5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a.exe
Size

361KB
MD5

60e68cc9fb46ca953b8cf3168ca696a0
SHA1

f4bd62a582dc2c503eb1f1ef8582c0d4d0ac99b8
SHA256

5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a
SHA512

aeedff98aa2628589af9f170567e59cbb8d55b7087656a62b2d3a4cce476011d4ec38b55116a9c75af6121823cd99a941bab9ef32943906571ca52a082904d3c
SSDEEP

6144:fE8SLJCKxvxTPsVQ///NR5fLvQ///NREQ///NR5fLYG3eujPQ///NR5f:M8Kxviw/Nq/NZ/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe

Executes dropped EXE 64 IoCs

pid	Process
2816	Ecphimfb.exe
4240	Ehlaaddj.exe
3968	Eofinnkf.exe
1852	Eoifcnid.exe
1404	Fbgbpihg.exe
4892	Fjnjqfij.exe
4436	Fcgoilpj.exe
464	Fbioei32.exe
4756	Ffekegon.exe
2372	Ficgacna.exe
2764	Fmocba32.exe
4012	Fqkocpod.exe
1148	Fomonm32.exe
5004	Fcikolnh.exe
4152	Ffggkgmk.exe
820	Fjcclf32.exe
392	Fmapha32.exe
4936	Fqmlhpla.exe
4520	Fopldmcl.exe
3840	Fckhdk32.exe
1644	Fbnhphbp.exe
3644	Fjepaecb.exe
460	Fihqmb32.exe
3932	Fmclmabe.exe
1672	Fqohnp32.exe
4180	Fobiilai.exe
2696	Fbqefhpm.exe
4660	Fflaff32.exe
3856	Fjhmgeao.exe
5104	Fmficqpc.exe
5080	Fqaeco32.exe
4744	Fodeolof.exe
4856	Gcpapkgp.exe
4432	Gfnnlffc.exe
688	Gjjjle32.exe
4836	Gimjhafg.exe
112	Gmhfhp32.exe
524	Gogbdl32.exe
4868	Gcbnejem.exe
2404	Gbenqg32.exe
4344	Gfqjafdq.exe
1072	Gjlfbd32.exe
1776	Giofnacd.exe
3832	Gqfooodg.exe
1432	Goiojk32.exe
1184	Gcekkjcj.exe
4840	Gbgkfg32.exe
1668	Gfcgge32.exe
4848	Gqikdn32.exe
1836	Gcggpj32.exe
4428	Gbjhlfhb.exe
5032	Gfedle32.exe
3980	Gidphq32.exe
1476	Gmoliohh.exe
1948	Gpnhekgl.exe
4624	Gcidfi32.exe
4764	Gbldaffp.exe
2220	Gjclbc32.exe
2332	Gifmnpnl.exe
2960	Gmaioo32.exe
4252	Gameonno.exe
1928	Hclakimb.exe
4616	Hboagf32.exe
4600	Hfjmgdlf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ecphimfb.exe	5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Fqkocpod.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fbnhphbp.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Ecphimfb.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbpihg.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Goiojk32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Ffggkgmk.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5624	5532	WerFault.exe	203

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gpnhekgl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 2816	4492	5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a.exe	79
PID 4492 wrote to memory of 2816	4492	5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a.exe	79
PID 4492 wrote to memory of 2816	4492	5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a.exe	79
PID 2816 wrote to memory of 4240	2816	Ecphimfb.exe	80
PID 2816 wrote to memory of 4240	2816	Ecphimfb.exe	80
PID 2816 wrote to memory of 4240	2816	Ecphimfb.exe	80
PID 4240 wrote to memory of 3968	4240	Ehlaaddj.exe	81
PID 4240 wrote to memory of 3968	4240	Ehlaaddj.exe	81
PID 4240 wrote to memory of 3968	4240	Ehlaaddj.exe	81
PID 3968 wrote to memory of 1852	3968	Eofinnkf.exe	84
PID 3968 wrote to memory of 1852	3968	Eofinnkf.exe	84
PID 3968 wrote to memory of 1852	3968	Eofinnkf.exe	84
PID 1852 wrote to memory of 1404	1852	Eoifcnid.exe	85
PID 1852 wrote to memory of 1404	1852	Eoifcnid.exe	85
PID 1852 wrote to memory of 1404	1852	Eoifcnid.exe	85
PID 1404 wrote to memory of 4892	1404	Fbgbpihg.exe	87
PID 1404 wrote to memory of 4892	1404	Fbgbpihg.exe	87
PID 1404 wrote to memory of 4892	1404	Fbgbpihg.exe	87
PID 4892 wrote to memory of 4436	4892	Fjnjqfij.exe	88
PID 4892 wrote to memory of 4436	4892	Fjnjqfij.exe	88
PID 4892 wrote to memory of 4436	4892	Fjnjqfij.exe	88
PID 4436 wrote to memory of 464	4436	Fcgoilpj.exe	89
PID 4436 wrote to memory of 464	4436	Fcgoilpj.exe	89
PID 4436 wrote to memory of 464	4436	Fcgoilpj.exe	89
PID 464 wrote to memory of 4756	464	Fbioei32.exe	90
PID 464 wrote to memory of 4756	464	Fbioei32.exe	90
PID 464 wrote to memory of 4756	464	Fbioei32.exe	90
PID 4756 wrote to memory of 2372	4756	Ffekegon.exe	91
PID 4756 wrote to memory of 2372	4756	Ffekegon.exe	91
PID 4756 wrote to memory of 2372	4756	Ffekegon.exe	91
PID 2372 wrote to memory of 2764	2372	Ficgacna.exe	92
PID 2372 wrote to memory of 2764	2372	Ficgacna.exe	92
PID 2372 wrote to memory of 2764	2372	Ficgacna.exe	92
PID 2764 wrote to memory of 4012	2764	Fmocba32.exe	93
PID 2764 wrote to memory of 4012	2764	Fmocba32.exe	93
PID 2764 wrote to memory of 4012	2764	Fmocba32.exe	93
PID 4012 wrote to memory of 1148	4012	Fqkocpod.exe	94
PID 4012 wrote to memory of 1148	4012	Fqkocpod.exe	94
PID 4012 wrote to memory of 1148	4012	Fqkocpod.exe	94
PID 1148 wrote to memory of 5004	1148	Fomonm32.exe	95
PID 1148 wrote to memory of 5004	1148	Fomonm32.exe	95
PID 1148 wrote to memory of 5004	1148	Fomonm32.exe	95
PID 5004 wrote to memory of 4152	5004	Fcikolnh.exe	96
PID 5004 wrote to memory of 4152	5004	Fcikolnh.exe	96
PID 5004 wrote to memory of 4152	5004	Fcikolnh.exe	96
PID 4152 wrote to memory of 820	4152	Ffggkgmk.exe	97
PID 4152 wrote to memory of 820	4152	Ffggkgmk.exe	97
PID 4152 wrote to memory of 820	4152	Ffggkgmk.exe	97
PID 820 wrote to memory of 392	820	Fjcclf32.exe	98
PID 820 wrote to memory of 392	820	Fjcclf32.exe	98
PID 820 wrote to memory of 392	820	Fjcclf32.exe	98
PID 392 wrote to memory of 4936	392	Fmapha32.exe	99
PID 392 wrote to memory of 4936	392	Fmapha32.exe	99
PID 392 wrote to memory of 4936	392	Fmapha32.exe	99
PID 4936 wrote to memory of 4520	4936	Fqmlhpla.exe	100
PID 4936 wrote to memory of 4520	4936	Fqmlhpla.exe	100
PID 4936 wrote to memory of 4520	4936	Fqmlhpla.exe	100
PID 4520 wrote to memory of 3840	4520	Fopldmcl.exe	101
PID 4520 wrote to memory of 3840	4520	Fopldmcl.exe	101
PID 4520 wrote to memory of 3840	4520	Fopldmcl.exe	101
PID 3840 wrote to memory of 1644	3840	Fckhdk32.exe	102
PID 3840 wrote to memory of 1644	3840	Fckhdk32.exe	102
PID 3840 wrote to memory of 1644	3840	Fckhdk32.exe	102
PID 1644 wrote to memory of 3644	1644	Fbnhphbp.exe	103

C:\Users\Admin\AppData\Local\Temp\5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a.exe
"C:\Users\Admin\AppData\Local\Temp\5e348f671dc9446a14e65ed20b0094c1651300ca2bf13994899fd1ec390f866a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\SysWOW64\Ecphimfb.exe
  C:\Windows\system32\Ecphimfb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\Ehlaaddj.exe
    C:\Windows\system32\Ehlaaddj.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\SysWOW64\Eofinnkf.exe
      C:\Windows\system32\Eofinnkf.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        25⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        30⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        35⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        36⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        41⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        44⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        50⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        55⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        59⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        64⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        65⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3452
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        67⤵
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        69⤵
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        73⤵
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        74⤵
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2420
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        78⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        80⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1768
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        82⤵
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        83⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4512
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3228
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:64
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        88⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4468
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        90⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        92⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3376
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3788
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        99⤵
        
        PID:824
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:184
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:916
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        103⤵
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        104⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3456
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        108⤵
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5028
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        112⤵
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        116⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        120⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        123⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 408
        124⤵
        Program crash
        
        PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 5532 -ip 5532
1⤵
PID:5600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
361KB

MD5
7d277d69dbf75b731d777371c0e34793

SHA1
635aa0691e3db7806d5365fac7c2b4eb88b89709

SHA256
68d22a6dea71f4bc36ab460aa2b02a88802c397974c62f140dddc48270ec623b

SHA512
c4bec514543fe0110e63030116a03f7904447e1a2a14e9fc7770a7ec3e58c0a29004ecf876edac1ddf39a7bdea2877123a112c9f0f75ae338d9213167bd42a2e

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
361KB

MD5
0d77c832e601b4c93448245892f573a1

SHA1
bda386e94e0af940e88648c36127ad922a8bdb7c

SHA256
f676d4d0e141d9cd3295fb3bdc650772143aa158107770b26e1b5d4c414df816

SHA512
6d0997f3574da33ee73661e25bfe32fc15b590fb4af74ba5d2f0a555a28ddda178c18988336c4cc6bb22d9c266d5c572c6657b55b84d55aa488e611ea2c144f0

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
361KB

MD5
6bbf1be87ebb7372eda106fd170c86fe

SHA1
ab31b231a5c23e0cd7d9b291249c0ff19c971698

SHA256
5379999e75c04713984086fd265560ce8fb1d8b37eee619dc3f5913a15140739

SHA512
3e2f52930004dac3a8e47bda5df60a11dd5f799feacaa96a31135daa2796512dd5bb65fc3725702ec8066e9848fe7cf491f5a1976aa931d37b1cb85652aee207

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
361KB

MD5
de4e2c7ba765b7c1da174dc9639f7090

SHA1
40b54d563cbdfebe8b071cabb53f5acf3ae3074e

SHA256
d7548c8d9c832a09ec82047d90d95cda43b07e7fc6dcdbacd8bd8168206e285e

SHA512
249a3545c6b95e74d8be986ed3b76b9b010a2787de9aee63d7afde895b7cd58c97315ae8e250c8190273d56e87e37ed11281cdfd6371e3c12dd446d9c07965ed

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
361KB

MD5
bb74385d4c37b31e28c98a2859b474c6

SHA1
3249ae608d34d8e86db75bb6550bbe95f2234f1d

SHA256
72f36a9c55685590523e3b64e0d5fcc4fb8f3a527b91bfb7b7e7dce34bf988f1

SHA512
f5164ba4a0f62d61760d1f0320663e6212d92e3b1a739d00e9dc43a4fe8a8b332cdda9e38f1f531fa494935550b9db7868f386d76422a8a3c0b9b02e5a038527

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
361KB

MD5
612ecd06b400e9929f8241eec4a1d9a5

SHA1
6a02c7cb39d575663cc4fc44379e721184565ae4

SHA256
0b6c9ee39a71e63115c2dee00c4f8511fcc6a5a280d4a19a8a51c41be60fdc70

SHA512
2a97bea280a97d41f7e8eabd9138cbd0cc43b6d67d189602c15813e5658cea3870fed5373cc2509692b649fa039af1901e53687cd1edd8a3c1548b24e3e68f22

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
361KB

MD5
b59571fb56e059b4f24dd1a834165ea8

SHA1
08aace27739e872d02fe140c767626c7a011999b

SHA256
5ecc8c12c038fe0f26f010b1911f869a8812a6bc5bc42aafd93820969d827f60

SHA512
0fd4343995a5d24b193345b07dd1cfa7565836d70780e3f5dc74c8e3dbcdecc9060691425f55f42ec39bf24be948de353409acbd7ec764a9114b410ee5a15653

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
361KB

MD5
ac16b775e813296f9ad177417a4ae2fa

SHA1
a593d416268cdc85c1987981b259e4158571de14

SHA256
5dc334614cb5673537a8040eaa5fa4db9a3dfee557923f43d93ec3c3105cc5bb

SHA512
3b346b67a7401743262ad8e4f13ae09691edc6a78fd9a3784f53de7cba5fcaab2efeef40fe34e83c65be7a4991a3acf3e24a45c4da2a147702d4f799c1b28052

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
361KB

MD5
af1ddc6052e1c6eb67b873ab15362051

SHA1
fedf5fbaa3327707eea0ffdd9bbdc86b406e5f34

SHA256
62391b8a6f353bd17fae15b372beed144ceccd81e2b10cb8b3d518eb307be0a5

SHA512
3e8038bf67c6b41a2a2f1b78b3de5f69dbb56a4490d86db27c6dd8e8a1776065cb6a9d359c0c06568247515a073332c67525d5f649ae60110970c5053b2c05cb

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
361KB

MD5
6ab45e210804b82973398705f1d9db9b

SHA1
dfd0af2d22424e5fdf09cf17cfd7d6fea5a3a64e

SHA256
c500b1a54dde2be8b530da91c8074a4c32f8b1cd2dfffa95757caabf8593503a

SHA512
6ad1a21c3503d87aa74aa03aa16c16c6271b497c81bff7db8d19bcd481fe39ba65169b466abc5033dfa8e83f1cb88bdc054111faedb421a1b7e7a1086ad47bdf

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
361KB

MD5
d09ffe8e2567cf0936a4923baa43dc96

SHA1
8fc4db3f463362230d2e7e2ef3242e2ba1859f23

SHA256
f3d830808b9a6060d4e553a16f1731dff91cf8a97b8f334aa7845d107f43296f

SHA512
58f4e49ba7fca9fc8901e37faa4eb4f6421ef0308207ba13dfe43dcabbde51655aa18f18691ad2b05ca2ca6f552425db7e15b981496a296d6d971de9f1134ce2

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
361KB

MD5
94c9d9e186e2aaee1c8f868567d29486

SHA1
6268c4ab7588a8ae1637c1bef5d37792e8168eea

SHA256
1705dc79326661401f670061a763f8ef26babb588541fe78ce06602f002b1839

SHA512
3b6b6a192f52e33f22b88a514e025026ac273054d908c903979a58363aca2a6a14ec0493e59a1a5da2839048ce78f503e92766bca64d9eb7a3a3f407cabd9af6

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
361KB

MD5
e6eceac3b43f99e220e820596307ae93

SHA1
5811ddc758ac54cda6915a792de3e7e04028c511

SHA256
98355f7e2c560397fa05b9ec3a1b5e359be998dd8975c73259d2df1d930341b4

SHA512
3f606e5bccc46acad26b94d2e34488cb8545b970dee647b4217977a2ab51d196ebd5d710dcd6f34a6f3c7fce710005053ffdc56827bdfc636b8b7e85b3371c32

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
361KB

MD5
8e2221cce369369e764ab82d329c9de3

SHA1
897ea0a1c78831524a864a5569d58b1ce6d47355

SHA256
7547e5d93417fa83718bb02f69e1d2948cf3053c3281bed2871c25b27657c295

SHA512
ce53e6a85b3c2a6b17369689afcceb2599f7b3bb916a5c9741401d403dd43c9b2e531bc8d9caf86cdb84b61d2db73497cf0ee53c2614ae4c337ed14998a6d282

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
361KB

MD5
94c931d3bd99512b512d9abdbf14bed5

SHA1
944a65e676c832434a34b1afa6ebf044546168ae

SHA256
bd61d7fbd648237db6a7a3bd37772414d3ddceb0a699d6e0205e4b37fe0b2651

SHA512
4192c3c3fbbcde8d611bd2a5fa46866377d637f30783627670c8bdee32ac01a6ec5ed916a3616c2efe7f108df4ea39c9251c9fc4793c628d853bcdb025c8e358

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
361KB

MD5
aefa8bb2a5030c8ab2858fdc8cc1f297

SHA1
f12aa77ff7d64ac8e708ffc0db04e8f8ed43db30

SHA256
10c2f26f8920fc25e0b25283238e239e922604519ad68d7998038e65eabd10f7

SHA512
1263b9919a209c2b480c8cdc99162b3705b26cbf5de0ea782f1de3800a5adf5d676e4a3fcba13ea04a4ab468aef09f8db0269cdcf8760c6bf00d93aa8497d5ab

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
361KB

MD5
ceae7d2edbce33a67984d27b4b62197a

SHA1
8bfdae6035557b755fa0f271225fdddc28437e4b

SHA256
388f1c6949dd9ae583c7f3ef218e992de0463a6bae2167e7af03608955f15f51

SHA512
fbc75c354f4bfb077eef11253a9ac9709cf9f4462f71301b364ef07e38bdee2221f04c1b9e8c832bf9236f4fa73b1f1e92008420a98d1ad29385e90c1c118836

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
361KB

MD5
aa8d5adfdce572baecf9a18f9d6e883f

SHA1
4ac52e8411f31551a4db385549a3e428daba1e35

SHA256
e9e078658d4a86bd9260668dd022eed2dbc549fe1585fbfdee995b8196e3c00d

SHA512
7ea2301677656c7cace986305aace20aa7d83e9d4a215f30b309aacf01e4d608b5bfce76688b80c8c58784a11f075b0f2dd408e48af67bcdd3b2864f1ab60178

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
361KB

MD5
ede1062a26955deb7589c722ceb2aa62

SHA1
6a279a354dfe6b2d2ff8708815fae117c5cd0d8a

SHA256
ab793f70877ec4753f8fb1e0f47dd1c28127adb1688eda142982970e5033f107

SHA512
22d0689a214dda4550a93c1ae7fb59874c4bbef1cd08be60e55a98988f0bf21adc4fe2f0ff406a3845de3401fb758ae8a59c66283544ab8bfc8d6c8448f24e4c

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
361KB

MD5
a5fca6dba9d4d584f80ce36f34f52d1c

SHA1
c3691bce67382c2ae8711fd3e2f9faa7f662f990

SHA256
633c91a4d67a5d693dc8766e5a4920f0427ffe4aeaacc0b65a287bfc36d6766c

SHA512
a7730b5934bb9bbe37b97d0bcee1d6b578933b42c9f17fb22c1a60701f4ed3159dc9b8779b6c617059a60e5a23d1a9932b1001f2d943c15225f4dbc19268aed1

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
361KB

MD5
f6aa75ccb59bb194afec7eb21a1dcf2b

SHA1
7a1db4b08257dbd4473bc207e0727d60df04546b

SHA256
5d2bce5681fec9adda328461e20c22ad706297c43b689f1b87866863272f19da

SHA512
ac33fa7dcbc45d60bf75dc726f46de608f545f3348adb2f7fb3e38d769fe9966552eec718743c0b1f30c48a78a0bce1fb2ac021a9fdf680eac1c67635d60e421

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
361KB

MD5
91af6e1b0a0893f63f89f38bcfeb942a

SHA1
504f53979384a142ea3b08990bac24b9ce921faa

SHA256
3661cddb83430fd647d0516097545958205809f398a8460a39689e3ee168bcfc

SHA512
3439fc5d87ab422a7765d3abdc9e8f5b2148caa72293e3d70af589a03f9f6e6608f0a492b50680ecd1abaa7b26d2f348669b40f6c5cf9b8283d33c60c96aabe4

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
361KB

MD5
f50cb452a83b5eef0ece33a8afede422

SHA1
01a8ab5255ee4a62cb31f65344c0e28f5a4e4fda

SHA256
508d10e4c145a6fe3070948a9f8e500a8707d6f048b81c284863f58564734c9b

SHA512
9ef0941d88c5bb330b84c50ba1d691fc1ea8dd1c0fd87e902d8795e1a46a2d593d68bcc69f79996bd4273f5ef0078386e8d5950e09cebbb4ecbd7f0d7c4bd8a0

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
361KB

MD5
46e25a8f83eeac66e78bdfb883935ccb

SHA1
4bc0359a0e6701e80f2f933cf99345713c68dcf1

SHA256
d36b57d843b6ffe8de5e0a593e759525485eb2b6add0d27e3fbf42c7d5d06ac4

SHA512
43dbb3e783d77904591d4c9ecc2b80ee261ff4b2bff9aa156e6b44a209599e76fc38cc7fbad2334a41fe11a55c0804d9456ceb379766e9e711784c9f3f8248df

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
361KB

MD5
990bf65d12385db300b76d6e6339dd5c

SHA1
2949898b8e62e997e648992690b251970ff93ce9

SHA256
84c4ba0d149d4dcdefff33a088895b7cca1f87005115b345226952a5b65ca5ce

SHA512
5ff851a8cac8c4713e1b990ab7252cad30af72099848ef0a803e6674dad749aebd27b924b582bd77f4f1501a024ec4b29b9d7cc60a4da7ed50b8aaa1f01c4ec4

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
361KB

MD5
e07337f4b4df554fea5f03d8a491e7a1

SHA1
5a8bf7e5c1abe5e9322d614eb5150187c996a3d4

SHA256
f73273bb61a99a5a8cbb4117d9ebda47518ee9dc1738f2319e366ad26219cf11

SHA512
926af4072051a48638ea2fc67cae144b372e7f0b4fd076d9ac4a9082d4278cc740ad46e17a60115d58f8ab3f50c98db7a4b4da6e229ed8a46b6d9cbbd6af7fb0

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
361KB

MD5
e71d26fb2026c0f07771c2fdb52e91c3

SHA1
8093b2eae32e43ea5ccf6abda22484e31fdc3647

SHA256
38dea05fd34599bbb0a683d34c1fb7b0608216e2bc5cb40ed287ae7f5c68f362

SHA512
bdbbc40b842eece8fea3d89aba7e8614cf30c65c061f515de9f1804976921a4d35d989059b6cb5e411b3989d6562c631e67fa262aa9c71705e0a5ce3bc70cc4e

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
361KB

MD5
c7778173fe85caf583907ea840bcefbb

SHA1
f7ffc07b198995631076b6424481c107a40d0613

SHA256
11909242c31cb78c348b31b39ef7c60221b44b34b92425f0bf8fc88b8a2d5bcc

SHA512
1e957e93e9be3903b3255c62ab0e01ba4912f4bf74b50bdb86f7c4d3057cae76c5b5d826a088c323dd80f8af863e34996f0c8eb288da1a8cd14d73ac14a690c3

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
361KB

MD5
f3f0aa05313414d539c04186559bb818

SHA1
e7ce622370a4e26136e55faa562dab57abbb7539

SHA256
f2104e1df1989b5529956dc8f1adbc2f99a5d7aeed7a36e29f280b7f0b45a9cb

SHA512
a7ce8eb8061ad7dcedcebd512359c42da60664c32daf8cc69ea6ff4b4601865b78fec1a8ca703ab66d51f089adb47533f29645e38c128ae7f455c60f1bb41310

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
361KB

MD5
c0acd96d99300263289fd5c57ee9eb1b

SHA1
d7c133ead54ae19795ff73538bbb0a05f8763eb8

SHA256
b1516620c341e3fc03bf1158acca87feb12960239776aaaf9f81973a1a5ff1d5

SHA512
327b813e866242e85362886b929d27812bb426fa11018fb4436d7919696831f5bb5645e68447c1a056554eaf418bc78ec772abe25b094c3b9cfd55718f6b3661

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
361KB

MD5
59acc770cec6d0b029bc613a492ec7f8

SHA1
ae33548ee35adf09ff3199834b551f88d95fec40

SHA256
1e8eb11bf76608769b69b07525c6cdaacc159ed573d764b6f6e3324f31f3e2f2

SHA512
4a7656eacb05066b9b2b52fa4ca4e8698e9bd942b8a4396467ec53de542d15ec3540afad19d4f7abee6f58e75408a5bbd69fa8d1593030c042f536880bbfb638

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
361KB

MD5
ad15dccb69ac61fd584a70f740c36a7b

SHA1
4826cec8025d52f7926e649272f4e6f96d7c914d

SHA256
acfd6433628768fbd9e4bc9f18e379e82c4acb63423b186639079e95e2c8fce2

SHA512
1757cd23c132ed7282f7faefb17451d25d4283c6fea14255c72f021f4b69e4f043f8ac59b2f0966690f0472fee05b47a11507345641ff3c116f388150d1a5942

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
361KB

MD5
303ed663714310ef4042dd55b7ee47b7

SHA1
fc1731d66e44c24fd9c6616fabdf7732c3a0f73e

SHA256
d86cc1682b5c240e7a04bc1f1df20f729a16dcb7da648d2ac724a4aad69e99c0

SHA512
c29827abaf048b1c2d6e3457c8f1e333d48a36df675b47b68fd722dc93727290721657336a441f5c5981645502b2b7d90af23f492a675bb72ee769d2707173f5

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
361KB

MD5
567527aae605009064ca73b3bf5ac2f5

SHA1
383c74a853dc430f5835f4e856a5421049a307e8

SHA256
c2b884fd2e557ca79c210c67522dd8cee905fcd016671098fc8cd83d66ba8967

SHA512
c1a4ffbc64e6a49bbc61936e8fb8719fd693278242d0edf479c8529e51580e18a93a324b92a0c1db63eeb3261c4d5df50385bc5b1fdc230574c7ac646d19a46b

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
361KB

MD5
5cb86c9e9dd9ef6b931874c82e6ec363

SHA1
9d99579e5494bd0306b15cbcebd763f1eb311462

SHA256
f0717d4eb3565c1a45bd1fba9e9fa6c95406a76d02fb382cce027a06101fa1e2

SHA512
144efbd19c3924c8c4102f07db595445d4239931a3a84775dfe819a70192873758e1c1fbdddfc5d34208cf9bc533eea251961cec13503734a3d68cfbdfcf020d

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
361KB

MD5
9bff6045b685f80cfe015faa9327e887

SHA1
f7a2c527ad5db86de3007af5390bf283592e9da2

SHA256
570b5fee23afc7ba6c170a96dd74c63c4f58b40b9c021db0333e3b377efe053f

SHA512
6800b9d897e9eb5db408cd44d5c96ab93291f0e4a3f60184d8e75f5ee113e699e200e7d055f95e1eb31e0d5742b5f79d9f237af91eba37c81d8cea7d438535ed

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
361KB

MD5
8da5e4c8ee67ff458b6997ee5a117f9e

SHA1
cbc1c643832056984b8686a4ad2332722c648e83

SHA256
cd3c744019d1da6b95816638d6c950b6cef34e0bf49aa00490ad658922a43f92

SHA512
5089c3c88089265b8ff449cabfd793c6209a495d7147f77a48c5e2c908c5f89930f70c4464bb5fa12cc951a8df547cd795704c8ff1076cf23bae6e0c1e41e5cb

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
361KB

MD5
d9fca122492d5e54693ac463ad65b7be

SHA1
64f017416b194bea84d70ce139ba7c0011f0cf0a

SHA256
58945dbf17f492aff64e008c7b640278882a171a5498386f823ff0e861fb40cd

SHA512
64e79cddbcc0b9379c086e29478508068597597d397f66767283a0ff4ff276fada5ef2a2c3b693f098981ed717dfb28d656437cd0872f8a274cd9161a4179682

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
361KB

MD5
722fc23e740d8964f6e85ecd5096bce5

SHA1
3da5e293169bc5096185609087871777e49d021e

SHA256
e9a2f2d3a08f10f835a6c800e6bcb3d533fb6f8e6b8e508fc9eda780e6fc8340

SHA512
32291fd34bd2d69ecca3a29a1250cd2acb9f7839dd9fe21fc90371f3d281ea9c58ceed5e8193d37e8a2fe7e457c871ebf84c7b8e49d6794113979ee83950853d

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
361KB

MD5
8a7a4529f559ac7e2f0ee81dd946142c

SHA1
a039355c9c3e717811f8f600a6c312b45f8db3fa

SHA256
c1c2829ee2c73f4f635a3be3fc3507cc6333a673e00497e916a5d74a6c58fb04

SHA512
04d1e6f764db0635e8d125be787d4532dfccad00db642f4c25b0888300c00b73bc940a65c8f8016ebc4feb75f472160c17411b4f098fe1c6f6a3bcb20a83425c

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
361KB

MD5
96725d0f6c072509008afbacd2c84b25

SHA1
e8ba56eb5b40e68e32b22a0911d118f7206a7232

SHA256
0a7745ee39aef47333810f2f5ba9159dca117e21ce6278796697307ee0510dbc

SHA512
11eb45034c8080c2ca5d999848366418e35a65499c5137fbbf12998317d6992af89e414640ff94cb03020f7bd3ea0877d3366644c0cd3431767163660643d4d5

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
361KB

MD5
30802b9d5d7ffbbf82f58fd9711a2b9b

SHA1
4ba18064780e2bd694a0110c3664736940405b83

SHA256
279046b7059ea9d7de6f7781350d3cdc79413883cdd2ef0633ff5410920208e8

SHA512
4e67641f35302cf6cebbb93a042bcb469fa8f78fd5578ad4a590b9d6f767b54478212fa6364d8ca36687d696c1846a871cc443e9667be7f6e4ac522035186589

Download Submit
memory/112-466-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/184-633-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/392-437-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/460-443-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/464-427-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/524-467-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/688-464-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/820-436-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/824-627-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/916-645-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1148-433-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1280-580-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1300-651-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1336-515-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1352-574-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1404-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1432-471-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1512-621-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1644-441-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1668-473-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1672-965-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1672-445-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1768-521-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1836-475-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1852-33-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1852-1007-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1928-486-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2144-602-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2372-430-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2404-469-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2420-497-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2488-663-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2504-681-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2696-456-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2764-431-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-8-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2920-496-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2936-495-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2984-533-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3036-513-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3044-527-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3184-657-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3216-639-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3228-551-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3368-493-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3456-669-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-442-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3788-613-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3840-440-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3856-458-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3880-586-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3884-675-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3904-693-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3908-543-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3932-444-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3968-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3984-615-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4012-432-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4152-435-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4180-450-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4240-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4344-470-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4428-476-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4432-463-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4436-426-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4468-568-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4492-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4492-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4512-545-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4520-439-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4616-488-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4660-457-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4744-461-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4756-429-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4772-687-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4836-465-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4840-472-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4848-474-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4856-462-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4868-468-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4884-503-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4892-48-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4936-438-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4944-562-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4968-705-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5004-434-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5028-699-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5076-592-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5104-459-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5104-953-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5136-711-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5176-721-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5216-723-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5256-729-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5296-735-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5372-746-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5412-752-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5412-777-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5452-758-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5492-764-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads