6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3

Analysis

max time kernel
5s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe
Size

76KB
MD5

d338498d69b36997f59f02d6bc049316
SHA1

410fbaab33a12d3d7ce214d997f77e2655af206c
SHA256

6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3
SHA512

b247d8b2885496dfd47da5519c82bf50adde10748cf94dd1e701a59b25b23bafdce43f06c9840a0a63b305a103ccaa88f6afac8c467175287f1de27b8ff0a44e
SSDEEP

1536:K8IweEKi7tE35hRdUBKmcX7TOoSHioQV+/eCeyvCQ:Owe9i7m37fUkmcXOrHrk+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe

Executes dropped EXE 64 IoCs

pid	Process
3148	Fifdgblo.exe
988	Fmapha32.exe
4976	Fckhdk32.exe
5000	Fjepaecb.exe
5048	Fmclmabe.exe
2024	Fobiilai.exe
4784	Fbqefhpm.exe
1196	Fjhmgeao.exe
4240	Fqaeco32.exe
3300	Gcpapkgp.exe
1972	Gfnnlffc.exe
2052	Gmhfhp32.exe
936	Gogbdl32.exe
2600	Gcbnejem.exe
1980	Gjlfbd32.exe
2140	Gmkbnp32.exe
2008	Gcekkjcj.exe
3284	Gfcgge32.exe
1792	Giacca32.exe
4712	Gqikdn32.exe
1220	Gfedle32.exe
2068	Gidphq32.exe
2316	Gmoliohh.exe
4968	Gcidfi32.exe
1168	Gbldaffp.exe
1852	Gifmnpnl.exe
4656	Gameonno.exe
1200	Gppekj32.exe
3296	Hboagf32.exe
2708	Hjfihc32.exe
3844	Hihicplj.exe
1144	Hapaemll.exe
4608	Hcnnaikp.exe
2688	Hfljmdjc.exe
2504	Hjhfnccl.exe
3608	Hmfbjnbp.exe
1112	Habnjm32.exe
4744	Hcqjfh32.exe
692	Hjjbcbqj.exe
1060	Himcoo32.exe
1228	Hadkpm32.exe
916	Hpgkkioa.exe
1532	Hbeghene.exe
3528	Hjmoibog.exe
4956	Haggelfd.exe
1124	Hbhdmd32.exe
2828	Hmmhjm32.exe
1760	Ipldfi32.exe
3280	Ibjqcd32.exe
1992	Iidipnal.exe
3792	Iakaql32.exe
2352	Ijdeiaio.exe
2060	Iannfk32.exe
816	Ifjfnb32.exe
4636	Imdnklfp.exe
4940	Ipckgh32.exe
1312	Ibagcc32.exe
2484	Ifmcdblq.exe
3992	Imgkql32.exe
652	Idacmfkj.exe
1420	Ijkljp32.exe
3916	Jaedgjjd.exe
964	Jbfpobpb.exe
544	Jjmhppqd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fjhmgeao.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gameonno.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Gameonno.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5244	3088	WerFault.exe	221

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 3148	4492	6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe	81
PID 4492 wrote to memory of 3148	4492	6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe	81
PID 4492 wrote to memory of 3148	4492	6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe	81
PID 3148 wrote to memory of 988	3148	Fifdgblo.exe	82
PID 3148 wrote to memory of 988	3148	Fifdgblo.exe	82
PID 3148 wrote to memory of 988	3148	Fifdgblo.exe	82
PID 988 wrote to memory of 4976	988	Fmapha32.exe	83
PID 988 wrote to memory of 4976	988	Fmapha32.exe	83
PID 988 wrote to memory of 4976	988	Fmapha32.exe	83
PID 4976 wrote to memory of 5000	4976	Fckhdk32.exe	84
PID 4976 wrote to memory of 5000	4976	Fckhdk32.exe	84
PID 4976 wrote to memory of 5000	4976	Fckhdk32.exe	84
PID 5000 wrote to memory of 5048	5000	Fjepaecb.exe	85
PID 5000 wrote to memory of 5048	5000	Fjepaecb.exe	85
PID 5000 wrote to memory of 5048	5000	Fjepaecb.exe	85
PID 5048 wrote to memory of 2024	5048	Fmclmabe.exe	86
PID 5048 wrote to memory of 2024	5048	Fmclmabe.exe	86
PID 5048 wrote to memory of 2024	5048	Fmclmabe.exe	86
PID 2024 wrote to memory of 4784	2024	Fobiilai.exe	88
PID 2024 wrote to memory of 4784	2024	Fobiilai.exe	88
PID 2024 wrote to memory of 4784	2024	Fobiilai.exe	88
PID 4784 wrote to memory of 1196	4784	Fbqefhpm.exe	89
PID 4784 wrote to memory of 1196	4784	Fbqefhpm.exe	89
PID 4784 wrote to memory of 1196	4784	Fbqefhpm.exe	89
PID 1196 wrote to memory of 4240	1196	Fjhmgeao.exe	90
PID 1196 wrote to memory of 4240	1196	Fjhmgeao.exe	90
PID 1196 wrote to memory of 4240	1196	Fjhmgeao.exe	90
PID 4240 wrote to memory of 3300	4240	Fqaeco32.exe	92
PID 4240 wrote to memory of 3300	4240	Fqaeco32.exe	92
PID 4240 wrote to memory of 3300	4240	Fqaeco32.exe	92
PID 3300 wrote to memory of 1972	3300	Gcpapkgp.exe	93
PID 3300 wrote to memory of 1972	3300	Gcpapkgp.exe	93
PID 3300 wrote to memory of 1972	3300	Gcpapkgp.exe	93
PID 1972 wrote to memory of 2052	1972	Gfnnlffc.exe	94
PID 1972 wrote to memory of 2052	1972	Gfnnlffc.exe	94
PID 1972 wrote to memory of 2052	1972	Gfnnlffc.exe	94
PID 2052 wrote to memory of 936	2052	Gmhfhp32.exe	95
PID 2052 wrote to memory of 936	2052	Gmhfhp32.exe	95
PID 2052 wrote to memory of 936	2052	Gmhfhp32.exe	95
PID 936 wrote to memory of 2600	936	Gogbdl32.exe	96
PID 936 wrote to memory of 2600	936	Gogbdl32.exe	96
PID 936 wrote to memory of 2600	936	Gogbdl32.exe	96
PID 2600 wrote to memory of 1980	2600	Gcbnejem.exe	97
PID 2600 wrote to memory of 1980	2600	Gcbnejem.exe	97
PID 2600 wrote to memory of 1980	2600	Gcbnejem.exe	97
PID 1980 wrote to memory of 2140	1980	Gjlfbd32.exe	98
PID 1980 wrote to memory of 2140	1980	Gjlfbd32.exe	98
PID 1980 wrote to memory of 2140	1980	Gjlfbd32.exe	98
PID 2140 wrote to memory of 2008	2140	Gmkbnp32.exe	100
PID 2140 wrote to memory of 2008	2140	Gmkbnp32.exe	100
PID 2140 wrote to memory of 2008	2140	Gmkbnp32.exe	100
PID 2008 wrote to memory of 3284	2008	Gcekkjcj.exe	101
PID 2008 wrote to memory of 3284	2008	Gcekkjcj.exe	101
PID 2008 wrote to memory of 3284	2008	Gcekkjcj.exe	101
PID 3284 wrote to memory of 1792	3284	Gfcgge32.exe	102
PID 3284 wrote to memory of 1792	3284	Gfcgge32.exe	102
PID 3284 wrote to memory of 1792	3284	Gfcgge32.exe	102
PID 1792 wrote to memory of 4712	1792	Giacca32.exe	103
PID 1792 wrote to memory of 4712	1792	Giacca32.exe	103
PID 1792 wrote to memory of 4712	1792	Giacca32.exe	103
PID 4712 wrote to memory of 1220	4712	Gqikdn32.exe	104
PID 4712 wrote to memory of 1220	4712	Gqikdn32.exe	104
PID 4712 wrote to memory of 1220	4712	Gqikdn32.exe	104
PID 1220 wrote to memory of 2068	1220	Gfedle32.exe	105

C:\Users\Admin\AppData\Local\Temp\6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe
"C:\Users\Admin\AppData\Local\Temp\6b0cd829291c685e5082ab66238fb3c52951f7d559106473257d73e95514f2c3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\Fifdgblo.exe
  C:\Windows\system32\Fifdgblo.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Windows\SysWOW64\Fmapha32.exe
    C:\Windows\system32\Fmapha32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\Fckhdk32.exe
      C:\Windows\system32\Fckhdk32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        29⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        32⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        40⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        43⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        52⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        66⤵
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3656
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        69⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        71⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        72⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2388
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2244
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        77⤵
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        78⤵
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        79⤵
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2472
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        83⤵
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        85⤵
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2724
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        87⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        89⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        90⤵
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        91⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        93⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:216
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4576
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        99⤵
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        101⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        104⤵
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        107⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        108⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        109⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        111⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        112⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2752
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1164
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        115⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        116⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        117⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        120⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        124⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        125⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        126⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        129⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        130⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        131⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        132⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        133⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        136⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        137⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        139⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 404
        140⤵
        Program crash
        
        PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3088 -ip 3088
1⤵
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
76KB

MD5
48db6ece76d5e2d3ab13a7ec41f92aed

SHA1
00ff812cda5c56768fdac587c795da10669e0ee3

SHA256
f7643b0bfc03bd08fe6543f5a4d7a341524d78d7ca2c9c6a3be94168caabc352

SHA512
8787dd241287acf00cf9d57f2fbf1653ca6b5a2da19ed2834595734b98e918c3d54a75805d708d20f97f2fd013e036eb5ed1149fc16cc83bf9c728ff9e22d263

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
76KB

MD5
e789a686a3cad3020d7042d86d69b6b7

SHA1
817eb7b71cda1e6195df9155b52344651135560a

SHA256
05c1081e874289e0342f3bf9f37b75c3b850ad66f625df2e6a5384734ee9e2ee

SHA512
f1309013218c52d0989b5d22a842803bd9e63beaae50e83ee603c0225ed89ca47f17c3eb337cd3e8aea1462a1c854f728a7d8d9aa1be7712e6d753fa6ba48d70

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
76KB

MD5
bbc1d0b6fd622dd3b41cb0464934c785

SHA1
febadb0b96b39561318c5c945a12655aace38815

SHA256
7bb7fa8d4fbc97c6d77111de4238941076d011eca5e54b88040243c30207808a

SHA512
0ee688c5c790855e0a7a58ea9470ef12643ba001af2cb8262d7f5c573ecb7949e327b406c05ad7c12b0f121041eb5fd7b3f63e414a939076fbf47c816749add0

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
76KB

MD5
faf3b33d6c61b556f78b5bea94b79d66

SHA1
4ea3ceb2cc51e8b715164e2055e292ed6097cf03

SHA256
d6c9354f9adc94f63000155bfe410bd4b920d4d01381853ead3413e602d0fac3

SHA512
76502f21df223048ff33515cb5a0656e74cec31f3e70a570cd93bc48e3dfa5a71a33096efe6a0e4860f529ad89e4fb42ef76fea604240a1fd71a68ee3af8d742

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
76KB

MD5
f815e8728273836ebcfa4e679bcb2880

SHA1
51443809cdc9bd399c66c87b4d61f6f711aa8f2a

SHA256
4f9eda260db680fe2df1d3ad6f223dbf85f1a2dbc49b04c0aa1b1bdcddaef06e

SHA512
b1ff19b2a5eae5fc88b79998e7c61c491e672fcb0c6a474545432d32c721870e5a79fb59a43d1371c7d61bf40d63a6b1cfe21874a971bcdf9c89a687221053fc

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
76KB

MD5
e3477d946992801010c19ce9bfd58304

SHA1
7d5d63c644ff5d42b632c59a403fcda12d851196

SHA256
825bf73640923bfa15a9b2a31cb329268b802e6ec54061c454f1d7aecc4df138

SHA512
639f741c3297a2bacbed4ccf1c702510eb11484d82b22b9e5971a6445816a592660808e3848e8adc461d035703ec1040db0bb0b93ee92b0bbc5139fda89bff61

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
76KB

MD5
e6bf7c6adf0b65420946e7c381c053c5

SHA1
ae8918a72752cbf56e1f4b520afc7c9ca885d7d7

SHA256
0f885fa1c64b5997103ca5d4bf4c034bedeb1b9f09450f998aa8f6e9abd05f32

SHA512
2f431b1cf3f56d29e2c98473374f5dcb532ae61b9745f2fa7462277856e52a6eeca667b50930c3188c281db1c93b39b6621dbf888d0ead67b3220e4e1cfd01ad

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
76KB

MD5
0a920ae400ee70e0907509c7dcc2f60c

SHA1
f5df87542553cb9059cf009a58077871a20c04ab

SHA256
6a06f3d8fbe138a5ea6c20b648cbfe0478db3299661db4d053b196f17d695558

SHA512
8558a239017c9406f0590416cb35e6d01311a0c3908f9f697e3b7f80ac657c73fe451465c4e74596aa664cd12ef2e58c2f590cdd5a2a00e33a51702f70cacd81

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
76KB

MD5
a39a9473854ad7054e6a13bbd50c4235

SHA1
9c897f4021b7695585c7a5ca54470043c01d535c

SHA256
ac7e465e9cbb0bd6aa16d9c44605e0baf3ec57dda691fec7ea7ec1c79f71b74d

SHA512
886ba99c5da7eb9e8f1def60908b587dae69205ce7668bc56f5124557f3c2f67afe24d19e38ebf1bfbcd898c01079eebc54663007b106748f0f2b6170d1f4e2d

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
76KB

MD5
ca2549bf4292caaf263448e54f645bae

SHA1
ac4404226040184355c6d69f3935acd3b4f1ff0d

SHA256
07dfbfea694fa156626aa7155dc822d81f3477d3ec8c0b946aeb0bff4dddd8e1

SHA512
765cb6b8ca99775afaf8db47eacbd12b16d2e682588c31b30740fe967e7258bc3e641af9ad818cceb039fe329d35d9a365d40d31fde817a247b82adbd037c3cb

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
76KB

MD5
cf44f27fb6d5c3f1b7c993f299727377

SHA1
717604dfa318939810ef71ef353cf0c7f248e46c

SHA256
d15e49cdd9864e213be6926c7a3cc7627170a8ef88868cd1d834166a5ed61113

SHA512
733c016194065d742aad5e5c21aedfa380045b825b2ce97168072f066cd8f9f0eecee7cfea039f9de184b7e534f9c6e71c99da397b06cf064d8a62355bb1b655

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
76KB

MD5
c87a1b128bcd7c3be024fcb1005feb9a

SHA1
4c756299152cf748a267d3fe079608bcb7f4c049

SHA256
a8990dcfb2644788f6975c7a3d2e13c01b939098d417a2181ed6bc1e0fd6d9de

SHA512
57eeaad352cabd4407b067b7f0a65ebf98e653b8d60a08654ab06b07f81c86e2021c9bfdfee92b6b765a36d6b0c1989291bc7b342b0d4724d19bb4444faa8293

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
76KB

MD5
4c0466a9a8cc6ab71249e5ae08bffdbc

SHA1
aa687d07c21530435194646f93ab3deaf1903690

SHA256
2c2c69948680e03063dbfd9d96dc94ef3e253a2ff425a64a94cdc9b09babc1fb

SHA512
c1cb1f0320f924b60dbb177f58cec1b0fe68219419f21cb96c663a31f16a77eb3c811a62fb8e23b59cc1c7979f5908f912ee3eaa0e8a61322921daef0b3ef50c

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
76KB

MD5
c5d1a9d07f43f7c00ff8607b6f6cde40

SHA1
ed681f60a1f1f3092d9df7d75be645f9fe470746

SHA256
5da37d11ebddc8e8f042b2a9c316e79ab27b1e8d663132dcb7803c11e419fb98

SHA512
5e8fe6df48af5be5072a268eeebc3866e30e4a2e57eced52f7b828705b522b546546954a82af2e885f08fee4273ed6a12f13804fd49c6e516d8d1fbdf159770b

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
76KB

MD5
e5d0f117e04de7196573633490676ffa

SHA1
d53419b2041c873cb367c8e53e36b21de3864c6f

SHA256
f75a3477a5d68dafe31fa429d5fb77daec0da8fad11c1e4403eb13f8ee80ece6

SHA512
9c0c058ba4bbc5092acd9cf1c490f2e2ce2589a6525c4bcc7f422f7ffe948c00d7f2aa773ebe0db83bdaf75b50b76d61366679d4b30eaa658bf8572deb120de6

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
76KB

MD5
cdc5e56f97d1981771157da566604ece

SHA1
cdf1bb1d498c24ceb058e0156c95d7d27606a73e

SHA256
f064329c0f9470464531e9e777f6e2a748b79f978d1c6e23816d95cebfb2b3e6

SHA512
9a11ff3c6c16b6665db0c14d5558da341c991926198b196eb176de57678a3fb65ee30e3c640f103af633e807b7e267a28217e51ea262847390ff3cbfb06b0941

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
76KB

MD5
d232d0baaedf48b5ae3e524f4135a940

SHA1
4b98dc89e5c42ba25a83d7a7666fdfb42b6c058e

SHA256
7c19ef488360cee5f66a14e75b93beec4966318c63bc6a38d5f684e1ed8c4082

SHA512
c89e84b26fde9c1ca9253c57101b409fc7b50b6bcc7fe042e3fe6085caa146fe305274064d8b0100c1613f4e5b769cb398e58e8b9cc649ab502b696935bc4c72

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
76KB

MD5
bf4743c2c9e765192ee1c450f9cddc96

SHA1
b702290079f29fc8189b13aee0751c4850824db5

SHA256
21ba5c615a3179eda91ab91884c6ca45c566306d633e81e5f7ad6bcef55ea887

SHA512
4eb5d2429a4c7d16a5a71b66decfec2e16e2cfe8bb688849875caae8a22dcd822ed8243ccd70fda68fde98c3b2bcc0b5a6bde0a9949c0e776287ef72de978d01

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
76KB

MD5
0a1cd4c346ab59e71aaf104a868be7fd

SHA1
3e89a6f85ab0b0c045cfd08a4f810f0668582cd8

SHA256
86aa7861e310c415df0ebe52e655d712fe0b15d8eefb0ceb1b8373a90c1e6bd1

SHA512
f49afd0c5202ba3c4ba68fd9f0431eee48871e8ad7c1c2b2eec1490207ada1963e049c2672195102518041d73d3e85f7e236d3cedbaedf8ceb84ec8d4217242c

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
76KB

MD5
866b06d0ee71eb91ce093cd4c762a21e

SHA1
5c8340e74825915228c8f897c6cf8f9842234de6

SHA256
f675cf4fde1f86a96792876f4dbef2021bf1093086bf42c0557c83359eb8c3b7

SHA512
84a9e84b5fbf579d2db8d2ed83e83f6523f15940ec3f593e8844701d9cb733d83b863122fd54c5f37848c3ca9063f66b8c1a955d2ffee4745dd9d83c1c7c7e77

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
76KB

MD5
2239711aa032c7e883189256801bf8bf

SHA1
3489eeabe0a8857513a29713b8a6c7c43969a00e

SHA256
4a02299a20a15dc7e344fde2ad607329c8728329a7b90aba070f4a0380eb4589

SHA512
15a177cad9d04f29eb22df4d68a730360634b72eb190ae646fa054cd68d5addb688d23938f752be07d6f6936ae3dbcdcec19c5e7bdbcb71e59c42b0ee872a06e

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
76KB

MD5
1976a6ff2952cd081193d1e187a1a7d3

SHA1
ca39daa73228c4b84b20f210099907e62f12a6f0

SHA256
515f761434f163d78293797585a1d56188c52715227494ad1147928ddf5cd608

SHA512
7965bb815d1f258a504f1cfcd7d6fd7ef7bc4faa7afa5fffa7531471a3f640df3779e551054b7a45dfc272d96254e90cf66c252b438fd949d46c316836bdb1d1

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
76KB

MD5
03273e0fe094908b20560d4d240726cb

SHA1
a9de231e44b2ef625595c32c0afba5cf80f8a74a

SHA256
f071d5a462973a3057f97797fe2f83aa4b8168d9ac0e1d128cb9ae7c3dcdeb80

SHA512
d39920107814f22f8ba7a1627a23a7197934128025a4524537e5dd72c1e08bfa535604597572ee432b32b9e247a631b5e73249b8af865d40eff27575f815a074

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
76KB

MD5
4d97e48bdeb97e1076a8cb3928bab25e

SHA1
0ccd0445d9928d6cc0274894eef8404058214a3b

SHA256
85976cbc153e690146b3c683b44820cec524f2db68f85d45f49d7633dcb1537e

SHA512
31bff1af114df811af953d43dbfa4f604b4780ae3428d44095dc7bd3637ef04fe237302eb8213bd2b3936d94c004f46b037755974fe57e79871c1c6c847d0c40

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
76KB

MD5
54e615d9bf35794710a3719a03e74bf2

SHA1
e24a77ecb8eba6028f7a537a23795eb4287e4ddd

SHA256
9e5cf4f798f159eb0d8bd9e08b96caa0b3edfcf2df758cb9f37174cc8291f066

SHA512
c548c3ba8e6d7b420e56e3e263761e7ba5572efb5037bca2ba3e051f8e6b40e1f6bb2e126f6ca931b82c7ac4eaae1c3fa512898370dea6991e7c0b5af7db0db4

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
76KB

MD5
d6e6211f54716410bef8d4ef868b1a8d

SHA1
4877f865bf33c15e35fb74378d1e2e765368e062

SHA256
8196fd170bf3019e720897fb6aee4158f61737fe5eb978c66a3df5847a469c7d

SHA512
8c4630ac75ca84dd2d47f8e4ff592d2d2ffb9789c000bebfff95125ae8080d0cc7acf59d4e3504bf13c94690eb50a73d563e98d67c20b64a2c3dc7a592ab3fc2

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
76KB

MD5
2a615249fac152cd99e77190321c1f59

SHA1
c6200d3fb990728e4e8017ad2f253d9e318098cf

SHA256
b86499bdfd95234712b64fef79045cee3163f1386afcbc576176b5f5dce5e223

SHA512
15509a7290652d017e9ada6195e4e41de343a1429a14d07c1e54c319beb51cb27e6b68e658e32ff99c063eb2ca7ffe7dbc34f345e61f29b637e6d0410d237688

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
76KB

MD5
18499f8343a328f56363a4b4c129812d

SHA1
db30b9e8ddd30f6ef8967d9dfae81d60ff65528e

SHA256
b1bbf5fe9c9a118318c43e3704d68b86626e27d45152470be2d4ad6e0dc37d37

SHA512
3b85cf49afa8fb0d19432cdd092f2204b6ba77b46be9170aa0438ebde2d2d73a5a0f0cd81ecc7073ff94ed6200e388e77a93cacd49a2063bbc94a5475dbdf680

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
76KB

MD5
2fb4ad2f5419c182282661f9c9473cbe

SHA1
4ce632d0ce65de05c56923608137189180fd4e75

SHA256
204f031705f81773a1641ba24c7ee0e63719a2b372298e4be08019ed8e982d77

SHA512
1c1014d4041bb6a419c050c90961eedc500c7618453a8c47b83e78596f923114b25805e22b524a7571e4cb5d65c27213c7a4376fa88e83061c4979b5ea8792b8

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
76KB

MD5
f78c2e7b5a0f9f88ab2de18a2cc2ddb6

SHA1
7a0ebde8640cac3dc94954f5bbaf90c1631077e6

SHA256
b8b985c5f5cbe569bf444486aacb0995823f756c6367a98eabd232cc75ea8f02

SHA512
46f4875c1c32596f3abdb073afdc150daa33d362ca1e874194138f77521cd3feddcc9f25a5b2ecb44046e3a6c95a58ce9b057aa850aabfbb30c6220c4b7a5a34

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
76KB

MD5
14099db47e24629e52ed9938289c254d

SHA1
b0cb045d713bde565587cd829e47e336150a805f

SHA256
e28c4be2035bc7b322ce620a5429c643b4d07a48ae0040f9252dc7abd51f8da3

SHA512
bd155cbbd850f6b7fa63d85d353f0ec3b5d983cef32c316e30c41221e4608565af1e4ad611dc8a69ae69110bff035d39072bf5e864bb12b79c67c6fe0220e49c

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
76KB

MD5
2da3a9d9811efb658ef219b338370eef

SHA1
a1818948b40cd837f2194304b53c918b5b4c67fb

SHA256
3965fa2341e38c94976aaa9ed1d89f4281155d9a6aa595c66cddae86f344d6b6

SHA512
5ffcbf84455d2d7b7603844db78bbbed73c4bcaf261f0f174eba62049ecb2be158329418b2c7bc8d016374ac59dbc98529f2a36c9005bf589c4b6fee3e8d899c

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
76KB

MD5
d1ec031f1abc341fd9772f15cd38277f

SHA1
013d01fa4e433614d40d873db6c71458279fa578

SHA256
289c370eb86f9ba45458342fac84065b71feb3338c949c645b93c28a0bf50bea

SHA512
58a929ced2bf113c06d06c71cb79ca6d2cb2f0b88cd71ce10a0642d82a7ff82bdf8cbd69207546caa8c9535edc3fd05de0d8390a53a515cd19b09b99b475e627

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
76KB

MD5
5fe2341488a938b1a40e8e6008537dce

SHA1
d82459fac6812c0d43afe07b664e6daeddc23c94

SHA256
aa9ae2a68b35680501751e0815a33544e66fc37ec8bf4a4bd9d7d3f1837999c0

SHA512
d7de18ac9bf9a81213a485065ff60764d26446cddf42d834ca51e61aa782a31854806d3acf4f145f30503715f58fca385208b60652b5c95b8573ad32842059a7

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
76KB

MD5
0140bda439b1bfb57bc39a4abaa2bed2

SHA1
bc910557b6729004ecccce68daf071ff72006bb3

SHA256
c85acb7ad8db4fee49f0b51b869203c260a373fdc87cf40f154d0b6b1d61d443

SHA512
52d584aa13782efc0267147b44b50034b43a5b010f2d73ac11f0ec430b3f1cfe7f8ea327d736ca17925058229fe4ec12b9a29f62258a9438eab24991ff4ca1cd

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
76KB

MD5
bc9e2825bb3957b0b79590f7c75159c9

SHA1
57d6b21a7268984ed2db203102d7fb2a41f8b554

SHA256
6c9d531e725d639e0665f1a795979bb0aee5a110384ac8c428265fc26f0b074f

SHA512
798d8a817773d7b63ba3604067d084aa78fbbe906be91171f1406ca6a5376368286fcc9d6b88db07b71e4e4562c86d2fc9ca42d6d441342e4fef84e515363a8a

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
76KB

MD5
2ef84d18a68eff3fc58e8dc2be3c7d4a

SHA1
f7525981317405b81df93a907cce4b53a8c784d0

SHA256
693e6f8e40c9c94fd258e1ce4989b86680ce4531252555a791ff65440ebcbf2a

SHA512
295fd00fca598b07f41c93675fe097a0fe3a3887cb484488835da038415137aeb5392e73247e53bd76e4d35ff66bc95a8cf2a12b2c2dcc108ba8ed506e5cb982

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
76KB

MD5
ce9c5ae9fa0fb3ec5776a343f3564e4e

SHA1
cef8e2b8fe00dcd3559ee185b319fabcbd0c9e8f

SHA256
e81f3c89c765e76d61a8643657adc43706f6339ed64c7d566c1eac640db9998b

SHA512
1b0f55c2a8858ed237a84a0fcd777e72de76e8387ff8373bf89940e2473e38401f734499656166827f7ef1a86b166daf9a6df98df3ff9b322b1e31cdec682459

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
76KB

MD5
bbaeebcd20512d33affcc8873a0f7317

SHA1
d0021060c98f17f4d52c87a11764594460bc3922

SHA256
a9919fafdd52b823e5c95109759dd52e0f89e730e7bba8d86815df88dd9cb305

SHA512
d5a5844ee25789f1b0258a3aede7e729b8a0a15b6dad136f734cf02d6105f78e564489426056897a22d3db144bd3e3e4b63b18db84e3002d7209865d794abcae

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
76KB

MD5
646c9c6a11df98cff4f0cce80a8ff400

SHA1
10d862d1f96971efe6787f7e7ef082d922f373ec

SHA256
40559252e0835bc839f480c51a0afe91aec332f22c24be75fde5790958bb00fc

SHA512
b78e3c5e6728dd95f6860cf598578aef082f90e3ba8511817040a24e3467ea2cb8eb025b1a84dd76a036a77c9910c39a0fbf9c16a18cfa775b0b6ecc679572c8

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
76KB

MD5
be182c2c7997bfbd90675e98100b79a8

SHA1
f460ec3fe15473108470122fd832917f5dc7155f

SHA256
842bceb6221e96d1bf1bc960dddbdeb6527d8f562d15fae0a430a4dc49863cd3

SHA512
c146bbffb46e23fe600d6671882e75cffb7cf4569d7c0ccc697e9e8b73c6640ec441295db448803d73de1ee158319e51e56497d4dab314eb4dab876b3c63ac37

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
76KB

MD5
5c703f345efabdb3bb9b1b51a69f5040

SHA1
e6c98f449b316d4a07d5ad913b354f3b396469ce

SHA256
e97106c345743d93917c1aaf252d7694d3786ffb2b1943352d8e24a96ffffd45

SHA512
d08ca378187104c53760aa3912d9b7709ec34d1eb100d4a87a95aa40bd7c6c12aa5c417d59899962dcf5b15d3a18e9fe132c69555310f06ccd002b3833836df1

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
76KB

MD5
577f0cb3295eb1a67f657c80829f92a8

SHA1
a12b0b22592c710e1a3d448176c78b53418192c9

SHA256
f811422da89776cecbe3d96d898633bf2a9a4712559ecd979be3be71502c0528

SHA512
90fe4dbc7baa011ec0a22c5970e01513fe6a78933d82d9d8bc3193d0c42d6d416056382f42c58596e672b9c4b25a757fa450441598b612f1dbf2c1c757a99afc

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
76KB

MD5
f228deb0fdd8cc46abb9f77d197b9427

SHA1
99569c51fdc514677e29225c74044ffacabb74ad

SHA256
dbee49376c6f04008e81c1077c8f47551067944aafb03fa9586d8f8069e9a3bf

SHA512
1442717efa5a0a0a3f1294ee7cea3bb90461f3d616d472d6b46f4d2e0d8968021180eb9e818ea4a9e1e159a251eca1a2063bfebd0ab262d407b4b2341fbaf76c

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
76KB

MD5
619e4afbeb8e6f244c0d518975317cb8

SHA1
95eda4526142582befc4860b1c7352b41da91b04

SHA256
a5729665bd6d81ebdd7378367f8504310c5ab24844320e42f763017e6d900384

SHA512
3f43e22a7767db53efd2a5f74abb91e6cfccdffc199cce0f1554728e93d2bfa2ac98d6bed333990eefcb1b98d63141650bc247052739a07bf3cfe22c28042c22

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
76KB

MD5
5ed77653cc333b8bef8c44265d7f3057

SHA1
7f2b3bae25ec08267d8ea299d248610e0d4a01b4

SHA256
a32a2ec5983d73eb642a3bc0d8f11e9dfd41eaec34e5dea3037b9b0877a033c4

SHA512
52daa0e8ad6b7148acf250876fbfbcc2ab6796393af9a39d762f7f1f1407c864e213f49d65800c5d876c26e40268d1b72ccaded4adfc92d67a987e6dbea2ab4d

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
76KB

MD5
6c09483b36360bb3ebe295578bfe7fec

SHA1
3d45e4b401620eb6143a31f6613f4b8431d2c019

SHA256
855dcfed665e738491eb30042699efbe8d3e53f5e435444f7ba3bc51f5c3af0b

SHA512
81182de9b0cea23561e9295a5917544a88f79ea66c43bf82206d935a5a6935242bef3f6cf76b71e274b92aa54ec7b03121b0a98970aa371dafc6ffd49725f4b5

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
76KB

MD5
7a86a3e8c8520128be6b87c7355dc19a

SHA1
77bdc730c62dbdf5c17c6edddba04da4e542683b

SHA256
d48abf15340f3a7e8144126d64e6d2418fff22f6983c8b86a3bb69c2a0e6c292

SHA512
6ae3a2a6fe794938b2403b3de7090f0a399249a063c5591f86298039e340f9993b7158e20bac0aa28bd913f4234683f9723cc2a06a69818ea2718d4f6d03c88c

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
76KB

MD5
9b54d34a83f9aa9136eaea6b97051072

SHA1
a5c67266e4c109c5b49764aa71442fb009a7d11d

SHA256
5a6caea4b85c1d31fabf8e148cf5c2cbbde8a4a0d58453422dcb379abe42cff0

SHA512
590ab2c591445ba625c82c233436107210f94344299768af0ce076db57b4521b2875dcb997c16c5f2eba4b072e23a0c2085b5c096bb4f607e661961b1ac6e31f

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
76KB

MD5
5dbb53282ff0826e84387789055fe3a3

SHA1
bf5541ca684ffd7038434c6c9f1d56f8fee2774a

SHA256
8a7a07d0a9ffb5b015ebe22fe9e773e7e7e63018e7d583ea19cf572010f7c0e7

SHA512
5041b8fe65e063005ccf85ba8e0710d9c9d652065dd3d81835dc13c331cf9de948ecd1dd07d17349b4b941157682fb5d46b87dd2c5c417322f15b649a6d148ee

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
76KB

MD5
e5bcdb7c95781d4b1cac347b14b2da8e

SHA1
70834e4ce8967f3b839fc5db35cef6782fcf5f4a

SHA256
4734b27b9421c43e725975dfed00ce4d52cc9dc72b495357f2d1abecebad9d7a

SHA512
d8c602fbd1b971b869ec5f64f3b8529908c434a0bff28bc1bb25ae6a754a703085fc17c8e56a9bc87af47dd6ed78af59e9e08e9c7d35a6eb66e13257a33bd9da

Download Submit
memory/544-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/652-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/692-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/780-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/936-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/964-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/988-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/988-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1124-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1196-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1200-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1220-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1292-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1312-411-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1420-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1524-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1776-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1820-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1980-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2600-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-585-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-551-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3280-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3284-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3296-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3656-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3792-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3844-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-543-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4240-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4300-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4656-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4760-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-405-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4968-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-565-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads