34ab30b2ce48cccf2336ea73b39

SHA1
e598e9d102b7accc543fc3afbdc3dae3dd9ce3c2

SHA256
4dda50cc8a94ef76c26dd392895c878849b2616fc72a8180c761d4eb467f8ae9

SHA512
c67b0ca8d73e35513f694cc801489831b5ee39bb1d7039099aeafce49b04b2ce8df60d8fe62fe1d1fae503ba422c7c1169fdf2a6d575215443e7a148b15a61db

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
55KB

MD5
870ea5d05a2f1d16c620d26bfd9b9d40

SHA1
235bace0f3d69fa8a04152aae1e5b00d029aa2ad

SHA256
06a9b3ece7ca39633cce2ab8ac87fd36ad04b5e4f1ee37108b35da1e0e414617

SHA512
8061483dc015086172e4296b7cce6b069affa8e346a7d21e6d2963debcd0092abc81d8163aa654387fabb7b9d10c4ba87219e1981159fd9b8232cfd24c05a161

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
55KB

MD5
e84a21bc2eb1bed725f591b106cefcea

SHA1
5d73599bc36da8c1b373dd01867ca0a245f23e69

SHA256
7ff39cca8b079b76449d694da4c0d8896bb5e69df85bf1b76ba92cc4efd994b2

SHA512
dc63852a8ce29ca6ae39b120c636a3e44c13c682ebae86a2e268d6ccb4a844530d6124c96ffe4978364c3fe4e416ddb7db3b70f726e476e50287dbe74122c7b3

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
55KB

MD5
b50cf322c59848c425cf2939b01b93f8

SHA1
5acd094d0462adb599da5dfe36964062fd978b97

SHA256
94301894d42d3823bed36cb685cdfb0a886792977b40b677e93028e1db498166

SHA512
c982b2c8c3729811ab67467eebf2b46cdc842f9c0ec2130645cf05c6661a045bce43f6359524bdb3a938c5e24e0f8fa25fa5874be0105e2962d5017619dc842f

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
55KB

MD5
26a3c2f43a78703c2263a668814a1e15

SHA1
bc7cf2319a0bd93ab2cadb9975d60ff18e92127a

SHA256
9913bc4d6357447ed6fba4bc35ebef0d7163eb9bb189c907900389f5f9f2760d

SHA512
33f6b7b7af7db5cbefba4d6c062b5ce29e326457e8c8006640740bbc61063f1d032024511d782101348b8dc3eabd1c61efbf3e1bbc86c8d4f3c710fdf67c2b7b

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
55KB

MD5
860b76e5fc33a5936a48af0b1c4f0f1d

SHA1
9759d8bd0fccc962fb5e1e449760866e787735c7

SHA256
2971d305a8904d29b481316ddba494fff091cfc98443b080e7f053eb427ef283

SHA512
e0cd8fb3f3a34b6ab80bb0d777c8a3298a2cd25552145139c1b7dd110bd5b719932c8ca088152bd16dc4f98e8cd2afbfe1e84724b2e9f7c2af326e988f5d065c

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
55KB

MD5
4d798781a1c4edde3781acd284ec121b

SHA1
2d391fd8fce6df8f3b04edfcfa0947c5aa8908d4

SHA256
503a39772c81070165c6e9f311ec8074f46b64b9ca76c500967159db5b642616

SHA512
2af3afbf42f064fd748cc9c2baf8d950685fe149635deb06d5768af6c9bcf8d4fe62fb83963318d92a140984ff9c228d69ff73f8fed74df6a16ecd93bf06ce9e

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
55KB

MD5
158567e3130cd5c03e69687b861c1110

SHA1
4996378e0084d9895c84a10437047ea5ea2deac1

SHA256
14cd0c83ba238abfbb506f8bd50fa9c9a9e2f5847608296020b2243859d46bc0

SHA512
e5c1f3ae328db81101e1f61ee46a8a6f0fdb889ce24fb6f8b66005ed2445c5d54e08a277acc54488922b69d0c509f0498762638ed3078741e31b4c850eb89b23

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
55KB

MD5
593923e65429b8821c47243b54c7fc17

SHA1
5a9d24d2529ad7da212175b852317775d0a181f9

SHA256
f71c1ecb1f81d59242751021985005fe0f7fdd0000d6c02dfe2d948cffd0afdb

SHA512
fc46a9a8a9c7f1fa1692bbafd9acc2a120b183816cc69b149dc378fd76198265aab89128b93818caa12faecb9f7972454b934358fc3f8914d8be08dda13f9e29

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
55KB

MD5
1325161d7f7166a28434e9c7c926e808

SHA1
90f67fb7ac3062b5586ff497bbaf7b1610f9a2f9

SHA256
08353a15c0c2835a48887e803e349dc671b16441533d6eb705b1f918a7e1900f

SHA512
426c56d858efe02103f091fc167a648f657a5cfb0f0b971fc622465f1a3e61728a80068851255725aa5c6f5a52e3d4219f5b1f27af9379d6722cc305484d6f82

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
55KB

MD5
d8d5f6a86e79e2a1afcccd22ef1d4ce5

SHA1
9bbfc210bcbbc12d9537571fb1fb39f32bccb0b8

SHA256
16949169973329734a88859963f7d1b8b4ba4dea06cc8844b703d93b95ab4f05

SHA512
6585331f0d2457ae3af8d22ebf72fa921b44d60900a5a886e53de8ec3e6728d4b4714c229bde962a3372e1cfa626d146d73e2676632d7a51752ba534778ef3e4

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
55KB

MD5
654323600317253275a459d5b8e8d0e6

SHA1
73b4b5bdf25ce837fde0a57302b8528480d610c3

SHA256
de0406e06f510bcdc23d9c02b0d45141fe9037027dd249f9c9637b3fab716d9b

SHA512
cdf7e736d6fcc046065b35796249d5409b97dbbf9e50a20b669fce06bf6ee700328586556ea97a93974025c83d3ac35b0f27f10b1028f65934b5198c602edfc6

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
55KB

MD5
ee233b09e377269fe621f4334bddceea

SHA1
127991525991e6f022d0853b9e5168baf151801b

SHA256
d42cd85e1c52afdbc6b35dd8576b027f1cf724812cd95f4750b3714c052125da

SHA512
9713f3b5d168b57e75dde2cf104c94021602e34601cc4422624f8ff79f95c156d8ddaec519470f3bfbee59bbbd39e231eb35e98802fbc295c93635d26034e052

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
55KB

MD5
86e1ca55096443a8b6afd96ada01984f

SHA1
1f1775b54172258d5df11dfbf27e3f6cc2652fd7

SHA256
854a60724287b26dd3c7744c36a6925fde44f0e0f36694d8e57a49faeeabb816

SHA512
3186ddfd1ce92fcc07062e34a99db20e0362eb77358c82ef022b5ea68e764ca0fd3c3e0ba7920cba97ae38c7c852cb704dd0eedd753f986344dbcc53d27d0a12

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
55KB

MD5
a9ed0e2c80d28838156c9e05c5fe94cd

SHA1
2bfd09919f750f474df11f1fcfd9614de0e115f7

SHA256
6684bf8ba276601c69fbcf53e2c4fec8fb54f3404f5cdc6d2f3ef8539eaf6435

SHA512
aec50e81406b1f2c0974c09bc06079f9e4e97584ed7489fe06cf13685f852099e28cef5c947ce8b5851f8fb3defd47d46b0c2a91a1622d1f8cbb0fdd01a6b772

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
55KB

MD5
699e032de7b02f21d100f1250cf40ae4

SHA1
0a7e6d8e25b341473f4bc075edb74ff84fb55677

SHA256
b54cc8a129d641343dd490465b1f39d1e37d093be054ef845df7f0356c9fc45b

SHA512
175395d4d30915bcb4c1ad1b3c76168f391cf5904fd958fd3ff0f1935d1bbb288af2ac119090886041090b3d658c22d28cae4122814b10f9cef66f3b572c7f8f

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
55KB

MD5
de417bec0a7949c61a6c738bfae534f7

SHA1
59e202388c94d05a5e8a7efb59131aa9e2488148

SHA256
f9caf0ddf8eff15123ae5247167615e957e823ac3d6720a2449b74cfb2ff18e4

SHA512
56c9a81e61a0b9dcbbb8bca581171fe103e8ee21b051889afb23c419ad0ef06be4704883f005e2599f4ed2363246d654f38713099788bb65a85c46acb994db7d

Download Submit
memory/380-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4212-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5192-1043-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5220-1032-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5304-1042-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5332-1072-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5380-1071-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5544-1050-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5608-1066-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5616-1029-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5704-1064-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5824-1040-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5968-1038-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6072-1044-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6156-1026-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6560-1017-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6824-1011-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads