f80f12d5d75993144b9bec8df60091b94381ad8a4203eb604f944c3d4c5d93fc

Analysis

max time kernel
138s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f80f12d5d75993144b9bec8df60091b94381ad8a4203eb604f944c3d4c5d93fc.exe
Size

91KB
MD5

40544840d159ff9600c9495db7cda2cc
SHA1

7e9a1ef7367255cf48a2d5cdbfe55a9a903560be
SHA256

f80f12d5d75993144b9bec8df60091b94381ad8a4203eb604f944c3d4c5d93fc
SHA512

a9adf69b7ca4d0468c7604c750187ded5db1af6704574aa8cbe6038ce79885bc130357aac61742458bfe320b655b5279debbe9d87c8c57afa2cb06a43a7e75db
SSDEEP

1536:U78vjIUL3xe0anK5rztCflLBsLnVLdGUHyNwtN4/nLLVaBlEaaaaaadhXd45J:ne0aIz0flLBsLnVUUHyNwtN4/nEBlMdQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f80f12d5d75993144b9bec8df60091b94381ad8a4203eb604f944c3d4c5d93fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe

Executes dropped EXE 64 IoCs

pid	Process
3284	Fmmfmbhn.exe
2516	Fokbim32.exe
2612	Fbioei32.exe
884	Fjqgff32.exe
1020	Ficgacna.exe
4364	Fomonm32.exe
2504	Fjcclf32.exe
4636	Fmapha32.exe
888	Fckhdk32.exe
3452	Ffjdqg32.exe
1644	Fihqmb32.exe
1136	Fcnejk32.exe
4216	Fbqefhpm.exe
2764	Fijmbb32.exe
1372	Fqaeco32.exe
4876	Gcpapkgp.exe
2700	Gjjjle32.exe
780	Gmhfhp32.exe
3580	Gogbdl32.exe
2148	Gbenqg32.exe
3524	Gjlfbd32.exe
4336	Gqfooodg.exe
2252	Gcekkjcj.exe
5052	Gfcgge32.exe
3416	Gmmocpjk.exe
3692	Gcggpj32.exe
5000	Gfedle32.exe
2332	Gidphq32.exe
4368	Gqkhjn32.exe
2820	Gpnhekgl.exe
452	Gbldaffp.exe
4476	Gjclbc32.exe
2396	Gifmnpnl.exe
4256	Gameonno.exe
4984	Gppekj32.exe
1672	Hpbaqj32.exe
928	Hcnnaikp.exe
4480	Hbanme32.exe
2144	Hjhfnccl.exe
3712	Habnjm32.exe
4500	Hpenfjad.exe
4128	Hbckbepg.exe
4904	Hfofbd32.exe
448	Himcoo32.exe
412	Hadkpm32.exe
4416	Hccglh32.exe
3296	Hbeghene.exe
3460	Hfachc32.exe
3912	Hippdo32.exe
556	Hmklen32.exe
4960	Hcedaheh.exe
1616	Hfcpncdk.exe
5068	Hjolnb32.exe
4228	Hibljoco.exe
3572	Ipldfi32.exe
4832	Icgqggce.exe
5044	Iidipnal.exe
3056	Impepm32.exe
4940	Ipnalhii.exe
3748	Icjmmg32.exe
1140	Ijdeiaio.exe
4684	Imbaemhc.exe
2760	Ipqnahgf.exe
4220	Ibojncfj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ficgacna.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7024	6852	WerFault.exe	268

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 3284	4504	f80f12d5d75993144b9bec8df60091b94381ad8a4203eb604f944c3d4c5d93fc.exe	83
PID 4504 wrote to memory of 3284	4504	f80f12d5d75993144b9bec8df60091b94381ad8a4203eb604f944c3d4c5d93fc.exe	83
PID 4504 wrote to memory of 3284	4504	f80f12d5d75993144b9bec8df60091b94381ad8a4203eb604f944c3d4c5d93fc.exe	83
PID 3284 wrote to memory of 2516	3284	Fmmfmbhn.exe	84
PID 3284 wrote to memory of 2516	3284	Fmmfmbhn.exe	84
PID 3284 wrote to memory of 2516	3284	Fmmfmbhn.exe	84
PID 2516 wrote to memory of 2612	2516	Fokbim32.exe	85
PID 2516 wrote to memory of 2612	2516	Fokbim32.exe	85
PID 2516 wrote to memory of 2612	2516	Fokbim32.exe	85
PID 2612 wrote to memory of 884	2612	Fbioei32.exe	86
PID 2612 wrote to memory of 884	2612	Fbioei32.exe	86
PID 2612 wrote to memory of 884	2612	Fbioei32.exe	86
PID 884 wrote to memory of 1020	884	Fjqgff32.exe	87
PID 884 wrote to memory of 1020	884	Fjqgff32.exe	87
PID 884 wrote to memory of 1020	884	Fjqgff32.exe	87
PID 1020 wrote to memory of 4364	1020	Ficgacna.exe	88
PID 1020 wrote to memory of 4364	1020	Ficgacna.exe	88
PID 1020 wrote to memory of 4364	1020	Ficgacna.exe	88
PID 4364 wrote to memory of 2504	4364	Fomonm32.exe	89
PID 4364 wrote to memory of 2504	4364	Fomonm32.exe	89
PID 4364 wrote to memory of 2504	4364	Fomonm32.exe	89
PID 2504 wrote to memory of 4636	2504	Fjcclf32.exe	90
PID 2504 wrote to memory of 4636	2504	Fjcclf32.exe	90
PID 2504 wrote to memory of 4636	2504	Fjcclf32.exe	90
PID 4636 wrote to memory of 888	4636	Fmapha32.exe	91
PID 4636 wrote to memory of 888	4636	Fmapha32.exe	91
PID 4636 wrote to memory of 888	4636	Fmapha32.exe	91
PID 888 wrote to memory of 3452	888	Fckhdk32.exe	92
PID 888 wrote to memory of 3452	888	Fckhdk32.exe	92
PID 888 wrote to memory of 3452	888	Fckhdk32.exe	92
PID 3452 wrote to memory of 1644	3452	Ffjdqg32.exe	93
PID 3452 wrote to memory of 1644	3452	Ffjdqg32.exe	93
PID 3452 wrote to memory of 1644	3452	Ffjdqg32.exe	93
PID 1644 wrote to memory of 1136	1644	Fihqmb32.exe	94
PID 1644 wrote to memory of 1136	1644	Fihqmb32.exe	94
PID 1644 wrote to memory of 1136	1644	Fihqmb32.exe	94
PID 1136 wrote to memory of 4216	1136	Fcnejk32.exe	96
PID 1136 wrote to memory of 4216	1136	Fcnejk32.exe	96
PID 1136 wrote to memory of 4216	1136	Fcnejk32.exe	96
PID 4216 wrote to memory of 2764	4216	Fbqefhpm.exe	97
PID 4216 wrote to memory of 2764	4216	Fbqefhpm.exe	97
PID 4216 wrote to memory of 2764	4216	Fbqefhpm.exe	97
PID 2764 wrote to memory of 1372	2764	Fijmbb32.exe	98
PID 2764 wrote to memory of 1372	2764	Fijmbb32.exe	98
PID 2764 wrote to memory of 1372	2764	Fijmbb32.exe	98
PID 1372 wrote to memory of 4876	1372	Fqaeco32.exe	99
PID 1372 wrote to memory of 4876	1372	Fqaeco32.exe	99
PID 1372 wrote to memory of 4876	1372	Fqaeco32.exe	99
PID 4876 wrote to memory of 2700	4876	Gcpapkgp.exe	100
PID 4876 wrote to memory of 2700	4876	Gcpapkgp.exe	100
PID 4876 wrote to memory of 2700	4876	Gcpapkgp.exe	100
PID 2700 wrote to memory of 780	2700	Gjjjle32.exe	101
PID 2700 wrote to memory of 780	2700	Gjjjle32.exe	101
PID 2700 wrote to memory of 780	2700	Gjjjle32.exe	101
PID 780 wrote to memory of 3580	780	Gmhfhp32.exe	102
PID 780 wrote to memory of 3580	780	Gmhfhp32.exe	102
PID 780 wrote to memory of 3580	780	Gmhfhp32.exe	102
PID 3580 wrote to memory of 2148	3580	Gogbdl32.exe	103
PID 3580 wrote to memory of 2148	3580	Gogbdl32.exe	103
PID 3580 wrote to memory of 2148	3580	Gogbdl32.exe	103
PID 2148 wrote to memory of 3524	2148	Gbenqg32.exe	104
PID 2148 wrote to memory of 3524	2148	Gbenqg32.exe	104
PID 2148 wrote to memory of 3524	2148	Gbenqg32.exe	104
PID 3524 wrote to memory of 4336	3524	Gjlfbd32.exe	105

C:\Users\Admin\AppData\Local\Temp\f80f12d5d75993144b9bec8df60091b94381ad8a4203eb604f944c3d4c5d93fc.exe
"C:\Users\Admin\AppData\Local\Temp\f80f12d5d75993144b9bec8df60091b94381ad8a4203eb604f944c3d4c5d93fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\Fmmfmbhn.exe
  C:\Windows\system32\Fmmfmbhn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\Fokbim32.exe
    C:\Windows\system32\Fokbim32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\Fbioei32.exe
      C:\Windows\system32\Fbioei32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        23⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        24⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        27⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        28⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        31⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        33⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        35⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        39⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        50⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        55⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        57⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        66⤵
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        67⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        69⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        70⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        74⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2624
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        76⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        77⤵
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        78⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        79⤵
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        82⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        83⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        84⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        86⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1260
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        89⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        91⤵
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        92⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:872
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        94⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        96⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        97⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        100⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        102⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        104⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        106⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        107⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        110⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        112⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        114⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        116⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        117⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        118⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        119⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        123⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        124⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        127⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        130⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        132⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        133⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        134⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        135⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        136⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        137⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        140⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        142⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        143⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        144⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        145⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        146⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        147⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        148⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        149⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        152⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        153⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        155⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6580
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        157⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        158⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        160⤵
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        161⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        164⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        167⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        168⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7140
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        171⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        173⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        174⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        175⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        176⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6708
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        179⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        180⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6852 -s 400
        181⤵
        Program crash
        
        PID:7024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6852 -ip 6852
1⤵
PID:6956

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6580

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbioei32.exe

Filesize
91KB

MD5
73afda7e3322244a5205190f302a375e

SHA1
39facc62620e63411a55f5c1e1a0b992574ea04c

SHA256
093b809483b1a70b80fc8eced7eb3b0cbae7a531a98674ae7db334c00c04fe7e

SHA512
31a08d00357f46b2a510a04d4827e47b810d44645fa935374092ddf3e5199628f47ae63b30c960a5d0707c5568b2bb93ec381b7c12fe4daeaadaba14f667bff5

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
91KB

MD5
8bbac4d5e0917f938cc3449960159819

SHA1
76e971e9b3173fbd64a62dcfe3cc4b8e65d9abdb

SHA256
4d05455cdd843925ddf2f1659bf5704d4e88694a348d678f3494d0f39252e6c5

SHA512
581df3b1f355059c2c29b00886ac4bcad27dd0d80643981d9ea8a24d47e6eb94b65227789d8b6fcfbf3f96309ec549ef175b0b81d63d49f984aa626defd1d4b1

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
91KB

MD5
94a7d082f57e6b3559a0b604cd226cbb

SHA1
0c8869d836d4e28efdeccd7b0e4d80c85cf6d75e

SHA256
dc1e37a807932d1ab2836ae160362572b775b7d6573584f2ebcc03f5c4a11279

SHA512
d2c1f817ec960db4a1e8e4adcd198b81e0ae8f594538303e1a21091077cb7936993414bf0d960e912bdb6c4631f5140a28896490fe9a59fd9674bc9f1556f925

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
91KB

MD5
5cc5d35930360a9296aaa9a0602f3bac

SHA1
5c10e9719dcf8759694a57d2b99247ed6842b5e4

SHA256
81f6503d3ff8d5b9711cb0fca8d6556bfec33562acc2dcae9df388f44cb8020e

SHA512
e86904dbf5fef62471aad099f364d3d2767d5c1b340ac8a79cb06b78c5c0c812f65d324f6735b66b257bb6e473322477945aadce2e593ccf2865ed2607e177d5

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
91KB

MD5
cc6c1a96316124e49c62b1108fa078b0

SHA1
f0f94c3f203627f889c016d8d5d317e79d9cf1f5

SHA256
fe8e307307ce4d8b6b1cef583b5e4c2490907388b26acf19b76930cca30f6916

SHA512
91ce26a8ebc6356b0e9a885ded9ebedf9f0289075cee8c8ba3311578cebc235e2d0513ca049e39d8f2b724d9fbec50bbff6f230e826cca62b5189489c18691fe

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
91KB

MD5
8b747875f5f23bd39dec61af36cc9c45

SHA1
511ccfb1a51e5a0f5aca29dc8ee49b5932424782

SHA256
1dd5f70519b1a33d945c3920beb77af4aaef2d70f38614267d0debd12c6b0e92

SHA512
4e6b901b4b599beab0b2b0aed4fe9d21b32c38377adb9bb945e9382d849cf9d0ee7a853651c50e2bcdbb39e1485e1d22215bd2e686143773bb41b0312f8383a1

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
91KB

MD5
e3ae2d38d935c74a1cef913f8bc07ab6

SHA1
095e008bc925bc753354677dcc57c8af442755dc

SHA256
cf6f82f3e28eb3de2868c5b2eef74570628cddb54ffa42d5ac8ab6bd019089a6

SHA512
06d8a7fb73deb8faaadd9fb6f5462d324142de10c2fe5f4f02a2db9470b3535d227bab19a78ed48cdb59b97534eb6e83201f2dd260c705afbf86cf5129aa7891

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
91KB

MD5
a99106706fc85aba1f16b0297bb9fc04

SHA1
3c586b697d63177ab3d507edf28cb88011199eff

SHA256
ff84cfd7a34111affc212f4692e504d8a5db3ef122efb3a02245a2253e0ca2f2

SHA512
4f1be0c36f6ae9641fff71023664a26d3758db0f1cd20d1bacff07e877ae705a7600542b04656ce979eb045f4f7831c54c379df190eef15928516664cd19b6fc

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
91KB

MD5
89ed782be4797723186a73da105ce031

SHA1
4c568df499c5a9ee2e9e5143f3e151d3ae618798

SHA256
43d9b34b22946db44350cc5913cb2cf644bd2c9ce579e308fc5313187f46614b

SHA512
8a50d916b1e48088160b144b64cfbbce3af5cd4aa59cee8d35eea8446470e67809415c75a63d2a4e0a37db6ec3a3c7388626b1f00fdf8f450dac8dc71c89c6a0

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
91KB

MD5
32059865bc8b5150965517afa5818ba5

SHA1
b85d8c6b6160a5eb6c146cc508079aee48434690

SHA256
8abfb1d0ee322dba1f2929952e3c7eaf4c2e98084ab1e8a8287c6ad0768eee8c

SHA512
a3d7c1f58b66ce77401513b1e1708192dc6f8c4ce29f229bfdaca97a31a14127359ac014b6c8aad025f99130f3e7cdd4e63d7eec4e216b2f284eac30d3e94dad

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
91KB

MD5
da6bd8c5dcf6dd0fe3acc08b154efaf2

SHA1
a9909374a6213fd8eca2cce13db2399a8d0008ec

SHA256
02c8b419d965e9cfdbcf3a8b84ca53f6cb4ba9bf2a52c9a6dabd009e6f1a976e

SHA512
2a95e251ca4182892b9c3a6cf80657c29a36441d65c5751f0e3ec422384fe06fed88608522aa9bb9679aac6137e1f8b5a0dc1209418bbc02b7a96bf0470652f5

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
91KB

MD5
8c2963ea84450d19ae3a28fcffe84bbf

SHA1
172f522d3561657f1eeb805009663ecec935898b

SHA256
29d4fab71aee31214d8348edad531b322c04e68c5b6cf49caafb65408225b3d5

SHA512
48cf441eaeda889f2ded8ef9559fdacfde46c23c0982e7f660324e98cba3a47509dbc85d7c4c5590e57e84c9c868e63e626ffce9835f7b531cc0c60042003a31

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
91KB

MD5
637a3217fe9c93be0f76cfe0ba5c92f9

SHA1
57b3d1da3913539553d1f0b9d96040bedd13e590

SHA256
0fe6795b7a1d861a272b524419496817b00fe20fdd3c6df0b7fb9421c2042033

SHA512
fe261841a89d6957a0da3883e6eadbd120b70640109b4a2fa1372c3a4380b6f1baf783ad187f18b15c604496b3f318f47dc3cdab38ceff78f2d9e5d4271013d3

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
91KB

MD5
85b5c7294d6e44a3351b05e97b21f9ad

SHA1
516469178b4e7cbdc7d26e1fd269155e11f820f9

SHA256
4e883eb7f94af63c023f4b3c4bd895c55f107fe4aaa9b808686a12a87990a6d2

SHA512
8d2a1fe35859dbe6bd751183d9cf2da3c6ab04e64d695a9abfc54366b8cad19a3aa84b14cfc3d43f0c9a03fa3ac31e6db8730bc2fa30f7e84bcd489c168db203

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
91KB

MD5
0da0e7f0ef01547e80176041c55cc6eb

SHA1
342dc3b2d1efac30aac42c28c150a3d8be423eba

SHA256
fd80403488a19eeb39762b09a7e85928de9a582b6b9698d98c526dea0d9ac62f

SHA512
f3ac303baf27b9fca2e86f0711e4527df6cbd1d471313a329cbf72e0dabe01b626a875dd83fa2dc306e61fb8791434698654043d62604299e76c301161f6dfec

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
91KB

MD5
bfac68035a59896138d1224f6ade1823

SHA1
3a9741911a40d57c00e09204491b5b9798af5400

SHA256
4ba68c7ba1eb414b6b919b6fcf4db4e11a214cd7904ed8b60afd1df07f9d9788

SHA512
71c94f6a8d09b8f5605d559f50872d5b6b2519d4712d8c9b15c496294747025d0e66ac0c8db30672c122739a61fb9c469e8d260f43f770977c3510ff03d34c49

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
91KB

MD5
2dc4a09708fe50c45a8b7a76bd6cd6c9

SHA1
6940a442a1b54b1b52001a96fc89485be6e4da9d

SHA256
785eae4ecc37d32e6d4eaf96b7321ccff0fbc35ce4000fe4cd256d9bf24e2d7b

SHA512
ba577c8f7a2ce2581376d1f2af0f038c043b9e3d3fc718f42ff170ef95b9ba046070154ef05cd45964d7fa9085993f8d416dc300d654d8f287e3edbc59b1a6fe

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
91KB

MD5
ac1c970e6b207dd66f7e0fbd31e9de17

SHA1
271d88e0eb693746f93078a4ce327a8c90e92c41

SHA256
f001bac318c1a0fcc704c75ba1d3b9e90e3336d574d3557e27c066ac96a5cdc3

SHA512
c54973c1b6843c99285d1af606a5db998e04cefd2b52b6413dad68eeb5dbe96a27d61ea7c78fcd5751d546655732816507b80017740375bd21938a7c48404939

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
91KB

MD5
85df3a5eb580c8f836e7c13522524bee

SHA1
24fd0f1b1f6489a573bb4a91da7d814e70178acd

SHA256
f84ea38b35f19d4341331850a689d0c33879cdcfc46446bf94f835f13c7b826c

SHA512
c037963a9842ee6bbe4aa65289a85836257a53d9c0e45ba1fc0e10bd29fd939afe7a24ffbf4d4e6c213338b89a60aac9f38bb7bb4727bdb81914efe42d36812b

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
91KB

MD5
343c928fa441f8430146037a90b2b597

SHA1
35330abecf13bf16f643c8aaff39abc085e90054

SHA256
3078ebb688f1cf63f20d74882de4d10be95b6f29dca8f7972ac12aa1b3990853

SHA512
120bd5905df0885ca9d7aa8b41c6ec83ffaa9a9bb34e656455793ca2fb784647099e8e4e70f7255168ed95560b7e29e72b8dffed41b570187f63bbad27a36017

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
91KB

MD5
c9d3304ac5f8d8deb817b46762372717

SHA1
af9d955513f20bf9843dea7310870276bc7b9f8a

SHA256
6b1d972fd13c175d9be7e386db0a807803d655434145955190582cc06fa9fe72

SHA512
e46a2817a8e16a8e6d68191d47e6d57f0bbc9181dd384eb9fbc5c58be70aac48c195d6fc49d90665ea0e64523daabf0c806fa7b6e174994d29dd6d72582b4cf2

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
91KB

MD5
9f8ed2aa9b4432a6e4839b22de80d523

SHA1
87e8d6e6a9455619388c65321bbdf34902499799

SHA256
a68a19080910e46c28861cb122b136fd00758bc7a01516b6baaeffdb7d117e59

SHA512
a92fec542f78b10b179d7b5e719dc1f7e60a0eb4a9dd30188f55217753f69ac092aea2baa989033d29b464dd6b08902a1208da0eb6abba878137a625d7f109f2

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
91KB

MD5
780ffad5996fb7e3aa419756ef7d5800

SHA1
9f148d6cec635476d7995cafee8feeba43bb2ff4

SHA256
78169054d99ec4e29a9e2696fe8f8e3dbd6c47f990863cccbd5a01f1e6f0e208

SHA512
f01f6567c90e930eeb785de134a911d7c5581ee463d4c4df1c8ec3c069c92f7c1737aa8d1e4baef922c4f44332b946a0595f6084ad5af12de72d704867a2ddb9

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
91KB

MD5
2b3faa80b9ca6a6a5f2947b65fabbb04

SHA1
cc65eb2895bdec664f8b051d43423be6b8f6b884

SHA256
b999ec44d77b86237fc9f0644caaac76af82584a579d6e7dc0a7043cdced4f18

SHA512
0ef9708111bea99aed018abb51eada68da9f76eb8360893daba281178faaa6bfc940d271e0e3f42ad38f5aace265a4ed5ad237439208401f06c3634088073d65

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
91KB

MD5
6043a85a14653d469d92d7945e828e42

SHA1
c954f3c64296495cdc1271f2567e8a555691e098

SHA256
40ab628e9e808afa265f3f811fc49ca3fcd063ac878df9a3c34a9a1703cea4d4

SHA512
ce62ecb29e4f42f48596769c9a0e589314b5e5c32b08c1d0bc097caae388c07607ad3f6943ae3dfdd3d36b98d2689c87b5142bcd876b67caef5ec388901b6720

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
91KB

MD5
d683da38460f6d4c436d549d0e059a73

SHA1
4e5203bf00122ccc1e0837a12e73fe4aa72d5d79

SHA256
91494dc22fce6355a4cf4e099ad63649173d4975a801d2ffe1577ca293bab322

SHA512
7f873f294cd75bc6a8cfcf37c09b62031837510db7142cd28256398bb1c51da6ee5edc7ac6ef81c6fdf773396920a4924b121414a7182e35739c23c6182429a4

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
91KB

MD5
e24c4b515d3477925b4ed755ccee085b

SHA1
71d856858d43745f0684129dc216036383d26ab8

SHA256
35a6721801ea8c412f7c56feb912f970007623c8ded5a9479ffd8b25d2de2f28

SHA512
fe5c8d486d25add2fbdb42794aa163306187480d05d9868c0a9c151537cf22ecafd8663ff312f12bae82d26d4949dbcd6b0769dd9e256053d26563efa2f6f2f6

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
91KB

MD5
fb75337ca4ed7fb3933e3199c725c6e6

SHA1
344a69746c417c3054ea4115e3496b0b45f12003

SHA256
b363d374e7dd8f337b0d8b511f771cb51dcc0662786c1604c237fadf463cdbf1

SHA512
cc33bdc95a911b6ce4904b10fd14e185e663edc8b461cb0f4144bb9c49a66b9ac1b21306d5f0a1d5db3f39d4cd40880ba1ae1d97de7d674b959ed65de46d3cae

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
91KB

MD5
a0a50db0f1008c465cbb772ec09533ad

SHA1
eb28d9481f7610b197f826d5498db60f5aceb5fd

SHA256
f644c37760b161ef797a39a1b22b953baf0dd287667aa56b5aab20f30f13984f

SHA512
66c3d24af2b20ff0db40ea028af6d3303b27a80f9ef12f531551b3b623a8cd7d252f18888354c1d6f189836a94db70701c776ebd2b480efb167dec8fc00687e4

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
91KB

MD5
c38e296a623a99c56dec7b3826309c50

SHA1
0c5024169b3d8f522e2b4406f83b086da1ec406c

SHA256
eeae33ad9236c56c9782fa8481991c9d61545e05fa3f80dbdf93b3e00a8f7b0f

SHA512
a5cfebc66d00a68034c4093ae581f878eeb62e0b648ce4c51851f572ddac9d1846c24a56d9746d57851771080851e732d49bb4caa45300f985a71b484f9b6087

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
91KB

MD5
ed1c0fffc81b531127858a4ad14da32a

SHA1
d6995a353d86000810c382e3b1a8b5612c463f59

SHA256
ffe467440c06b82cf39b0b5307939a1b68b25434d795e8baa87a6b81ca4623d0

SHA512
c203ce27ee68870a970666e9e09a5bfd870489fffb3ded91e3c87a5c268145169693437db6b04ec3b0abf88105d028970135a7a3b42f1e8ab376c5ec9d7802d4

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
91KB

MD5
32c911c760951d4186681ec2e4855cd3

SHA1
ee29acaedad77762b1ca0695140b6bde698f3e0e

SHA256
3f2565d80c51ca51f62106e103048e26ffe92672eb9f5bfc305167417049d83f

SHA512
1e19b5e5e09020bfbd45acb027ad03fed082ed4c834db4cbd1e354d782a63aabf8c21a1621bd13047b44835a57d02c7fac1b3ef043024ddd332c709fec214c6a

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
91KB

MD5
f4f2ac310f6c35300b4641a616176d1f

SHA1
b48b560c03031914c5e7f01bc6c940599e61a43d

SHA256
c1488db4af8915948eee79511fbd91c48d0e21b53f6257af398846167d4917aa

SHA512
903b0d8fd676fa9863a4289fe05379143ccb3e5e939695b5692a27a025872a22dbb93e8c8add565c14acea96adfa39ac6d99d7ffbc601c53e6db422b37baaf46

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
91KB

MD5
df0c1143de81d1dc404eb238e7f3d0b1

SHA1
bee8cfbe63c0e22a24cd43bc3f43e5df393a3671

SHA256
f7c6284de9dc9d45c3fcb7eeb1e7d45a23e2e55bdebe2478f877218e196082d7

SHA512
23928174373556cf91ba794975e428d6f9d2b8251d8a8510a03356881d3ec33dcebab31b4a82c4b3b771d8d595b541d14ca0d3aadf8a6a601bb2518b7dc45ee1

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
91KB

MD5
0065ccb591fc83039c358111fc466e0a

SHA1
8bec32c282c77bed4c53cf02df0620c3184853b7

SHA256
7a236fcecbec96ed08fb7cc82f8901860ba8ce39fde4be8ce45da77c0989c586

SHA512
0da469c9cb57612a4d3172446c8d7887504cfd46fa4897d63ecf1b822234ac520375db6828ca284b3b33b057c1cef01312d073ca71a4fe6410bd0bd5345277eb

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
91KB

MD5
7ba12ab986d9c255f1066c50bd6a7a45

SHA1
2abb3871fd24125416a0ab9b8dcaf08885b3807e

SHA256
a15ebfb30f3458be2a8cdcf52119f8464c185fa2c6a74c4f15e4e626e5f1c25a

SHA512
0136b804099545b621211aac8476707bdde5ff67848d76308d17128cb869a4a102b490b51f6b1a265a04d1fee54f0efc59e06d599d7812991e6b4b468bb3e265

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
91KB

MD5
8a0fc9cf3bb3b7bfaee2cb77937dc9b2

SHA1
635e4eda3b37384678f7e8527fdf2aa9bc9ca025

SHA256
cfc15745ad7acf46297f24afd0ab14ff54a83adb5cf756827689b67dae2716ce

SHA512
466fb8970c008a6eb0ec881bb33086af7e3420d43e4dfd14e04862786348c07e39dd7f60f9ef830529022bd89cfb51fa5814ae47af15f77b9c21a97bb4fdf806

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
91KB

MD5
83e8eed73ce28075c4502fe7bb186f0f

SHA1
c17dec5348d1ac52a1eab296aacce9505846629b

SHA256
5659cfe79777a2090e5a1cbf77c1857286bb2248a378c79f60e1baa3c5f04305

SHA512
675fba6692bf4cc4c1dd52f80a8058687ff04e67a7a8cc554a143329c9c6879af5ccfe762272c1f3d20e4df05178b98a113ea727411be908cc2e934efc946bdc

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
91KB

MD5
efc003c7f1c3f781b326254069493363

SHA1
19fd98db0f55a7c184de0dd22d69ad443c0f333a

SHA256
6f3a9ad8bee9e13f4e1fa3d7dabf758a42a7f32e578555ced645bdc490676125

SHA512
c71824778b9f573a5f3b250a3dbf007012ed48929df95d5e7b006af72fdd26dc80fea7ef964beabca031ea3c40f37f3520b282d9e2c05176606c600b55248161

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
91KB

MD5
d0ff903c79593a8979ce50864eb2f172

SHA1
5733330e65db514415c4cc9f33350bb8cc0c90bc

SHA256
8269f541a00ccd720aed33008312a9e96a4f897b430059b39eaa66c0f56a98ff

SHA512
9e2ea6901d06a199c4bd66d202809254867afbeb54e70abe37d07655928ebf96c21573d6372ec7f3522f6d886d6b0a9b3a5f49c945082c1ba95b887c953fb30c

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
91KB

MD5
5d710604cf87ea6a2b98f5b3ab5798c4

SHA1
94dd5ccda4afff26dea73178094843f1f5d0f3ad

SHA256
9bf943161e01638d29fc15b09a3dd246c8b6144da0581b525606aeafe99946c5

SHA512
6612f8556bbd36782681ca1e2a30a8d209d769a33468e229d7065f7342b4d68ea2ca60948ad5010c2be36c04e3ca5339f675ed76158efb932caf82ca5007915f

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
91KB

MD5
28f4cbce664b6ddddef55d5f3903e81c

SHA1
16281bdbac40af7dbdd80456995db85528230b5b

SHA256
f4eae6af385f6b31ce79b73330321ad2104df148c6c76d5823daa48dd0346741

SHA512
53fea33d2ab885f517c6cab3e533ac1cab3134b2ef95cee402b1806c1451f45d9382fce344ceb12fcfdbb6201a15d2e9ab93891def90d9b720503f0e29ab6fda

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
91KB

MD5
731b5a5ed2830ce9943e25510d7c1316

SHA1
fc752cadeacd1a3b696f0ab49e7f60c3a7f463f4

SHA256
7f389af8756ebd3fe494d6e06399e522cd803845e871f3d9fe5b6b41f3532780

SHA512
03c4affa71de3fefc3b12aee8c7da7473d842bade13903d13be0b72c3972559caf92f6eba0acc319229c671d19a54f5c21c7ff217c6be4d5a8524bcce4d73dc0

Download Submit
memory/412-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/452-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/556-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1068-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1260-588-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-603-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3248-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3284-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3296-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3416-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3420-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3460-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3572-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3580-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3912-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4128-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4216-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-596-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-597-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4480-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-604-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6788-1215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads