438c2cfd64e5823c99e9215b4bb2f76bbb3397fdc85aa8032cfdbdfcaa310a94

Analysis

max time kernel
133s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

438c2cfd64e5823c99e9215b4bb2f76bbb3397fdc85aa8032cfdbdfcaa310a94.exe
Size

60KB
MD5

2171be10cc2aa4bfc5b13def67c34796
SHA1

ec4b0af8730e6e2dac0a84547cb5d6bff81ee60a
SHA256

438c2cfd64e5823c99e9215b4bb2f76bbb3397fdc85aa8032cfdbdfcaa310a94
SHA512

ab055f63451a4afb7fc9ad0a3631b2dc1fbd24cebc91e89c4f656702acc5e419323cdf026da208855273b83ce87d1d4421b0e724d4c623a12fcaa1679d7fb31d
SSDEEP

1536:DnE1jKc6AYrfbE/Ywr7OMgDqWrB86l1rs:zUKvYYwfZkB86l1rs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe

Executes dropped EXE 64 IoCs

pid	Process
3324	Ejjqeg32.exe
3832	Eqciba32.exe
4532	Efpajh32.exe
3584	Ehonfc32.exe
4176	Emjjgbjp.exe
2916	Fbgbpihg.exe
2096	Fjnjqfij.exe
1464	Fqhbmqqg.exe
5044	Fbioei32.exe
3540	Fjqgff32.exe
3184	Fqkocpod.exe
2656	Fomonm32.exe
1632	Fifdgblo.exe
3796	Fopldmcl.exe
4484	Ffjdqg32.exe
4468	Fihqmb32.exe
3332	Fbqefhpm.exe
1656	Fjhmgeao.exe
3080	Gcpapkgp.exe
3552	Gfnnlffc.exe
1316	Gimjhafg.exe
3776	Gogbdl32.exe
3884	Gfqjafdq.exe
2504	Gmkbnp32.exe
1564	Gcekkjcj.exe
3160	Gfcgge32.exe
1928	Giacca32.exe
264	Gpklpkio.exe
4552	Gfedle32.exe
760	Gmoliohh.exe
3892	Gpnhekgl.exe
4708	Gifmnpnl.exe
860	Gameonno.exe
3084	Hclakimb.exe
4768	Hjfihc32.exe
2036	Hapaemll.exe
1536	Hbanme32.exe
960	Hjhfnccl.exe
4304	Habnjm32.exe
1060	Hbckbepg.exe
2496	Hjjbcbqj.exe
3632	Hmioonpn.exe
4416	Hpgkkioa.exe
1652	Hbeghene.exe
628	Hippdo32.exe
3912	Haggelfd.exe
3164	Hbhdmd32.exe
3124	Hmmhjm32.exe
4796	Icgqggce.exe
3172	Ibjqcd32.exe
1460	Ijaida32.exe
4324	Impepm32.exe
2592	Ipnalhii.exe
372	Ibmmhdhm.exe
3328	Iiffen32.exe
4632	Ipqnahgf.exe
4876	Ibojncfj.exe
2340	Iiibkn32.exe
4216	Iapjlk32.exe
3896	Ibagcc32.exe
2072	Iikopmkd.exe
1620	Ipegmg32.exe
1016	Ifopiajn.exe
2912	Imihfl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ejjqeg32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gameonno.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6916	6736	WerFault.exe	264

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	438c2cfd64e5823c99e9215b4bb2f76bbb3397fdc85aa8032cfdbdfcaa310a94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kgmlkp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 3324	4628	438c2cfd64e5823c99e9215b4bb2f76bbb3397fdc85aa8032cfdbdfcaa310a94.exe	85
PID 4628 wrote to memory of 3324	4628	438c2cfd64e5823c99e9215b4bb2f76bbb3397fdc85aa8032cfdbdfcaa310a94.exe	85
PID 4628 wrote to memory of 3324	4628	438c2cfd64e5823c99e9215b4bb2f76bbb3397fdc85aa8032cfdbdfcaa310a94.exe	85
PID 3324 wrote to memory of 3832	3324	Ejjqeg32.exe	86
PID 3324 wrote to memory of 3832	3324	Ejjqeg32.exe	86
PID 3324 wrote to memory of 3832	3324	Ejjqeg32.exe	86
PID 3832 wrote to memory of 4532	3832	Eqciba32.exe	87
PID 3832 wrote to memory of 4532	3832	Eqciba32.exe	87
PID 3832 wrote to memory of 4532	3832	Eqciba32.exe	87
PID 4532 wrote to memory of 3584	4532	Efpajh32.exe	88
PID 4532 wrote to memory of 3584	4532	Efpajh32.exe	88
PID 4532 wrote to memory of 3584	4532	Efpajh32.exe	88
PID 3584 wrote to memory of 4176	3584	Ehonfc32.exe	89
PID 3584 wrote to memory of 4176	3584	Ehonfc32.exe	89
PID 3584 wrote to memory of 4176	3584	Ehonfc32.exe	89
PID 4176 wrote to memory of 2916	4176	Emjjgbjp.exe	90
PID 4176 wrote to memory of 2916	4176	Emjjgbjp.exe	90
PID 4176 wrote to memory of 2916	4176	Emjjgbjp.exe	90
PID 2916 wrote to memory of 2096	2916	Fbgbpihg.exe	91
PID 2916 wrote to memory of 2096	2916	Fbgbpihg.exe	91
PID 2916 wrote to memory of 2096	2916	Fbgbpihg.exe	91
PID 2096 wrote to memory of 1464	2096	Fjnjqfij.exe	92
PID 2096 wrote to memory of 1464	2096	Fjnjqfij.exe	92
PID 2096 wrote to memory of 1464	2096	Fjnjqfij.exe	92
PID 1464 wrote to memory of 5044	1464	Fqhbmqqg.exe	93
PID 1464 wrote to memory of 5044	1464	Fqhbmqqg.exe	93
PID 1464 wrote to memory of 5044	1464	Fqhbmqqg.exe	93
PID 5044 wrote to memory of 3540	5044	Fbioei32.exe	94
PID 5044 wrote to memory of 3540	5044	Fbioei32.exe	94
PID 5044 wrote to memory of 3540	5044	Fbioei32.exe	94
PID 3540 wrote to memory of 3184	3540	Fjqgff32.exe	95
PID 3540 wrote to memory of 3184	3540	Fjqgff32.exe	95
PID 3540 wrote to memory of 3184	3540	Fjqgff32.exe	95
PID 3184 wrote to memory of 2656	3184	Fqkocpod.exe	96
PID 3184 wrote to memory of 2656	3184	Fqkocpod.exe	96
PID 3184 wrote to memory of 2656	3184	Fqkocpod.exe	96
PID 2656 wrote to memory of 1632	2656	Fomonm32.exe	97
PID 2656 wrote to memory of 1632	2656	Fomonm32.exe	97
PID 2656 wrote to memory of 1632	2656	Fomonm32.exe	97
PID 1632 wrote to memory of 3796	1632	Fifdgblo.exe	98
PID 1632 wrote to memory of 3796	1632	Fifdgblo.exe	98
PID 1632 wrote to memory of 3796	1632	Fifdgblo.exe	98
PID 3796 wrote to memory of 4484	3796	Fopldmcl.exe	99
PID 3796 wrote to memory of 4484	3796	Fopldmcl.exe	99
PID 3796 wrote to memory of 4484	3796	Fopldmcl.exe	99
PID 4484 wrote to memory of 4468	4484	Ffjdqg32.exe	100
PID 4484 wrote to memory of 4468	4484	Ffjdqg32.exe	100
PID 4484 wrote to memory of 4468	4484	Ffjdqg32.exe	100
PID 4468 wrote to memory of 3332	4468	Fihqmb32.exe	101
PID 4468 wrote to memory of 3332	4468	Fihqmb32.exe	101
PID 4468 wrote to memory of 3332	4468	Fihqmb32.exe	101
PID 3332 wrote to memory of 1656	3332	Fbqefhpm.exe	102
PID 3332 wrote to memory of 1656	3332	Fbqefhpm.exe	102
PID 3332 wrote to memory of 1656	3332	Fbqefhpm.exe	102
PID 1656 wrote to memory of 3080	1656	Fjhmgeao.exe	103
PID 1656 wrote to memory of 3080	1656	Fjhmgeao.exe	103
PID 1656 wrote to memory of 3080	1656	Fjhmgeao.exe	103
PID 3080 wrote to memory of 3552	3080	Gcpapkgp.exe	104
PID 3080 wrote to memory of 3552	3080	Gcpapkgp.exe	104
PID 3080 wrote to memory of 3552	3080	Gcpapkgp.exe	104
PID 3552 wrote to memory of 1316	3552	Gfnnlffc.exe	105
PID 3552 wrote to memory of 1316	3552	Gfnnlffc.exe	105
PID 3552 wrote to memory of 1316	3552	Gfnnlffc.exe	105
PID 1316 wrote to memory of 3776	1316	Gimjhafg.exe	106

C:\Users\Admin\AppData\Local\Temp\438c2cfd64e5823c99e9215b4bb2f76bbb3397fdc85aa8032cfdbdfcaa310a94.exe
"C:\Users\Admin\AppData\Local\Temp\438c2cfd64e5823c99e9215b4bb2f76bbb3397fdc85aa8032cfdbdfcaa310a94.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\SysWOW64\Ejjqeg32.exe
  C:\Windows\system32\Ejjqeg32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SysWOW64\Eqciba32.exe
    C:\Windows\system32\Eqciba32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\SysWOW64\Efpajh32.exe
      C:\Windows\system32\Efpajh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        24⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        25⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        27⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        29⤵
        Executes dropped EXE
        
        PID:264
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        31⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        32⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        37⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        39⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        49⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        53⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        56⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        58⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        61⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        62⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        67⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        68⤵
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        70⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        71⤵
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        72⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        73⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        75⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3380
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        78⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        80⤵
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        82⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        83⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        85⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        86⤵
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        88⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        89⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        90⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        91⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        92⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        94⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        95⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        96⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        99⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        100⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        101⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        102⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        103⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        104⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        105⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        106⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        112⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        116⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        117⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        118⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        120⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        122⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        124⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        126⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        128⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        129⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        136⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        137⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        138⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        140⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        141⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        144⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        145⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        146⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6528
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        148⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        154⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        156⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        158⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        159⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        160⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        161⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        163⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        164⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        165⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        172⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6736 -s 400
        173⤵
        Program crash
        
        PID:6916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 6736 -ip 6736
1⤵
PID:6888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Efpajh32.exe

Filesize
60KB

MD5
b74237b6a5640d19080b8fda1aeb0617

SHA1
b919b56d39782fc8f58a2bd9ecae5cbe0dda70ea

SHA256
c3330303ba8039cefad90dfd8315e0570f0c83a9c674a5e37c43a3d68f45cffa

SHA512
6035cc915d9d6498c8c2edac1a8dc659179c62d7692f38eabdf15463c0de73cd2a66939ddaaf782f70543c6682d8e3a71e135cb8ef866e522d463524bbe49d9d

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
60KB

MD5
fc6474c0e62b21701a32311a17df3765

SHA1
6db5f70dbfd90a9d4a50525336ff3ee04d0dcfa8

SHA256
d25dcbc391a451b3f7e5bd4bf31f9dc1ebac1c71930eae3fd724451502aed60f

SHA512
ba90c01ffc77a514defb029cbce46f8fa1bf1e00c2ffc2da8a53569c4594b5c263dd170558fbe1e8aa2b647c7e91f03fdf56fb14de36ce66f78048774e2694e9

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
60KB

MD5
1cbcee9693b87d7c42b3b4fcac821c86

SHA1
0aad3e23668ddfaab93003ed0bdb03f216d32024

SHA256
bd36f53072fcf310d90e78309bd5b4e3bd743d9fe75f253d94e3bf5a8c0d5472

SHA512
35b2ac9691a9995ba14c3d9b501be09e77c2a04646ea4fff6f41a31a2dc024f7a169c0470ceade6077f18ad777548bd858e977609666221fa85d8976113b5aba

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
60KB

MD5
59c040167c4f794951ba55432d1aba32

SHA1
3cccd8e35af2382c16f5f1ab45ad55a4f199239d

SHA256
018c6505882cbf121e5fa92542348565260143362062efe1298ac9f147cff235

SHA512
446f997a1ed2e2f98ce5a46a80ed19d881ddb54cd1f7cc5b3e7104f41a6943ef7d0e517c25d421ce6b6e8444e462722379ebcbae25860d40e98e6ccd7eede6f3

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
60KB

MD5
7adae118bd65e2c208f15bd9bd9c9f93

SHA1
2f1855ee9051d34d89687e03c7cdef0e68c9c8c3

SHA256
639077cfb78c91e2f3782e2b90f77c1f3dd1df32dc8e6dfefce2e7c85c4b9d9c

SHA512
698ed8325d1ec69d257a6b856d157b56b80c8859cd11f02ff756f32879b676e16b9a0951b98e552ebc3f557fecd0ff8a3999a630d8cacaa3c8713a84f42a95db

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
60KB

MD5
ffbb1885abd7904dc85efa527fd854de

SHA1
b7f0830609ea87874f5e8308fc03a31640294e55

SHA256
7823ddcd2425850b4321c5c863fe12b227ec55a1a2052f721abef76d0c4d202d

SHA512
d278c1a84945e221411f81b32a9a9a2719e3b42c8630b2d2620c24f33962d6e802f94e7e2f07688a9394dcb121a5aed8a920e2c382b8aa858456446fd43d1ae3

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
60KB

MD5
6e884d2e273cdd89d5b2df4adb714f27

SHA1
2b9e837c629159d608d3d2cbd41db9e12e97b039

SHA256
9c809e45fdd0fb581878da1af959aaab086113bf89310544ed3df6d53e603e12

SHA512
2c7228fa856c899228498b8c44a868d986be6ea48a21bb690e1299bfdddba7e5b8107b154fc1641241a5b50891ad729ac1a1d0a5e3d46c9f2fb46135d5245a77

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
60KB

MD5
159a400526382a0ead7d526c4e08130c

SHA1
530954a8f21a421dfeaa221e025f33c6a57046c4

SHA256
3e3a6a332f5d8c24006261602572210cb264b2372288d03a4d14f2015a40a14d

SHA512
a73168159662b42a94f9a54817b42a003a6a787a3ad9de50694f4fb408268dfb202c60dafddd90facfb5788a89cf77f620de65c7273b7438a03a83fec94b5e59

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
60KB

MD5
7f3101b5b7b9ff450a9b9a43e33056d4

SHA1
d3b6407a6db157ed410057e149be9f36591f77e4

SHA256
ec9fa48c8bd18422199e9fdfd0ad145f1c5380723eb137d38c08995ce9135262

SHA512
07b2e5384332003aef7ec7f912c12adf62e3be87e28a8599520226303391b8b813361ca91551dd2c032eae2ac0c6e5f9ea8a7604d77213068e58e6533ef7f268

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
60KB

MD5
b9765e606543d687f30f6e97ea39d887

SHA1
2380d635e627f4c953536b033e30f827c06cdbfe

SHA256
af8cbc7fd84858cd828110c34ee0705933445e94e02c78efb655b040cfb407f2

SHA512
0d9445629a3260e6855215ab0ed34d5bea5cd9f1abfabd8c170cf99ddb12592fcf9e831af51ecf5b0207d1c6d630861d98a59b4ed79222b5d7747744386edcc0

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
60KB

MD5
fb68be51581ea1915fe61e83aac02c0c

SHA1
52a8f0085c4fdfc7c766e0bd959d2cb369b89494

SHA256
d2c0e9c1e6a105a8bbf48e1ed26fcb4d5faf40a84e92f28b09727e918df41497

SHA512
07246fee4d26fedb7fa232669aab90b8acddfd4234255b5f9841963f5b9c0e5b666b7988be19b70299d0d22d445a9099279d98697ed0c1234cf0a1f9eff8fb59

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
60KB

MD5
10bde85ab0b9f2bc9162a8fa9c384749

SHA1
72ccec378726b4a4c5c1e70b97b46634fc54d36a

SHA256
514139e63ab2efeea60b6a1b1c98fb92e00df6b9c1e3e3abd606c1d32b36fb0c

SHA512
cf489eb20ec0a9589780c723aac60b9c93efc741e3b8227fa0ecf0b14b8bf41623b73a88aea1d6b4685ff52164a07897493bc836c977f31cc1f7846948ecfcea

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
60KB

MD5
55acd5f5a2ad9280890bbc51146464d5

SHA1
3d87ddd48ec7db16d60d2a4db264a9582de8d2b9

SHA256
c37ef4f51a6ea334ed96b199c2f73505f4aef36bfeaa5250f2d6e785df800a76

SHA512
6cfd2577602c1ea79440aff8cb5a7fb902aef9f29064aa56cdf2684ac7c39def5a92f0d7dae03b8b648e65f08bffb7818928e262a14106fa2648a0c76e2535fd

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
60KB

MD5
192d80b58b891628bccfad7d4d774304

SHA1
81d105e9f6950fc56fc70c730665b6abb1acc9b3

SHA256
a6fb7e76e225679658ecb870d07111a8ce00d79bee95da7aaaa2ac10ffa874d2

SHA512
6009f94047fad3f4216649fa8ea4090462302a8b80a05f2ca7d881aa2f0966775ec4ed1a27a3305ebac52bbe80ebadd00d2d325f266d59b512f4ce865995a72d

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
60KB

MD5
b61dd49e0b1f432b5bd17893f434a92e

SHA1
4f43545ac93f2ac03f13ed62487d0d6b9173e23b

SHA256
133a0779b60e8570fa7bb3c633bdae0fe6a6b4d8afc9622bb469e1ae57d8042f

SHA512
bded4e0cc9d10d5dd6c0cd54d2a915e25006831cd1bcdd19fb0e1f22f224188f4bba69f52827a771fb3ecb9d23e07f65f62e40633fcdfa8ced58f7e86ef6061c

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
60KB

MD5
1f8e7ed940b7fa4050d6b644dc5a41b2

SHA1
cf82d7a49f0b4b1ca2c1a073a4e7619032a211ac

SHA256
4b84814bc12a0f57cdd84c337d3f890db583a55baef02623a95134ff903d31a3

SHA512
937a42abfe3959ec61b952bf3ff042362002d5efbd012a3d4edcb5f0c86463097f244d534c69ab5e2c6a77675dffd722cd320e2778769f9d4331880745574338

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
60KB

MD5
ca8231ab622313eec0021911733d70e9

SHA1
e9c64fc73274dd0edecea91dc71e3058ebde21e0

SHA256
c1001d68479427186bf6abe19bb6160aaa41b6614b0b4a3c255cff311b5d8b1b

SHA512
e6056331e680afa5e73280ca42ba52a6c6af49853f48f2ca71fdfb7e9d1e4e93ef1e2b6f8e22b168acd68f2ced1b0937039b7ee2f76b947367f226a7f3f73e25

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
60KB

MD5
b10d14c1622bfe7faf22a3ebb9da4d90

SHA1
b6251f92221d2824d79d6e131a0a8cbc3f9207e7

SHA256
eafd491bd5b990e50ba8d31901a60f3a47ea1861d1938bf6f9f3ffe8e587ce6c

SHA512
fb7d2b48d270a45f969af5b92030fa8dd076b78df8caac2e527a8fa7d921806d65706934329f21936e71418bf39e3a971ddf55c1cd7359f11f5688bb39b22054

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
60KB

MD5
085171fc4477a4b930cbdd2d3dfdcdf8

SHA1
f852d128d8e2892543174591e39bbbafca5696e8

SHA256
3a1a359360eeb2c66673c2d520660221444cae881da31de0de4d9e578d7dd746

SHA512
92b14884ccf77e7b0d3d3b4cb4a06dcba9f6f1641e4ae9c409d41af067f2292b3f254ff400b27416135db6c0ab4e763f63b1025135684f79f5e0c9e66a6bb28f

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
60KB

MD5
ea9bc81f8ae3f55fdb42b3e70003e178

SHA1
9a58d4711ad90a00a2ab3868caae138c4ad96c41

SHA256
8d3208defa8b0f11ab294fef31fa57dd09bcdc42ad7a604d8b87727c12f5890b

SHA512
4a0171bbac02956fab015c6071bf625afb7237cb105de3e08a97fc95a06bdd8cd7458e10d60d3f77ada66de3c750f61f271bac38c5ac2d8fd042a09e17173399

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
60KB

MD5
85d969d35d12dc00ebddaa200b821673

SHA1
1e2f066df5d44fec6383cf8b9b922c31a00fef03

SHA256
e2d30dd1016a078e550db832272a7a606520c914af23a9ffd13588fa36854c4b

SHA512
f10fd2a18b5a0b3a2f14619e333213cdd6aa9944a91bea18fada0c0bb7b1583733467465db7d96339299adaff881188f3d2d8f23c8467397f42b339c3393dd6e

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
60KB

MD5
233215df870067f081074db814bd254a

SHA1
8328bad05b05bf4b7f383704e16c25a8dd7ac377

SHA256
b3859f20ac784aa72faacfba9ec4b0a953bc88bca1f68b8ce812e5027b258e9d

SHA512
d3b2dfdced04382c0233fb5e8a6eb95452722beb7302c006e27b3cda660c6910c6a977e37eea1cb66fd721acf33bfa657fdc339c3a3e426edf71cfa74bdd56f8

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
60KB

MD5
d050c4e71c6558c699b79fcb71680e0b

SHA1
88b2a519902ddf87c608be4f5d92d7ca7d617750

SHA256
74f01ab536c36bbb1959f0ce94d70317439846d513f7f25465818675bd31dbb2

SHA512
5d2033c6a453ea190bf995440a31b726dcb95d3abc3fff6422ea5ac349de25061bc6172e9e3f4bb9202c0ea0a53568c11d7e98fe8c4bb56b83bcf6993a870c77

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
60KB

MD5
ca9ee5184e737881df8b1d3e4d91376d

SHA1
944e3da4ccbb3e79696f27665ad874894945b94c

SHA256
825569b72a3c3dad223f372f92fb9bfae9d1620ef2be61b5e07ee13061b6718d

SHA512
5bb74e04371b56b7a8c48598fe96e4b60ed8177cd5b42f49f5f4c2a6a5f6b8964f9714e3cc7b190425f30460d281c08061e5c393cbd94841bf1ec7d6189ba439

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
60KB

MD5
c589c67f54249afe9803bf061b85166c

SHA1
d9e7332e8f1dbf352f5f1b183f90af71af681c1f

SHA256
934b71d83c524b23cd7613e4f08f206b59db690e0d605d5e0caf5f87d2cf154d

SHA512
1eed52bb3850b72135c41233eb19cac99ff471804a9255f955c6a3cc5d15dc63ddcc2acc4bd231f2fd4f1af8d21e41145d217a3769b3e9e6b79722d4fe19af58

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
60KB

MD5
49cdb2899baad0653c2d173b1dddac74

SHA1
ae176da22b59402e2378833f33e7c735b7f33548

SHA256
e227cfd890dc3bf9eeddfb9a1de823dc4242153505e611cc8718d3cdbdfd7d4b

SHA512
673504b97b64bd7880dbbb1337eadad68b4731399bf8989aeb8323117fc24268666f597ebf52398d7bd7bea76b9815dc61fb24432ed3f0550a0c0475d89e762b

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
60KB

MD5
4252fcde32848a0b21997c49d962f6df

SHA1
636768e744082a8814ab80b71b57c7497cd8b32d

SHA256
c2efb56b09440ea360d82f845a3edb96b4fc1d01fd0002778bb17338269717c5

SHA512
30313e1334e6a3639c1c176d199006495509ae9e593962a3a719d47fc2c0dedbea4365c54c593d1f9c71e8ea40b6b68a665f6b8d0447abddd9d46c177419076e

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
60KB

MD5
a65694e82e95018102f8c805cf51afad

SHA1
34be6419c0866a808e3e73fd40118f19b4dc425c

SHA256
d9406fe9bf272a85de834956be10acad74ccd8cd3f2a1567f003b4df21ad171a

SHA512
bdb1ae3823aa08b8ddecc3c05893bb39b502d516287b08a3a720d27d624cf80618578e28c530ab716278e95b03439ce1bb8debca89eb24dbd554809fa2d30383

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
60KB

MD5
8de3ceb972a713deb6959ed61358d430

SHA1
83c11641a8e24811bb3ab56205dc8eaa77ab4d01

SHA256
cc5815fbaca140e64005db3b127de2559ef17e91c7a6686cc3372b19fedc0139

SHA512
5245013d1e74fc370962def5f29e5c26e716ec92786bd8f28f825d2ed88010eadcab3530bf5ac184df551bd67ca4953420fc80dfb5a0ca5e8b0699f1b29dc362

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
60KB

MD5
5db6482952bf7213837c751904f1540e

SHA1
1a1479d968f472b3958bbe0967a28bdba73fd495

SHA256
7ee76ce93f4267f795f3c409401e9927e8e0b1ca9943d89983e91dd31d66c3b4

SHA512
702fbabce936cfd476eba84a51c4a1fee4d0d536723b0b7f78d260328bd137fc6e58bc729fa0aeb2b6f93531f94e7d138dedc97b9f14791a997f7bbb1d0f416d

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
60KB

MD5
cb93b4da9cc02749adebcd2e7443a2d3

SHA1
e0045036e05302e7e7a994c608e4d3e03a7a74d9

SHA256
eb16c8362f2a7b28a1a8eda168e6bcc8dc27ad0cb29dde00d53a3e4a7313b57f

SHA512
fee0e7a16d236a53756043a91995ad84e7b6b54db2c2bf19b60e53198cfb35e0dea76eabc4c431ea67a8ebf21ee388c5adbb0d98bd737ef1d164bc91f518a8c7

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
60KB

MD5
22e7e30392a629f84b7af2b51b3274b5

SHA1
0820653f87f07e60a4a37bc67be33d882e438367

SHA256
5867eaa202c900af90fce22787b641e4072e8621dff41174671ddec18b5b0395

SHA512
8bf142c35ee5da3aa1c04eaa94dc0b8026201fc3f7b755197ab338f0c65c2a4d9b33d112fbdadc7e90c87d7c906ac3327a50e80df1952459288b36a3bcefd5d4

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
60KB

MD5
4486f94e6c8769fd1037be88e57c13f4

SHA1
5c4b68e7ec188d7f75bf19c53e3da73b25ea7ebf

SHA256
0d83eacfff6507b8a4169bea57b2d9395babd46b6ef84217b91bed80c5f5fec2

SHA512
26873ef856a102af814e1f518c19c2b1e13c8cd709d7c9cfd24ea498d4c82459b5f40bf18aa89b4e304febc10efb85349f45479d78aa661ba932020e436cec24

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
60KB

MD5
c09eaea96352897041e4854b0bd8a3bb

SHA1
ed6636f4a1c86337dc9c459ccf6523b1dc028dc0

SHA256
d870b5b90354dd7bb2a4f72d0de53c5ed42e7264b32822cf6e390035e28d8aca

SHA512
46a4df5217122c5f442d2d74d181a733d241f8908e4ac0b18aaf9ce6412111c0905a4c3fd9460ead39b8c3835b8d334ea1bff22a841dd24e5f674c8e5499380a

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
60KB

MD5
f3ada538f28660077b39b339bbd1dccf

SHA1
8a8f5a86d1b0976d90fb08d0364c6aa9513adcf2

SHA256
db19d7fc45a48c3074f250ae3a50218bfe96c55ee02ca7376e91bf90a22f6de6

SHA512
8a654a319414f8bbc31eb25106c97253bde7b9714cf651747c9a19fa923cb09496b9b6de825b93d07e87d2ed2bd5a0f633e008edf5ef593df8dda145b212c4c8

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
60KB

MD5
eea7f92f54026f3a97821e845d3da204

SHA1
dc97fd54993b10f5a13240e98fa22d0c9263c6d9

SHA256
ccd7b9960f39ab18991ba023bf7a3aa87f5d7b419b16cbaa1ab74949a9530181

SHA512
84a7d52ce839cbf6cc8e9953e7bf121d592e911e2c6138f47c482b6c00e6f11f26fd67e2a2c789887a19d1e2511b334666e34611bc464f433cf7b87311d026e8

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
60KB

MD5
af7e857a0d6b4e6509d5314fa9b2413d

SHA1
0feb2d5e475a48690a140eead91e2857f7115689

SHA256
99d566fa900ae2210631300d070e02e1a3fc53f6ce76a452c3d5a9b3f95ec854

SHA512
0e5f53b0a63ac9dd3b596826ff9c23f539105af1ca51970c26548d6edc590635934d442c0f279ef92d18d1896435ffc3cd68fc1994517f9f520c172501a44ed8

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
60KB

MD5
b8f93ed23104af91a5e530f4f26d6669

SHA1
c570cb7018310c174c8da4ad8b56ad2cd03369fa

SHA256
413200aa912a9c80c3e21bde6ec0500b69892390d1d4c88910fe3ff9eb5f5574

SHA512
fd99c9d33769bf10f71af710a0d8b8d068417d3005cce451c5a4ef89baa51c29e2b64e923dc4ef196c7988c68080bb682915bb27dbb78c3825df1b3f53bf7066

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
60KB

MD5
594a62e432219041ef14af76716c9e35

SHA1
2093b8b492ddb03f440cd0b19e8c93ad611b90c5

SHA256
380ee3485345306a16376674bc0cc8d47243fa64feb833de1a4138316f6499a3

SHA512
89d158e7c8e2bf69949a60cd726ecc0b37c877918244be6d57ec70cae58fa1d8c5055b3c7fbf123e2d59df208ecca9dbebc94d5ed3ee253d036b6a6c9c145b83

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
60KB

MD5
7f33f8875b3f3b584ac7ca918d442689

SHA1
12e0020dfd58d12a6229e0bf6f8d62916c12918d

SHA256
1111ae31b123fde77c1e4cce63512d42461dc66f22d2d53746715dd96a350cca

SHA512
f6c7001899ab4f3e12f87aec844b8ad0895bb0abb6ed7627c63fb6aa713f16115348ec1bec98a6fe3dca220c7cd89092c2f9184a1871e7e3abe2dc31282e3518

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
60KB

MD5
c991d4c02fa6a2f4ab033240b8a999bf

SHA1
fca3c3dc5430fac12e97a32f534053e8ef4a6bd3

SHA256
abf3df20859bcb8e51d906fc9839b2d6571c73ac9b5ffaa93feb3ff066551975

SHA512
fdebb869dc6ff3b6ff35a6078039baa0aa9c4cc4a4a38b85c88a0c956a29e511edc0f194166bd90987e267ff0fba11b02eea2c38c530e3e3c9163e27cef4ffd0

Download Submit
memory/264-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/372-475-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/372-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1016-465-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1316-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1316-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1460-451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1464-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1464-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1536-362-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1536-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1540-491-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1564-214-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1564-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1620-458-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1620-519-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1652-343-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1656-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2036-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2072-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2072-516-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2096-147-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2096-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-482-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-495-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2340-494-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2496-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2592-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2592-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2656-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2916-53-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3080-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3084-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3084-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3124-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3124-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3164-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3164-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3172-381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3172-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3184-178-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3324-94-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3324-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3332-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3332-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3540-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3540-169-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3552-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3584-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3584-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3616-507-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3632-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3776-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3796-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3796-209-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3832-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3832-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3884-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3884-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3892-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3896-445-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3912-417-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3912-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4176-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4176-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4216-438-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4304-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4468-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4468-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4484-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4484-213-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4532-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4532-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4552-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4552-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-3-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/4632-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4708-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4768-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4768-349-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4796-437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4796-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4876-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5044-74-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6596-1101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/6852-1130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads