f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523

Analysis

max time kernel
138s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe
Size

318KB
MD5

1546b56fc4013c8380dd05a1a686ca77
SHA1

754b17db4ccb468e067cfd44d5d8e1dc6580117e
SHA256

f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523
SHA512

2c5abac8342eb402bb05fcddcbc9dedf738e834e58f8c072502645d43e702e7460659bd39e74d5d35b1826ef6d50db3ca3dfdfe357b76e3d53dca16615c9d3a5
SSDEEP

6144:vRKDLyERVEQHdMcm4FmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:5ipO4wFHoS04wFHoSrZx8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/files/0x000800000002342c-7.dat	UPX
behavioral2/files/0x0007000000023433-14.dat	UPX
behavioral2/memory/5064-13-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4860-16-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x0007000000023436-22.dat	UPX
behavioral2/files/0x0007000000023438-30.dat	UPX
behavioral2/memory/4856-36-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x000700000002343a-38.dat	UPX
behavioral2/files/0x000700000002343c-47.dat	UPX
behavioral2/files/0x000700000002343e-54.dat	UPX
behavioral2/memory/2224-55-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x0007000000023440-62.dat	UPX
behavioral2/files/0x0007000000023442-69.dat	UPX
behavioral2/memory/2468-71-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x0007000000023444-77.dat	UPX
behavioral2/files/0x0007000000023446-85.dat	UPX
behavioral2/memory/1668-91-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x0007000000023448-93.dat	UPX
behavioral2/files/0x000700000002344a-101.dat	UPX
behavioral2/files/0x000700000002344c-109.dat	UPX
behavioral2/files/0x000700000002344e-118.dat	UPX
behavioral2/memory/1752-119-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x0007000000023450-125.dat	UPX
behavioral2/files/0x0007000000023452-133.dat	UPX
behavioral2/files/0x0007000000023454-140.dat	UPX
behavioral2/files/0x0007000000023456-148.dat	UPX
behavioral2/files/0x0007000000023458-156.dat	UPX
behavioral2/files/0x000700000002345a-164.dat	UPX
behavioral2/files/0x000700000002345c-172.dat	UPX
behavioral2/memory/680-170-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x000700000002345e-180.dat	UPX
behavioral2/memory/392-182-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x0007000000023460-188.dat	UPX
behavioral2/files/0x0007000000023462-197.dat	UPX
behavioral2/files/0x0007000000023464-204.dat	UPX
behavioral2/memory/2804-209-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x0007000000023466-211.dat	UPX
behavioral2/files/0x0007000000023468-218.dat	UPX
behavioral2/memory/868-219-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x000700000002346a-226.dat	UPX
behavioral2/memory/1772-228-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x000700000002346c-235.dat	UPX
behavioral2/files/0x0009000000023389-242.dat	UPX
behavioral2/files/0x000700000002346f-250.dat	UPX
behavioral2/memory/1828-254-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1328-262-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1212-270-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4388-275-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3920-285-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1988-287-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1240-314-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2556-315-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2260-330-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1228-388-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4068-390-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2424-396-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3200-402-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4648-408-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3524-419-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/files/0x00070000000234aa-420.dat	UPX
behavioral2/memory/376-425-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2712-437-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3712-436-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2232-449-0x0000000000400000-0x0000000000479000-memory.dmp	UPX

Executes dropped EXE 64 IoCs

pid	Process
5064	Eqciba32.exe
4860	Eofinnkf.exe
3588	Emjjgbjp.exe
4856	Ecdbdl32.exe
632	Fmmfmbhn.exe
4696	Fqhbmqqg.exe
2224	Fomonm32.exe
4104	Fifdgblo.exe
2468	Fqmlhpla.exe
4952	Fckhdk32.exe
1668	Ffjdqg32.exe
452	Fjepaecb.exe
3380	Fflaff32.exe
5056	Fqaeco32.exe
1752	Gcpapkgp.exe
2596	Gmhfhp32.exe
3500	Gbenqg32.exe
3548	Gfqjafdq.exe
3160	Gqfooodg.exe
2716	Gfcgge32.exe
680	Gmmocpjk.exe
3496	Gpklpkio.exe
392	Gbjhlfhb.exe
3352	Gmoliohh.exe
4232	Gfhqbe32.exe
2804	Hclakimb.exe
2152	Hboagf32.exe
868	Hmdedo32.exe
1772	Hbanme32.exe
3700	Hjhfnccl.exe
3192	Hcqjfh32.exe
1828	Himcoo32.exe
1328	Hadkpm32.exe
3740	Hbeghene.exe
1212	Hfachc32.exe
4388	Hippdo32.exe
3920	Haggelfd.exe
1988	Hbhdmd32.exe
2028	Hibljoco.exe
3616	Hmmhjm32.exe
3248	Ipldfi32.exe
1240	Ibjqcd32.exe
2556	Iffmccbi.exe
1696	Impepm32.exe
2260	Ipnalhii.exe
3396	Icjmmg32.exe
5016	Ijdeiaio.exe
1868	Iiffen32.exe
2368	Ipqnahgf.exe
3292	Ifjfnb32.exe
4492	Iapjlk32.exe
2780	Idofhfmm.exe
3456	Ifmcdblq.exe
4212	Iikopmkd.exe
1228	Ipegmg32.exe
4068	Ibccic32.exe
2424	Jaedgjjd.exe
3200	Jdcpcf32.exe
4648	Jbfpobpb.exe
1652	Jmkdlkph.exe
3524	Jagqlj32.exe
376	Jfdida32.exe
3712	Jibeql32.exe
2712	Jaimbj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Himcoo32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6180	5164	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 5064	4520	f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe	82
PID 4520 wrote to memory of 5064	4520	f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe	82
PID 4520 wrote to memory of 5064	4520	f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe	82
PID 5064 wrote to memory of 4860	5064	Eqciba32.exe	83
PID 5064 wrote to memory of 4860	5064	Eqciba32.exe	83
PID 5064 wrote to memory of 4860	5064	Eqciba32.exe	83
PID 4860 wrote to memory of 3588	4860	Eofinnkf.exe	84
PID 4860 wrote to memory of 3588	4860	Eofinnkf.exe	84
PID 4860 wrote to memory of 3588	4860	Eofinnkf.exe	84
PID 3588 wrote to memory of 4856	3588	Emjjgbjp.exe	85
PID 3588 wrote to memory of 4856	3588	Emjjgbjp.exe	85
PID 3588 wrote to memory of 4856	3588	Emjjgbjp.exe	85
PID 4856 wrote to memory of 632	4856	Ecdbdl32.exe	86
PID 4856 wrote to memory of 632	4856	Ecdbdl32.exe	86
PID 4856 wrote to memory of 632	4856	Ecdbdl32.exe	86
PID 632 wrote to memory of 4696	632	Fmmfmbhn.exe	87
PID 632 wrote to memory of 4696	632	Fmmfmbhn.exe	87
PID 632 wrote to memory of 4696	632	Fmmfmbhn.exe	87
PID 4696 wrote to memory of 2224	4696	Fqhbmqqg.exe	90
PID 4696 wrote to memory of 2224	4696	Fqhbmqqg.exe	90
PID 4696 wrote to memory of 2224	4696	Fqhbmqqg.exe	90
PID 2224 wrote to memory of 4104	2224	Fomonm32.exe	92
PID 2224 wrote to memory of 4104	2224	Fomonm32.exe	92
PID 2224 wrote to memory of 4104	2224	Fomonm32.exe	92
PID 4104 wrote to memory of 2468	4104	Fifdgblo.exe	93
PID 4104 wrote to memory of 2468	4104	Fifdgblo.exe	93
PID 4104 wrote to memory of 2468	4104	Fifdgblo.exe	93
PID 2468 wrote to memory of 4952	2468	Fqmlhpla.exe	94
PID 2468 wrote to memory of 4952	2468	Fqmlhpla.exe	94
PID 2468 wrote to memory of 4952	2468	Fqmlhpla.exe	94
PID 4952 wrote to memory of 1668	4952	Fckhdk32.exe	95
PID 4952 wrote to memory of 1668	4952	Fckhdk32.exe	95
PID 4952 wrote to memory of 1668	4952	Fckhdk32.exe	95
PID 1668 wrote to memory of 452	1668	Ffjdqg32.exe	96
PID 1668 wrote to memory of 452	1668	Ffjdqg32.exe	96
PID 1668 wrote to memory of 452	1668	Ffjdqg32.exe	96
PID 452 wrote to memory of 3380	452	Fjepaecb.exe	98
PID 452 wrote to memory of 3380	452	Fjepaecb.exe	98
PID 452 wrote to memory of 3380	452	Fjepaecb.exe	98
PID 3380 wrote to memory of 5056	3380	Fflaff32.exe	99
PID 3380 wrote to memory of 5056	3380	Fflaff32.exe	99
PID 3380 wrote to memory of 5056	3380	Fflaff32.exe	99
PID 5056 wrote to memory of 1752	5056	Fqaeco32.exe	100
PID 5056 wrote to memory of 1752	5056	Fqaeco32.exe	100
PID 5056 wrote to memory of 1752	5056	Fqaeco32.exe	100
PID 1752 wrote to memory of 2596	1752	Gcpapkgp.exe	101
PID 1752 wrote to memory of 2596	1752	Gcpapkgp.exe	101
PID 1752 wrote to memory of 2596	1752	Gcpapkgp.exe	101
PID 2596 wrote to memory of 3500	2596	Gmhfhp32.exe	102
PID 2596 wrote to memory of 3500	2596	Gmhfhp32.exe	102
PID 2596 wrote to memory of 3500	2596	Gmhfhp32.exe	102
PID 3500 wrote to memory of 3548	3500	Gbenqg32.exe	103
PID 3500 wrote to memory of 3548	3500	Gbenqg32.exe	103
PID 3500 wrote to memory of 3548	3500	Gbenqg32.exe	103
PID 3548 wrote to memory of 3160	3548	Gfqjafdq.exe	104
PID 3548 wrote to memory of 3160	3548	Gfqjafdq.exe	104
PID 3548 wrote to memory of 3160	3548	Gfqjafdq.exe	104
PID 3160 wrote to memory of 2716	3160	Gqfooodg.exe	105
PID 3160 wrote to memory of 2716	3160	Gqfooodg.exe	105
PID 3160 wrote to memory of 2716	3160	Gqfooodg.exe	105
PID 2716 wrote to memory of 680	2716	Gfcgge32.exe	106
PID 2716 wrote to memory of 680	2716	Gfcgge32.exe	106
PID 2716 wrote to memory of 680	2716	Gfcgge32.exe	106
PID 680 wrote to memory of 3496	680	Gmmocpjk.exe	107

C:\Users\Admin\AppData\Local\Temp\f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe
"C:\Users\Admin\AppData\Local\Temp\f8f8545777b44893f744227de0643294717fed2f41cf8c774fc3dcdaf4738523.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\SysWOW64\Eqciba32.exe
  C:\Windows\system32\Eqciba32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\SysWOW64\Eofinnkf.exe
    C:\Windows\system32\Eofinnkf.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\SysWOW64\Emjjgbjp.exe
      C:\Windows\system32\Emjjgbjp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        26⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        31⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        32⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        38⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        45⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        59⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        60⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:376
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        66⤵
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        67⤵
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        68⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        69⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        70⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        72⤵
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3924
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        74⤵
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        76⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2236
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        78⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        79⤵
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        80⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        81⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        83⤵
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        95⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        96⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        97⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        98⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        99⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        100⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        105⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        106⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        107⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        110⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        112⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        114⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        115⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        116⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        118⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        120⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        124⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        125⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        126⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        129⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        131⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        134⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        135⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        137⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 400
        138⤵
        Program crash
        
        PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5164 -ip 5164
1⤵
PID:6152

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
318KB

MD5
a591bb7bd46ae1c2ea80ef9a1aaa5cb2

SHA1
f55419198a1cb357e69cb0e4bf8779433cc50afc

SHA256
a6870f2a6748877ce3af84a4fc423d854e18e7d40a91386199b461ed1e54d914

SHA512
c975963e4684af6bcd91ce447a5317bed4cd08b294d870e8fff5be277b93172d08f5697f2e4babfdfcc29f310752682904e38cc6ec55c2b5256a20a0a6add976

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
318KB

MD5
892633ce7ca2a0f280b34d3b87609724

SHA1
1d3cf47c7c355ac84c209f27669f2c419954c775

SHA256
ddd56cdf92734e37496884796faabb0360940cf9198284fc83ceb40479421716

SHA512
c5c03b647723eff34ec07bf01809a4a73e73b9bf18e9b2c8afd066e02445613af45fbab53451ac06ff1d0dd5d0fd7a033cf808ab99cf452943d30ce13d8ac6a7

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
318KB

MD5
1da499945ec4ffbf025719d67483d99a

SHA1
4e4f3f93d3b6a4a5b47bc47e58fc5836b09a34c9

SHA256
9ced73367f283ba1f9744e206210e5ed12d761f8f97669bc2d39ad9fd166b442

SHA512
b057e157c3be9e3c9ea48b85efdb841c3a6678156111953217512cc68bb152d0cb9e6f09495d3b9d5c52f690966de4887a794cb1e07d769a50b0c8bf33311aad

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
318KB

MD5
ed73b255beebebe8969ea6cfdd9df754

SHA1
86474c0125d7dd661d953ef07cb8dba6f0315d47

SHA256
3ff6b96e1609a3d05bcf9dac0987f78c7b01841fe51e5fdb46f76126ea88559c

SHA512
2729b8de27e507f8cf4a1d160b9df2d009ee8ccfdf55d73b402be46767306b892bb37d06af14105bed6aa6bcad3853b37012ac25296120605d60c5732ff4fb32

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
318KB

MD5
246a00d1f688c43d5268a6cfeb0d87be

SHA1
f0b24e1be71f1d6d0aa15d1ffdad8afe1d2bcf82

SHA256
bf0632b95287162ae29db80b35f3f9088d0baf1311d4d43996216d7a5da04b9b

SHA512
d8bee89137dbb2e9efb4ca42ac7f48837c38aa8fb61f466a9e49e646e6d31780bb22aec877a65d61053a6e7e49cbe7da36ab9a1a6dbc1c298f9c13464259800b

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
318KB

MD5
287581df41548a291ebe8e80573d9dfa

SHA1
5145a1dcec24c7656b430a6e322ff5d073000164

SHA256
4b88f7cd03c266d95eb0eea8625807776284cc27ff812e24280a8e6160c762ae

SHA512
46b06503a3e59a223558a4be2c8b2c80dbec4081b42f9edc8b516a4d16ba1f7f697c4f7bada64912b0b8ddc9d20fd0393a724fd020f0d1af99f04c5fae62c872

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
318KB

MD5
1b5b5bf6b92e5c3df40c8be13f9460ce

SHA1
dc65eb5a22c9c6f3449a2d407e1075f062ccdcbd

SHA256
09df3cb1fd533b058a55f69583ca80aa3014fb9e045d03d436a0309b0e2622a3

SHA512
2fa7161aac1e65742914b779cf4d3d1e675c0edafee397db76864a23f4e872089f1b1b7c67375851df12c13ce925848863f4ea2fa2da2e34bac7a6d7c40d2715

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
318KB

MD5
727e3c4c33aa60ac3971d6469a63b18b

SHA1
5b2df4a2447e661680f93f0cea9fe267a1575116

SHA256
e303716e4fa3f104595a4d13bc235afb3118e6df7c43744af106d402c044f6a8

SHA512
e2a97266e0e5731d9bf2d56c60af9594ca13da2a88e08d9a44d24e5052cead95e6222ae9227837b6523f631240db46069d64812946a4c0bb4fe5390874f35ff3

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
318KB

MD5
5b240d7b8716283ea6b86a3c7fd63267

SHA1
285ebda62f23875ffbf3162aff53b3ed952b8186

SHA256
0ad15313693f6be498e9861f6d3e3bfe8eaa03b3e2a2bdd792ead5ffe52b117c

SHA512
f3db33d0648f4f2fea3777431c34a44287d51ecd587c2b478109f90e8612c3437c7841da3528e7fa07a08c2b95e642a641f8c86c5849d200504b837e5ada4c3e

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
318KB

MD5
95b6189c7b8febdcf23eb06bb81fad1e

SHA1
1a588dcadc9ad7206fb5b02a1bf99fbee3aa48bd

SHA256
0480bc476d5cfd29f8c23180858214fbd653272e2e7d8dbcd3055098ca02c27b

SHA512
71ededad87fde38360ac601bc9d3b0878f3378c1ed163cb20c945a7e449a750700fb660d26e5e02b621cec8d5e70a63cad8e165205ef9d0f304b09f2c81ba782

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
318KB

MD5
ee2239ebbb55a6a7fdc9d30afb10b6f9

SHA1
122de8dd5dc32a32d727e2d1e393d03c8f3dce1b

SHA256
5c911b2fd515824c397a4971c9d53dc59c3dba31f1d02007154788c2d82a5451

SHA512
2a88fa6eb0c3b77a6d991da03d49b98ee3648b39968fa09ce87fd2d99b0db5098d2e420fa0a9b541d58db7e295f063409915bcbe1bf0effed8b7d62fca02c332

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
318KB

MD5
61a15e2c7b66dbd596667e60d69a3883

SHA1
1bc39ca4bf78e37b9537a840acb33cc59bb1b489

SHA256
9c477b2bbc73cd81a95823b959f49ffa735d6ace695e36d41ea3ea56c677b8c6

SHA512
f8e9bb774e1d4922fde3e266f2d496f3d433af043631b17bb3f45b9fcaa82316a7b1814762487f9e46a6f5be331b904b49a37f91bc17aa84d14a32c97017b80e

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
318KB

MD5
f0bdc013de06ddb25c92b4798beeb41a

SHA1
bc877d2a5ef050135d2161718e3948d74ef25795

SHA256
af2d4c9a647e377ea7b788ad5083dd3fa5c65a97d39fa9239513f60b0e5ecede

SHA512
e197a35e2a7785ba07bfe82fa03d787074570b1676f6e48107c3f57eab824e46f99e9776cc6fda97dc483a84d8c5ebee0377e27b0e2dc9971f02ac34da1deb14

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
318KB

MD5
eafef1fbfacaed480f9c476b8c569766

SHA1
d3c8be627a5807f35b51e0f190baf4284f9c0e43

SHA256
9779b104328f4b9a5b4359ba58f161035be4a2328e72ba99a8f332685266ec1d

SHA512
c888b7c665695513e750d086761a3c67ac295b9f6a180aad55e600fc0b7fa6dfd8b4ae3ac22ea0b96331ffac4dd5ecaab3bc90e55b6345255fdebb725eb84491

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
318KB

MD5
35de9e8051da0ead82c27d401f1fe388

SHA1
bf0126b90c8a4b5b342644f1ca5f0c79ff003bc6

SHA256
b40419c6c13165be37557706c0b350b4aaf652a2efaf92879ab8e22c8e1d4320

SHA512
179aea7d22890855c65a17963cb18c075c71ad0894684de73eb79974f7e3a67d855c59b6c6d3a590d3536f72e39d5efcbc47800f4467cf60db97ba833db4612f

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
318KB

MD5
8fcc1b9bdcd589b64c2ba17a5db5b341

SHA1
a1eb88507e05a471185b0fbb73414543b58c3780

SHA256
7e7b75adab82691532fb552cae833be714baefb6543e9a52df19e478945a291b

SHA512
198f8eb9bbd0afe3aaab1018a86a270a9dda0d69e642bd2edc47e476af37e62fe5a03c1ecfdb8f1b4944d62d23e4576db02eb8fad7e059ee6f0663c6f4e6ba8f

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
318KB

MD5
15b862e625c6d56eedfc094389637206

SHA1
a10dc7af1d39d7de7860876700669f7e408799cc

SHA256
218653ec16b3a71d811cb46531b09d487cda3363d2c5517533980221516d33ec

SHA512
78e115982516d65aa40eb908718cb3a87d883f85dccd7a2b30406a6923432fbd96559ddf9587f5a2569e77e9c9e0ad6d103a44ee9325c0b248ddda5f10344299

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
318KB

MD5
b078698eaf7e2a0d9d66a4c2223ee77d

SHA1
5aecca062bee447451d95fefd1fade9a4a6de290

SHA256
25a74437e4f9ef5b9d940c025baa52194880537dd5212d44c74c4e5b07cedd0f

SHA512
155b6b14d35ad897716740b8ad997ab82d7a809c0e80d8537f89079ac4276816f9c6448c0d183ec2e1ce128da4efbc60e2627411d04c2c97f185c11b75fd06b9

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
318KB

MD5
6c2c65fbef8375a2fee9b2c737b71cd6

SHA1
d0f12d90c940f50c0ddba2cfe37ac79a27f5af98

SHA256
31792e33e0a9c939381ac6b85890760f93009b4391697dd9e684ac2a29734b69

SHA512
3b4663d76631f9b939589edf115c2b9cde321c5ebea896ed0034e1a5d86951194b01d45a89c2ca91d76d069a334c2a1b0f37f19d45ab662a87cf636957b9db11

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
318KB

MD5
4337019fad1434955f36f1625cee00af

SHA1
9d7527ae77a1aee913e3f0c403da344d7e1231c2

SHA256
1e957b61eb0bfe726a618ac4686e260ead04e31161ba3cb48e334079f4d27a92

SHA512
b7e0246c1de50f95aabbe1301992807979a26a5f18f6775527fd8a0f82d974606c8da4db40b353a76b00922f3f971303de7fcc416921afde86796001698f678e

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
318KB

MD5
75d9fcc06dbd9e7fad0f6e08d86c282d

SHA1
1bf24d0e0d72db5a82d9844261f1c1ec4ffb8bf7

SHA256
368197e0dde70b973e34d0a424b6d3466a0d86c558c8f4acfebbd619c3b9f0f9

SHA512
f60bdff2ed9d31d90e29f239ae2a89223e2cd3b2b4b26a6a9a48a23c2ca61a9eb8dfd4273dcaeea66eec25e4add5b8a643dc59eeb513becd1d228b2f17749c1d

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
318KB

MD5
4817c2a18dbb02ab2888188f86821406

SHA1
f4456f9c62bcc4d5f95a1cb5ab425ea2c40a24e6

SHA256
dd867ac9c6752b04c6dd906b0291926e5ef505593cd8122afbfe3c90ed1a9625

SHA512
54dd05939d318978c508595829dd7e05f2df10635b387d0a9768a617db77d7438cc2a72df10a419686fe97c44216219cb4c51e04d2ccd7f9c3067a63368cd0ca

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
318KB

MD5
8700a4f7b485fec6784dce127f9c0764

SHA1
70f74d5e7f2f83864345c972910aef063373b3c3

SHA256
1938a795b58c204d7818dbf771760e6a7a117885013294d3b1b72010e701a1de

SHA512
6630b4ee17564861524a1cbaf38b5e3233cdf380d692314be701f846f58ebb8bf66802970d062e180e06fb549096875c6c8d1d765b6d5a06ad04a4aab8e0e2a6

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
318KB

MD5
148e8da1aaf40c86b8f39f0d9a5e711c

SHA1
c61bb595f9b320368f4c070afb93faf76d8ce936

SHA256
3a92bdc25030eb12e604808227f451ea2b5783b142152a766113e66b7de47aca

SHA512
c44efa4a99321e939c7bace587df1c4cd4eaf1d5b9d03fda20837d07b57f1d556846a2e95575c17de00d3334fc19799e8235e2ce5ba2901d6eece483d4775a55

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
318KB

MD5
a0f049d7966d7ae6002c23e7e862cfe3

SHA1
8ec51427b98cc144cc98ceaedfb158a0a9aca75c

SHA256
a6931f8f530762a3ba77b5a31bc07cb1ddd8abf8cd5690f601e4fc66293536cb

SHA512
e30416f7eaf066f28678f6c95d41a3f52b26f23a50dfa2c97b003b22e7fd88753dcf0133f75e61b0d3e97c6c1e95ed0aa8b350149e40aeafb5c10990a23f5b83

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
318KB

MD5
8b7e50cd9ce7e1d6bea0260f778d3a71

SHA1
03d488e75e3e83fd615c890abc3ce20c799fac89

SHA256
e6b8683b2d12871c548ee75245fe77beb94f31871d56a7fb4c5895f151cc7f39

SHA512
a9a243b7d1169c9f1ba72c6be3cf7010e70bd4adb679fded013a31fa130802f6a1d15ea2c66a05cd16914821982f21d2f622a239eb5bf680b23c35a43c688f24

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
318KB

MD5
ff5a5555086d266cf0e816cec4e0d36a

SHA1
c2cded5a666e9609a9625af5f6e4a029bd4e5a71

SHA256
fa6f17a41bf3459e5548d052f76e1869fd701d8371a3b4466fcb864abd56384c

SHA512
5b0f26022234b6f3f359da267c0eb0bd7e03af546da822d051bdcac0c3f355dbecb2d61f378b438d1b309f33f54fcfc07c7be3409ce96026c72b831f9ddc7768

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
318KB

MD5
13b3e2a534f198d022d5ee78404a3daa

SHA1
b0ceff513e8e16a6a748625dd512c0547dd1ba61

SHA256
349f53307858f0818dec054e5013696e1079861fa8b105432e01a6a714b9a2b0

SHA512
3a6ce3dea9c4eeeb0dec64c74d22b3b382e5e9bf6fd813f435bcd780e7b47ead94d76c9baa386da5b9da871eebc4724e59ba4d6b1300c06e455c41ef806b3908

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
318KB

MD5
bfd6cc619c29ffc161ba6560788ba286

SHA1
2929ef259c683562a81b5d05a118277a39ee64d3

SHA256
86492247dfbc8cbbed3825b00b57e698843f37bb60f43d823a8ff144f8bd0582

SHA512
ee955b753b3e2707348047b31331cfecdba546c4828ce27b8a3016f42339b201dc39e9b7d5c6d16db04b486977c710ad83f0a31f02211e2e1fa3f3a886e40d44

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
318KB

MD5
7276ccbfa1f0866eb10c65ad6777d874

SHA1
02f80ec943124f6d0da070c752365c0bdbd1438b

SHA256
dbf0151ec12674114f4cc6d5eb6c22dda8694f0d72b83d5e07c4ec07ce110e4c

SHA512
66410dbee32d469ac4164e00324d8faa7f87665e03fea5bce93fa60a634e174a28d3fc5d16d70fc3867fe908f9c9d0bf25d248fd636ba8f8933c8adeb9600631

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
318KB

MD5
b06d0b521aa270a4432206975d2c3587

SHA1
6fd3d87744d5e907432507440ce186772af120c2

SHA256
33150aa2a9d724648f8392e8f4d408a6628e3c767053f627760640b4f60f19f6

SHA512
b43638a0825bbfefdcb368d8d3e14e9b10b595d0057b93ff6e416846b44d453fd67953607cc9d45a5bdec375b13b4d53f42497f3d64438920c1073069e99b9f9

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
318KB

MD5
8a693b6b249425b717de70578f037ff6

SHA1
86388dfdfc1347f1f855dcb71650924da30138a5

SHA256
f4f007069189487c9079698dcec67da4bb4837fb7be2ac765aa063b1b13e49bc

SHA512
42abb653d5626b7afbba3c1e4075f312caffb95064ffbb12ec4fb36f6b24327e866b0f10efbf93f8e6072ec4ee5d6a2ac5a00950d62fe88a71d262e23bd26626

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
318KB

MD5
f28c4dccc32ccbcb4bfa68bf0a6fb96f

SHA1
04f40c423ce878ba9ccfa9064d20637e7a574728

SHA256
842fad0b6e25515d64129c2329e7d781a76bae67269c55efb974e3f55ecbd136

SHA512
fca2694675a81686ad60893083ebca94502e2713f92dc47d9461c3070427d9aa5779ab135822b78baeb427d2ccafb51ef7d61e33454437b8976e9de719bc3d31

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
318KB

MD5
1893f6756d884fe74116ca5ac68f08aa

SHA1
862dcd1b5598c8860a176d3e3281b00f8b1de0d2

SHA256
096a07c32c02e9a2fbc664aaa8b5e9ea057f24a664df121350b0adaff8a57d20

SHA512
69be1d617e70ae8ef576218276663879a836227f2c4218e234c9fd236af0e8ced75df38856fb18ca0f2f112199bdf826bde15528465ea8c2edbfb8f90605fef1

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
318KB

MD5
af1a74bf51c93856c9fd6dc54f9f2366

SHA1
52f2f2f9a5c6ad3a6051b0c148084bb52bd35bb5

SHA256
7eb9bb5be5fc60eac3e635bf3cd3a7f85fb4b96807b32c645a75b9cb232ba4d5

SHA512
56ee60c14f89271e9945662a3bf6236952054cfcc3ab765fa1068ccf8f629fedb6f0f4ff75d64c14560de3976a59be96b7a1f9985b0a0981cdb1a828314b2439

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
318KB

MD5
7d1b3e3f5874ac95cec0dcc7eb5fcc52

SHA1
987c7d532d969a37f4f478a8fb78ef92f4980a0b

SHA256
66ef6f030fa0a26fb982695227bf4f068ac70e34e9c05b8c880803913c305570

SHA512
d84dc92eb4cf83fa70db7ea9f38f9577425d5b634a094f96da42619fbfb8aa1e28d2605d14d849c596452efb884246093f09e5be7289d8a34d2078304568a095

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
318KB

MD5
74aba2f6f17023bec044426e14132e02

SHA1
7336493f12d087deb1e247ab4fb07843d6005cf0

SHA256
d23c1bd27c6a20b3db71d4a737f06887fbde0d7955c194692c5519d60f245437

SHA512
79ed93f0b47d9675cecbd478cca67472212116dd256d2bbd0b6eba8c54f48d43f6abc6b6614414354539c26e0aa3c0862d88b6a0415f595cb5521475853a403b

Download Submit
memory/376-425-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/392-182-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/400-531-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/452-99-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/452-608-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/632-565-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/632-44-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/680-170-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/868-219-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1212-270-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1228-388-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1240-314-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1328-262-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1544-502-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1548-496-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1668-91-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1668-602-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1752-119-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1752-628-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1772-228-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1828-254-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1868-344-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1988-287-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2104-477-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2144-566-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2224-55-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2224-582-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2232-1029-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2232-449-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2236-508-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2260-330-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2312-467-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2368-1059-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2368-354-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2424-396-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2468-71-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2468-590-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2556-315-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2584-443-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2596-635-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2596-1129-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2596-127-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2712-437-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2716-158-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2716-659-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2804-209-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3000-524-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3064-560-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3160-653-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3160-149-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3168-997-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3192-244-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3200-402-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3200-1044-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3292-356-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3352-189-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3352-1112-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3380-614-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3380-103-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3396-332-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3436-552-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3456-377-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3496-178-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3500-643-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3524-419-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3548-647-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3548-141-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3588-24-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3588-550-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3616-302-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3700-240-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3712-436-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3920-1087-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3920-285-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3924-484-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4068-390-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4104-588-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4280-461-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4388-275-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4388-1088-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4456-495-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4492-362-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4520-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4520-536-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4648-408-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4696-576-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4696-48-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4780-455-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4856-558-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4856-36-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4860-549-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4860-16-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4904-514-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4936-539-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4952-79-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4952-596-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5016-338-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5056-621-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5056-111-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5064-538-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5064-13-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5140-907-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5184-987-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5340-896-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5352-918-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5444-615-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5508-622-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5560-629-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5792-931-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5796-961-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5916-957-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads