ddee8c29fd43ada81e4952085a27b8526cf4ed28e36b5602f9d30dc08a9cbe8a

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddee8c29fd43ada81e4952085a27b8526cf4ed28e36b5602f9d30dc08a9cbe8a.exe
Size

288KB
MD5

d5a3369c4da3f76c35cf1085af8d2b79
SHA1

a6dc8854dc303698a27375dfa6e6aa1205c9c74e
SHA256

ddee8c29fd43ada81e4952085a27b8526cf4ed28e36b5602f9d30dc08a9cbe8a
SHA512

1d1ecd51ad7ef40965ecd30d39eafc88ecaa2be4f7d2fef764ca5d188b677232eb1996531da4127581a8867eded4981e38e79e0b9e4ba22fceebf4b52173c5dc
SSDEEP

3072:EWdNQXiF9ZoCBVT8S3a+LaYthj7ZTNf9Nm2C4smf9vms+CzFW4r2RKihOfr9n:zaXiF9ZoCB6N+uwLN7Rjr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe

Executes dropped EXE 64 IoCs

pid	Process
3692	Eqfeha32.exe
4776	Ecdbdl32.exe
3556	Fhajlc32.exe
2072	Ffekegon.exe
4148	Fqkocpod.exe
444	Ffggkgmk.exe
3576	Fifdgblo.exe
2916	Fopldmcl.exe
2528	Fjepaecb.exe
1408	Fqohnp32.exe
1420	Fflaff32.exe
560	Fijmbb32.exe
1380	Gcpapkgp.exe
3592	Gfnnlffc.exe
1704	Gogbdl32.exe
5020	Gfqjafdq.exe
3892	Gmkbnp32.exe
3376	Gjocgdkg.exe
3132	Gqikdn32.exe
3916	Gbjhlfhb.exe
520	Gmoliohh.exe
3112	Gbldaffp.exe
4092	Gifmnpnl.exe
4768	Gppekj32.exe
1096	Hfjmgdlf.exe
4228	Hihicplj.exe
452	Hcnnaikp.exe
2436	Hfljmdjc.exe
4396	Hbckbepg.exe
4888	Hmioonpn.exe
4860	Hccglh32.exe
956	Hpihai32.exe
2580	Hfcpncdk.exe
2404	Hmmhjm32.exe
2104	Ipldfi32.exe
4812	Ibjqcd32.exe
2888	Ijaida32.exe
2268	Iakaql32.exe
4856	Icjmmg32.exe
3408	Ibmmhdhm.exe
3860	Iiffen32.exe
4996	Iannfk32.exe
1580	Ipqnahgf.exe
2380	Ibojncfj.exe
1144	Ifjfnb32.exe
1428	Ijfboafl.exe
4532	Iapjlk32.exe
3668	Ibagcc32.exe
4460	Ifmcdblq.exe
3336	Iikopmkd.exe
824	Imgkql32.exe
4320	Ipegmg32.exe
4780	Ibccic32.exe
1184	Ifopiajn.exe
1132	Iinlemia.exe
4608	Jaedgjjd.exe
3452	Jpgdbg32.exe
704	Jbfpobpb.exe
4008	Jjmhppqd.exe
1112	Jmkdlkph.exe
1624	Jpjqhgol.exe
2352	Jdemhe32.exe
3948	Jfdida32.exe
3436	Jibeql32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Ffekegon.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7056	6968	WerFault.exe	248

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 3692	948	ddee8c29fd43ada81e4952085a27b8526cf4ed28e36b5602f9d30dc08a9cbe8a.exe	85
PID 948 wrote to memory of 3692	948	ddee8c29fd43ada81e4952085a27b8526cf4ed28e36b5602f9d30dc08a9cbe8a.exe	85
PID 948 wrote to memory of 3692	948	ddee8c29fd43ada81e4952085a27b8526cf4ed28e36b5602f9d30dc08a9cbe8a.exe	85
PID 3692 wrote to memory of 4776	3692	Eqfeha32.exe	86
PID 3692 wrote to memory of 4776	3692	Eqfeha32.exe	86
PID 3692 wrote to memory of 4776	3692	Eqfeha32.exe	86
PID 4776 wrote to memory of 3556	4776	Ecdbdl32.exe	87
PID 4776 wrote to memory of 3556	4776	Ecdbdl32.exe	87
PID 4776 wrote to memory of 3556	4776	Ecdbdl32.exe	87
PID 3556 wrote to memory of 2072	3556	Fhajlc32.exe	88
PID 3556 wrote to memory of 2072	3556	Fhajlc32.exe	88
PID 3556 wrote to memory of 2072	3556	Fhajlc32.exe	88
PID 2072 wrote to memory of 4148	2072	Ffekegon.exe	89
PID 2072 wrote to memory of 4148	2072	Ffekegon.exe	89
PID 2072 wrote to memory of 4148	2072	Ffekegon.exe	89
PID 4148 wrote to memory of 444	4148	Fqkocpod.exe	90
PID 4148 wrote to memory of 444	4148	Fqkocpod.exe	90
PID 4148 wrote to memory of 444	4148	Fqkocpod.exe	90
PID 444 wrote to memory of 3576	444	Ffggkgmk.exe	91
PID 444 wrote to memory of 3576	444	Ffggkgmk.exe	91
PID 444 wrote to memory of 3576	444	Ffggkgmk.exe	91
PID 3576 wrote to memory of 2916	3576	Fifdgblo.exe	93
PID 3576 wrote to memory of 2916	3576	Fifdgblo.exe	93
PID 3576 wrote to memory of 2916	3576	Fifdgblo.exe	93
PID 2916 wrote to memory of 2528	2916	Fopldmcl.exe	94
PID 2916 wrote to memory of 2528	2916	Fopldmcl.exe	94
PID 2916 wrote to memory of 2528	2916	Fopldmcl.exe	94
PID 2528 wrote to memory of 1408	2528	Fjepaecb.exe	95
PID 2528 wrote to memory of 1408	2528	Fjepaecb.exe	95
PID 2528 wrote to memory of 1408	2528	Fjepaecb.exe	95
PID 1408 wrote to memory of 1420	1408	Fqohnp32.exe	96
PID 1408 wrote to memory of 1420	1408	Fqohnp32.exe	96
PID 1408 wrote to memory of 1420	1408	Fqohnp32.exe	96
PID 1420 wrote to memory of 560	1420	Fflaff32.exe	97
PID 1420 wrote to memory of 560	1420	Fflaff32.exe	97
PID 1420 wrote to memory of 560	1420	Fflaff32.exe	97
PID 560 wrote to memory of 1380	560	Fijmbb32.exe	99
PID 560 wrote to memory of 1380	560	Fijmbb32.exe	99
PID 560 wrote to memory of 1380	560	Fijmbb32.exe	99
PID 1380 wrote to memory of 3592	1380	Gcpapkgp.exe	100
PID 1380 wrote to memory of 3592	1380	Gcpapkgp.exe	100
PID 1380 wrote to memory of 3592	1380	Gcpapkgp.exe	100
PID 3592 wrote to memory of 1704	3592	Gfnnlffc.exe	101
PID 3592 wrote to memory of 1704	3592	Gfnnlffc.exe	101
PID 3592 wrote to memory of 1704	3592	Gfnnlffc.exe	101
PID 1704 wrote to memory of 5020	1704	Gogbdl32.exe	103
PID 1704 wrote to memory of 5020	1704	Gogbdl32.exe	103
PID 1704 wrote to memory of 5020	1704	Gogbdl32.exe	103
PID 5020 wrote to memory of 3892	5020	Gfqjafdq.exe	104
PID 5020 wrote to memory of 3892	5020	Gfqjafdq.exe	104
PID 5020 wrote to memory of 3892	5020	Gfqjafdq.exe	104
PID 3892 wrote to memory of 3376	3892	Gmkbnp32.exe	105
PID 3892 wrote to memory of 3376	3892	Gmkbnp32.exe	105
PID 3892 wrote to memory of 3376	3892	Gmkbnp32.exe	105
PID 3376 wrote to memory of 3132	3376	Gjocgdkg.exe	106
PID 3376 wrote to memory of 3132	3376	Gjocgdkg.exe	106
PID 3376 wrote to memory of 3132	3376	Gjocgdkg.exe	106
PID 3132 wrote to memory of 3916	3132	Gqikdn32.exe	107
PID 3132 wrote to memory of 3916	3132	Gqikdn32.exe	107
PID 3132 wrote to memory of 3916	3132	Gqikdn32.exe	107
PID 3916 wrote to memory of 520	3916	Gbjhlfhb.exe	108
PID 3916 wrote to memory of 520	3916	Gbjhlfhb.exe	108
PID 3916 wrote to memory of 520	3916	Gbjhlfhb.exe	108
PID 520 wrote to memory of 3112	520	Gmoliohh.exe	109

C:\Users\Admin\AppData\Local\Temp\ddee8c29fd43ada81e4952085a27b8526cf4ed28e36b5602f9d30dc08a9cbe8a.exe
"C:\Users\Admin\AppData\Local\Temp\ddee8c29fd43ada81e4952085a27b8526cf4ed28e36b5602f9d30dc08a9cbe8a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\Eqfeha32.exe
  C:\Windows\system32\Eqfeha32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\Ecdbdl32.exe
    C:\Windows\system32\Ecdbdl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\Fhajlc32.exe
      C:\Windows\system32\Fhajlc32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        27⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        30⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        33⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:956
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        35⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        39⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        41⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        51⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3336
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        53⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        58⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:704
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        63⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        64⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4884
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        68⤵
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        70⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        71⤵
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        74⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1432
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        78⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3308
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3964
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        83⤵
        
        PID:376
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3532
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        87⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        89⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        90⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        92⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        93⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        96⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        98⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        99⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        100⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        101⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        102⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        103⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        107⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        110⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        111⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        113⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        116⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        118⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        119⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        120⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        122⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        124⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        126⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        128⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        131⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        132⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        134⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        137⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        139⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        140⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        141⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        142⤵
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        143⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        144⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        145⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        146⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        148⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        151⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        152⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        154⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        155⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        157⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 408
        158⤵
        Program crash
        
        PID:7056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6968 -ip 6968
1⤵
PID:7032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
288KB

MD5
ded581ea2aa07f167941292e7a12a5d8

SHA1
bcad42cf7334742d52f8f341ca52e3e690175620

SHA256
3f980c072643a9d688f91b71f5f87f2ea58f5f23d6c1f5cf5c0ea05a85042688

SHA512
ca14484b869010a2a354186407d3a5a227a74c90743838b82f2c208d3927f5ebf4a9aa9b1c417fd0da1daf54feac2e07192d0ad01e13a0711d343b43cef3a5c0

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
288KB

MD5
db30235059ebb9d6440abc226a08d1dc

SHA1
02e13f517d3338bece53a280ad5dd647387b18bd

SHA256
74e0340f9a219b49245fd09c3e6999907de1841c2bdee877ab9996be7d9fc5e8

SHA512
daa8eef7dde8238d1d7eb591f0a60ddfa60db58660da1ee96a839b2fa2f85b69ac7b6410970f15332ce87b216f5abbf3e62cff10db6294cc27df55a22cc5ebac

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
288KB

MD5
4ba2b1f86a48dde3adc55c1df66bee74

SHA1
a7db2395348a13908d20cdf33d5e475094ba046f

SHA256
a0aebc74c0e73a9882a0b8d468fc7bd249ca9d8dbaef1e2cb9713b5e5a4b32d8

SHA512
7106bf6dcebf2db21cda90860871e3de3d7f7c26c135c7010ae019664e1d80200696d709dee45fa1a32c439ac9bca0d18c6d47b0dc67c5f1f503569429d4ed47

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
288KB

MD5
e516abcca5349296e5f1986f263ae61a

SHA1
4f21d71e13328c8440d6d2c3bfdf3fcff07bc8c2

SHA256
b2bebbcf53480bc6d2336cfb48d5b8bee5c91a0aaaf83828950238566b507841

SHA512
b1ee3b54d9b22c077bf5b3478abb6549ada8357719a4425af6e811526b05430ee224807e2bccaca03d5a5c4cd6bfd8fe42e368e5a0f3c215a792643273bbe644

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
288KB

MD5
86fed13cad5f6527f570c9f0571ad63c

SHA1
8bcef52f9a57d003210be90f0100a0ea375788b2

SHA256
e56bf4a5a809aef5c7c504f1f252d6ca046b186f2b260be80bf3de79154cbd1d

SHA512
a12868f2063b94f9c5cc9f4d92c43983725fccc003fd529a3a3b9669b10922a180401587e26a389844f330721afb3869651a1e21c1996f5ca4e756bbc2b8bcc6

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
288KB

MD5
d3633617ab96ff0c9b04e3d128efa36b

SHA1
ea156da779daedd14f0e2e23f45167d90a5bde07

SHA256
688dcbb40b0ae21baff75d33289bdc387c26430e612bbfdfad5855c8e174c122

SHA512
a8c359d624e4e111d6639be8553cec7e4295f265906bbd48086ffcec3c3f80ca810a82bed206aea0d1c6f90d712599ea99adcd2d5071b61f777fc3c16e21cadb

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
288KB

MD5
6972f38d012e7b8a92cd6d326eae644e

SHA1
3e3403017a2d054a641d54b4e5ffa9b5b8cfdb63

SHA256
22012c12233c12128fc22321538998f7205a7fcb1f9727766f2427e97fe2daf3

SHA512
11f56762fd3656d0a9a89fd9671a59f01cdb29db163467624819af6eef2e063732dcad595981bf53e50d95474d106a91f56f36ffc5fc431a7d099a74b15aa36b

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
288KB

MD5
0a8ab0c0d757312677ed2ecf3984bab8

SHA1
39e083eb02a754e871591caaee1402488316711d

SHA256
fb55662c6eff6af40788af2f8554928cfbe860d45ea60046d7a3ca4916fb559a

SHA512
10cfdc7619269c10a9fc3a0e8d60d96d29c48872bf1225bee820c9cd44a4eceac3ac687b3aabb7de0e63f86b2bb452d3f233d9d89203f1b2d0ddd25f61081138

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
288KB

MD5
c19ac08b3ea9a8da704254d1ff504638

SHA1
9a43a7aceb74454b282ec5298ecce1c4def0e70f

SHA256
751bfd2e7dc0d6aa72d58e9bdadf9ae56f112390ba8b66ff13ab6e4e2c8fb612

SHA512
6ae6bb15b0341b0c5c31ad03196d0274379978973f525e600272959423bb2ab52e72a2913dc9aa5929faa8027be3b6932c9179387f8237c9ebc7fad9df731130

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
288KB

MD5
2a80e876da373718a0f72a0dea3e9ec0

SHA1
4626221cd3727c050d6c52937a4d341d65aeda5a

SHA256
b3e0298a500faa77bbadc0851432bc06361eca2585ad9a663b52e1a9826e89b4

SHA512
58233e8c1693c82b8b8f95412c85a175baa043ec20838f4388780a84d5b9895a0c3a6e82c56afe083ab55ee54f6915c1d7f14c54747076d83fdb1d96eb0dd2d4

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
288KB

MD5
70cc626a9113f1ba12792cc42890db16

SHA1
c8fa07ffe6643204e26a83a29c39da95610d0a98

SHA256
c9f9ef1d62d279b0271d202684971459f540b27a0c603c1de498a6f7e26eb1ae

SHA512
0602381a8a74858258ee5e0fdbe306967f611dc810021c5edd40cf6ba1562c898d35e95fa5c0d7b074cdf7cac809ecd5bca7786a0f94f749afe67052a9a63dd8

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
288KB

MD5
295c77c83e9c8cdfa05cc0f32e45ee81

SHA1
8b62737cd847fe64508be051333c1656c04318bc

SHA256
68f8421d33c0685e5dc9d4bc348e8293c28f4beecfbf1614fea4c0fabcc4f800

SHA512
f7e1cb850ca1be94534b9540a6a098b6c1ff77c5e6d4b9332f1a0a60a9c4095c0c1105bbe6258c483ec0a54dd1caff41f385828c13aae766561472d85c94a378

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
288KB

MD5
235fe102c9b0d22d2eb77eb0f3155f96

SHA1
49b47aa872855af52ab4325411a75bcd48c2ee6c

SHA256
1f6942ce6914811b56630ffb0a63188a4e7a543cdc70df1589f194d445d323b0

SHA512
de09504ef1f5f51c73bdb70bb6afeb93604f87a6d62cc5404acd4f7cd9746c57aef06c65579fc29e9a892bd237e9a5f24f0c7425467bc12442824407963324aa

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
288KB

MD5
c36ef7044e594a1f02a85d31b92a4f1e

SHA1
e532cc9e05c2337ac86da56161a9f7e3d8cbad31

SHA256
e6f3d288ec15cd0b1b3c93c73660d8d2e0caa9faac7c1ade3d08dba90d60dc81

SHA512
4a17138df5c04e9dfef982c0d83bb8d9d7467e90a7a2115d9c749c693520f46069758fdd3d1e5de2647689c0771d53006352090043d217fc73d9910cfa653e39

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
288KB

MD5
bc5472be6df751816bcdc2d888add1f3

SHA1
07bb1b6f26bf420afbc13fa0ecfad5cf13b635c3

SHA256
8111d0da48793f889ec98fc4e63667d32dfc77103ec191f920f0db4afbe25971

SHA512
f47e0d498706b3967627f3e4df5f4cab6ca09bb1d1757151851ad3c06767ad6ca1247c7be07319db812fdc50903352c61965d7c28e89b7ba29fece7492bd232a

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
288KB

MD5
edf016a48f307dbe1c662376bd703feb

SHA1
a8f17f571b9de6314d351661a9d7b61d4b1dfc2b

SHA256
1c38db98d30f4818edeaf55d5da2df46ba9d7ed88862c400e66d1f9068facd41

SHA512
109b2e6edfefc87a11fda3db9b51df80e0b20e2bdeeb4ef2439e3fbca5bc5de63db40a1034754746189b3023238f53dcbf4bd4df374590c7cfd14c8895bd0285

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
288KB

MD5
4def266b2e2581560483aad0daee47cc

SHA1
067c92e319d94fbdcd48db5d2d0d4eef43bf6bea

SHA256
89e4ea3481f70b67441242e9615d958568f85640b4d5512106289ff9a8e8313f

SHA512
1daeff07032c6220f8ad78d424b2824fd81debc14ddc63bd9fabbd0821c1cf253250874a1c5835bd95bc16ef48a724f68a6dd9fd8657393cf4d8dad6f40aafe4

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
288KB

MD5
2c1bb5e0f5794802119a1ef411550d14

SHA1
f669c2b6515bde958b0fd4a8c704d42222662360

SHA256
3158a5d880805876a567dea69fc3973b5e65a7040922123aed41666d93e14417

SHA512
667303346388ad539d262c93347251eb4da1c8c4a40ba391a311e7395ebcc484a1a0b91977ab6097aac0230ec143903fb49c02fb9b7556d253dc196b70ba828d

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
288KB

MD5
944e45087ecdf8bbd91b8df5ab652c92

SHA1
4329a30921a931570da712ade721382f243c07c9

SHA256
79d4dd12ded2cf2e152069427077eba4ea69e12a43f7c94c61eca2bc4edc1a49

SHA512
8ff1869beb313905ad611f55c306a161abf0eb8176e603711fdd01e8634e80b19674d36ea256a1d7ba22e3cc253e3b896ed29a72df1edd0aaa87ac9a438b0080

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
288KB

MD5
b297e95eeada8b5c40e6cb88d64b4106

SHA1
d23b80fe4f036718d62b0a23e00f38cdb8d3de8a

SHA256
9d26d4ffe00cfb162123d6afdc107354e239c8225297694406c1956df826a672

SHA512
5f571091af823579a1acf574ff1530e63b9d9e4826d834769f149d2aed5cad568175a1fa60918441a6531a5bd411b43dbad8a1d556a648557f425ab9f73bf0b7

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
288KB

MD5
d251d0524192461a182db4406c80ddf2

SHA1
bc48c221eb0cd6a1b878e29b55da61e1f804da3c

SHA256
0a645fe580cd8ef91c4f178c4b7f6bbe7fd48bae59250bd0d05186f3bb881305

SHA512
425da307ab5d4c44936276b05c027001731778df590209897624953dbd4fda6897468e7ed6d36797ec298fa4f713a8edadf387ce8274bedabe940586e3be83da

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
288KB

MD5
8744cd57cf6afa056f8da22542fd2e4a

SHA1
c00d5863be21d044239d4f1d48b36dbd8ff9a009

SHA256
b7493c2c9c58daa5be6047da736e2009e2c4dc2ed55f744bf2e5b120e86177de

SHA512
77aa7e4818c709b6bf5f7a68838c6e5503ce99a9f49c7e7c0260f248d51f604c9173db53c24e0ecb528554e74dfb9e15089cd4b364eaf4ec4c441d136e12a31d

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
288KB

MD5
325ec3e3c765c258556a24485fb40154

SHA1
a2cfd82951dc74d046aad81c6e77901251b63a0b

SHA256
8f8fecc44a37f7ea02a2e5cfe339d899f0c0bbbfd4d1fd2bd852f1512bb46729

SHA512
f44cce5de80171699e1dd473604e2f93edcc39ec5da2f8bd89352821ed3533a06e9627762c90515494cd6b963205194ca55c149c2279866ccaf1f733eba35987

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
288KB

MD5
ed42e8ea0c58196ada3cf6e2867e05b4

SHA1
410694910853b461722fe5da7e3b671741a1dd68

SHA256
254486eeb5f6aecc3b4a6f646d8af9a446e732749d71e69525f932307b3b3bc8

SHA512
fa944b6e546ec19778ad870d1a15c2f1d1d61c8057f79bcf36f597c7ac84472d624d8979e74db54796b3d7eb52ccafa101a1d7f8cfcc37ce61281f2fbc2a9679

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
288KB

MD5
5946e76009739d7e94ccdc8557a7698d

SHA1
9de2384394ce89b5788138ed881b55149a008ed8

SHA256
caa13db43a5aaf61c4d3ae190c2269d0878806f38087d29b239114f68afd1a40

SHA512
4c5eb4f3db7e89f99ffb2b07a9eb1cf2769253d08a2d27651fbd85b9e0ac8622c0df2e5518d5f07e151cf73e72a11c26c2ff455d8dd6e0c8aa44c9ef4da12229

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
288KB

MD5
a5ade70bafee944ce02f066ba88bdacf

SHA1
257fa49851b518ffea4f483c95e101a91244144f

SHA256
012f68851ea9017ca6087f706b331fe82e68dcee6686997ba030c355794dbc79

SHA512
9429f8e22af494f17f7b36f3bbeb7391a5e54ef9d103709c88b24edfe4f413ad6d328c9ef9db1f3ee01239693a762e93d4c5da403e74b25d3af6f5002530cc29

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
288KB

MD5
0aadd64d35d9c3f7192d1c72a9de7e42

SHA1
7bf0466a7be91206696df8296ec12307242f1731

SHA256
4b134e2d79089f948d7a04a87f331a49b16ecd1c23f1e7ea74700c2d1f9f3122

SHA512
d217de1e898566b07c99c056f57589426657540ca850076b1c36cdc190f66915452a1dccb353a92461efa55223989b119022cdccd28715b5ce2bcbb5d69f117a

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
288KB

MD5
e7e17fbb07f9f58f224e7d05c1f36639

SHA1
456c5aab7f90a5349985e39619b0c9b18e428fbf

SHA256
865f0db478ad0d7981082894f2dea162eee5095fe6b96ad0e91975404e525906

SHA512
94000ecdc8825d21669c2647bd771168b2ad7ea323971ea4e30c62a061be978281caf09f2e3bc4fac492fcac7c57616508c5761bd4311a797f08e0a1c41188df

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
288KB

MD5
6c283f681baba395dff3dcc8bce22b04

SHA1
df456b4192f25918d4701d040a4b018a18563f47

SHA256
ea31d681a3059dc4877038150acf2a0b41039f3459d0a1f7161729911754ec83

SHA512
0bfcd6900a24bf6d088177d41adec2e8d039c6d42a01be7f4760b42fdf034f4efed1c080e8cfebec98e60b173a5fdf505a5df471538a81bf799ff6ba13b5f77e

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
288KB

MD5
76e4c11234c1c3c8585d4b6a02e35065

SHA1
6e4ccb8419cd3f0c797f48ef17756e6ec57f9c95

SHA256
2e198410fe4fc199b344eedf596cd248c214ddbdfb359855512f92a9466956ea

SHA512
4cfaa1e92844cf7887afbfb847a2c9fe268cc95d4928f420da21163f334547f544727eb9de639e52a9db1224c687f0a310f20557c69aa97a53fb1cb4c4423564

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
288KB

MD5
098e5f78f921c7f39c83b8962b4a7343

SHA1
4f2ae769003f322be859982f6752d1d029b14e1f

SHA256
6da71b8af9bc99919c0dc78d47a11d17eda057c3aea6a1efb5dd97d379b7bf8c

SHA512
c34f947e4334a73b79412aeeab4e9ee4d2ba258c050ed4b0fb01d49ec6f6f66f8e34530b503ce487556ce2f350322943c37319ee58d1f927baa3689bf4ef1e09

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
288KB

MD5
4523b369ef7007e352d64fd282a1a3f8

SHA1
9130ca657b7645f997bb60c7b4b9362ba5593c8c

SHA256
ad90a694f7e2ac24ffdf4f92bae04f219236e06628997b61c0afae5762a8dafa

SHA512
7244f6cebd731cca7d6733d388daea1615e0382ae1286d5e566873c19cb85a2a00a197c0e0c4bdcc2f685757488a466fa83d8ea684ffebbffcc2f2d784ffab9a

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
288KB

MD5
11845d9a1242531207c44fb718542df4

SHA1
6c6747b03357990902ea355f6c4466f596acdf83

SHA256
b5561faa9d5a03dcbf1996d48b7b3d35647e5daa24e0e6f91775a42f748afd77

SHA512
e9f91fbff204bc0d7f7920784081f7a84574ad1e4e58cc815b48ec5d5273ae92d22019ca58e3089fcd644dcf79a35f007d8bc88b00ccf919ac8c8331722e49f9

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
288KB

MD5
8dd22e3960ba69009ab129e2d3864f50

SHA1
6274f17d6b62f23bcc29f130cbfc89c4f58bc314

SHA256
3e9637cfbaa843eacddc4e37e45e1e3ab584f47bdb2c054027fae2ed1f36c2e6

SHA512
8c837055bc0fcdeb9c93214493265cfd04f59b05c187dff8b71548324caa49d1b78df54a9eff39bd680401052017c46dbbcaefde448ae48161eb3f4223442f82

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
288KB

MD5
cb674502eab4d5e34c22f937f8449e0b

SHA1
2e26000f1f6551045633e4a15051b60f93d9e826

SHA256
f373f4e3ece2bd402a69936a41a0e2f91a2eb1ef240c6e147b9070a978c3409c

SHA512
b404e594f2dade9c1b62fbc2d029e71c74be31ec1e0f3050964a5b20644f2dc188a8c6f1ed0d273bde55add9cae930caf21f062d1b0931ccf30d8ecdc4c1632a

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
288KB

MD5
505796301a8cdd1f7775561437a3a768

SHA1
2f2856b40026bc50827cac610572990dea33a152

SHA256
ddc9336ce34041ac25f8537db04a94dbd1cc2053a17c4667a103781f634815a3

SHA512
f2ffa9587e3c7b094a405b230617388bc86eb640fc13a77e103e89a58e0324729bab8520fdcc06662c06dc5998aa66cc975545e4cf8705ee8fab2ce507af07e9

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
288KB

MD5
1505c4c40fa315f6832457e884d31c6a

SHA1
8ff21e5043cbf1bb0b78c61c46f25c779738224f

SHA256
19b6484e70ca0f44cce3bf52799359a2e526b4ccadc8c007c6835d3fd23f7e04

SHA512
e11de6bcefa59c3dce007397d6325ee3304538bdf1f66c9df6d3ead697267a89f3650f0ba5db9fd68d506c90a9f37b86e4cb87b839019300896a8058fa86c9c3

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
288KB

MD5
ec56efd43a57833b4865c632da9a416b

SHA1
480038feaf25a59a1e81ff0b065c1e4e25aae28b

SHA256
095fd57482c35bd9d76ec81efdfd309445d71eabeff10e3cf09386f256486100

SHA512
ccf5de90042033daab630941beedf4674f507997e93b1b1180705c4a897fc384ab3d4825bd93e4f129a6ecf7ac332e16ac87e52d8892f7d3d9f55c3626aff2f8

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
288KB

MD5
3d60fdf0bec6046a48bb5e0cc7aba372

SHA1
f29ee82e98d913d9469d01aa0ab6c05307a06676

SHA256
34143a90cdd93c3d7ab5a50e2d9a352f77c2d207d30df322fbde6b1566847243

SHA512
812fea9bf0357cc07007342f11c5a2d386c6fea98edbcb9de1728c65c628a65da56c1b98d6c7ce05fc78bf174174a6af053aebfa7e41f4fa806c6a74cd795efd

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
288KB

MD5
d4c58634d2a5d998ff1655410eed4b02

SHA1
4cc2081690970ab9f49dc163dea15a2503ecb66c

SHA256
7b6bcd008c13fd54bac3932b19c7d857d9a44386640e145ba116c3863822de45

SHA512
85d0dca0238aebfa6e3a9ebd684ce9e4dbaddb47dcc397c31746f139bb089d78e3fcc8f111bf390f460a3111048900e47d7d664c2786139c05e66d4b8bced371

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
288KB

MD5
a5eb1fc9b11ab5f1d134ad3f601683d2

SHA1
9f30c60adda69059bb19c3eb508bcc4b896f0673

SHA256
f533fada3d3cd9fabf49d7a8264f7e1c58ff8391a58a2044690d1d1bf84e4a53

SHA512
bf314fb7beb1f92fb50d4a63f9f5ae8c756cb01f139fe49063cec7557a38e1b5b38241de610467a539f92693192061717fbfa3e3690f3439b99b171083563e7d

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
288KB

MD5
8ceae0295c743e1b9e50442e57a6d9fb

SHA1
a9fb4efb20333621789adbfe86f1d6e856eff6d7

SHA256
56bf01af8d69957ffa905b088e851797cdc1e9696d37802470af74dac36d95e9

SHA512
0ec9a2dea71ec2ce0b14e669832ca038bfd501ccfc6096d70dd761a10d6be7bfd3e09b32ea4bc7e97413ef71eee6bad7f0378712d3a8bd9c7387ed68b9d15f7d

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
288KB

MD5
a20b9a89b668d73fd5acc05065127c63

SHA1
3461bb8e36966d42911a5d1a63c46bbb1f3104b4

SHA256
e9a4ce9d316ff6872602e6348f2766ebcc80e37ae13a9f1eff88a75ad610a91f

SHA512
b9e0f13a31e6f8b2209e3a902f287f2e28d73dbd912d9ee710e3545e190d4e6c32b69d1ae9c397b321da26c9c042c7fbba1c78875fd01e49b3b054855b227e67

Download Submit
memory/376-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/520-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/560-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/948-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1096-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads