3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe

Analysis

max time kernel
138s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe
Size

64KB
MD5

ae058bdc20a54aee64e2c036ec04d323
SHA1

5cb8bef0d72c8467cbc58f321bbd064107add5e4
SHA256

3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe
SHA512

ada1f6b0c8e8de9742f044f5bff01b9cffc05bb631291151c8100d226494f8f51d3a0b7ba48cf505e120bc38fbc8bff59f513d8c8715dc0a7e1d22652c0095c8
SSDEEP

1536:xYT6qMn+tR592ibQVZ5MlrozIpEbj/2LatXdZgQe:yM+7nUVZ50rpEbjEaXds

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe

Executes dropped EXE 64 IoCs

pid	Process
784	Fjqgff32.exe
3376	Fqkocpod.exe
5104	Fbllkh32.exe
4580	Fjcclf32.exe
4560	Fqmlhpla.exe
2436	Fckhdk32.exe
3488	Ffjdqg32.exe
4632	Fihqmb32.exe
4420	Fqohnp32.exe
2668	Fbqefhpm.exe
3036	Fjhmgeao.exe
1072	Fodeolof.exe
4816	Gbcakg32.exe
868	Gjjjle32.exe
2384	Gmhfhp32.exe
2512	Gcbnejem.exe
3500	Gfqjafdq.exe
4848	Gmkbnp32.exe
3996	Goiojk32.exe
4508	Gbgkfg32.exe
4820	Gjocgdkg.exe
3568	Gmmocpjk.exe
3192	Gpklpkio.exe
3372	Gbjhlfhb.exe
3788	Gjapmdid.exe
3972	Gmoliohh.exe
4260	Gpnhekgl.exe
1296	Gbldaffp.exe
4368	Gifmnpnl.exe
4432	Gameonno.exe
4412	Hclakimb.exe
1712	Hjfihc32.exe
3620	Hmdedo32.exe
2092	Hpbaqj32.exe
3588	Hfljmdjc.exe
3756	Habnjm32.exe
4008	Hpenfjad.exe
3648	Hbckbepg.exe
2332	Himcoo32.exe
4344	Hadkpm32.exe
4512	Hbeghene.exe
2148	Hjmoibog.exe
3640	Hippdo32.exe
1236	Hpihai32.exe
884	Hbhdmd32.exe
1324	Hibljoco.exe
4936	Ipldfi32.exe
1224	Ibjqcd32.exe
2760	Ijaida32.exe
684	Ipnalhii.exe
2796	Ifhiib32.exe
3848	Imbaemhc.exe
5008	Ipqnahgf.exe
5048	Ifjfnb32.exe
1472	Iiibkn32.exe
4844	Ipckgh32.exe
4424	Ifmcdblq.exe
3652	Iikopmkd.exe
5000	Iabgaklg.exe
1412	Idacmfkj.exe
2088	Ifopiajn.exe
2168	Imihfl32.exe
3104	Jdcpcf32.exe
808	Jfaloa32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Gddfpk32.dll	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	Fbllkh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6684	6596	WerFault.exe	239

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjqgff32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 784	2896	3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe	82
PID 2896 wrote to memory of 784	2896	3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe	82
PID 2896 wrote to memory of 784	2896	3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe	82
PID 784 wrote to memory of 3376	784	Fjqgff32.exe	83
PID 784 wrote to memory of 3376	784	Fjqgff32.exe	83
PID 784 wrote to memory of 3376	784	Fjqgff32.exe	83
PID 3376 wrote to memory of 5104	3376	Fqkocpod.exe	84
PID 3376 wrote to memory of 5104	3376	Fqkocpod.exe	84
PID 3376 wrote to memory of 5104	3376	Fqkocpod.exe	84
PID 5104 wrote to memory of 4580	5104	Fbllkh32.exe	85
PID 5104 wrote to memory of 4580	5104	Fbllkh32.exe	85
PID 5104 wrote to memory of 4580	5104	Fbllkh32.exe	85
PID 4580 wrote to memory of 4560	4580	Fjcclf32.exe	86
PID 4580 wrote to memory of 4560	4580	Fjcclf32.exe	86
PID 4580 wrote to memory of 4560	4580	Fjcclf32.exe	86
PID 4560 wrote to memory of 2436	4560	Fqmlhpla.exe	87
PID 4560 wrote to memory of 2436	4560	Fqmlhpla.exe	87
PID 4560 wrote to memory of 2436	4560	Fqmlhpla.exe	87
PID 2436 wrote to memory of 3488	2436	Fckhdk32.exe	88
PID 2436 wrote to memory of 3488	2436	Fckhdk32.exe	88
PID 2436 wrote to memory of 3488	2436	Fckhdk32.exe	88
PID 3488 wrote to memory of 4632	3488	Ffjdqg32.exe	89
PID 3488 wrote to memory of 4632	3488	Ffjdqg32.exe	89
PID 3488 wrote to memory of 4632	3488	Ffjdqg32.exe	89
PID 4632 wrote to memory of 4420	4632	Fihqmb32.exe	90
PID 4632 wrote to memory of 4420	4632	Fihqmb32.exe	90
PID 4632 wrote to memory of 4420	4632	Fihqmb32.exe	90
PID 4420 wrote to memory of 2668	4420	Fqohnp32.exe	92
PID 4420 wrote to memory of 2668	4420	Fqohnp32.exe	92
PID 4420 wrote to memory of 2668	4420	Fqohnp32.exe	92
PID 2668 wrote to memory of 3036	2668	Fbqefhpm.exe	93
PID 2668 wrote to memory of 3036	2668	Fbqefhpm.exe	93
PID 2668 wrote to memory of 3036	2668	Fbqefhpm.exe	93
PID 3036 wrote to memory of 1072	3036	Fjhmgeao.exe	94
PID 3036 wrote to memory of 1072	3036	Fjhmgeao.exe	94
PID 3036 wrote to memory of 1072	3036	Fjhmgeao.exe	94
PID 1072 wrote to memory of 4816	1072	Fodeolof.exe	96
PID 1072 wrote to memory of 4816	1072	Fodeolof.exe	96
PID 1072 wrote to memory of 4816	1072	Fodeolof.exe	96
PID 4816 wrote to memory of 868	4816	Gbcakg32.exe	97
PID 4816 wrote to memory of 868	4816	Gbcakg32.exe	97
PID 4816 wrote to memory of 868	4816	Gbcakg32.exe	97
PID 868 wrote to memory of 2384	868	Gjjjle32.exe	98
PID 868 wrote to memory of 2384	868	Gjjjle32.exe	98
PID 868 wrote to memory of 2384	868	Gjjjle32.exe	98
PID 2384 wrote to memory of 2512	2384	Gmhfhp32.exe	99
PID 2384 wrote to memory of 2512	2384	Gmhfhp32.exe	99
PID 2384 wrote to memory of 2512	2384	Gmhfhp32.exe	99
PID 2512 wrote to memory of 3500	2512	Gcbnejem.exe	100
PID 2512 wrote to memory of 3500	2512	Gcbnejem.exe	100
PID 2512 wrote to memory of 3500	2512	Gcbnejem.exe	100
PID 3500 wrote to memory of 4848	3500	Gfqjafdq.exe	101
PID 3500 wrote to memory of 4848	3500	Gfqjafdq.exe	101
PID 3500 wrote to memory of 4848	3500	Gfqjafdq.exe	101
PID 4848 wrote to memory of 3996	4848	Gmkbnp32.exe	102
PID 4848 wrote to memory of 3996	4848	Gmkbnp32.exe	102
PID 4848 wrote to memory of 3996	4848	Gmkbnp32.exe	102
PID 3996 wrote to memory of 4508	3996	Goiojk32.exe	103
PID 3996 wrote to memory of 4508	3996	Goiojk32.exe	103
PID 3996 wrote to memory of 4508	3996	Goiojk32.exe	103
PID 4508 wrote to memory of 4820	4508	Gbgkfg32.exe	104
PID 4508 wrote to memory of 4820	4508	Gbgkfg32.exe	104
PID 4508 wrote to memory of 4820	4508	Gbgkfg32.exe	104
PID 4820 wrote to memory of 3568	4820	Gjocgdkg.exe	105

C:\Users\Admin\AppData\Local\Temp\3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe
"C:\Users\Admin\AppData\Local\Temp\3c7e970fa86afbb362873828f5b5d3d337cfe2f98faf4ae4f4f290b271d1d8fe.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\Fjqgff32.exe
  C:\Windows\system32\Fjqgff32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\Fqkocpod.exe
    C:\Windows\system32\Fqkocpod.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\Fbllkh32.exe
      C:\Windows\system32\Fbllkh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4580
      - C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        23⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        24⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        26⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        27⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1296
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        31⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        37⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        42⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        47⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        48⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        63⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        64⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        66⤵
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        67⤵
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        68⤵
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        70⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        71⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        72⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2648
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        76⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        77⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        78⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        79⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        80⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3888
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        82⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        84⤵
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3100
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        88⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3108
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        90⤵
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        91⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        92⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        93⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        94⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        96⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        100⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        101⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        102⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        104⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        105⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        108⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        109⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        117⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        119⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        120⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        121⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        124⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        132⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        134⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        135⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        136⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        137⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        138⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        142⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6244
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        144⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        146⤵
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        147⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        148⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        150⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        151⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 400
        152⤵
        Program crash
        
        PID:6684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6596 -ip 6596
1⤵
PID:6660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
64KB

MD5
178545d21ecb88c66fc44c916e306d21

SHA1
d155633b87de24366b0514fc0266e2c9fe89d272

SHA256
fdf86fc5a13b726803473b79f0f5d439754efed91f043ae8dee76bf0485651fc

SHA512
97fc95d2d2a8a033fb5a3a3322a9f283bd52b8966c49f1fa0e6c93fd8462e2b63fdbd3218664fdb2bf570e6bd63967f75764639bf143ef05f12a55f8ec35ac36

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
64KB

MD5
5d01fead64ed54698843e0bf42feff2e

SHA1
210707d9a5a75b596e716ce2b2f84cc5e4a1bab5

SHA256
27dfae4eef7dbe6d271f310273cdd2cbc71c6b85de6db82d66a3abbc68ca2390

SHA512
b2ea20a93b85ef68d1d000893d38d8a64de6cdda7541986d8ccea7a02c22b175021722de1a160da51654970bdcf4d6a7f19cfd83f5e7c2e2c2fe3418dccac0b2

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
64KB

MD5
dce149bb13799cb02931d872bbfe46e3

SHA1
8c8583097d7970371600a3d2ee68bc95dc921bba

SHA256
70006db1e3fb6a3a8e4aab9e86dda253b790486468a99cf51433c36aaaffb1e9

SHA512
46a12b6f5f66b52ab7e78c67da97c46ccab3b2e9b2fdd3b720d37cd41ac02dd5aed97d4ef482fa07cd011800d312515c4219e74fe61c6e1d4fbe3fcd456d45bc

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
64KB

MD5
ea88398285711a640164d89b0e5ef51f

SHA1
d1194d5c636101b5fd956d70416b9df8e00cc054

SHA256
4d3e33def8cc91bdb624807896ef37c447f43305116dce4673411fdadaf40471

SHA512
e92eb6b0ee252da483b80d888aef811f22877143e22df8980f265bb8aaa0b2a963e4367b7227cf59a67e2cf80be4c568a01331731e7a80a78ec4ddce26badca5

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
64KB

MD5
2bc25ea74466a58be87f37a9b5c253a0

SHA1
ba862233128a7e15214811be86b16f30eedf9eb7

SHA256
6ad307699d67ace0843cb611e5d4a67e3e4d3a2257c974a5ec5e1355726cbd94

SHA512
278231fd81550143010dad3c3b3196086a6e93691ba3872bc9bea5e4b59f1b878775867920fe0b73ac03d3f85dad3e7801795c8e68f4cc57d9e47aa49b4e25f0

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
64KB

MD5
8b67208ee411cd2e36ff9cfc98dcf5de

SHA1
fedf7dab5667e6d4653044bb83e831ad08bedf5b

SHA256
889f647bee9191af7815a5db278552f401d875ac34ce22a9bc04766324dace95

SHA512
c0de7cf4ce2b067794ecbfb267e32c03a72a85e633e38f0da2027263bcc3f7629941fe4f2582c9253300561d50837964b429348b12beeb4bb3f303070a9bc258

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
64KB

MD5
867e3c2574a789f34864ed9659c0c75b

SHA1
9b0214c7b5b1c4e980516db8bd802d445a68e166

SHA256
8117728e484af07a22bd769744b336e032b34a35bffff30b6f45e8cded4e0f05

SHA512
3e2e795305fd5508810e698bfe3601edb17be504d8e5abace2cae8c68f6b1e6fe06c918d8c44a42f2f71f74bfefb9ec9b84cc010e07271036d644007111a0453

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
64KB

MD5
ad66eac1605dbc336e47c3de382e87e4

SHA1
d0a3edf89a6fd993cff5971b1528a5e531764861

SHA256
1ee66ad12e01471e873fb0ab7760c1c26c0cce663912f0aec7b0be66892e1656

SHA512
df75a07d2c0492a74454b1d4762bfbd9f649e8a6099f2be5e6446a298d56688d2710a7748a5744ed291b2ab21aa9b10e536d91d97e05c77d1fca42dffec83ce2

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
64KB

MD5
06d650d8edb89c2d3d13d05fd37b02da

SHA1
db32f76fa8ceb1b165b3240a95c9ed6ae0b5cbe9

SHA256
e8d4a064031bd3f95eaf8514f7cb695cdd5710eb7cf112ea92cfa0f67512f74a

SHA512
1e9938a22b5e64b8f97405782aa0b17e534f3aa1c85017c9c7048914077afb08b982588fac9cb46717f9ed72e4eef441680426f55cf43d1f0e08bb3851b5fdf7

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
64KB

MD5
59ed10a0f44b13668c3c86b94ee17c36

SHA1
5fac5c6e938f4d4b3a51a0353cac727764e48912

SHA256
5af7bba47ad69070e3007684cc765d258d3dd18d587f37443888144cf68beea1

SHA512
06807f416be0c70f61a3ec1757343f6a0c6f5d8af48c606b519f9687529879bda12bd5ce338445bbbc56752a9fb96826cb0a0aec2a67a1cd50de298b99737726

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
64KB

MD5
df9292e97baed4915ad44783260e2869

SHA1
550edf3816ac7857dd21c6c95f14e87cd8779d40

SHA256
6cb579050251981dd1db9e62d910f6b394314b4965188d460d98a5043f1de0e9

SHA512
1719679b3550574beb25446f5d91778879af8fe1bc242ac7afcc8cc2b248ac8833aaccc6f1f12dfb3e10f6fdcc82c7896cdde56e145f86559200d79f5772b342

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
64KB

MD5
79d469278a64813fd20b3219d567b890

SHA1
12e3c94eac4d4ab07dd5a3bbc108ba18d375f8fa

SHA256
5edfa616a1c83cf8fc07b99611e9ae05f7a2c51b323f44e03efe0d4defc3aabf

SHA512
5c2b8d0a5abaae717ff0d5b0ca4c389e319222d7d0212cdc8f6e545e04837ac185aeb19ff2d0e7315a902114b2c25869b1a64e7b6277192fa243b27ab03c871a

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
64KB

MD5
812ad0d418af58411f727cb44974301f

SHA1
22174a34d0042997ccd65c2727fe3d357e2b1183

SHA256
cff17882988ef5b26c34cb968dcc6318916972605d2f1d4b218fdd4051adf8b4

SHA512
d3877e6366bb796f4d543724d931e62d024d7db739438d8090b9a1d52fcbb53b28c7efe56590c394f2aebfa10cac652c9460884789edeb3d0741a430a02124b6

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
64KB

MD5
e0922266e263dcf9b7b206f1d542c074

SHA1
e7eeddf92105c099759c6134847f7772db020223

SHA256
ea2043d49562e5ff393e0f6ec31040c52ce299954f896d97d1f2452eb94f3e2c

SHA512
970c9b39681b9501b77554195f92de8481254acf51b0d4da83b1032686b13cfdedb173f2e2527f751b554f3ceb29755f700bcb0107e2a515fab5cb7bc636e0c1

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
64KB

MD5
5ee8eccc30966ecd30b8d204cb1b6349

SHA1
73a4bf097d2d09551c95edf99181d7f432dd9668

SHA256
17ba71dcc9919e5f38435e24217a4a1da076c6b37d83e204a726ce8e6cfa751d

SHA512
3029757c3b3c188e2484d044a610575ee6660d733e0a8484c36847721f202923790244a14ab3635babfdea399c97243b8b0264bc8cd06bb04ed445d79554a7fe

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
64KB

MD5
185cd4e0ede4edc0c1bd0e302dae6636

SHA1
9ae5d46bceb5e2ce67e46560bd61a0bd0ba0fce6

SHA256
fcd0d35ab813ed19f700a0e5b3b6776f6e20fbc0ebdd2a820175a696250a906b

SHA512
1deb10d18b11a962051e2655d91f214290a05cbf7d8b11b27d6b99c80ccf422aeddd13d5371a27b914d6794e49a624560a8d13c9cb6304011f3e7def4b00a79f

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
64KB

MD5
0eb12866126686954c90b9e51e7f354c

SHA1
4d1b83545f1ba4697c58c3c26b47c4f3f13ca22a

SHA256
94cf61b2cd60d2279048bbf083f633018c71b78ff3cc55a97adadedf180d2683

SHA512
060b90539095170997b1d570e028195e8aef81b46c731b6024bfa60c304e388b9853a05ce143c2d86594f8dbe32d142bdaf4f0768ab137fb498838375b7c6531

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
64KB

MD5
f181e8c79e93d9aa4c6882c87add1c3d

SHA1
0e76c9ca59af4335b81611428ea83e46319507bd

SHA256
1754e21085583ec2c981829b65df424c01c684e858cf03fee56e5a54129bc087

SHA512
796c9fecff8899cc0c44dd74f12edf47d5afa3cc1ad5ac6864398cff220ca69f3df69057c5fb6dcf5d5930689499f2fc6fb2a2e88fe7dd4ca7d02f7b3718aeaf

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
64KB

MD5
1bd445528b54a0dca1af3bbab0247317

SHA1
07bbebb699569583bc6aaa7d7ed33ba92347980c

SHA256
d35fe3a8c8d37b780d8c024c1295cabb9007327b08fb28d41c8ca4668ede2e65

SHA512
cf06c7b58f020e18b03e856baa8034a4868df480185e79f0c2c454fe39d1d3b34b6f30db907698ab6878bb93d9201a52e3d0bce8f56b4aafcf3d3b49f1915a1a

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
64KB

MD5
78b161d3edf4e1ef70ff8765547cead9

SHA1
f48b59cb2fa7d92d59141825c046b33e28c544fd

SHA256
ddc424251973d95d41c6d085c0374909262cbd11acb700fdb8f431d229db9928

SHA512
e9b8f97f187d47077d0e37a40f320f4418fab8c7620384e92c767396fb70fc1512dec0a70c4fea6cede66593886cadc39d8734afa4308e0b56e8d839dce147de

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
64KB

MD5
9ab8ac8d414b45420901f539a487094c

SHA1
0a0dc36db8f95190b70b17ba5cda4d699d87cf34

SHA256
8f0076867ac8eeabc2f303f8bafc7abc7121fb0b55f06073960bf8a071a16c6b

SHA512
faf63f5c50509c5942ec5222d11d2fcd586617e6f97b837bf6dca8578030ddc3cec531d61f559199c4c5087ca1f4be5080787e4963b6110c65810f7f6f8711fd

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
64KB

MD5
c22081dc635dc408c80234d72c839274

SHA1
db91f50745f95d9113399cfe6fd69ff9949f5043

SHA256
1cf2daa975550d8150828bcdc8e61f75cc734da1a4f2e0267ae3aef505d826b6

SHA512
3012e71dabdd408f7584e72b501e12bc906864ad81ca2a869d6befd10c968899324fd8101b80d5ffcc4b76f306caf1480dca43f6f9150a92ba8ca27fe77ccafe

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
64KB

MD5
15410b46c0dfc34ba74b96396d419d4d

SHA1
bbe4a1b5149ed598cc51bfc82a4df580cfd56a79

SHA256
d87b4e1a2fbf70f0ded27744906dcce30f0407fb8992de653c4f1e84208f7c1d

SHA512
971da2ffb124dedbfe051f63e51368af0d403e08acf32a3474455f937d3db06d9bd34e127ebcc387f0f91a965aa3d8017fbc9eea25f1c3ff630ff7319560690d

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
64KB

MD5
00b34fb735b1dcd82328daa727498398

SHA1
2ef77e78ad9d95930791b17dc10e1d981afbf720

SHA256
a579846d42eab52b6086a938ecaf2e10fcebd98cb0cf5bfe9c01560cd4aef722

SHA512
a19a9936e3dd50dd8c955a6de3df73ff9107bdb0799d3838ffcc4278f8cc63da3983e7b0533a543df3bc9806fcf1ee88e1c914a9e41771308a7cf2d6c0c9cdc4

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
64KB

MD5
267f40532f4768aad727c445fca276f2

SHA1
9632f35c701364c83dbf69df3b00d9f489430ee1

SHA256
6572e7648b2214b24b7b063ba370544add05acfd0a1891f18df71675066bb00f

SHA512
dfee6a42d471084852fce1589f23d3513ccb5dbccb755445121f69b3383fac232926d3d82c7551f2eb56d3f3cb0cd649e0cbc8fc75969a09d7b19a381c47ad24

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
64KB

MD5
8d3db1428a8664c2b4306e7bb61e10ea

SHA1
aeef7b6d2cda8fb734a96a8206fae712e577c419

SHA256
df6adac6b9967f5b00c83ecdf359b0395dcfc7c9d745db6deadf6a83f9471f79

SHA512
bb45612bbea8f61666f3034f3081e9b377f6f8d1228b772538afa116831a52e7db89914f833e74a13af0229d0b7460ca111c2688b3f54e0ea631a5377fff2e53

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
64KB

MD5
e9f68d057972acce4c0d162a3b3c8ad3

SHA1
4bc98fffb47c6d311768b70b238896e8b7d04da0

SHA256
2f80821843c795b8ece60ea29faec965eb248c12496bfd2c75383c0829da66a5

SHA512
1ff915a19fa3dc5da9ba305e1fb9dbe6beeee477a93aaec4d688dd866b3b64b01772e813f47ba8a9308965cd5d880e2d9dbdce3b52a4dd35ab2e7ed2e67fc066

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
64KB

MD5
787e1f4dd67c12d7fd1788fc485dcb42

SHA1
b86276432a628ec918739ab0e0efe85365de8912

SHA256
6c337a4393df982a9f768c65687a925dc7b0443fcd4d378c85ce5b960bd9ca1c

SHA512
bf5605f397cce3b2c7e423ab2c03d619de82d429aa79fcd5a485d9f879be36cb24590e7b2a5e83aec72624ebbd010166fad7930e024f82cadf66f56722485f4c

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
64KB

MD5
9211190f55f6dca909477ad93f06290e

SHA1
e5f286eb6199d9289ca636086905d5437571d30a

SHA256
b628745354bf64fad4101c7badd9b4a691835807e20a5d86505b4dc90024f143

SHA512
9c5f005ffe5e07207257f062b0773b709732a48c6f7eb34fa0b4f5206a17316dcb0ea728c13ac2bb4441e57c0cb09b5b867608bb65d8226cc0529f0dbcc79255

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
64KB

MD5
3eb643a79bf57a763afeba6e1e72c2cd

SHA1
bce3273ef3d0e803b4a2d36d51dfcafe2da8b346

SHA256
3ea08be824f3b22742c64b18053e741bb7ddf8a067054f3b7efdce0922482d54

SHA512
06b4bb4dab37d5b6200be7df5805e7b48e0d8f1aa7bdb2f4a09dacdbed1cc07aa2fe81765ab2da69b41d132ac1d8938fe07f3d079f5daa61469bb569577fabe9

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
64KB

MD5
0580859b7bd984c11601ff552c9aa2c7

SHA1
f9f0d43ce18c2afd5e80e219ca96157f05dcc6dd

SHA256
b990bde409a887d1d9003c94d96d9f3799514fbcd28740257780bf38c2bfdd8a

SHA512
e54bd230aa4e67f6f55500bf06914d5a91bbb26474e4d016e24f1a76ae3da40fcf848308a72da8b80911b56c07cb7b4b91238247fa554b93a322c98d92cd1258

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
64KB

MD5
9be5425a0aac941b054b22467f38759b

SHA1
9a4fed31cf35a1af4301950119461c18517042fb

SHA256
3312aa8eb7357f95da92a0f634c802f46a495d7ce39aa5a54acc1ad26812856d

SHA512
fa02c2c432d1f2950d1261744c60e8177725c292e0c34164b6093a38ec55d21c908b696f339de24ba5a57b79322f1542a70abefe4c75b3094cbe2af2364475e8

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
64KB

MD5
a20460d6bff01f5c72feb32c42762716

SHA1
9892dbf60c8ce11e23ba62547772422f2a8a494b

SHA256
d4efd012c9b5a1dfccdd6ae3a221dff960fea9099e72a1788b9ed8d6c91967dd

SHA512
8f7605b27c8c592d40ecf12f8db331cc9ec6162393f925e8174868c0c7083070e80d11b83ef1efad2e962039a18c505c36518bbfeb6810f17e7b4aa22b501de7

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
64KB

MD5
cec6f6414681bdb0675da309c984bd6c

SHA1
23821a13b486ae86f5ccc265d3729cdf9a73e443

SHA256
4410ce4da05a289c56dc96d0a1bcd08e057da34c9700b76b1b8da9dd6ac6d640

SHA512
de878c72b367096897d182606f4819350d8fcba574aa8295dcd4460ff59d03114df966b7bab1a1c341b1111c35351663f0fd98f0cba26a9b88e6b8974617b223

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
64KB

MD5
0be705a409992ab91e6720c387ed2096

SHA1
4b6759892816014d1b05e6bc281ad08f0ac00b91

SHA256
ea2de432f58a3231dee4b1bb890c3c4d2d9de2c3ba0111832ed3b022cab1d0a8

SHA512
5ccbcb064bc36fc368e4ac7a471c3c236fb00e42e85b242511db42a560b8d352d33aa0c1346b15144d5282161e82445bfc2d2b8c082a9cb11a90602c5ff622e2

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
64KB

MD5
a411036ced8e5f31b9a63f3a5b748c7c

SHA1
16c07afc98051fcd1a10960c17b7b4909f6bf4be

SHA256
2a98cf5c77d066d64ba8f4c520a8734a65165fea1396bd56c2dc65731c07087b

SHA512
e68a396bc26d8a4839e19873a81fcbf9b4b27e1c2c41ad0edc4d9f348a6936f3d1d3f7a84b91dcdd306485a045ada58c17627701d6cbdda7df15940d00dc7e49

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
64KB

MD5
3c214e4159d121a3d074a853c9e915f5

SHA1
7dc969f2d8974d7ff8e98e2c1c8c045223a9dfb7

SHA256
b9ab92d412e691335e790887448cf4af450499d0d9d0358264abad59341fadd9

SHA512
5d0cd0ac0199f16d8c98129846c4e0c9357827c9e5ac51ccc934bc24f15f4626483f095cccead9a305a246cbe93b0debf4487dbc6989e4afad46a5040bf6a10a

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
64KB

MD5
b19f31aa9dc7e1467f43aebadc082ba0

SHA1
1f3944d249e9adce9808c5f93e6792db9538687c

SHA256
05b8866bc8c1b849099f2b41afa34d0e57fb6c40e69e8f7025d3511eef415bbf

SHA512
47fbc4672af5e90a12ef905d9fe8f3e9ccef3c5c3afcc0d81425ab236dd65309c01cbe1725b1543b09367e9a852ff722eb80aefdb7262bdc6d71142df8b4f8f1

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
64KB

MD5
3676838e1ecf9692c8c2bbb66aa0837c

SHA1
11bb05d961359bfe5d0011867f97d01a5d4a8816

SHA256
dc4b5073185541f652398c0368928f671cd8bc89f3a0fcfcecc3e4ea7fceff0e

SHA512
8c68ba9bb00a6f85e440c757e5ba9adfadf646768324ec80bac5012d4fc664a50bb814b14a45b39b2e39947a61eba7fbf34781e43bca66e41f4e6ca9e4d4f319

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
64KB

MD5
5470fef409252d89d592f8f1b1cbe292

SHA1
06e79505ba698b4954be35c883c4b4b85cffd594

SHA256
386da26ecc9fa595d9188cb1064e30a7d0e33e096b8cd2700b8b24fe98fc6b4b

SHA512
9b81eac7ab3fe56597b0a1c59488aa1c7e9b23a8fafca60188256a8ac74e7026d63fd6182bbfd70d916da30128b8c9c194fc6ea886e6047f324df2be72c8c7a5

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
64KB

MD5
0222606a95b1ca594307490b9cbccf77

SHA1
4fdcf068ef3798726671f88dafaf894f787ad40b

SHA256
ab54f88f3c226b931da5125ba90cd73915286326cd2a892b47ee594abd1285fb

SHA512
df8d17e9cee936da406d32a94e371d8f4ea2d0547726aa7ef9ff03fbf6a0ec660d5e2371f941d1d1b857baa84a5aaab932f27d55f00285953c42840838654205

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
64KB

MD5
bfb91303b8a3cc36b94338e2d98466dc

SHA1
597e4ded3e5d42340f3ed326412ac9c40423adcc

SHA256
130226d560fc10b4b7a241007a5c964b1b73203ef67e9505ab35ceeac48d2899

SHA512
c054d0c1cf82e4ceef00dbb60e0f5fcf235fd78e045afb9fe26f7b0f609ca6dd09237bac745816fdfefd89de9380d28e5e81aa5f97df33008a2b14b838c53e1a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
64KB

MD5
9a72029c057783cc52d579d2b165e22a

SHA1
f3507e7c5936debdc31d2b8e211ad4a596e55e59

SHA256
c02c495ba166655b09137053598dead13c0460e519da8b6277af151d120e0a60

SHA512
2bb3332b686e6d8b41d6a280fbac7b87d1b823f7d88d8fc289f8480fdd7393dcf111cfbc287d900e964931dab3a96f880327ffba699703c0768a681137a27a7a

Download Submit
memory/684-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/784-556-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/784-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/808-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/884-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/960-477-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1224-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1296-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1324-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1336-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1412-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1472-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2088-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-85-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-537-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2760-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-584-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2896-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3036-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3100-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3192-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3468-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-61-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3568-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3640-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3652-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3756-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3848-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3888-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3896-591-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3972-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4224-525-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4344-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4580-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4580-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-599-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4776-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4816-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4924-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-571-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads