bb9f86965fc3ca48b508820b237f2b461d3f8c59286d19564bfc2857a7c70069

Analysis

max time kernel
143s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb9f86965fc3ca48b508820b237f2b461d3f8c59286d19564bfc2857a7c70069.exe
Size

96KB
MD5

725680b47ffce901d3ff5193c3e45769
SHA1

39b9c2b22894bcb7ed106772d20048ac88bd3925
SHA256

bb9f86965fc3ca48b508820b237f2b461d3f8c59286d19564bfc2857a7c70069
SHA512

6dd541956496f04262e07428e6858bc8bbb5fa21269a63a2aa7752619370d542e89efbedc91d0279438d482185e483a0b6c00508948463756c471b7ba6476ab8
SSDEEP

1536:S5VkiDm7k2FhUZr5fHCb1b5UwEYPffloBvH7qY1JduV9jojTIvjrH:l7HefIfsgfOZJd69jc0vf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe

Executes dropped EXE 64 IoCs

pid	Process
1768	Fqhbmqqg.exe
2292	Ffekegon.exe
4992	Ficgacna.exe
4600	Fcikolnh.exe
1020	Ffggkgmk.exe
4888	Fmapha32.exe
1916	Fopldmcl.exe
1156	Fbnhphbp.exe
1092	Fjepaecb.exe
3976	Fqohnp32.exe
2316	Fcnejk32.exe
3900	Fijmbb32.exe
3196	Fqaeco32.exe
2972	Gcpapkgp.exe
4352	Gjjjle32.exe
1528	Gmhfhp32.exe
2284	Gbenqg32.exe
4920	Giofnacd.exe
1260	Goiojk32.exe
708	Gbgkfg32.exe
3460	Giacca32.exe
896	Gqikdn32.exe
1740	Gbjhlfhb.exe
2988	Gqkhjn32.exe
900	Gbldaffp.exe
1980	Gjclbc32.exe
1616	Gmaioo32.exe
5008	Hclakimb.exe
3432	Hjfihc32.exe
4460	Hapaemll.exe
4924	Hfljmdjc.exe
404	Hikfip32.exe
1124	Habnjm32.exe
3556	Hcqjfh32.exe
216	Hjjbcbqj.exe
3456	Himcoo32.exe
3492	Hadkpm32.exe
2668	Hccglh32.exe
2456	Hbeghene.exe
1320	Hjmoibog.exe
3712	Hmklen32.exe
3244	Hpihai32.exe
4128	Hfcpncdk.exe
3048	Hjolnb32.exe
4668	Hmmhjm32.exe
2208	Ipldfi32.exe
3500	Icgqggce.exe
1628	Ijaida32.exe
2124	Iakaql32.exe
2260	Icjmmg32.exe
4300	Iiffen32.exe
556	Iannfk32.exe
3028	Ibojncfj.exe
1648	Iiibkn32.exe
4900	Iapjlk32.exe
3136	Ipckgh32.exe
2300	Ibagcc32.exe
1820	Iikopmkd.exe
2188	Iabgaklg.exe
2068	Idacmfkj.exe
1696	Ijkljp32.exe
3172	Iinlemia.exe
3328	Jpgdbg32.exe
1864	Jbfpobpb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6512	6408	WerFault.exe	238

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 1768	648	bb9f86965fc3ca48b508820b237f2b461d3f8c59286d19564bfc2857a7c70069.exe	83
PID 648 wrote to memory of 1768	648	bb9f86965fc3ca48b508820b237f2b461d3f8c59286d19564bfc2857a7c70069.exe	83
PID 648 wrote to memory of 1768	648	bb9f86965fc3ca48b508820b237f2b461d3f8c59286d19564bfc2857a7c70069.exe	83
PID 1768 wrote to memory of 2292	1768	Fqhbmqqg.exe	84
PID 1768 wrote to memory of 2292	1768	Fqhbmqqg.exe	84
PID 1768 wrote to memory of 2292	1768	Fqhbmqqg.exe	84
PID 2292 wrote to memory of 4992	2292	Ffekegon.exe	85
PID 2292 wrote to memory of 4992	2292	Ffekegon.exe	85
PID 2292 wrote to memory of 4992	2292	Ffekegon.exe	85
PID 4992 wrote to memory of 4600	4992	Ficgacna.exe	86
PID 4992 wrote to memory of 4600	4992	Ficgacna.exe	86
PID 4992 wrote to memory of 4600	4992	Ficgacna.exe	86
PID 4600 wrote to memory of 1020	4600	Fcikolnh.exe	87
PID 4600 wrote to memory of 1020	4600	Fcikolnh.exe	87
PID 4600 wrote to memory of 1020	4600	Fcikolnh.exe	87
PID 1020 wrote to memory of 4888	1020	Ffggkgmk.exe	88
PID 1020 wrote to memory of 4888	1020	Ffggkgmk.exe	88
PID 1020 wrote to memory of 4888	1020	Ffggkgmk.exe	88
PID 4888 wrote to memory of 1916	4888	Fmapha32.exe	89
PID 4888 wrote to memory of 1916	4888	Fmapha32.exe	89
PID 4888 wrote to memory of 1916	4888	Fmapha32.exe	89
PID 1916 wrote to memory of 1156	1916	Fopldmcl.exe	90
PID 1916 wrote to memory of 1156	1916	Fopldmcl.exe	90
PID 1916 wrote to memory of 1156	1916	Fopldmcl.exe	90
PID 1156 wrote to memory of 1092	1156	Fbnhphbp.exe	91
PID 1156 wrote to memory of 1092	1156	Fbnhphbp.exe	91
PID 1156 wrote to memory of 1092	1156	Fbnhphbp.exe	91
PID 1092 wrote to memory of 3976	1092	Fjepaecb.exe	92
PID 1092 wrote to memory of 3976	1092	Fjepaecb.exe	92
PID 1092 wrote to memory of 3976	1092	Fjepaecb.exe	92
PID 3976 wrote to memory of 2316	3976	Fqohnp32.exe	93
PID 3976 wrote to memory of 2316	3976	Fqohnp32.exe	93
PID 3976 wrote to memory of 2316	3976	Fqohnp32.exe	93
PID 2316 wrote to memory of 3900	2316	Fcnejk32.exe	94
PID 2316 wrote to memory of 3900	2316	Fcnejk32.exe	94
PID 2316 wrote to memory of 3900	2316	Fcnejk32.exe	94
PID 3900 wrote to memory of 3196	3900	Fijmbb32.exe	95
PID 3900 wrote to memory of 3196	3900	Fijmbb32.exe	95
PID 3900 wrote to memory of 3196	3900	Fijmbb32.exe	95
PID 3196 wrote to memory of 2972	3196	Fqaeco32.exe	96
PID 3196 wrote to memory of 2972	3196	Fqaeco32.exe	96
PID 3196 wrote to memory of 2972	3196	Fqaeco32.exe	96
PID 2972 wrote to memory of 4352	2972	Gcpapkgp.exe	97
PID 2972 wrote to memory of 4352	2972	Gcpapkgp.exe	97
PID 2972 wrote to memory of 4352	2972	Gcpapkgp.exe	97
PID 4352 wrote to memory of 1528	4352	Gjjjle32.exe	98
PID 4352 wrote to memory of 1528	4352	Gjjjle32.exe	98
PID 4352 wrote to memory of 1528	4352	Gjjjle32.exe	98
PID 1528 wrote to memory of 2284	1528	Gmhfhp32.exe	99
PID 1528 wrote to memory of 2284	1528	Gmhfhp32.exe	99
PID 1528 wrote to memory of 2284	1528	Gmhfhp32.exe	99
PID 2284 wrote to memory of 4920	2284	Gbenqg32.exe	100
PID 2284 wrote to memory of 4920	2284	Gbenqg32.exe	100
PID 2284 wrote to memory of 4920	2284	Gbenqg32.exe	100
PID 4920 wrote to memory of 1260	4920	Giofnacd.exe	101
PID 4920 wrote to memory of 1260	4920	Giofnacd.exe	101
PID 4920 wrote to memory of 1260	4920	Giofnacd.exe	101
PID 1260 wrote to memory of 708	1260	Goiojk32.exe	102
PID 1260 wrote to memory of 708	1260	Goiojk32.exe	102
PID 1260 wrote to memory of 708	1260	Goiojk32.exe	102
PID 708 wrote to memory of 3460	708	Gbgkfg32.exe	103
PID 708 wrote to memory of 3460	708	Gbgkfg32.exe	103
PID 708 wrote to memory of 3460	708	Gbgkfg32.exe	103
PID 3460 wrote to memory of 896	3460	Giacca32.exe	104

C:\Users\Admin\AppData\Local\Temp\bb9f86965fc3ca48b508820b237f2b461d3f8c59286d19564bfc2857a7c70069.exe
"C:\Users\Admin\AppData\Local\Temp\bb9f86965fc3ca48b508820b237f2b461d3f8c59286d19564bfc2857a7c70069.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\SysWOW64\Fqhbmqqg.exe
  C:\Windows\system32\Fqhbmqqg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\Ffekegon.exe
    C:\Windows\system32\Ffekegon.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\Ficgacna.exe
      C:\Windows\system32\Ficgacna.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        28⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3492
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        39⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        51⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        58⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        65⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        67⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        68⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        70⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        71⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3808
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4252
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        75⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4564
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        78⤵
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        79⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        80⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        81⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:712
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        83⤵
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        84⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        85⤵
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        86⤵
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        87⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5088
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        95⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        100⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        102⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        103⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        104⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        109⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        111⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        112⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        114⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        116⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        117⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        118⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        119⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        120⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        121⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        122⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        127⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        131⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        135⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        136⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        140⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        143⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 420
        150⤵
        Program crash
        
        PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6408 -ip 6408
1⤵
PID:6480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dmnlpfhd.dll

Filesize
7KB

MD5
887d7e3678c25ffb2243f69354cc7ffe

SHA1
ea2826c2898b562f7046a8026129e1af7a76ecdb

SHA256
b9359641ca3208a65f1e14cce1a7bc1ccece451acc4fd47898b18434203a7026

SHA512
851c686c4a5094b45bc5624519e81a5b066455696d5323d178ff42d5ffa3e67f7fd92e9221c3f81d36774e8210c0bced6323d333abd9e2c5101b7d12bec1cad7

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
96KB

MD5
4a2c8b2e168fce3a903aed1e4e8fa9ae

SHA1
212c3e68362f4757aad82647f9bdda1a7e9d5b5b

SHA256
281a101eccc1dfa323c61f947f6c3ff6233e3d27f1054c93ae38d6a1f7c171a2

SHA512
333de0236eef8e04623d0423b3b9ae81a6d3aa3fa6dbec4bc19824fd66a86834a84441c84c7d0d1286a6823e84a2f4b8e5aedabd4d47995c313714ce92613aaf

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
96KB

MD5
c5c1a8643545cecbf91fbfc259d1f50e

SHA1
5c3abe0866b337150f7863932d20dd2cfe85c58a

SHA256
3f0ac587e6701e99034636d283fdfd737855ad8f096612f3dbe918bb7d2758e2

SHA512
d30407b5af3c7e75d1c69195f6ff8eac7350a644f59c7c0cba89f0bc62cbefb798386f0cb44de628d81b3b99642f80e42aafff8f92147a1ac64871df292641f1

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
96KB

MD5
1c08c7691fd429098a435e4e61c0a313

SHA1
3c70271a23ffdf7a2e804c223c34e7aafc899cc7

SHA256
8917d103c6ff3f824756972ee22fa791a25da7812a8af443f141abd72e364181

SHA512
2b0d70fdc1fab64a6331efbf047740243e0a9d99dd7b6c6abb7790b5645b96702cbde54baccef9962413bb28b95e1f60c47461a7214df527a8aa36b867433e5c

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
96KB

MD5
41fe0f42cc9aceeee840955424222251

SHA1
054ccc179b85245a36b4c27576a25c4b8c962059

SHA256
d0281d84a64610868a60260656dbc95ba37dbcb97f571b42eb38b25056f95a3f

SHA512
57d61b16d9422b751cabb2b526690ddfca9bf7af746c0e567d0443319b1e2da29b3a9a9f6a7bf82ac471fcc3a1c492fe93acde7482f65af69be351a8778fcdbc

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
96KB

MD5
0f991c0dad762679b0abaea681efa762

SHA1
ad494aa519cbad46cc8c1a04a57620cc624eab2d

SHA256
48ab8fde1c3ed3e67a3be507600f746dc557e1fd4179092d6d628f9170981b45

SHA512
dd0454495616277fd5f6f5c640de967c133d5d742fb98698433fa60fd1b58e039655250fcb6f044bf63eb433d176e87a6c6da14459a16caf19998420195c94d0

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
96KB

MD5
2f3735b3a20e4731639b62dca9fde3f6

SHA1
052bc4f918351f9fda1de81d6ffd413e9fb6cc9c

SHA256
0294e9daf4ca947035406a2a970e800dc0bc5f38ef5860b237f9617a76070b75

SHA512
038024226ba048e1a3ac2670efb0c6e82aa1e774d9f608fec4ce8db030a3c361a5a09682fb6a052ac902cb357c2c50c81064bab34b0312120f43f85280ef14e5

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
96KB

MD5
381b6fb6a1874ed60342fa3a91d88b92

SHA1
e11ee5849d72f7f8681eeb4aa83931ad067d00a8

SHA256
0ca01a2f2ba614524692c0bc550434aacddd479be3a1f28cb36540d47dede26d

SHA512
743e4e2863c9058160cc09783931dc140e5af5baf32ea7c55ba6e904fe0b8d02b3d9fb2f42f62b4e4af2e305e3b7f051eef0642808fdd2acd88642bffdb3c4b1

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
96KB

MD5
b6c9e36406cfc1ebbe0e43161957d6cf

SHA1
4aaa7649bb43c110d589a058f16cb8a6f5427752

SHA256
b3abb06a0b64d9e8dfe3370b86639e514ba47b36651252b65030ae745b7710d5

SHA512
be440f45c9c86a9dfa3ae240f9d2f14efc0fb12c3111d533595930e420ac1790c39b3d3303918f5330eae273d40c592deb79d895a183b8aa71fe339363ebb214

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
96KB

MD5
1e056dcf078d4845381e8f7cb3daded1

SHA1
de4401d487a18a536f3c4e2dbce52a27bf1a2ab7

SHA256
f23763ccd781075e1f64a3a864298439016c9e3de4dd1b061dec907d6692e92c

SHA512
1f5c224370b51f9941d079fb0a370e16bc9754732ffdb3e79dc5b21e5abb9fdc01586d6d033d8cedb8ab305ce9bdd436e52386f8601ba70fb331ebebd5c29a86

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
96KB

MD5
d4e8585f944329c12e63c41f2afcbdef

SHA1
5e3d849e2388d4bcbdeb7900484c47f0d849229e

SHA256
bb492597da6288710ac5879b42cd4981a383a5488336c42d59fd65413c33a812

SHA512
930dec1f832018845fe1b6c147bc5a9a4da13554c087f4b5293430dd8a52429b0e5a4e464b053396480ea9f7698b9ac5381fe2918ebaaf3f75a268ee985c9037

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
96KB

MD5
cead941bd394e5207f22af93f0ce28cb

SHA1
96b5410e40373f0c6074f9ad40a1e2d72dbf9531

SHA256
74a214114dc8c5e8b89098141b91db857adaaf48777cba6870214eab97f74e77

SHA512
f2239708145b2ab0f62f2879dc334a3a3109ee7a2347cd77d758f3cbd5d1dc5a3c0bf8e6910bae0d5b745928c8a35bcf4306a10a62694c0fb332b5043208e40f

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
96KB

MD5
c42056cf9dced93db8f7ce0918491dfd

SHA1
baa05a239cb212830770a0859d81663ae2d2f8b2

SHA256
e91450a910118cacc3bda208075f47cd61976aa3b20fea42c67fb2b1d785fbc0

SHA512
3351c1d641f6e21eaa1146d8caed60c631ddbd0d6b4ecb051a61ca7c60617619a9e0b3809d33893e27b8a36172b1b575ddffca99deaf29a32d511058434b1ff8

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
96KB

MD5
2e32207f877ab2ffd48359af41415c57

SHA1
1237ce562e65919866d67caf2231d304b9673c3b

SHA256
00d4304622986ac9510982c1f922eaf9bf5a1d8310ccc002e403cf487fed03ca

SHA512
ecfd513bbe43c44b3b69ed64ee27f2a9b74acb5485fcffbaf75a6496e5a95c4cd44cd7df4a486a94e892dec2e813617b9ac716552cc896a182407c8f1a5e87d1

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
96KB

MD5
a10d3e4520f1e87b48c2473b20c5a0f3

SHA1
04bfefb44c74662fdf4ae0cfb5740b5ee4b47359

SHA256
614324ba1129046307ca22bf67cec16e39fed4c25b66fa1ba55bef24a833c3b2

SHA512
ed8c5a7b4eb0fec79b90160b750c085df974d688749186e63d761269236cac2a51028c8dda4915efe8e673094e1aabcbd3d6b34edbbc788a8e8e4b26e0972b5c

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
96KB

MD5
0b7529628f980edec9986d97c730661b

SHA1
784338a84b7fe835230839a2fff9a27376665da8

SHA256
857856debd9b7470ad52ca6380c2e0ccf898fdaf095af0a7d2ccb3910045defc

SHA512
4adf3c2579e397981d5eeac4f5d3e772b5323d437fc15d744f9f7a0117dd7aee4aa21649b0a9c0a7152226b2c3de97b4265ba4aae6526a435a969f3e569343dc

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
96KB

MD5
87265f1e26efe73aef28a16698c82d7f

SHA1
93065dfa47eedf73d091d5997cc57140e50a8cbe

SHA256
53e52f348578d800b24d852ef829e763488f09b9de6e96521d7f3e7121e83ef3

SHA512
f38f745bf4588ec7ba5406076d2c31058c800b08d654569af4a731db611343ab3fe188a18f484de45d929056dc59d74804604f023bf2f831cae430778d861120

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
96KB

MD5
4681d5bc600c6221fa8f44c1619528c2

SHA1
02fe259ba70461f7bf3a4df63093f4ee2dcb09a0

SHA256
2e5b54535dfc1f287e31511d7a44b1cec279b01a327afef14489bbcb14f629cc

SHA512
fa9fe913efce3bf567efd51e2fea9d443c5d9929a1ba5d6aaee9ece6a0c482501309120240f4458bf063b1078df5e9201035ab172f03539929258d579f635598

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
96KB

MD5
be2ac1ebbd5e0f3484bf039c58ebe133

SHA1
4694a017b03be4897c58031849122c3cf1399107

SHA256
945d0f26493df6ea167b3a0b7ba1d90c7e89dbde67f9fadadc9d98be171de4d6

SHA512
f7b189642f30b672ad9ee3de5ecd8d2243cf50151c1476286913556c51c46c4ce0223a0018ebd3fc5b0e700f627842755aabdf20c10d015eb33452d174320cc8

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
96KB

MD5
cbd34c5c49b18d19a560e9be8a9f56fb

SHA1
20f9cb27554c380e529ea88bfb921e05f306ab32

SHA256
cec98d7c64d90f639a1d73305f922fb2ff1eecd841a7a6c28290a0a43fcbd79e

SHA512
155dd61a01a74e8215e0fa3cab90d9a4617b0d23aded8e212622d826256164c5bba3647f514c38bcf6790ef3a82b48dbf69e266235d13f38baead902dbb71ce6

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
96KB

MD5
6205fa628e33c9cbe055f4ddd8c0f5ca

SHA1
f49668215bc816c0a955f83b00675d8cc9111073

SHA256
dc0bb43963ddb97919c06af85d60802a18cfcf5143ab4986e07fc4307af7de09

SHA512
5d464651f86d62ab60d5cbcd22c1e538aff3db1928518895365663e2f934b3b686be85dac7119fb1bd37da28eac326e868bb61107ee590bb5de88b9757c89fe8

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
96KB

MD5
2e4488007ea5a3a0c60242ac8b01d810

SHA1
7d61daecea15d6d030947d17de7601ba188ae153

SHA256
c0576d1087228a53914bbb7bda25bdb3cca4a088940c4b6c61de2526cacc7cdc

SHA512
6464b9fa166874f37fd0ecd64176b0a00eb801e4544660720a37c0f84b202242ffe47d4350a67feac26465bdfec066bb7d175b2737e481712bf70c27795b2ea4

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
96KB

MD5
7b35e3c9a3ee1fc805627c37f726b571

SHA1
3e34e8918746dedf76dd28431459234e8be3e402

SHA256
36e2070c9f25dfcf28c68a6962d29df9c0c4c9a05190498142cd2b3c6786477b

SHA512
a660ae5cca462ee8ec0fb8df1e817c3801a69b88f909d01a86df7cd77eb6c7977028cf12582f2d089d403eb798da438ad8bbe5bd6a611e73aeb134625954cf2e

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
96KB

MD5
21be49203552573243bc3a4583188b5c

SHA1
eb89e3759443c7562c439861d2aae8d8902d49c5

SHA256
5cc3c9000c7b66eddb75cf0c2ae172d0a13e9d2874ccedf3f3f5902d74a2438a

SHA512
1f6ad69628b90ccb0eea082570fc63e0056dbc9e2791087876011b74ab4494ec62a0e2a54b1dc9fb30a8013918a4114a9ebcd546ba6d35947bd7e9318ba04d07

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
96KB

MD5
a2696a2d1ebd73a618be6339ca62b288

SHA1
7ff3c10acc11815d1e5ea175f7bb39e1fc36a6bb

SHA256
d20b1301b3aa1876f8729e74732a697f5e1c833bb069995dc1a6fd5f16bb5f6c

SHA512
f2615a3f5c8283f1c8ddba06b4ca13b671a15e46df561e30bbe74cc42a8497dd63dbb04f0dda9f89ee1508d821d24509e36c1ae9135ad202ba27dc3f0105a8c0

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
96KB

MD5
47724856544ef52229f065b38e1c5cc6

SHA1
10caafc99c968a847b88ed49e6bb69798e327633

SHA256
1d35aa0a34fe65e4405ef9630d679ccf3c63ba1bbe6087c300bcd3fdd49a5aee

SHA512
218c08034e09b7dacb6018c8f8bcf6094f39aace59bcff73455366a5745dff0439b39f8c10ecba79521c3bab26c905f724da518e668985e24cc1e93ed92816d0

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
96KB

MD5
3dbd130f72d484c011aeb537e41735f2

SHA1
3271638fd05b0de1e9dc46acf287375a8803a53a

SHA256
ee2aa8f89c5fac1218871c5d79d5a59f142d1c101c6af1d9abf725088585a94e

SHA512
0bae26e3d750c4e970cc1b4ff98137651855b1cbc4d69172d5f4730aa4923a96d4e3bc80f0d118fa8a45d00f1afda3aef6f907c631b5c4b0a601cbce7625ed5e

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
96KB

MD5
27fc6e9fe14d7f9cf352b6ff68c4b9cd

SHA1
531e237a4c0aac336381c382d2c50d8debac9ba2

SHA256
275688e28b68023bfd89125bd048b5a489552b92e4575cbbf5d2dfc6bcbcb4e9

SHA512
c767d89346054f620d03ca231dd80f8154c129f2ef85d4e923d96533e0a101315a2ecef9d6e7ccea5d87c966ed538155896fd00ac148a14c78afc9bd678804e6

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
96KB

MD5
a884bdc85f1c1049ead692a735e8dc55

SHA1
4f8712de3cb74a8f78e5ce352921fa14f87aa7c8

SHA256
29660433a5b865feca295ea0b9d11db2713f9b50d9a619366631bd8f06cda6a3

SHA512
2947a7077472be6a8dcc8b54b57c334aee2a3698da565bad895ccea417419f60badbb747558fb41731c378f504a952a8aa1dced4ef1735fc42b0c86070d81b61

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
96KB

MD5
2e4a6c8ecf54b469c4bdafed677a65a2

SHA1
9a0e4ee655c2a2d1ba6069fc729af5e4d59c462f

SHA256
64ce26b8b2e8031107e1a403615a8f9ddcd5a70bfb1217aebea5c6815764ce97

SHA512
a2c99df8682b4ae00b9ebc4a2e19ad129df013f130e6197179cbfac6f5ab422b92f7d5da1a6f28d8278be35cce907da9f16a8970fbaa418465d15b69dcd738d8

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
96KB

MD5
7cc4a468d08b0e7e8d502532b54a3f7c

SHA1
d6eb0f0a3032666e6be65fff449e75a739b3fad6

SHA256
a4b5ceaeb9470b0bcf300de764d475c67353796e4804f17ddde9afcd448ecfdb

SHA512
cf9df26250a181b7b282a35fc2e9f397c552d557efae43d73e7d6c1b0482d22d80e2d01587a82797083d5faac1b9b41b47326639e8f702588e79aee75ed32064

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
96KB

MD5
5176039a964bafcc105d7932a9a5a0d8

SHA1
3b74e57d90140c12aab6fb74dbe79c25bcb87c87

SHA256
fc62f498774fdf19a6078920eb92225c67aff6e442082ab1e3f5bf1bf5dd81ad

SHA512
437f1d2df8a7d2f9ff783d398a567eda721414dd41cb07ef99309dbd0ad41366fd6c9b411cae193e8285690f2a8cb8d308172c02ff0251fa3421759b41f54620

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
96KB

MD5
4baeab395473d6291c41fd17691dce83

SHA1
39dd41fb4f9e86ef113f2a6ce29bca470fd27f1d

SHA256
20b3056ddc7c8522d672789baf681e5ca00d6293d95d0ff67faa8b54d6f16136

SHA512
9caead3eb2dfe3e6a0b8add5178f0c10f68d4c984eb516a00ecab84f06ed65280d7a2b622a0386362afe0a0ba8bb5998b47bdb02919eaafd64b0a8e50c4cd454

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
96KB

MD5
75d9e305d26c056de462d9b722d62627

SHA1
fa912006bc98cea1b23edab3d408255d1c95a5de

SHA256
c8292c37658992d0672f5276924cb18a489affd9bc4c63339adf06f58449232c

SHA512
62d16a00e268e6953b11dd502d524e0776ab922704e279ad933edfe257e1f1742a7cf35861df5b6b7a4cc839b506fc925e00e4d59da94c0c18674b511f79e13e

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
96KB

MD5
35ca038ef29d09ecb95f575c8526d2d3

SHA1
593eba18e97867a6b2134ce48168cc5df625767a

SHA256
1aacfd4e8b4ac8e7aa3561205aa453f7513247cafb197482a2f099a0aa5f711e

SHA512
d870d0e07f958f040d639d2423ade9807d51a8e88de69db94cd2f3077304e5407185ea133022a9736518e7394dbf86afe56f4d59e0fffb4e0c626fd1f82234aa

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
96KB

MD5
65291725104b84517fa860dcb4738545

SHA1
c83313faebe44df05b91924be1f8f5b4e421069c

SHA256
4fc94ff04f128ec802f67c642e5c0dbec8bd10ad72a6f2d8ad485da9eb04f78d

SHA512
a985d94e2648ac5bee72c6d762e556ffe6eb09a1a4e088cf43aac2d5933bc86039481c33cb04e45c0548c8ff96eefbd9509e082c0e5be0624b66be348c69c4b5

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
96KB

MD5
a295300023847bc22648f78ce67c16c6

SHA1
66c9756d9c666a7a1c1edbd44693d5b291766c81

SHA256
5bda5973d6f483508c58a030b2d6df46d9cc40d46241b51301182f517c5c8889

SHA512
3022a7e4580e1bd82f457039772d201b22e8dafd50900c75c4b95f0891e1fe65dbe2803c7197b76ef0e31ec288e61dbdd5160cf043490b7eac95a31728add3e1

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
96KB

MD5
f02f4894d809d15b2354136a1128f5dd

SHA1
cf752d6cadb8fcaaebd2acc07225c3b0f5fc1be5

SHA256
af7f8a5c52d96d05dbefe3d5b23322fbf8f3e284620144a94c768bb97c7f797f

SHA512
8959d681aea114270326cee50a6b931c558098718bc4ad1249161fb5f9a554ba4a6c1f579d333ea06dd9a80164d30da9d2989bce95c45242b7b47df413ec4a66

Download Submit
memory/216-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/404-255-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/648-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/648-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/708-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/712-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/900-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-573-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1052-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1092-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1124-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1140-559-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1156-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1156-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1260-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1320-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1528-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1580-567-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1628-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1648-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1696-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1720-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1740-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1820-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1832-477-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1840-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-488-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-452-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1916-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1916-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1980-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2060-518-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2068-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2124-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-543-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-421-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2208-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2284-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-557-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2300-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2316-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2668-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2988-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3028-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-330-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3136-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3172-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3196-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3328-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3432-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3456-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3460-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3492-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3500-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3556-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3712-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3808-494-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3900-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3916-512-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3976-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4240-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4252-506-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4300-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4460-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-524-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4588-500-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4600-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4668-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-52-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4900-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4920-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4992-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5088-591-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-536-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5140-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads