9c948a694be4b69b695a7fa3ae321880b38138a636784421e0a69f98e7288193

Analysis

max time kernel
141s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 01:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c948a694be4b69b695a7fa3ae321880b38138a636784421e0a69f98e7288193.exe
Size

464KB
MD5

5db6c62d29d35af46fdd85eec4279876
SHA1

64d0569953a102cc534919f57ca2d55a28fb5a08
SHA256

9c948a694be4b69b695a7fa3ae321880b38138a636784421e0a69f98e7288193
SHA512

07a3367c7867de87ff2b68351dab5534829b81010e5dc087c5269abbedf96021a031874f0db2e0e4be54aea15a8c36b974ca74b926b10221e416af3eb55e4e16
SSDEEP

12288:ofYYjnah2kkkkK4kXkkkkkkkkl888888888888888888nusG:eTah2kkkkK4kXkkkkkkkkK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elhmablc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe

Executes dropped EXE 64 IoCs

pid	Process
1864	Daifnk32.exe
3584	Domfgpca.exe
1012	Dakbckbe.exe
3372	Efikji32.exe
4356	Eoapbo32.exe
3864	Eflhoigi.exe
2760	Ehjdldfl.exe
1708	Elhmablc.exe
2916	Eofinnkf.exe
3644	Ejlmkgkl.exe
3988	Fjnjqfij.exe
3416	Fokbim32.exe
1424	Fjqgff32.exe
1412	Fqkocpod.exe
3428	Fbllkh32.exe
2968	Fjcclf32.exe
3600	Fmapha32.exe
4924	Fckhdk32.exe
3060	Fbnhphbp.exe
4484	Fjepaecb.exe
4688	Fihqmb32.exe
1876	Fqohnp32.exe
1700	Fobiilai.exe
4820	Fcnejk32.exe
5116	Fbqefhpm.exe
4376	Fjhmgeao.exe
2316	Fijmbb32.exe
1484	Fmficqpc.exe
3452	Fqaeco32.exe
740	Gcpapkgp.exe
4428	Gbcakg32.exe
4280	Gfnnlffc.exe
4064	Gjjjle32.exe
1252	Gimjhafg.exe
956	Gmhfhp32.exe
3028	Gqdbiofi.exe
1784	Gcbnejem.exe
3516	Gbenqg32.exe
2212	Gfqjafdq.exe
4392	Gjlfbd32.exe
4452	Gmkbnp32.exe
2936	Gqfooodg.exe
4760	Goiojk32.exe
5088	Gbgkfg32.exe
2044	Gfcgge32.exe
4844	Gjocgdkg.exe
948	Gmmocpjk.exe
2532	Gqikdn32.exe
4620	Gpklpkio.exe
3916	Gbjhlfhb.exe
3088	Gfedle32.exe
3148	Gjapmdid.exe
3936	Gmoliohh.exe
4408	Gqkhjn32.exe
2976	Gpnhekgl.exe
1492	Gfhqbe32.exe
4400	Gjclbc32.exe
4624	Gifmnpnl.exe
440	Gameonno.exe
3984	Gppekj32.exe
4504	Hclakimb.exe
2204	Hboagf32.exe
2736	Hjfihc32.exe
2216	Hihicplj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Eoapbo32.exe	Efikji32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ggmlbfpm.dll	Domfgpca.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Fqkocpod.exe	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7132	7040	WerFault.exe	251

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaid32.dll"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efikji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9c948a694be4b69b695a7fa3ae321880b38138a636784421e0a69f98e7288193.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1864	2264	9c948a694be4b69b695a7fa3ae321880b38138a636784421e0a69f98e7288193.exe	83
PID 2264 wrote to memory of 1864	2264	9c948a694be4b69b695a7fa3ae321880b38138a636784421e0a69f98e7288193.exe	83
PID 2264 wrote to memory of 1864	2264	9c948a694be4b69b695a7fa3ae321880b38138a636784421e0a69f98e7288193.exe	83
PID 1864 wrote to memory of 3584	1864	Daifnk32.exe	84
PID 1864 wrote to memory of 3584	1864	Daifnk32.exe	84
PID 1864 wrote to memory of 3584	1864	Daifnk32.exe	84
PID 3584 wrote to memory of 1012	3584	Domfgpca.exe	85
PID 3584 wrote to memory of 1012	3584	Domfgpca.exe	85
PID 3584 wrote to memory of 1012	3584	Domfgpca.exe	85
PID 1012 wrote to memory of 3372	1012	Dakbckbe.exe	86
PID 1012 wrote to memory of 3372	1012	Dakbckbe.exe	86
PID 1012 wrote to memory of 3372	1012	Dakbckbe.exe	86
PID 3372 wrote to memory of 4356	3372	Efikji32.exe	87
PID 3372 wrote to memory of 4356	3372	Efikji32.exe	87
PID 3372 wrote to memory of 4356	3372	Efikji32.exe	87
PID 4356 wrote to memory of 3864	4356	Eoapbo32.exe	88
PID 4356 wrote to memory of 3864	4356	Eoapbo32.exe	88
PID 4356 wrote to memory of 3864	4356	Eoapbo32.exe	88
PID 3864 wrote to memory of 2760	3864	Eflhoigi.exe	89
PID 3864 wrote to memory of 2760	3864	Eflhoigi.exe	89
PID 3864 wrote to memory of 2760	3864	Eflhoigi.exe	89
PID 2760 wrote to memory of 1708	2760	Ehjdldfl.exe	90
PID 2760 wrote to memory of 1708	2760	Ehjdldfl.exe	90
PID 2760 wrote to memory of 1708	2760	Ehjdldfl.exe	90
PID 1708 wrote to memory of 2916	1708	Elhmablc.exe	92
PID 1708 wrote to memory of 2916	1708	Elhmablc.exe	92
PID 1708 wrote to memory of 2916	1708	Elhmablc.exe	92
PID 2916 wrote to memory of 3644	2916	Eofinnkf.exe	93
PID 2916 wrote to memory of 3644	2916	Eofinnkf.exe	93
PID 2916 wrote to memory of 3644	2916	Eofinnkf.exe	93
PID 3644 wrote to memory of 3988	3644	Ejlmkgkl.exe	94
PID 3644 wrote to memory of 3988	3644	Ejlmkgkl.exe	94
PID 3644 wrote to memory of 3988	3644	Ejlmkgkl.exe	94
PID 3988 wrote to memory of 3416	3988	Fjnjqfij.exe	95
PID 3988 wrote to memory of 3416	3988	Fjnjqfij.exe	95
PID 3988 wrote to memory of 3416	3988	Fjnjqfij.exe	95
PID 3416 wrote to memory of 1424	3416	Fokbim32.exe	97
PID 3416 wrote to memory of 1424	3416	Fokbim32.exe	97
PID 3416 wrote to memory of 1424	3416	Fokbim32.exe	97
PID 1424 wrote to memory of 1412	1424	Fjqgff32.exe	98
PID 1424 wrote to memory of 1412	1424	Fjqgff32.exe	98
PID 1424 wrote to memory of 1412	1424	Fjqgff32.exe	98
PID 1412 wrote to memory of 3428	1412	Fqkocpod.exe	99
PID 1412 wrote to memory of 3428	1412	Fqkocpod.exe	99
PID 1412 wrote to memory of 3428	1412	Fqkocpod.exe	99
PID 3428 wrote to memory of 2968	3428	Fbllkh32.exe	100
PID 3428 wrote to memory of 2968	3428	Fbllkh32.exe	100
PID 3428 wrote to memory of 2968	3428	Fbllkh32.exe	100
PID 2968 wrote to memory of 3600	2968	Fjcclf32.exe	101
PID 2968 wrote to memory of 3600	2968	Fjcclf32.exe	101
PID 2968 wrote to memory of 3600	2968	Fjcclf32.exe	101
PID 3600 wrote to memory of 4924	3600	Fmapha32.exe	102
PID 3600 wrote to memory of 4924	3600	Fmapha32.exe	102
PID 3600 wrote to memory of 4924	3600	Fmapha32.exe	102
PID 4924 wrote to memory of 3060	4924	Fckhdk32.exe	103
PID 4924 wrote to memory of 3060	4924	Fckhdk32.exe	103
PID 4924 wrote to memory of 3060	4924	Fckhdk32.exe	103
PID 3060 wrote to memory of 4484	3060	Fbnhphbp.exe	104
PID 3060 wrote to memory of 4484	3060	Fbnhphbp.exe	104
PID 3060 wrote to memory of 4484	3060	Fbnhphbp.exe	104
PID 4484 wrote to memory of 4688	4484	Fjepaecb.exe	105
PID 4484 wrote to memory of 4688	4484	Fjepaecb.exe	105
PID 4484 wrote to memory of 4688	4484	Fjepaecb.exe	105
PID 4688 wrote to memory of 1876	4688	Fihqmb32.exe	106

C:\Users\Admin\AppData\Local\Temp\9c948a694be4b69b695a7fa3ae321880b38138a636784421e0a69f98e7288193.exe
"C:\Users\Admin\AppData\Local\Temp\9c948a694be4b69b695a7fa3ae321880b38138a636784421e0a69f98e7288193.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\Daifnk32.exe
  C:\Windows\system32\Daifnk32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\Domfgpca.exe
    C:\Windows\system32\Domfgpca.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\SysWOW64\Dakbckbe.exe
      C:\Windows\system32\Dakbckbe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
      - C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        24⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        27⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        33⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        35⤵
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        36⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        44⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        49⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        55⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        56⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        57⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        59⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        61⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        67⤵
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        68⤵
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        69⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        71⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        73⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        74⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2720
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1476
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        80⤵
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        82⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        84⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        85⤵
        
        PID:780
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        86⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:896
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        88⤵
        Drops file in System32 directory
        
        PID:4412
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        89⤵
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        90⤵
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        92⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        93⤵
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        94⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        95⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        96⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        98⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        100⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        101⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        104⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        107⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        108⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        109⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        111⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        112⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        114⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        115⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        116⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        120⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        121⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        122⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        125⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        128⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        129⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        130⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        133⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        134⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        135⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        136⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        138⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        142⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        144⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        145⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        146⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        151⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        155⤵
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        157⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        158⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        159⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        160⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6996
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        163⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 212
        164⤵
        Program crash
        
        PID:7132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7040 -ip 7040
1⤵
PID:7108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
464KB

MD5
fce891f56f71bc09d58dcf890ab1a9d4

SHA1
c888d2161ebcb6165f63c72bd082553e9f600538

SHA256
d14a10513bd509e19cfb85e6c1e34ed1488377a38fac7b24fb45582910b5bc4f

SHA512
81a506f6a0f333d7662e8a5d74bc4d2b92ff86040e0ea43c86bd116ff8ba66b925b5f1d03de18692485a1d4ab15e945b50a8e13813834c945d76de209741bf8e

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
464KB

MD5
6b4f9f6c954cfd0fa8427b7ba44031ee

SHA1
cca98c86c2f1ebaa0fca55f89552fa4f634cc6de

SHA256
4ca19fe5fc1fc6f6c9d9c1875d6563caab9890c1b869df682feee0e902a007bd

SHA512
d2787f00de2cca032bfe0db66150ec698607b725c77ae178b4d50accde688eca26ce975d2ddeaa0dd9a35730e8a53325137a139b47b7377f59d265a497bb4de9

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
464KB

MD5
ad05b929e70cbe96ae91287efc2cf632

SHA1
454db8fe717f3573a27d7fe83875cddf7808185c

SHA256
7556468a460e079a834d2e83decc532f40d854faae6457d46df54617e8d91b53

SHA512
ab2fd67c0f8d01eadfa84cdef6ffa841d7b6732b4ffe587cc569794e08d461d16dd1e7b795662eb3db2f0a968e7bbf5154774b8efdbddf8a315622432a256d8a

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
464KB

MD5
b809b61d50ee84d7592af4269926baec

SHA1
bb6fcb4349b3632bc8ed13fd532179b5b3b5811b

SHA256
87176a966255aee8ea10f458d465acdf6f815bb1c99efedc1a82159faff2b066

SHA512
02995139aca1ed7ed15890f26f71bc66a0b74da5f3db4dfff3670d056edcad0b78e9151b36d92f5d14a863533c946d69344edc930fe4eceada768443b047ed77

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
464KB

MD5
9ce7778c77ad8ea16e3af93e9322a09c

SHA1
6f09b6a54dc08f045811c687cc789603d72846b5

SHA256
dd4d79d2c9b43c5408ad2ba495b69697278bfc2464a1c82380c2506708b43d35

SHA512
89f138f347f12b8c66b3b726cd378ce51108a4b3c2d9c5b0450ab9a1b41a6c70a25ca6d66ad784e92358181741dc9fe9c91bc6a6dedac86cd4265a19899899f9

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
464KB

MD5
6db191370f873bb5b8a1e92c14bd8223

SHA1
213d34be6333c5547af58052179de978ce084157

SHA256
bd5455793ed1a5cb8c4e348c6e56c89852dc096506f850a70d34b93aa1f23c55

SHA512
39e60eaea49620474fa289773e98187fdfed486765a713c260e866d54b58d4e2bf88e36bf2619813ee1ddd015d83d8d163981ff2424abc3ee65addf33d3f2314

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
464KB

MD5
4eb8a6d1b4d687bb6a7e8c780bbda9c2

SHA1
c8a2fb83dace2c1cd2362cd9a6616951774066c8

SHA256
be442ae68e90f34368c30ec0c9447cf495ee39db4fffdd05e1da498bbbae9688

SHA512
5959e698b2c1434f50a09d21a7071f02dc281426b0e1f2152312b3a66a3fdb7e956111a1bc5bfaa82c41c7bde008de5a63029012ee6fbb46459e95e89aa417ce

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
464KB

MD5
c7469ee589fa3a0dc580a305dc471a57

SHA1
1ff87ce27785d621c83c29f403e217eb1eaab394

SHA256
7b9b2e80df9b4150402d7c0748d09e9971023d94b6b29608df7a2019934fb582

SHA512
12fe1b5a044cf6661113e0dcf4d5b68dc16970d710e444e78b7ee7f05f839f8a1d4ec23b8edf81c56a656e3de88c8cb7b3b546ea1e564729c7f2805b28b0ff33

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
464KB

MD5
904c847a3f60469d0f2c2d65236db606

SHA1
fefeb321011344cb892352c0b0be08e7685109e8

SHA256
3f3de2afb04d9fd2e155a298b795fa1e923db626f81a8becb3351455eb1d5b86

SHA512
110643b07b11a700a3ebc27eaa1114adee87b13314ac419fda785567a30d3f373c1aeaff66371880489afbd29a5c5b769fc1933cf95ab03bb8d8bb7b992c6943

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
464KB

MD5
efc7db84703568ef057fb1cd10e9897c

SHA1
1c8eb4abca045807385c8da8d9b6692223ece019

SHA256
91f99e07eac5bcd17d68a851904a6271af5c0320509425adc1753e2bf03630a6

SHA512
782c57dfdf601605a7920b1f57581f3eccc8b363e9960e94d941c6033daf0b22a65b970a58822a5f34acee355fb5d2f2071f3cbe9184cf18d7f7e18610096e84

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
464KB

MD5
fb3fe3dd459172f0b0f7c7f3d3c292e6

SHA1
a311d6a734e845b38f3c38c28d085be315edd01b

SHA256
3bcc801c914f7f18a28712082e2b64b1ea29684305fe0a560db273e412c9d005

SHA512
9917c0d93e33546afd7a6ba5cefb55822e7523cfd64d86d39d3d21aaf3c6b7f9c0cddad4f7717e533aaba70f5b3c39b8a57af8458b967cc49a9609ced3ab0476

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
464KB

MD5
31a9de785e784e9622451c72f1757191

SHA1
dea199831e739ee2820955b537c2796f041ee1a9

SHA256
755d62ac112daec12ef10910e6467f93b19c2012b751f49ad1e06f3ec4468355

SHA512
9f4498abc4f9e0e2263252dab4c7866113ba2e68326f3b4d785701880de7461f78b29bf683199fde1a67e973dc0bf9784fedb6a11c783f86afff9ba74c22dcff

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
464KB

MD5
85b71e6ca1afb0d09f93057f77a3f0a8

SHA1
422600828936c811d420b0137463ecd6e37e8598

SHA256
43dc560f97176de98822afdde9b87630445d9d953b5e68e0e3ba66a3c61d57cb

SHA512
06e318ac29a9b8cf841c06fcd4a38295e1289ac45e94c4ada952dab29d875d0ae7d28e505142b437e2ffdc175bc8842198ac53a686b9776407a99bd0bcbf84af

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
464KB

MD5
fb1a19bd9a80d64babb2f520ea2bae2d

SHA1
3cc0c9348cdaca6769f7581185e9e0908eead616

SHA256
b249a86e00223f7049c9af34b60a8e96a948a31ac82df9800d0c9786887c5dfd

SHA512
a3c2f1431177c542553ddf953acd957e085b3f5862b626879e1f7fd79c9d1d791ad0fd719fb8ed10a7d045718b0c8fe728a652583acd2cadbc4a4497b918d87c

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
464KB

MD5
6c3bd09ded0a9bddc69cf0c57ecd941f

SHA1
b5cbaeda32b6e881128ec8f13b174dd9d7eaa540

SHA256
33ad5e995953ba5212de1dae7be07c7afd38c307834003758b266535ec9ccef6

SHA512
7bbc86ed29cdb1b6abe2f30a50c989d074b51a3b5f825feaa2baa911846542e184430cf7ec829ee7231f677fa9327275e88bb339346fde23efab267bb4662992

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
464KB

MD5
e7557525aa603724a837e4f4bcad4533

SHA1
f01c399668fe5446295b675480abacf155ec71e8

SHA256
cafcea7a601ff5afbdb715756899c61f679ae39973c8925e92dc868eef169618

SHA512
00cab3a62dc99fa18570d83d9b7b037790dc1d1fcbcbd3aa45fd870770d001d4ac2644a09058217351cf5fce99f42610eece41a64b8117b9cab2546520188a6a

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
464KB

MD5
89ac4b64c76c36d308774fc9616b77d6

SHA1
a9e1e3d09368608591b00323da4f8dfd8c73f222

SHA256
ce55dadf8d17db0a1174392beb9f54a4216d9c775297f16d90595e6c88d9ec08

SHA512
cc598c1dde1fd1ae7e4f9ac447e802eaea79ab80a5eff2a568caf94708ea10b8af59e573a52bcdd231fbd2a4da64ff89502d0dead4ee6210395f227a15346598

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
464KB

MD5
5deb714ae9be4f801c3ed2ab491aa5fe

SHA1
c93cd039ce5cb0ac0ecff18678e03557e94c85b8

SHA256
6b97e59de49e331830dc591e06ea5727afff42143ae0df83bbacd3b8dc7d6e28

SHA512
3890567dca072fb5b8384d61f92271ed95a66edd26f780bcca25d17ef05a52b1dcc6a96f20bf71d53f1d69bfd68285912bcb67d7d68b3b0393a60c4d5d453272

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
464KB

MD5
51a5974a260c470603ff826b48c15d58

SHA1
6461425913398364464ef8b1f7b20bbb79fec04a

SHA256
53f00d5fe2d8c7b7ba1ce26df0ee7acae4ac3dbaee9f9ca5decd7be134b0aca3

SHA512
48b8a251118b1cc7e61f51d94862b749c8fd1293ff6006dc953202851a67cab723d0b2e6a95fea682a4055b77e68c45e03032197406d78f348959b9a2a6046be

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
464KB

MD5
b44e71750237a46decc1604fe2f1908b

SHA1
f7122f4cae8daa95458f71632246f3cf1d1fd95e

SHA256
d990f37b858691faf9e27df3d209e55cdcaef703776129d5d9844b8535ad186d

SHA512
196333c06ab7d90bfa7a17d10a23f4e8f843084f2dddbc1a097c6db1434fad321ba627f601f5141a9ea9b659f1ceac7a4f0513d219966ed6613a1fc719420c3d

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
464KB

MD5
5ec66bb24d94c7b449d73802e6fdbdbc

SHA1
99a54ec37a5926995daf7f69bb27083ab73e103d

SHA256
4adff7dab7acef7f0d38fd40602745977038e4fff551e46b8002a6b19f0e28a6

SHA512
eafdb2af223ca01a2430ee13becc6cef025414c43ed5ca06609d93e20f0496a01cb8cee483144654b20cd3d0efec3facd23e968ece05b0a3ddb388814a776b29

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
464KB

MD5
22fa809094eda9fecd61029432ee6e8d

SHA1
8f3e8fcf6ec3b057be484e9a60ac3c1affe19f31

SHA256
835086db48c7599746914a8cd3fc2fc26d6bbaa578971fa6733750e82c326506

SHA512
9c4e1ef14c27a0fbc412dc4ae484a35a3a668d1b54f78c745b57911e65b07b2a4288b04ec7dcd2b6aa2700812abde49db1677a6667dd497b0d65bc534a78a7e4

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
464KB

MD5
8e58381fb0449f2e25a58685dddc064d

SHA1
4dba0dd16bf6d3f76516d526b77d9461714b363c

SHA256
91d23501d30746b8c45568f65647e8ac2f2ba92e01c6b1be97e0bfe4f8727239

SHA512
669808f0e1df1df07d4de63caf3c270298b265da2589cb7c142c3d59d229d2914ef4a07a988a4001a43f791632221575007d4c584a4eed4767ebea32a05f513e

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
464KB

MD5
676cbb87f71672f8e184f5b205d5ba22

SHA1
235bd0c03a47f08e85a769908a022afbd3fd6dd2

SHA256
24b93f60360009a700c146f7f0434927597bceb5f6e575dba5d6087893ab7d7d

SHA512
acc222748efba2e6cffd897547d9f6fad8ff4ed8e9656cc962eb694a963b7e7a35e3c2e2e0d958e844cf2b3c1b767ed7982cdf6e0e72af55abeb58e521c32ae8

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
464KB

MD5
ff2375cd284b87a3f9cf44c784f904ff

SHA1
a8b29642d0e62ba7c9dd2dab51c7dc40b9c832b3

SHA256
30c45dfe99e095fc5f1951036eecb2132f4e92178acc77f070023ccb8496cea4

SHA512
a77922199643434e70ffbba975ae1b2be91f339299ef085ce2cc084bc1376ab30e74b08de06bde5864f0e2b637818e679344e0a13e69c8728c2157f85344f9f4

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
464KB

MD5
60f4131083d22a153d6d49a01b94af52

SHA1
108809edae1ead1092f3c3679e8ebabe00b04537

SHA256
8d0241ab395cf27d2d6433e5e0c4144bfe4f2f7fe236310b791b603fcdbdc050

SHA512
ded49dc673c0b8bc5399412b52d03953ecb2a7b262f13e06791dc9418f0a93bbf5fd2153a5f74546c68baddf88627f2cdf3acc563557034fe8804f6273d9149b

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
464KB

MD5
e1c172b100c3bd3cc4a311f60c055782

SHA1
c96341b9ee1ca16fe683294dc6984e984e2e674f

SHA256
0e55fe0077b7eed13c5aca1ccf33de87e446241571743c4d9ee80867560b1c34

SHA512
ccf17939d162344e44dea5030398f3e205373a83aa9f02212ed9c780d9c214171a142fa307d9706d3b34c1dc91f7e196bd42880af5880626615e20e686be5c7d

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
464KB

MD5
c5cb41ced100b163c456ee2fb55a1105

SHA1
f60b1f85c0631035e5dafa23f2202f1d53df7f96

SHA256
f813096fa6cfc252ea30f292d1713c1e7d9c19af9abbfb6c58ce3e4c7e433a40

SHA512
a77b290793aa1c382a86538ff683c213fd232dd88550f5b5c9de742e125421b01f065e4eb4beb0a297f83f47c81bb7c45e96627cfcefb2d6aead049cd4af4708

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
464KB

MD5
bb5d5b5f93003b2de35f437aff7280f4

SHA1
524382b095bd7d9c5ed512a3e7b22ee7638f4c78

SHA256
82a00ec6e133703442a6edeade552610491a5d1ba3539f52138af6c4917cf94d

SHA512
c38365089ccd664a69845a699dea9186922a572df28de49deb7acb92ac35b8427f4b3ee96fd59b6ba13dcdd55bdf0bca1a34f87173db02bbe61e0b4b0107446a

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
464KB

MD5
937a82c623831be021aeb0745f929d38

SHA1
d642ff5ae65af0dc3648c6e3c53649748785b11c

SHA256
9506efc714efa2ce4bd910ac7ab22063cb1cfeeeac244206cd91d838130d556c

SHA512
ae95ec69e745977609615dc37dbdc9719944b2f5db187c1fbd65f343d696f3abce48632e9e0822f39f48dc6dfb9e8acdd9f9efa6b231b7a6a1aeee670978a374

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
464KB

MD5
d7c65ebe65d79bd9cae03c43be2e30a9

SHA1
19c24378e94cee3915d98120760c3ae17d4265e5

SHA256
80678b8c344a5a224e602cdc1c543ee732b7fec030d8da33ecf4fa93322a25a5

SHA512
f1285696eaea631237fd5be6dc6ae4ebe6293c60a2b5b7ca03fc1686bad49efb49ea4a4b9c6b3ece80615e253ae5f9ba7769462a9f35bf95ad76bc81164a937c

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
464KB

MD5
87c21ea7c036bca4c7e0abdb7bde440d

SHA1
e3427a284bdc8a1609ca1760d7c37d60b20217a6

SHA256
52a4c243e5acbe7ca1f6ddc254909ddbb79c0d83c5d3d3cbc1743d246d85fce4

SHA512
da80feb6da6476f774abce10376ebc4647d498f884f87ec26f4ae5928f66d5ec9bda967c9fa8e4492c74c955599ef98c4c568e7b30c3d6835a0028a544bde8b6

Download Submit
C:\Windows\SysWOW64\Iedonm32.dll

Filesize
7KB

MD5
81bf16019a37be01aa4a14990d8f61b0

SHA1
e91017c71d5a12029cc4f79c02b689923f1c933b

SHA256
e1c70594f6a6fb27afea2443aa9e6fed06734dee4fe1d016a950f770139b1ae4

SHA512
ce804cceba0c603a897a068a18073d8675a77c1c6ddfbc5907d67242d287a4ae93f7c1ffc4e7d052d64fd05e9001a65bd145dafd15390ee09cad2e1b2f013fce

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
464KB

MD5
2a7fd6f9e7880fbdbdda26265dd5ff2f

SHA1
33c3f7ee3d92c10b3abfb8bf4c4feb237eed2bce

SHA256
bd87c742c1b3486e636426558b133fdce8eccedd2dda134c0ca4a4fc4e284fe4

SHA512
cbf2afa78be1ab1912797d7fd89287b1d79d82a54174963f25b439878639d6f8a363cc4e3c379386ed4b5b81d10f6d8ca0e5b431a9f43ee8732806fbd09f0367

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
464KB

MD5
566ab09b30f799acbbf2f9bb92b0f1fb

SHA1
7a25a2433d391832476a21eb7573a64cd98adb3e

SHA256
1490c0d58c4d5be7a41d22e17629be847e7cf485130ac5be00efc7e54cf7b19d

SHA512
2ac7c11e38e99dafaa736f4a4b902a41acf0ee69d6b971103341e916e7f0f3adda2290a868912a20abb3143f16df2e834014361d68aa7b5b37b8f4dff42f5d42

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
464KB

MD5
5bec570911e0993b560b610d555f9981

SHA1
db7a9482bdfead097ce4cd897b6cdcecba018e0a

SHA256
88730bf9231d4df74f9d96de2e912d078839acc46dcd208d579b70319f5a49e9

SHA512
7a5b11cf55963aa75fdea3ae411e63aedea81224d93c56359fa347d789a15336203522c4a0593c036dde1e598e2945177fd4aea5ece407e6bbf1d742ae47b363

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
464KB

MD5
7f766a3e0b4f00d9c5a9fbd328f0aa00

SHA1
8468525bb9abd1e2f8a7d48d7866ac0ce6b87b0f

SHA256
901c1d709d7fd662391d4f3aae21154566c2fb1bce777cdb6646b2038b3c1fcc

SHA512
3b3f96b27b2ae0743b43620f010ae07bc1c407c11800f1cff0da1f41132071f065f95edad2aaf7459af04a622bfdbf61fa3b235418dbb3835529514a87ccf44f

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
464KB

MD5
a6a52e41b5832386bae4f3850ee00906

SHA1
70a4bce47d751aa8b7092a7f6dbfeea1a98bd8ff

SHA256
0e561c364bbd9a566ae56204c488772b2e2c858d283ba2eac52fa15e785ff9c3

SHA512
efae839e1f1ba4b754ca01075a7ea874adc966a24792b79af98d33c9838b97cfccec0af1f01f6a147edaafdad6e2c86e3e21b43e4254ecfce6874cbf4afc9594

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
464KB

MD5
2911acddbc2156bbd1c84891267f5604

SHA1
c0c6c60c27cf292023b85819bf78d90a9cdc100c

SHA256
28153b8692c7e8f049a5dff0d0c96c58291af6243bb90fb00c91d21b2b4ed28d

SHA512
25cfa5c4094d7b829c21fd353a8cdf2e428fb233e0a0e94504993af01135d2b243fb28e5260b8a7a4cca04dea4d255d84edf6a83b4837a199118c1289f6d12e8

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
464KB

MD5
78ab63b01d03e82d035a43cd8d641413

SHA1
f718cf0f6c34a01d86011851ee99ff72902086ab

SHA256
33fb0355b363d57311d3653ebc5bb236f7487fde6f5e0514cc743c40c31fe5c4

SHA512
da00fd4e4059c4145fea6db5c41a6cc5858652078b1bcb71bb0f0f33b9010b35dba6b0672f838724be1f65f5ee1d9c48d0d712b979c8224595973dc69c573833

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
464KB

MD5
6e229cdb270ed18b5b1fb1c0f7571936

SHA1
ff676992f1c53fc5d36f4d521c0384d347bd9d60

SHA256
2a32d05cc5118d73bfa9db8b495472de4ec6ae08180daa7aa4c762b00771b5d4

SHA512
03ec8ee6d0c318e6d00f2794c3b3b9ae60d604c4d128b3183b121d8b4722f50cf887863865d4af89a6376d0325edd4944ecb679c78d0e4d44d886a1cecf47b4c

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
464KB

MD5
f2ff8532da0c41e8f382b790dc579b03

SHA1
8a598c8a3493a5b001686211b7735d44dad81b7e

SHA256
c6418de57fddb58665e68acd5f4281931e0920a3f76a92fb30d5a6cf17413a38

SHA512
0a6c4ff380a19f288ae7c0bfc45ef52b82bc376cea143dd468742cf40a85df21aa8c31d5b1c7cbfe1a44665251eb82dfab40c8b6f36ce8b8c528e2a5b08bda5f

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
464KB

MD5
6b75b00b32b6460def241ed0be1f31a2

SHA1
7b3021825c616855508c6af94345b69ccfc5104f

SHA256
bd679def1bc2775885e4f43a8488f154bb7a4a348a0a502f80563fe67e566b77

SHA512
33de7321fbac405ec0e09b4be20995a9daf5a64ec8877f3f059b3d16731ecdce2482b34c481d8e8d4429972f1e00c19e5bda9f4ba95caeff4e78bbe057f8d2c1

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
464KB

MD5
b590c3c5065958cb633be8eb5ccbadbe

SHA1
84c5f845debdc41620c0d311557915a2c59d66d5

SHA256
0858e48c1fbb6d6b25309c14ac12d30019eb20119b200ff78c618ed1f57d4005

SHA512
9bc0222ce360052234c37e74131a041c013cfa1327a94c10f7161b51108ef9c3e0a0adfaa8425d00f291fe951408ea701eb0f0a86fcfdf6d47936c98e76bdf7f

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
464KB

MD5
359048c9a04bb3eac531227a3f3e84c8

SHA1
d44029780286ce55f49901eed5557012544bb2eb

SHA256
4290f3980b4968523ec8e72cbb2d173c9e4737586f44c089e5e3699db501355d

SHA512
09ebec4b2d3693c17bdb92f8be887b9d3cf0030e05799021c0d97a45b777b0cabf7f7a68b9e054fd828c84ac1813e0e01221f5c73c947099001d3ee346467f81

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
464KB

MD5
567636724b8d65c0a59fa92d56bffa82

SHA1
ed7bfee42d14924ec655b89c3abc975dbe31b152

SHA256
40ee532df243097f59c9b63aabf9e019d49e6c74f05026be39948757a36790e5

SHA512
6ce18aba0999341e099076229d61813ea2cd0ce183ba94679aee309e8acec160dc7be14f7f9b78a9f096d867e0bf3c352ecaf875fba005aeea2d7929b0a971ed

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
464KB

MD5
5c5aae634788b6434b7c11c04e316c31

SHA1
7672304cf47f4a2180f0c1bdd0b302e242ae8a85

SHA256
726f572fc1f498072f32c02b1febf493952f5f1904658311d906686a2ecbd239

SHA512
912628d76a3b6365b26d87b0aa80270bd46d2d6a3543f2ac31b7695d6267b3b5b065ecebba587c46f53e0fcb57195cf70442de0a097069531f03669e7862764a

Download Submit
memory/440-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/624-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1012-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-592-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1252-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-517-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-513-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1424-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-611-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2212-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2900-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-123-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3644-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-620-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4620-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4624-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-477-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-622-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5160-628-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5204-634-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6092-1111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6996-1059-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads