7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c.exe
Size

128KB
MD5

ade7676ec48ca3121cd4035c8c27bdf6
SHA1

27a658c0cb595be9b06843acab53ae31e63e0c03
SHA256

7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c
SHA512

cacbf3de1f9742674b0f1e5cb481561e980ecafe576337e50aa44c113b4251016bd19ec463d4f21615a53750b57a783739c9b45e2e545f88aeae7fb8b8437e10
SSDEEP

3072:ZsGvPczZVLZZEna/4GVqZ2fQkbn1vVAva63HePH/RAPJis2Ht3IjXq:6GczZNZf4Gg4fQkjxqvak+PH/RARMHG2

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe

Executes dropped EXE 64 IoCs

pid	Process
3436	Fifdgblo.exe
3236	Fckhdk32.exe
4480	Ffjdqg32.exe
3364	Fqohnp32.exe
1704	Fobiilai.exe
4852	Fbqefhpm.exe
4004	Fjhmgeao.exe
4732	Fodeolof.exe
4060	Gjjjle32.exe
4292	Gogbdl32.exe
4584	Gbenqg32.exe
1912	Gqfooodg.exe
2876	Goiojk32.exe
4460	Gfcgge32.exe
3116	Gjocgdkg.exe
3872	Giacca32.exe
3512	Gqikdn32.exe
884	Gcggpj32.exe
3400	Gbjhlfhb.exe
3480	Gfedle32.exe
1856	Gidphq32.exe
3924	Gmoliohh.exe
3684	Gqkhjn32.exe
5048	Gpnhekgl.exe
2720	Gcidfi32.exe
1632	Gbldaffp.exe
4464	Gjclbc32.exe
4068	Gifmnpnl.exe
1068	Gmaioo32.exe
852	Gameonno.exe
1116	Gppekj32.exe
2992	Hclakimb.exe
2684	Hboagf32.exe
1612	Hfjmgdlf.exe
1020	Hjfihc32.exe
4420	Hihicplj.exe
2088	Hmdedo32.exe
2908	Hmdedo32.exe
876	Hapaemll.exe
5016	Hpbaqj32.exe
2956	Hcnnaikp.exe
1124	Hbanme32.exe
2808	Hfljmdjc.exe
4612	Hjhfnccl.exe
3112	Hikfip32.exe
1112	Hmfbjnbp.exe
4344	Habnjm32.exe
368	Hcqjfh32.exe
1236	Hbckbepg.exe
4524	Hfofbd32.exe
2928	Hfachc32.exe
5088	Hippdo32.exe
1232	Iiffen32.exe
1000	Iannfk32.exe
4120	Icljbg32.exe
1820	Ifjfnb32.exe
3720	Idofhfmm.exe
468	Ibagcc32.exe
3892	Ijhodq32.exe
2240	Imgkql32.exe
2780	Ipegmg32.exe
4332	Ifopiajn.exe
3136	Imihfl32.exe
4392	Jdcpcf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Giacca32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Gameonno.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6288	7100	WerFault.exe	272

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 3436	3124	7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c.exe	84
PID 3124 wrote to memory of 3436	3124	7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c.exe	84
PID 3124 wrote to memory of 3436	3124	7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c.exe	84
PID 3436 wrote to memory of 3236	3436	Fifdgblo.exe	85
PID 3436 wrote to memory of 3236	3436	Fifdgblo.exe	85
PID 3436 wrote to memory of 3236	3436	Fifdgblo.exe	85
PID 3236 wrote to memory of 4480	3236	Fckhdk32.exe	86
PID 3236 wrote to memory of 4480	3236	Fckhdk32.exe	86
PID 3236 wrote to memory of 4480	3236	Fckhdk32.exe	86
PID 4480 wrote to memory of 3364	4480	Ffjdqg32.exe	87
PID 4480 wrote to memory of 3364	4480	Ffjdqg32.exe	87
PID 4480 wrote to memory of 3364	4480	Ffjdqg32.exe	87
PID 3364 wrote to memory of 1704	3364	Fqohnp32.exe	88
PID 3364 wrote to memory of 1704	3364	Fqohnp32.exe	88
PID 3364 wrote to memory of 1704	3364	Fqohnp32.exe	88
PID 1704 wrote to memory of 4852	1704	Fobiilai.exe	89
PID 1704 wrote to memory of 4852	1704	Fobiilai.exe	89
PID 1704 wrote to memory of 4852	1704	Fobiilai.exe	89
PID 4852 wrote to memory of 4004	4852	Fbqefhpm.exe	90
PID 4852 wrote to memory of 4004	4852	Fbqefhpm.exe	90
PID 4852 wrote to memory of 4004	4852	Fbqefhpm.exe	90
PID 4004 wrote to memory of 4732	4004	Fjhmgeao.exe	91
PID 4004 wrote to memory of 4732	4004	Fjhmgeao.exe	91
PID 4004 wrote to memory of 4732	4004	Fjhmgeao.exe	91
PID 4732 wrote to memory of 4060	4732	Fodeolof.exe	92
PID 4732 wrote to memory of 4060	4732	Fodeolof.exe	92
PID 4732 wrote to memory of 4060	4732	Fodeolof.exe	92
PID 4060 wrote to memory of 4292	4060	Gjjjle32.exe	93
PID 4060 wrote to memory of 4292	4060	Gjjjle32.exe	93
PID 4060 wrote to memory of 4292	4060	Gjjjle32.exe	93
PID 4292 wrote to memory of 4584	4292	Gogbdl32.exe	94
PID 4292 wrote to memory of 4584	4292	Gogbdl32.exe	94
PID 4292 wrote to memory of 4584	4292	Gogbdl32.exe	94
PID 4584 wrote to memory of 1912	4584	Gbenqg32.exe	95
PID 4584 wrote to memory of 1912	4584	Gbenqg32.exe	95
PID 4584 wrote to memory of 1912	4584	Gbenqg32.exe	95
PID 1912 wrote to memory of 2876	1912	Gqfooodg.exe	96
PID 1912 wrote to memory of 2876	1912	Gqfooodg.exe	96
PID 1912 wrote to memory of 2876	1912	Gqfooodg.exe	96
PID 2876 wrote to memory of 4460	2876	Goiojk32.exe	97
PID 2876 wrote to memory of 4460	2876	Goiojk32.exe	97
PID 2876 wrote to memory of 4460	2876	Goiojk32.exe	97
PID 4460 wrote to memory of 3116	4460	Gfcgge32.exe	98
PID 4460 wrote to memory of 3116	4460	Gfcgge32.exe	98
PID 4460 wrote to memory of 3116	4460	Gfcgge32.exe	98
PID 3116 wrote to memory of 3872	3116	Gjocgdkg.exe	99
PID 3116 wrote to memory of 3872	3116	Gjocgdkg.exe	99
PID 3116 wrote to memory of 3872	3116	Gjocgdkg.exe	99
PID 3872 wrote to memory of 3512	3872	Giacca32.exe	100
PID 3872 wrote to memory of 3512	3872	Giacca32.exe	100
PID 3872 wrote to memory of 3512	3872	Giacca32.exe	100
PID 3512 wrote to memory of 884	3512	Gqikdn32.exe	102
PID 3512 wrote to memory of 884	3512	Gqikdn32.exe	102
PID 3512 wrote to memory of 884	3512	Gqikdn32.exe	102
PID 884 wrote to memory of 3400	884	Gcggpj32.exe	103
PID 884 wrote to memory of 3400	884	Gcggpj32.exe	103
PID 884 wrote to memory of 3400	884	Gcggpj32.exe	103
PID 3400 wrote to memory of 3480	3400	Gbjhlfhb.exe	104
PID 3400 wrote to memory of 3480	3400	Gbjhlfhb.exe	104
PID 3400 wrote to memory of 3480	3400	Gbjhlfhb.exe	104
PID 3480 wrote to memory of 1856	3480	Gfedle32.exe	105
PID 3480 wrote to memory of 1856	3480	Gfedle32.exe	105
PID 3480 wrote to memory of 1856	3480	Gfedle32.exe	105
PID 1856 wrote to memory of 3924	1856	Gidphq32.exe	106

C:\Users\Admin\AppData\Local\Temp\7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c.exe
"C:\Users\Admin\AppData\Local\Temp\7ea582454b538c72a3bf49174489b72c20444b1cfe17e642d60857d542af609c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SysWOW64\Fifdgblo.exe
  C:\Windows\system32\Fifdgblo.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\Fckhdk32.exe
    C:\Windows\system32\Fckhdk32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\SysWOW64\Ffjdqg32.exe
      C:\Windows\system32\Ffjdqg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        24⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        27⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        29⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        31⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        34⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        37⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        38⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        42⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        47⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        48⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        49⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        52⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        59⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        60⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        62⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        63⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        66⤵
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        68⤵
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        69⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        71⤵
        
        PID:732
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        72⤵
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4272
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        74⤵
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2164
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        77⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        81⤵
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        82⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        83⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        84⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        85⤵
        
        PID:968
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        86⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        87⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        88⤵
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        89⤵
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        90⤵
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        91⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        92⤵
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        94⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        95⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        96⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        98⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        99⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        100⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        103⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        104⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        106⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        107⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        109⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        110⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        112⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        115⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        116⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        117⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        121⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        122⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        123⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        124⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        125⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        127⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        128⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        130⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        132⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        133⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        134⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        135⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        136⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        137⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        139⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        141⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        144⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        146⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        147⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        150⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        153⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        158⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        161⤵
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        162⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6700
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        165⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        166⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        168⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        169⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        170⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        171⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        172⤵
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        173⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        175⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        179⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        180⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        183⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 400
        184⤵
        Program crash
        
        PID:6288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 7100 -ip 7100
1⤵
PID:6196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
128KB

MD5
65408cbe0a662faa1f43953a751de709

SHA1
d7eafd103d3be8f18d4147aa4bcb6777b20f59c5

SHA256
1b95868bb622b78be0ebff671fc5a0a1e3153f4639c2fa8e819668bdd5926053

SHA512
ef83778a6ecb0aa50ab9c3b961f34acdb1d66ed79e8c427ba71d7b18ea144656e43cfd6fbc3b9e73771ee4b33615ac3ccc80cb7b3e6cf44bb6930805e0d7f498

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
128KB

MD5
4b50d1365cf173df5a08ab41ec036605

SHA1
d85075f90788a24c7924c77f7c1d6c4f7d5aefb6

SHA256
25b91763a23d25c866596644eb9208285e92cf77e0f1d20d2db0577909270460

SHA512
630b69128df77aa3e9f387e342fb3adc06bff8d449103aef73baf775906c7279ba3cd0d21dad54a28c043e29751366782edb3fd0e2099ee5c9f757ccbb142126

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
128KB

MD5
c95d3be445c43586f45acbf11df96068

SHA1
a4c86ed1d13a435a732770a07490678e556fa964

SHA256
94f2291b35c6d7ff5605c88d0a835eec04c293056e026bb28f7c12427efb2859

SHA512
5e4d992c4622754677ac87ce4b1d32dd65b052bef14923e30f0d5c8015909f65225c8dba07623e65a22c8e465549a503ca97f711d523489b109ea79ebfce299e

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
128KB

MD5
0702685cf77049acc3b8644b185d4a4a

SHA1
0f82d38d3f9f5af038db201b68dd29f16e76646e

SHA256
a3a0c6838d5df88904c2c45894f7f5ab87825f772753051173f8608463dd4489

SHA512
e01ef6e5bc611f711d6d38e5843c7b48fc4e55e78c07ca6fc6a7949b4243c27b2e1c20a7ac1d365d1aacd93ed87b70d745a04bdbe3fa53d259fa15bf881fa16c

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
128KB

MD5
65aeaf476c18e432842ae01acad742cd

SHA1
af3fdd7e4202ed94d76ede77a1ea1edb6a45ff80

SHA256
92fd24ab392daa130618f8a04390fdaa389bdf96e2df873a3d943f126d3bd4dc

SHA512
21e0a0826901578a32db0eea25cd5d2a9b0c9ed5c3734b885da8e0ce58d3afb043e57c1770bc6aab6c763ec37fc8767212a964697d98bcf9a367fcb08e7c4e19

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
128KB

MD5
0b3fd3b38a5f108acfe183f44364bcf7

SHA1
41efa2f3d0ccf1148ccc4fc2248a6b57b19ea62b

SHA256
b1a9744720bf62c82be37c1a67c9574c6a118c27122c700f929b10dbc3a7bd12

SHA512
a917e3b0e3ed835884b189ccae9d82132bfae0a0d1e0d45d0092142503b898b631a3ce3922e1de13f0024926e0bf6be618ed181f16b1c4cf6153dd8261fa348f

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
128KB

MD5
36c4e47530a55698cc74d998a9162824

SHA1
62051b4d7e17cc14b31720a712f0421658b2058a

SHA256
adc17ccbea9670ffea6564eff304553f9ed82df86bafd07c4e3aa2b9925c2dec

SHA512
1e6d41416bf1d934304e47a531f76f1dcc75ca71b7dbf49fc5e79a1a67f3580a91766e31d623d10332bd8f3429521287fc342aedb323229c70388e3fc80a176d

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
128KB

MD5
abb3734a05931abbccba8251e251e3a3

SHA1
de8a9348e8c92b7068d866fd1e11b35c3ebb324e

SHA256
ff95e49d2eec5804beceeb4298500012a5dddbfeb9b42ce43f35829e4fc410cf

SHA512
9cb1e84af9bd801ab3df605f5e159104c9ee7025b9dd07827ee354f4d27c5ec5f8f2b1fd03c34694c721219c63313d07a6f217e90d929adf7debbeb5248c05fc

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
128KB

MD5
1edaa26b26c48208bb0e8679916b7dd0

SHA1
2060cacc3b2440afb42b702142d7e490b3e6fb37

SHA256
a9b3906d4acefe3377cd96bdc6be8252ccc91e8b973a133403e8b32ee8c29e55

SHA512
09ebe8811461499d488829be12f3a3ee3a3c9a68771352db326afae15dadb8d858f97857f3fccb77399e3d1603791b323ff466ee13da4c692bfb44209266ef37

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
128KB

MD5
1f764b7220b654e71ee425f317e818b1

SHA1
aeb01dbdffb6b8805b8285f686aafbbf1eba4e22

SHA256
eabd5018dd1e9f6551a2bb4ef6e6f7d98c97189e8f56ccd47b835547073228df

SHA512
a7b55e71bd7693b29a6f5a72349d271b9060cbfb280014530910334fd1cf64ea07b582df8b281c36c68aa5b1e1995a89a319946e325610998eaf2cde71f849e0

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
128KB

MD5
a74ae5d44abf710c913a38f69152e6b4

SHA1
c3d4211e5c39f978e4393f150e44b1c746be5494

SHA256
5c265b8a489f5375aea59a1fa6f0130135ac78e5bcfc90bb8d799c7dc22e47b1

SHA512
dbae19333c0944f12b5dffe2e5a70c09c1e0813dcafe11006b5d21b574f817048fe6f6472f1daa3b93a91de890e1e4d1529407908d75d46299115cb50bd1539f

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
128KB

MD5
af57ec73036ec05d7e6553838f431341

SHA1
30e97f9482d7476e046eec51a645e8e8bb3f97e2

SHA256
11a879aadd073e99172c88daf67b5dc209ca58ae48561080a2acc211a3d8c646

SHA512
77fe53315934712ff62fc6e41e8dda005ce79b798f309a59a0202bd2d7ab4fc0bf900026a288dcc07e18fb326677ff26ede23687346d1a8a8b3286659838e6cc

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
128KB

MD5
1c57ea8e7a5fd501e50ab691335b32cf

SHA1
81f260e08ed12b6bee922f6561d8dd6649444e60

SHA256
930f98a8a85cd80bf0879a37fb8773b85e23742e1a4a0ab17b2c379bf7dbf4f4

SHA512
3380dd55a0ae6e47b662fafba9dcdfd6d0c46db8bf8cab9341d6cdcf50a30d2dad850b7ec0eff0ba75a64c953c75a90090ac55e143ced12b4b68abd559183a95

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
128KB

MD5
5c1beb9ae6c11f230051dd5c172fba0b

SHA1
78e1606ce64f746444bc31e6133606039edd0a94

SHA256
7cf81a75d7ffdfb4e781b4cc84a468ce09b77ecfbaf1b96b5f6abe3eb021a936

SHA512
9a4c90e38a32337b819847e68cb2e8781208824959d86563652832cb21c95dd02d556437c289820de4e5d505f63770342778ac911230166d153dfb3a701f0083

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
128KB

MD5
132081f90de53325e2b63e0b1629ce0a

SHA1
1a1c86ba587a06d381eb9b0168c52b6cb7058d3d

SHA256
7d86f83b04bd2332c4f2577101619386f02dac43c124baa0cd60505d600f3831

SHA512
8ec85f61e55ab54562e155ee6c6ec013bc8bd050186ac31e2d56b2c0d73af4597e3cb2ed04dbdff0b098b6bedfc1f8f7fe8b6837b66bdf3f8fcf7c289797507e

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
128KB

MD5
705dc00d12d547e94f3ed5bdae18f221

SHA1
3e7713802a5bfc4daaabe30d52130cf5e256343c

SHA256
22cd1cc26c7d90e737828848efc14eacead9564a1df057a6c7184afbb461e26a

SHA512
8e1f6710e7ac177c2272b13a3e0da597372864a6733b30aea9fe644ef8fc8c78dd0247e399c68d1629b382972994a18c34a3d145528035b28afe1fac0593bb85

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
128KB

MD5
304ceb5af8001a6056bf96f40bfae1c9

SHA1
e7b5eb19490e8731a25bc1074cd5005e3162417d

SHA256
dc108803202f3e0a7f64644b2a74abf898f9650f1b17fc158ed20f46345ba87d

SHA512
b77ad75f44beef31ee9e0f7e80eb2295382dfaded91dcde1ded5324ec48ff849fe1ba208442b43e0ee9bc3db65e5c1f30bd1a0435c3d2d3537d6e691e8259a2f

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
128KB

MD5
8cf79baf2766569415ed804b0f3103b4

SHA1
c3a68a44a16d049afc360e68160db42bc2d6e883

SHA256
0164312ea85ed65cdc9f2234ba1f7bc70cc38b4f35afd25d781c189196bed6cc

SHA512
ba4208b31a5ced40f2f4a214ca5704de3e8d7c8135ee99a17c30e0028d0f181f2cd9c16ec3c1ebf4a7a2f11cd3559de3312e995674d00bddd48408d4fa0db4cd

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
128KB

MD5
08afffb8642f61bfbd1cf34de40390ea

SHA1
30bc72cba8c208afd7aba53d78bd85f6cc648c01

SHA256
86d3e9f52a1ddad77f10e1f8f134faa587d758545b073cf74767734f1d93a078

SHA512
ffffbe49a8021cf2771b7c8199f76e263df2a39a8010dee2560dfb426faf10744483a6b4dfd90d922e90ce947467288aac859085d30bbbf370e67ec996ef73e8

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
128KB

MD5
9c3fc736065355f704c7dcfba8624199

SHA1
02d63bede1450b8ce803f18baad156cc1ebfd414

SHA256
d1b172d475288b60fef206563ca64aed8c304613617cb75027efc20f455df145

SHA512
7a63080915dbf361ead5d8adfe525c5357f2ad95390e4fb835d1790ba55dfff0d5ea1620c29a39ecb9cfba704870fb0a4e07b2900926d8a7a376af0c631d27b0

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
128KB

MD5
28e2c9493fc4651829ea2da44bde13b1

SHA1
103b1be48471899323463815fb1ef2cd891aa6ba

SHA256
fd9d400501f2177bc46b0c4dd515dca88f88480081eb78f5a230c7948517af00

SHA512
3aa5bf4d76e3c486b99c10132a34216bd3f6331d102ea5884f0dfdbb6cc70345e7a250d2658d526c72a414c04e666578ad17fef4d13a660345e8e9fd04503757

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
128KB

MD5
19aa2582b4127c0953379c609bfb40c6

SHA1
c50f4a29cad28227c79f95efa06894a5ae537f9d

SHA256
3ded828820370df2af53fd7ddb745cbe5301df9e2ad9ea5f4c0de04f72a1699c

SHA512
64674f180c568c3ca2cc750ab71008abbafb92e39c10609883a431fed932223c7b17f78c56614e2fc275c8978a313094679aa7b6e2b11c6b9847ff650d6943bb

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
128KB

MD5
a4830666c68c5357b5e0796cc50ab2ce

SHA1
8ab45a9e284a23d32e0a7e5162dd6183eefb9b9c

SHA256
5a1f1c3704be6c6d6ee5e00cb97a293f1056784ecf0985dbb7efa77d689a3ff6

SHA512
393a6dd046ed3b78f745cdd23272dba330d14336a1519f5df2a536aeac79f2976c2d61c22c61a9235dc59cb028ab9397034c7abd270c14b8a95e309d44b72244

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
128KB

MD5
8bb535fcab06d88a35e211d6950f6664

SHA1
1a802458d09ee2a9da74836961ddf7ad3366525a

SHA256
9defb94eefd4449032306ec44df7d13b236682abc48f845709ade0232d498513

SHA512
3a2c26237006b7535a78524059d4cbbe005cc97dfdd4635dc712216e292de8eff6b55a8a04740ace714d8820a98b99317e43d8e21806cb83c4a1dc4ff4654e9e

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
128KB

MD5
7c00cf344cb3339975ce4ab2905e26dd

SHA1
449b062d7fb53abdb23047ea21d7c61d9a4a8616

SHA256
8022cfdfa8e93f7ae5c066c9b371b71b63ca61c705ac71a1159fb86750a907e9

SHA512
0f2043098dc0f12639a145df8e93c391a8ac65aa953f71bb1ed21516de255e94966d426b5f0f89da05f427211828d33246eb5ef897f94c8337a9d299b53ff467

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
128KB

MD5
d46eda50fa5862971e6a358d13140f1c

SHA1
078b702963bd042a5614576c1eb0798ba6e9e78c

SHA256
42a5f6726bdae2cb875c22f86d67c875e214a9812878af39f4d06e26ebcb468b

SHA512
1278ef470ecf77275c68500e5033c996ccb025fbae2a28238e8f3c336284d26f23c40da569f2725ecaa3aee2c2515fe6f85df8e45e1a6cab200fe49f690b6ac7

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
128KB

MD5
3072b448313b17f90d24b70aad8765b7

SHA1
57facac2d3c3b496ad13b0fa3db027bba29bcca1

SHA256
2b122a39f5bf7d2826521c4cd7ec2c154b69fa345b09b66d6311284d0f98c5cb

SHA512
ff465ed7ef7679c1e1b2bc67ac0d18861a6961950c9129409d86d304c6c27746c851c36abdf4c3dcd1eb6e3eb7b18b5cf623fbbc0f489ae8360b03516ee8c456

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
128KB

MD5
351b09e293470277484cb9c6aa3e92c2

SHA1
be4c318b540bf28d51b71a26ed96e1a6b64d9bc4

SHA256
34e3d23617e6eb21591f5622f5a18a264214d2234abd3e11f229aa9066c411ab

SHA512
bc7ae0521d88ca1b826e59c8af35092e2e47fd8e2ccb47c3a85bac0f3ce4a61f9f0c7fd5142844335c891654bc921393e620df4b0e25eb2de2543ac07883e6b5

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
128KB

MD5
6ba5b1afe862761ac3a48f030c42fa6c

SHA1
bc22b5f448905bf4cb1c33928a9a9fc02d77000a

SHA256
3429f0c9f1b0544ffecfbac9cc1d188ecf539f5b17e93a73d07f49f48c88e31c

SHA512
66f1bdd0d4a0a2da206ef80467fe03401021d1b72fa30a9c92ceb8b9df19a80693e3ae4a39aef078351cf689a00ebd71c732f8dee59b2b16dc87de3ab58d513b

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
128KB

MD5
bca14539315e703c5870f74f4590eb51

SHA1
b876e037e06eb1b443a621ab6abc437892df6be2

SHA256
cffdfc697aaa0f430997191ccaacaa6f71638b8e14a9f4bf9afedaa79fab269a

SHA512
6c498f9b05f85f2772b148a000204528bc872ae7f2cde2e3d27889f49747665ca9f17e3cca72a09dfbfea32da80f6ce3dca44ecc9892a4dea3f8e21e8ed0688f

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
128KB

MD5
ec5a01630f556111d3f918c0e5ac521a

SHA1
5122b418e2f6e61fbda8e196b90e5badba85607d

SHA256
613fb4829523504eecc48a56ec8a24822303c3267e542bab8a1c4f8caf957f63

SHA512
8584a13f84c392dcb8d492d4962d00b5945d40b41b284eb1b9ff2f227dd393fac1aaf61c4384398f9f1fe779867ac14c13be3d325f754f7c4483485e320461cf

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
128KB

MD5
9cf6d4953f9a16c0c43a8d636027dc16

SHA1
3e31f16b955a03b7ae6e279684f2c1db4cb7fc6b

SHA256
49e541a07c943624b0b8ce4947784835816627ebe89de847c5a3eeeadbd9ba2e

SHA512
eb7fb1cf3db5db48913fb891cfc28ba16f4fb4f29cce5967c63cc846ad37d32444e6f571ed1a9fb453b3248244cfd568e05b6ad400a6ca16e0db9f0993d4a9d8

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
128KB

MD5
c368550246de3f55a72970b29a5b133e

SHA1
8746b7bb057b5e174f64610a5fc87c2689561e2f

SHA256
a653f33a1a3893f8274d67a54939c3102543ad5136c1ce3264b5d27ff83e909e

SHA512
a1fc0f8a54e456b3be94ed98316f70d2e3be0128d496f2c03da5d01c48d32027e86fa3efefbbd96c461a564a0ff6505f0dc04e7166b94a98e2a499c601c4571c

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
128KB

MD5
cbe539d74deda26165bd1045cf463fbf

SHA1
eab965ba3c3af6d17c335a2faf6acae989b397d0

SHA256
148201add0cb8ff8c6047b88ac984345d45f333f60b9b7dfc42797b71893098f

SHA512
a5314d9c1cebd054ce9372e9a74d71d3e0077eb2d77b2a80049a20010e3ac1c41d058e352602a2d3929cc6570e6fa2f9de6f01644e6de7e4bc3ab3aa3030dcdf

Download Submit
C:\Windows\SysWOW64\Kagichjo.exe

Filesize
128KB

MD5
13e1a644e8efd6367d5c49cc1b54196d

SHA1
a153a5bfb7ae2356d23ae710891dd7889a37d414

SHA256
2df373d526f4ef88a1accacfaa82e487e67b09b727cf283ee39380fe43b18eaf

SHA512
f451141d2b18a25dcb537203fef248cf10706fdb0708b858be29538e38fc872ed8b8ee7b8f16622d7859be2cf8507c509e4cf36993058cff58e71908ba03f1d3

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
128KB

MD5
9e325f09bfdc894321f54686b1d06818

SHA1
c15b63cfe594c54ab594bfae54e681cc900eb6e9

SHA256
883484162ac50c2ac03a89966a92541f1e972e91e1fcbbe1380056a0bca10e57

SHA512
05bcfd37ea8f807a466d4841c74521493de066d6714c8b37a57be0cddc51e8c35e61224e7f9bd10daa454ea8c5fab6c309fd7fb227844efa2693b9b7cc8bbf5d

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
128KB

MD5
63bf64deeaea290ae705329e97dcbd1e

SHA1
0f46add1500df47c5059793754e2cbe2313e860d

SHA256
4bf7324642ebe40d8abaceb85fd67e034c26d4cda699d9d4d7c56cbac8ec72cb

SHA512
835ca1283bb732e5c644ef4143cf2a9c98c78250e495643f510093b487ff5d10e09bead85f9804f673168a1588bae6fbed90df5677a73043ad503e066f829daf

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
128KB

MD5
9d6918aafddc81d60bdddecd52ac7107

SHA1
b2dbc3b22a79b78960f03dfbdbb04664f7c50a90

SHA256
1173879df3ce832cc4bd4a5ce720218b3301503efd66cbb5d0c5889d0f551d72

SHA512
f2c0aedb1da366caea60c46aefacb48f66d74392c144c8c5d7d3adae201f289f96a9155ea0396c1150e29b52d3eb05e7b229989778be4a2d8f0f856d8ca6fd99

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
128KB

MD5
ba6c97113ea70a647a9e4777886cf909

SHA1
3949121f2a8862b843580c7aa4b35c6f532e38f8

SHA256
3432c2c57bbe9ae06d3b005c5694975d76eb58449c4f67a252fb77299fc51edb

SHA512
3d22ea1c62d61367b47624dc97e1ca0f413d3e5ebc21b725edbc2c469c03b6d861551ee66b42a739d0afd46d0c3252fe1ed9db7cb5c3af085d8c03aedf7392ce

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
128KB

MD5
4f7a3030fd2c2c37ea0dbaae0ca3a553

SHA1
3609bf151334c716530bf9d314de9da6ffbb6249

SHA256
39caef17edecaa7b7246bb664bb79faeeb9ebab09bca67d0225a63f6cec2575c

SHA512
2b2f009f45ae4ded6e5c2b43a245288d1246c5f65018d07ac6be4caad6a2c6a3f0ece3644617cf077d42a0c64c1775cc352c12c9c7371c11629dfd3817473528

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
128KB

MD5
f9b3cdad4104c75109a66d2259b53d9d

SHA1
906981e19ac2cff88ccb3ec3b7044b58c2368491

SHA256
e8a6e609d096fd6b384372d371939fd100a726ed8058d14ae0db507f2361c02a

SHA512
8d0010d6940fe2812d314a0b82b9189fd7fffb31e7cdb9964b681cf992526696e00d3afb9a21f596177ec23dcf42653f7be53d0cbaeea608bc7ead88522484d2

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
128KB

MD5
603b5700cd9a3a574b5324101063dea5

SHA1
a091691f3aa282d54234f8d1f060ef1cf1e2232c

SHA256
8562d5e1f59c4f14d3029a86fe56e99c005095cb9a0972adf7ac6771e7031fa1

SHA512
3e92def577d0df0df4f0cad20c4265f678ef87afe5edf38e3f41aa3096f6d50f021d24d5c94a30ac67778c7f827070067c57df9d48452590516ebb3363e06b8c

Download Submit
memory/208-495-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/368-377-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/468-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/468-494-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/732-506-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/852-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/876-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/884-155-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1000-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1000-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1020-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1068-336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1112-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1116-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1124-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1232-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1236-373-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1612-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1624-492-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1632-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1704-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1704-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-480-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1856-325-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1912-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1912-100-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2008-468-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2088-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2240-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2636-512-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2684-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2780-514-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2780-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2808-367-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2908-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2928-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2928-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2956-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2992-356-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3112-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3116-139-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3124-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3124-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3136-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3236-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3236-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3364-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3364-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3436-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3436-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3480-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3512-154-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3684-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3720-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3720-491-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3872-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3892-501-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3892-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3924-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4004-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4004-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4060-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4060-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4068-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4120-408-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4228-477-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4272-515-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4292-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4292-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4332-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4344-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4392-465-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4420-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-481-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4464-331-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4524-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4584-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4584-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4732-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4732-319-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4852-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5016-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5048-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-453-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads