750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57

Analysis

max time kernel
141s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 23:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57.exe
Size

96KB
MD5

071d9916af19824482166a6ff44bfb7d
SHA1

2e2a9851b994de3a932982e87cc5b54f1a87c2ab
SHA256

750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57
SHA512

d8f9e660ca10f8c26b0704994dadf1f153a2b97c2221623e02e765bad2aeed9e3609d163cfaa5129c020ecb445b32e553ce61fe3369dc0fd3f4bcbdf9f48adc1
SSDEEP

1536:adPU6I9G//SW/aEZzyPy0AuSwVETkLiRQ+BR5R45WtqV9R2R462izMg3R7ih9:iPU3c//SW/aEEtbx+e+BHrtG9MW3+3lo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe

Executes dropped EXE 64 IoCs

pid	Process
1196	Fjcclf32.exe
2120	Fmapha32.exe
1136	Fopldmcl.exe
2180	Fjepaecb.exe
4892	Fihqmb32.exe
3772	Fobiilai.exe
4592	Fbqefhpm.exe
3568	Fflaff32.exe
4896	Fijmbb32.exe
2360	Fmficqpc.exe
8	Fodeolof.exe
4808	Gjjjle32.exe
1564	Gmhfhp32.exe
4132	Gogbdl32.exe
2868	Gcbnejem.exe
548	Gfqjafdq.exe
4996	Gqfooodg.exe
2740	Giacca32.exe
3628	Gqikdn32.exe
3204	Gcggpj32.exe
4988	Gjapmdid.exe
2564	Gmoliohh.exe
2720	Gcidfi32.exe
4584	Gfhqbe32.exe
2748	Gifmnpnl.exe
1448	Hclakimb.exe
3484	Hboagf32.exe
2148	Hjfihc32.exe
4688	Hpbaqj32.exe
1756	Hbanme32.exe
232	Hjhfnccl.exe
4384	Habnjm32.exe
1852	Hfofbd32.exe
2264	Hmioonpn.exe
3140	Hbeghene.exe
1112	Hjmoibog.exe
3292	Haggelfd.exe
3104	Hcedaheh.exe
3284	Hfcpncdk.exe
3984	Hibljoco.exe
664	Haidklda.exe
3048	Icgqggce.exe
3632	Ijaida32.exe
2992	Impepm32.exe
4540	Ipnalhii.exe
4416	Iiffen32.exe
1040	Ipqnahgf.exe
1572	Ibojncfj.exe
988	Iiibkn32.exe
5100	Iapjlk32.exe
2136	Idofhfmm.exe
1080	Ifmcdblq.exe
860	Imgkql32.exe
4644	Idacmfkj.exe
4184	Iinlemia.exe
5052	Jdcpcf32.exe
752	Jbfpobpb.exe
3084	Jiphkm32.exe
3524	Jpjqhgol.exe
2140	Jfdida32.exe
912	Jaimbj32.exe
2020	Jbkjjblm.exe
2008	Jmpngk32.exe
2704	Jdjfcecp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ahgndd32.dll	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Fjepaecb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6172	5856	WerFault.exe	229

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmgdgjek.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1196	396	750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57.exe	83
PID 396 wrote to memory of 1196	396	750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57.exe	83
PID 396 wrote to memory of 1196	396	750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57.exe	83
PID 1196 wrote to memory of 2120	1196	Fjcclf32.exe	84
PID 1196 wrote to memory of 2120	1196	Fjcclf32.exe	84
PID 1196 wrote to memory of 2120	1196	Fjcclf32.exe	84
PID 2120 wrote to memory of 1136	2120	Fmapha32.exe	85
PID 2120 wrote to memory of 1136	2120	Fmapha32.exe	85
PID 2120 wrote to memory of 1136	2120	Fmapha32.exe	85
PID 1136 wrote to memory of 2180	1136	Fopldmcl.exe	86
PID 1136 wrote to memory of 2180	1136	Fopldmcl.exe	86
PID 1136 wrote to memory of 2180	1136	Fopldmcl.exe	86
PID 2180 wrote to memory of 4892	2180	Fjepaecb.exe	87
PID 2180 wrote to memory of 4892	2180	Fjepaecb.exe	87
PID 2180 wrote to memory of 4892	2180	Fjepaecb.exe	87
PID 4892 wrote to memory of 3772	4892	Fihqmb32.exe	88
PID 4892 wrote to memory of 3772	4892	Fihqmb32.exe	88
PID 4892 wrote to memory of 3772	4892	Fihqmb32.exe	88
PID 3772 wrote to memory of 4592	3772	Fobiilai.exe	89
PID 3772 wrote to memory of 4592	3772	Fobiilai.exe	89
PID 3772 wrote to memory of 4592	3772	Fobiilai.exe	89
PID 4592 wrote to memory of 3568	4592	Fbqefhpm.exe	90
PID 4592 wrote to memory of 3568	4592	Fbqefhpm.exe	90
PID 4592 wrote to memory of 3568	4592	Fbqefhpm.exe	90
PID 3568 wrote to memory of 4896	3568	Fflaff32.exe	91
PID 3568 wrote to memory of 4896	3568	Fflaff32.exe	91
PID 3568 wrote to memory of 4896	3568	Fflaff32.exe	91
PID 4896 wrote to memory of 2360	4896	Fijmbb32.exe	92
PID 4896 wrote to memory of 2360	4896	Fijmbb32.exe	92
PID 4896 wrote to memory of 2360	4896	Fijmbb32.exe	92
PID 2360 wrote to memory of 8	2360	Fmficqpc.exe	93
PID 2360 wrote to memory of 8	2360	Fmficqpc.exe	93
PID 2360 wrote to memory of 8	2360	Fmficqpc.exe	93
PID 8 wrote to memory of 4808	8	Fodeolof.exe	94
PID 8 wrote to memory of 4808	8	Fodeolof.exe	94
PID 8 wrote to memory of 4808	8	Fodeolof.exe	94
PID 4808 wrote to memory of 1564	4808	Gjjjle32.exe	95
PID 4808 wrote to memory of 1564	4808	Gjjjle32.exe	95
PID 4808 wrote to memory of 1564	4808	Gjjjle32.exe	95
PID 1564 wrote to memory of 4132	1564	Gmhfhp32.exe	96
PID 1564 wrote to memory of 4132	1564	Gmhfhp32.exe	96
PID 1564 wrote to memory of 4132	1564	Gmhfhp32.exe	96
PID 4132 wrote to memory of 2868	4132	Gogbdl32.exe	97
PID 4132 wrote to memory of 2868	4132	Gogbdl32.exe	97
PID 4132 wrote to memory of 2868	4132	Gogbdl32.exe	97
PID 2868 wrote to memory of 548	2868	Gcbnejem.exe	99
PID 2868 wrote to memory of 548	2868	Gcbnejem.exe	99
PID 2868 wrote to memory of 548	2868	Gcbnejem.exe	99
PID 548 wrote to memory of 4996	548	Gfqjafdq.exe	100
PID 548 wrote to memory of 4996	548	Gfqjafdq.exe	100
PID 548 wrote to memory of 4996	548	Gfqjafdq.exe	100
PID 4996 wrote to memory of 2740	4996	Gqfooodg.exe	101
PID 4996 wrote to memory of 2740	4996	Gqfooodg.exe	101
PID 4996 wrote to memory of 2740	4996	Gqfooodg.exe	101
PID 2740 wrote to memory of 3628	2740	Giacca32.exe	103
PID 2740 wrote to memory of 3628	2740	Giacca32.exe	103
PID 2740 wrote to memory of 3628	2740	Giacca32.exe	103
PID 3628 wrote to memory of 3204	3628	Gqikdn32.exe	104
PID 3628 wrote to memory of 3204	3628	Gqikdn32.exe	104
PID 3628 wrote to memory of 3204	3628	Gqikdn32.exe	104
PID 3204 wrote to memory of 4988	3204	Gcggpj32.exe	105
PID 3204 wrote to memory of 4988	3204	Gcggpj32.exe	105
PID 3204 wrote to memory of 4988	3204	Gcggpj32.exe	105
PID 4988 wrote to memory of 2564	4988	Gjapmdid.exe	106

C:\Users\Admin\AppData\Local\Temp\750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57.exe
"C:\Users\Admin\AppData\Local\Temp\750d75b36002e278f0a78d2f9974f64ea42eb92ae392c128eca4ee3c6894ff57.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\Fjcclf32.exe
  C:\Windows\system32\Fjcclf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\Fmapha32.exe
    C:\Windows\system32\Fmapha32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\Fopldmcl.exe
      C:\Windows\system32\Fopldmcl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2564
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        27⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        39⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        45⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        51⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        52⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        54⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        55⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        57⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        66⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        67⤵
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3600
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        70⤵
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        72⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        74⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        75⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3216
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        77⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        82⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        83⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        84⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        85⤵
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        88⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        89⤵
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        90⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        91⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        92⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        93⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        94⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        96⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        101⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        102⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        103⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        104⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        105⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        107⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        108⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        112⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        115⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        117⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        118⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        119⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:536
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        122⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        123⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        125⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        126⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        129⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        130⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        132⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        134⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        135⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        137⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        139⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        140⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 416
        141⤵
        Program crash
        
        PID:6172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5856 -ip 5856
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
96KB

MD5
e3de807adaf63a720127feb471f192fa

SHA1
430da85c85907ec34f6bb847482f528755e505ce

SHA256
6722486f32b2674b0323404fadaf4c6e85a3f776476586bb71e4443af7fbc6c7

SHA512
c15ad4488378545898ce6f1512e9eac54e6315ee6e367c0135a30267be5e4a868c2b9f587e68724ea4dcd011028c7d0093a117c0a93d8b1c2545d021aa83f74b

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
96KB

MD5
181868f451e9ce7575b450bc54e5375c

SHA1
b1c5d462c2b0bf53dee65fbfbf0d19bf2b9e11b6

SHA256
7f86fabc160fa8ed956c8e756b21eb49d22af3f4c497f2ef4eccc40e6e43bc4a

SHA512
373b51f6f511983f0b2c544ff4da35e5ab0042b7fd84298e99bc6cbbbfe557bf4c7f336f0ba847ed8d3949151de5620aeb8e57a202fe314a71d8cf5eb9780d05

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
96KB

MD5
ab4315779eeddde980897745c3cddec5

SHA1
df8d8595a47508dd1648a41f83dd44d7d9503ff3

SHA256
c1db2f257036c979693d763ce4fde5333a97096c732acee67e41031b52f930b1

SHA512
e226853117a5f730fcdee61191b152b8257eab0ba89a3847b0adeaec9e5e57554dfd5e16a9c9223917e34c2a3652caa4c28c495841adfc99d1b0cf7925dc9e8f

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
96KB

MD5
4e2522884b39bae34461e5c908bc8540

SHA1
473bf781f8acfb10c6273baffd4006909befb8fe

SHA256
e44acdb4d155553ffe018d68faf5f5d11fe6b36307cb3a1f296ab0bbd5beb606

SHA512
5da4875369103236749afe6fd84519f5dcf88db1fd5c8794bca072cdba89472442b8992ad900caf30b4b3766379b8b6f56919755d7631ddb9280f9366e71fb07

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
96KB

MD5
ef496df8fa1eef497e9947f43105020b

SHA1
daff03757d0e9eb63311c88f315faca651ae0877

SHA256
9b3df50090aa2b233b35e6cf255cf8df8d688a2441ef2882e939f9db4452c59e

SHA512
f2815b18ea7df39d8a479f86057fa7acb6efaded417568339b8dfc2d980ab684800df362d84cce90e049b23165b2749dce88941974ac244f5ecaacc95f71da61

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
96KB

MD5
cc2b167f87b7c668b9f8862040cabc34

SHA1
7041d528dae36b89bb427102714de393b1d1bb2e

SHA256
e17fe26ad35a976f91d97341d10a88dd5d386176f0bed0d66cad3afe4aa109f3

SHA512
8b3a3eb03acc67c6eda072e50d566d427efc5609339e49e055a1959ca4b656ec77162709dea4357f49fa41ad2e5a0a43634d12d8302983922d312acef3498880

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
96KB

MD5
d506a9fb1e9f8b0d30273556c337bf39

SHA1
7efa4c6a6e1a359c28134a95ded7592563e068a0

SHA256
abee1a5cbe360af1b7bdc8cc5e0dd5bac67aba2a80fb42791fef401c00cbf6a6

SHA512
331185937c24f188493c09a1a0ace7c8a40080bda8f92c48b97f67ec49fb9b651be1f0b7b3f55a3d651a23a4e15f11b7637d92f89217ed70170c24ed7a9f8b61

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
96KB

MD5
ad4c68c0e73dd2e87ec6fc529e380c8a

SHA1
0aef183ee3d1c5a137431dff030699b735b732c6

SHA256
a4bcf1bad8f24ea138618d5b122fdfb47f2426ceb41d5376d43e97dbf4a10164

SHA512
df0ee3e22398d76cc983e8a2551df1c21db4c0e71080071fe686f0c06d3449285b7a728d1477f5570089351975d79eb293b5dbd40129d167003af27d3a109785

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
96KB

MD5
c6e67b23ed84582978a45f90e796014e

SHA1
a205184b79cba2027cbe8f4e178bcc5db77e9aef

SHA256
62a7cc5414ab16d6a2704fb5d92cbb4527bab15d4645a290e13390c67d341108

SHA512
4e438e83c12f1bd0dcec4425bb5728669c6a6b910da0ec41081ea517be2e92081d9f5b2091fc4252146ce8d5ea3927a22093b51c11717d8dabc25e5e51bd35f4

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
96KB

MD5
6fdf78e8063405833005fd19305fc4a6

SHA1
5bfd0538680361ed81f1978099a82af5a8e9dbc9

SHA256
00050cc29a38c16fcf7d25efa59546332f4d8e13b4b1947c8705322e35e1bc2d

SHA512
185ff3d25fed0eb2838eca30cbb722f88b53ddb64edf66bb56c8450e22ee0f1a44f68c8fcda5f27324249520ae47e2951a0d4742067a88be4599eeea4e6c6a54

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
96KB

MD5
bf34c2eead0cf68db2ef827315f3f611

SHA1
6ca1c83b25f796e75bf358c41c0e02515be7d691

SHA256
9cdc521e20bb0da9dab796c6a997cfa242cf25ac9a305d0f65ce67a7ee805f13

SHA512
c82a2d53b63760a46430c7800a9c6c17df8556ab4210fe6e896010e635dc2c3d6aa27bbbed87369f0c0131e2616fbc4a7e9cd2a2ec22974361930f341b761dec

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
96KB

MD5
0ece0323c56d0154157610aa4ede4489

SHA1
1ce2938d9ee80c0b3e45d7eba6a0bdcf10471402

SHA256
09bca72c4add9a855b7244401d311132f76e7febca9225f570db511367805977

SHA512
edf46f5f90451dd17c01e0e3d880dece1ff0db688cd9ec098ea90ff17b8f3d238ef148e39caf4afdc66279b17af0a17c3cf8499a19dd45ac7477d6262505821a

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
96KB

MD5
e65c19c2b73b049df58db0b5427d7f64

SHA1
8afe4c134a6991e68a06410432f6656b5790a03f

SHA256
b922e84cad88d987c68ed87e1c79487ec6a418a3876636e50e3af0dbec984327

SHA512
fa771bc458032fe6f05feb936b39056b1f1438eba7d8eb34cf76dd420df99f1875fcd1288f4958db371621eafd7ef475f2c84cf2e80646699b6d81b953e6db2e

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
96KB

MD5
755d7869558bcdb4721fab586887d92a

SHA1
42425eff260f381a5f9a49621eb11eb932b44a65

SHA256
7b54cbb973ad7119c566df908019f0fa1cce67e23518c71878825e511e05bd64

SHA512
4b8134044945c874a5d892749ad35a08864383502f784c953ac160d7dbbf75b53f05817f8d3b274632bc3764e84e3804c41f14f1c2949fea25c4db777f8c5088

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
96KB

MD5
5775b4597b5711f33db73c6c63740716

SHA1
f1324f15767a822574651e2e7a72c595e168cf82

SHA256
00f81483fa05f30163f108c31286e3e3dfca7942c7e8d3867ace8e2d1f3b1dc9

SHA512
2e8f450c021ad38fc7adf82aedd4064d6a6efd674737984c683ce82158dfb2835458fa55b121fa1f30b67cf6b1a73edbbaf8e2e9c6449521fbfb98cca97cfd12

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
96KB

MD5
cbddae5e59625e9bc2a2aff412c303c1

SHA1
c91ed5065502bb074378b6f5c09627d8b01cb71b

SHA256
6ca12a2e62a6a2a9d85eb637fe7f9e5b538d0280165498423dd2155f1b8d9d2c

SHA512
e6423d212861568c43235b6fd252e67184e9567e51d7626b3a8cc5c6731574e1a786eb6c0c2774707e5c47446e88580ffbf6de9a664e38570fe75cf3d4ca861a

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
96KB

MD5
b5fbe7a2ffeb711210615420176e6a8d

SHA1
bf8a88ba00ea2d29a65480550466082a60d0c2a1

SHA256
c57487859906739471a5e538b836ebc2552d002e86b0353ba6b7cc992ffe6241

SHA512
eda305ccce05b5d941c84d0e99016c47da762c00fd7e7929bd158fff0207578349841829bbd4bc63a7efa21b4a5acf651c83e003ad6af6d59ef52fab0fbfa601

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
96KB

MD5
4a6724f980d9c2dee2261c8a0d41e92a

SHA1
d32999fdf9cf9cff7f30664af951a7e15c38a759

SHA256
a564e8304fbbcb9aded155bc00e82216f984ec6d823809e97a7e6db92f6beaae

SHA512
90a9035357d72aeac54ba5711091a85994f65b14c0f3ec8176682fb25fcf06fa2ba8756499478cbad1973fbdc6de0cca8c57df489cf9b42f0d558bbbc9188481

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
96KB

MD5
bc3463b7fd154c3012045a6c219c3174

SHA1
62a5c8fd5b3b793f8615aa17dec152bc1bf0d56d

SHA256
3e8304917f80e23b8e2f09b5619a66b1e1b5b812b0502b7641df1b2ab668a30c

SHA512
69d09e76bcfdd6e8f9987e866329a2141c1b0c741cb3f0f8a7645a8ab1755e54230a3436b6c759277b55cb5651084fa4c111bf192217feb75a01459cc3519557

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
96KB

MD5
a56a3b9c0e087f5413b847d8979156eb

SHA1
bf0a4de4989aa9475f2500a70095c1f11c271aca

SHA256
5d88daa9574c7113e15a032e14603ac6fecc78218db1127ab2648f446a487a9d

SHA512
7a19c0d61906835b530a98a21fa34317bb63ec919ecb8404624cdef2be593603e53a515df398c802e43df4ed742e8571692b2d71a2b9f324f7e91c6da734c878

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
96KB

MD5
7630bb4be6966978f8b687434e2beba5

SHA1
1562764ec7238fe9f8bde644cbc9f20e914ac4e2

SHA256
170e75333f073e99acec44491727c038bb4d2347fd9eb6fce04d05134cea648b

SHA512
611a394034947fc5b38b41c65fac4adf0413f38637a26eb6c604b899a938f21aada1cfe5c40baf47cf359ba3207a1587f436b295751753e06924a9f2aa5b3364

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
96KB

MD5
dfad34919e770e09ccaf75a49bc30091

SHA1
b0b8f0f1cce12c7866eabe6b921bbcd09bd1cd65

SHA256
3c2dbe0aac330042906319038133e5fdbf4e930512d86fbd8414de417e679aed

SHA512
b7575c8886822e25b0ccf41150e605d51552d2731660332e121dfe2855d3f982cf8b0ce640bbc378308995fdb374df4a800a8ffbee541871eb78276bf5936ff1

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
96KB

MD5
9533f7adbb13a4d83b58eb0885ca46d4

SHA1
ba36714748c89712a50821abb79b2a74defb31bd

SHA256
a525b7d6b90ab2c22fe976ba8ead21c6225b0d168dde4362d932a7b97ec9b1d2

SHA512
8d5baf38a9bdeabd07e94c3564efe87bf381342050f49099e0bd1f7a8a5fe5aa9787b3a634b3a39b2da93df6e6b391c9aebac75c502ed26ea724356f673754b9

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
96KB

MD5
60f026c5b1cc31f0df8bddf7ecadb27c

SHA1
7574f0a45e755759067350425e65a80f782a38bb

SHA256
bd1ab0a9259dc3fb0b8c7a734d11f05aaacd17ba8ebd5dfe2c8730f23e5363ba

SHA512
d2578bbe38696429bea323719b2d331428c610bd17e155d5c6433ea83d5f86933804e02c59399336adb8e9e81e1bef41956e325c4da70ff84971e134fa8f74a5

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
96KB

MD5
a8fc70c842c5da583111aa0bdf66187a

SHA1
80e1c24edfd91eeb3a48f8ba30538beac8156031

SHA256
5fd65165ab7e3a58959f5d62bebf73cd3f6447d1fe5893aec8a5cf1f3d3a4da5

SHA512
9efac5773a1fd411614df55e76d0c82bd107e7f0226ab10cd9419b14c423583976ed03d922e336b23b00d8d6eaddc6af298b31b4626c498d1aae93ab4f387262

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
96KB

MD5
a2f282bd4c0cac70f8e652c786ebf97d

SHA1
e4464d7938d90d03ab4bc7e9457b62b4e00f9d68

SHA256
bfd1323efc15272f293bee11bca29d16f6214fa5ab71cf2470b6c556e11cbab9

SHA512
2d8c2007553cf06a2d856ac97702578ca650a469df5a59ccee90429b86536aea70f3e835b46d77e5092933d20d3e10b31b55fbb8798cffd9511a31cbcc90ee56

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
96KB

MD5
79094190b02aa19b73edb6186f5aa8d9

SHA1
a6c97e0dc46d6e6c8b5c0b3d8de1ad584a99776a

SHA256
47b6c86cde04c9465e8d4aae66d6d258d7eb689b149aa6a204deecbaffeeeb2f

SHA512
0f5f62e99607f571ad6502283b159f1686daa5e302bef4470f8fc92fdba6b147e3569eec922468f85a0b0a19aae57a2752577c08b79f4b40fb04ff740975fcbd

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
96KB

MD5
ea04a1204e5194229730ee4b5b312943

SHA1
387bc1443fb7bce0dbffb1ac7cde8f3c6f1e2c3b

SHA256
2e73b6d6b6eca50d10f46221f1b675e5fcbb0fadba0e210f7644a232fbc62720

SHA512
ce021217d91cb47e65f85b23eb5d1345bd463658bcc3b98153b2166f634d579bdb1f813cd4cd099664f13a22327db184be840314380b2fde411a4ed8160824f7

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
96KB

MD5
e53267f3c2c9a406dbc77429dd077e4b

SHA1
f2217a35ebb14ec57f0c782d5368097868f8229d

SHA256
5faec84cbe02316af21b7ecc5a0fba2d3b579f7b2f45bd34863ea1da86194c68

SHA512
58ea4aa1876d07f57a3a4bdd35e39af9efc6ecf333a6ff172884c0c5cdfb59d0742c2fbb80dc24389c8a8679a191726fe65add856f5e6c422a820c1332d44bd0

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
96KB

MD5
9141f316f1e620f2c17d218d02ff0513

SHA1
4427381b36d6bcfc76890f1635a13286a5a0708c

SHA256
aa4db934497b2b1b6ee7fa1e938391a3bbed2305bf46fa058937113460726c44

SHA512
b17a61d2a86143b72293b82ada10c0030b918d02cb130e5ab6c99f50f329b355cc329ee72625cdba7b026f3508150619d06e28a22f37a0ca812d878a0996ebc1

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
96KB

MD5
d166e76eb32f576eed1efbbf0cff0399

SHA1
a8c7b1d652972c443a4c81e26bc1ac6018c3cbc0

SHA256
a4f79ff00aae9f93df7a87f4ad589fc503472ca0abe353b3c27f805e4a54a682

SHA512
5ba7fd7ef4089bb99b6a23d4064af00278fce184fa5e7eb2f3634958cdf31d742e5a4d49a9ce70dfae1578e4a7650448e53e6b9ffdf07b176bd5527d2364b9f8

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
96KB

MD5
2f55bd4f6a75ef0ea05ee133253ebce7

SHA1
1c9fea063e7be533207a3722529acb5669e272e0

SHA256
6fdd5a95a174bdf9c17b35bb44d575085c0673059bd0d619eba9d89c22375102

SHA512
b6c54cd76c38b346c4a01b5434713306d092d808bcf83e0b47387679a5d3065d01cdc07f7aba758dc6e809e1d964dc021666f47d61e7306b5c8c1cffb926dff0

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
96KB

MD5
eb973691842eacd12808b20b327d62cb

SHA1
bb5f66c87c0cc273960ade9f5a549f521c04c556

SHA256
b5dcdd49ce43de81dbb7a3c8e28a72548cd3ad43421a1435e5844cc57ee9abb2

SHA512
42c211abcbca50868c89913617dea93291ab63583d6e7a141c1f6a50e30fc5d091185a21362c02e3ab87afc534b23e73cf5f05d7d9a6cc86a12aef97df86ba11

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
96KB

MD5
3261915734247c8f22d7a2112c829654

SHA1
d19ef727f7e1ac51a032926c376c1e72205e6cb7

SHA256
688f03ae024d679c997732c6a0abba6b163d64cbdef2516a489375c7e03857ac

SHA512
544264e28f9d576067aa63471ff6b862b8b2ce8b389af27896a579ed93d215f1b239085084f87c93830f2d250b2b3493bd6ceb1eaa8c967599570441ba9d9634

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
96KB

MD5
5d90307ffe1ebc503f083909df46a704

SHA1
df72b52e1f0b2e16965e01096c389e8b7c1ff983

SHA256
3a95a14b442d2a0146c1213e24de27d4072da6c3759fbb2f009045360b4ec008

SHA512
176043615ccab9d81c146b4beafddac659f94e01a7d45b2cbbfcf1f540a86e15de9125239518523807113c7b0aab5e52a2d5569367ae047314422425afb314c8

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
96KB

MD5
8f0f484c4839ab2cfabe4fe70f5de287

SHA1
8bdb4cbceadd21e17aee6709646e6e30ab2f31ae

SHA256
0a74143a959b0b95aee19095937eed4359b23cec2e27616875e56d672eac783c

SHA512
b931a0dfc312aeff53e2628290b4cbbb1197180c17a89658b43cffff6d92d69d75ef200c291923f86c1f1aba83207afc818616fab0abd19bf01092fdd8eb8b0b

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
96KB

MD5
ff2496d755ab041b2979def272a307d8

SHA1
b463e88f5d42df81c63e44a6283a265cbc6ff0ed

SHA256
447d2183f4cb3fc2806cc2d632d2e14b23fceaeb0a9f0caba2196c0c3a0cb39b

SHA512
8239c83ddf8a8879c03d32249be42ede51d4c0ed67a78ab7d965d99f780c6aa8efd47f3f6af2fb510ace08d0d5e1f71af76e43f1f1af0a4939d6acd366758ecc

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
96KB

MD5
25a67c008e3dc52e693e266b16e04e41

SHA1
ba68581fa951fce03b7e8b1373d893786aad1fca

SHA256
0944eb8fe40090deb16e64cb287c929a05e51ef79136c7f3145945778a3182ad

SHA512
f906a2e5e9e06499777edb8c4fed70fe7df9910a56820a92557058a939f654c6c6e4acd535fa22ee74defbd4b3554ba5d1124e1625fb405822b59a244f8f49c1

Download Submit
C:\Windows\SysWOW64\Lbdfmi32.dll

Filesize
7KB

MD5
edba1b94e59cb1642d90dd0f058171fd

SHA1
4fe530251b665d332d8858f181c0ded7a6cdbcc8

SHA256
1be3bfb326afcb45642e99c9109bfa08f24cb08c009fa88deab6e899af555474

SHA512
12864f3740ab455e86c87b59d712d81da10e0232168073640f07b7b424a5b393c8da87b35677b79682f8f7bd1279a421cbbbab0a4cd815cf539223a9e16cf1cc

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
96KB

MD5
f249da6b487fc3b56cd343a1e8ed181c

SHA1
005de587045e01a73189713fe443b34d743fdd8e

SHA256
9c2690d5f4aebccdca0d6e9d65d472aa5ab56852b0ff3c4aa8853fbf41302047

SHA512
18a97345af29e74f102e161e04675e9f3203314185a7e0690d5487f5502cca8912bcf6685328cf85dac658e465dbb2a7efb1072522b311257c9787bd3b89f63a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
96KB

MD5
58930420e87aceda79c5453299df004a

SHA1
1e568809cfdaf39ba5eec5bee0f44a3881a6743a

SHA256
bbf181752bd41dded3dd5d1dd61323031773239b8fe551dd1197dbd719ad6eb9

SHA512
2cbc170170857e44417f6ea66c7465ce42db2bcbeb70c937c5df4b73f77474979cf40ce0bfa2ca6c35b953fd6cef71093c1ab37f4e63e6b04503d38119a43c6e

Download Submit
memory/8-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/376-478-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/396-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/396-548-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/752-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/860-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/912-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/988-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1040-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1080-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1136-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1136-563-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1196-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1248-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1472-536-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1572-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1752-555-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1756-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1852-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1984-490-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2008-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2136-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-35-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2180-570-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2220-576-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2264-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2564-176-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-524-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2704-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-596-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2992-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3048-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-538-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3104-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3204-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3216-519-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3292-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3484-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3524-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-597-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-472-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3628-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3772-584-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3772-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3784-598-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3912-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3984-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4132-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4184-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-568-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4384-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4540-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-578-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4592-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4644-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4688-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-500-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-488-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-577-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-76-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-549-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4988-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-562-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-400-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5100-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5172-608-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads