f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63

Analysis

max time kernel
92s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63.exe
Size

246KB
MD5

ed028d06da50aea1852b698e6d0c5c7d
SHA1

be1831b981850ebdec1610d67748683d80d2e9e3
SHA256

f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63
SHA512

c6b49ee778e3cc1af2a772e17d4e92bd4f119eb1c207126c8b8d9dc6d6d7598ac64156515100466a4e64cac384d50bb888da4076767bd141d7f9cc24ad263bd7
SSDEEP

6144:g51q9sgCX30Kp2B1xBm102VQlterS9HrX:g509/CXCpas99D

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe

Executes dropped EXE 64 IoCs

pid	Process
4244	Ffggkgmk.exe
2448	Fqmlhpla.exe
1972	Fckhdk32.exe
1772	Ffjdqg32.exe
1076	Fihqmb32.exe
1248	Fqohnp32.exe
2956	Fijmbb32.exe
3388	Gcpapkgp.exe
3320	Gimjhafg.exe
1132	Gqdbiofi.exe
1920	Gbenqg32.exe
452	Giofnacd.exe
2356	Goiojk32.exe
5028	Gfcgge32.exe
5108	Gmmocpjk.exe
3324	Gpklpkio.exe
2064	Gfedle32.exe
404	Gpnhekgl.exe
4292	Gjclbc32.exe
3288	Gameonno.exe
2264	Hboagf32.exe
1744	Hapaemll.exe
1460	Hbanme32.exe
2432	Hfljmdjc.exe
4948	Habnjm32.exe
2252	Himcoo32.exe
740	Hpgkkioa.exe
3860	Hjmoibog.exe
1964	Haggelfd.exe
2548	Hbhdmd32.exe
5036	Hjolnb32.exe
3076	Haidklda.exe
4472	Ibjqcd32.exe
2028	Iidipnal.exe
2280	Iakaql32.exe
4972	Ibmmhdhm.exe
3960	Ijdeiaio.exe
3800	Imbaemhc.exe
3936	Ibojncfj.exe
4348	Ifjfnb32.exe
4992	Imdnklfp.exe
3916	Iapjlk32.exe
2668	Ibagcc32.exe
4060	Ijhodq32.exe
4000	Ipegmg32.exe
860	Ifopiajn.exe
3232	Imihfl32.exe
4508	Jpgdbg32.exe
4796	Jbfpobpb.exe
4952	Jiphkm32.exe
5084	Jmkdlkph.exe
1864	Jdemhe32.exe
3376	Jjpeepnb.exe
1432	Jmnaakne.exe
4488	Jplmmfmi.exe
696	Jfffjqdf.exe
4132	Jmpngk32.exe
3684	Jbmfoa32.exe
4820	Jkdnpo32.exe
4312	Jmbklj32.exe
3208	Jangmibi.exe
5032	Jdmcidam.exe
2964	Jfkoeppq.exe
3468	Jkfkfohj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5852	5292	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4244	3012	f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63.exe	81
PID 3012 wrote to memory of 4244	3012	f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63.exe	81
PID 3012 wrote to memory of 4244	3012	f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63.exe	81
PID 4244 wrote to memory of 2448	4244	Ffggkgmk.exe	82
PID 4244 wrote to memory of 2448	4244	Ffggkgmk.exe	82
PID 4244 wrote to memory of 2448	4244	Ffggkgmk.exe	82
PID 2448 wrote to memory of 1972	2448	Fqmlhpla.exe	83
PID 2448 wrote to memory of 1972	2448	Fqmlhpla.exe	83
PID 2448 wrote to memory of 1972	2448	Fqmlhpla.exe	83
PID 1972 wrote to memory of 1772	1972	Fckhdk32.exe	84
PID 1972 wrote to memory of 1772	1972	Fckhdk32.exe	84
PID 1972 wrote to memory of 1772	1972	Fckhdk32.exe	84
PID 1772 wrote to memory of 1076	1772	Ffjdqg32.exe	85
PID 1772 wrote to memory of 1076	1772	Ffjdqg32.exe	85
PID 1772 wrote to memory of 1076	1772	Ffjdqg32.exe	85
PID 1076 wrote to memory of 1248	1076	Fihqmb32.exe	86
PID 1076 wrote to memory of 1248	1076	Fihqmb32.exe	86
PID 1076 wrote to memory of 1248	1076	Fihqmb32.exe	86
PID 1248 wrote to memory of 2956	1248	Fqohnp32.exe	87
PID 1248 wrote to memory of 2956	1248	Fqohnp32.exe	87
PID 1248 wrote to memory of 2956	1248	Fqohnp32.exe	87
PID 2956 wrote to memory of 3388	2956	Fijmbb32.exe	88
PID 2956 wrote to memory of 3388	2956	Fijmbb32.exe	88
PID 2956 wrote to memory of 3388	2956	Fijmbb32.exe	88
PID 3388 wrote to memory of 3320	3388	Gcpapkgp.exe	89
PID 3388 wrote to memory of 3320	3388	Gcpapkgp.exe	89
PID 3388 wrote to memory of 3320	3388	Gcpapkgp.exe	89
PID 3320 wrote to memory of 1132	3320	Gimjhafg.exe	90
PID 3320 wrote to memory of 1132	3320	Gimjhafg.exe	90
PID 3320 wrote to memory of 1132	3320	Gimjhafg.exe	90
PID 1132 wrote to memory of 1920	1132	Gqdbiofi.exe	91
PID 1132 wrote to memory of 1920	1132	Gqdbiofi.exe	91
PID 1132 wrote to memory of 1920	1132	Gqdbiofi.exe	91
PID 1920 wrote to memory of 452	1920	Gbenqg32.exe	92
PID 1920 wrote to memory of 452	1920	Gbenqg32.exe	92
PID 1920 wrote to memory of 452	1920	Gbenqg32.exe	92
PID 452 wrote to memory of 2356	452	Giofnacd.exe	93
PID 452 wrote to memory of 2356	452	Giofnacd.exe	93
PID 452 wrote to memory of 2356	452	Giofnacd.exe	93
PID 2356 wrote to memory of 5028	2356	Goiojk32.exe	94
PID 2356 wrote to memory of 5028	2356	Goiojk32.exe	94
PID 2356 wrote to memory of 5028	2356	Goiojk32.exe	94
PID 5028 wrote to memory of 5108	5028	Gfcgge32.exe	95
PID 5028 wrote to memory of 5108	5028	Gfcgge32.exe	95
PID 5028 wrote to memory of 5108	5028	Gfcgge32.exe	95
PID 5108 wrote to memory of 3324	5108	Gmmocpjk.exe	96
PID 5108 wrote to memory of 3324	5108	Gmmocpjk.exe	96
PID 5108 wrote to memory of 3324	5108	Gmmocpjk.exe	96
PID 3324 wrote to memory of 2064	3324	Gpklpkio.exe	97
PID 3324 wrote to memory of 2064	3324	Gpklpkio.exe	97
PID 3324 wrote to memory of 2064	3324	Gpklpkio.exe	97
PID 2064 wrote to memory of 404	2064	Gfedle32.exe	99
PID 2064 wrote to memory of 404	2064	Gfedle32.exe	99
PID 2064 wrote to memory of 404	2064	Gfedle32.exe	99
PID 404 wrote to memory of 4292	404	Gpnhekgl.exe	101
PID 404 wrote to memory of 4292	404	Gpnhekgl.exe	101
PID 404 wrote to memory of 4292	404	Gpnhekgl.exe	101
PID 4292 wrote to memory of 3288	4292	Gjclbc32.exe	102
PID 4292 wrote to memory of 3288	4292	Gjclbc32.exe	102
PID 4292 wrote to memory of 3288	4292	Gjclbc32.exe	102
PID 3288 wrote to memory of 2264	3288	Gameonno.exe	103
PID 3288 wrote to memory of 2264	3288	Gameonno.exe	103
PID 3288 wrote to memory of 2264	3288	Gameonno.exe	103
PID 2264 wrote to memory of 1744	2264	Hboagf32.exe	105

C:\Users\Admin\AppData\Local\Temp\f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63.exe
"C:\Users\Admin\AppData\Local\Temp\f5da9282b0a62a768b647d4b854c97e72415d5f4acef230f7792d442c86bbb63.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\Ffggkgmk.exe
  C:\Windows\system32\Ffggkgmk.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\Fqmlhpla.exe
    C:\Windows\system32\Fqmlhpla.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\Fckhdk32.exe
      C:\Windows\system32\Fckhdk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        36⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        37⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        38⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        39⤵
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        42⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        43⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        46⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        52⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        53⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        54⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        58⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        61⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        66⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4596
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        69⤵
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        70⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        73⤵
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:976
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        77⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1576
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4768
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:468
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        81⤵
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        82⤵
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:312
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        87⤵
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        88⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3192
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2360
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4792
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        93⤵
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        94⤵
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        95⤵
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        101⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        102⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        103⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        104⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        105⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        106⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        110⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        113⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        114⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        117⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        120⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        125⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        127⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        128⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        131⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        133⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        134⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        135⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        136⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        137⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        139⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 400
        140⤵
        Program crash
        
        PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5292 -ip 5292
1⤵
PID:5716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
246KB

MD5
8bfa4036c19a137fb9d6f310b798e484

SHA1
ee1b1860240d2fb3d7d8b367f50f08930bce7f5d

SHA256
916c74b2b11a67fbe4475f29f22270c984a419ffe2375d5408a957dbbd88b739

SHA512
51c502b9d1991f96913c2a049e14316eeadc1435556956dac5427ee1e5019a4ee6066aaa363f9204b469948aeca953c1bc5fc3f0f34a7785ec62b8f9668e73b1

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
246KB

MD5
84ecf709b180295493cf285e5f61fdf0

SHA1
551a60e3e726e746bb7c0b81c37e820a2d56c23b

SHA256
cfaf97ba9ea0ab4713c9929bb632e9063c434a1ffdb285042424ea8ff52f1fcf

SHA512
b631921a96f7521b09b138f7d0b205500c70ffc0d6e72d5926e271e7019013a9b4f404bed6c3d55825f7d8bf039ecfc7762f42340ee7696a9d7b5c9179c4e0dc

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
246KB

MD5
c2994a8bb18cf273730c6692fa88c099

SHA1
848ac8d852a44a7b832c715fb6d840bd9462d856

SHA256
9097af18a951b4dc377c7546f03d24785832aeaa86b9a202dd56b39e61627b19

SHA512
669cab71e7df84e5c5f0b9ec966cdd6a177f9d8d212d8c0861d6fdd6a2e2d1d4aee9cd80f7cf52cf19827ac63de07f8e4b7eabd70801ee9a741e7b8a6fcea373

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
246KB

MD5
16292de98088ad0788df6a339df250ff

SHA1
441034251264b228952d793fdf9aa3cb5f7f592e

SHA256
719ae2a7a25a6219289a7a977bb45bc6423fce7693d3ec82d26d04ecc99b6ba5

SHA512
5841b4a88c5a4a4bfd9272527ba6a06e84386b59408ab27b7ad963e0055fb222224154bd6f248737dcb4e50194c6987b284d30955ea062cd24ed686f11f21ee8

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
246KB

MD5
923d6b551d48079a7a71278648dd52ad

SHA1
d490dfa563eb014eb5c1d8af77ab5176489db46b

SHA256
34f929f58e2ad9ed9e2df132669c159a160a3c1823131946a42eac71289fd73a

SHA512
70c9011ccf8065558d28afa8d65644c2b4dd645159373138d6558cbbeb34db732c26c10f9f12feccebcf80d4156e8ce6c060c62bff9fb03fff1b3ad428e31115

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
246KB

MD5
8b80570ba547af1ebf8da6a41e93a7bd

SHA1
322078a2e5123edbbfc564debde9baf8e31392a7

SHA256
1bf96ea0bf844b04e8a2033059be6fa8765712553b7a3d11617a4c3fedf5d5c2

SHA512
f5524b5339156dbbda9525df5ca46a7072532f5fba80f3d85d18b30fdff72288520a2c56aaf9f0517a294fc0d62aeb00a5c19e9b66d373839e2d99bb3a53f1dc

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
246KB

MD5
3eaa984f836ff61ad503bd9739e4c1de

SHA1
99a999710f12628f84c8d05ee8135b4f5de26ec4

SHA256
1dc45e6d18d4afa9f2c67b621749484f290422c9d7576ec98bc7e3dde7988bd1

SHA512
442fe249b224ca9a39006f24610f8817fa789e86eb633cda59e9dec587ada65991d1f227d41956fa3dc886b53c83ab3329ffbb376c8982a12359f468f95c6f74

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
246KB

MD5
ddcfc8802addcafb6a468909c4663c35

SHA1
f349f9905e1c85d6fd35d03926cf53a7615ad808

SHA256
6d18b885bc680cf4720ac01ba3a801339040fe2b1062a49160df4e765f851d49

SHA512
5504cf28de4caf03c89aaae302d13d8fe4ae84c66e46ce370e52ba35fa9830c316065a0a12ac7fb9eaae04f1b085f6b3f0cf2c570fc0e2d20a6dfa003805404e

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
246KB

MD5
319fb72acd22cb8bd87886e581139b8a

SHA1
31c8a541f6cbd06f1ccc50358b11a20a38d29413

SHA256
b55bbc0f038a7e0a9dfd2ed9a8d9f9ec69c76455817cfecc60394622d7630cc7

SHA512
3920895565349cabb087a47d99bb903a553255d240a5eb30ce0831c5cd7888c3f866a76bd1f0780a362473e6f862b1baf22fed2c4b51e49a9903f4aca3e3a141

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
246KB

MD5
bb0fb8356df9b2f47a6095021939995d

SHA1
0d42c3097d200bda380cd844a1f17744d4141124

SHA256
25f7c657657c29b8a0514cb6ad30860c5b5ad669a62a3d8fc8db6eacc462b157

SHA512
7beeb9409d84b1dc86a07652a64bcbf819a16273dbb5709ba094c70ffa4db668ee65273c1ca707326db2dcfa608e60a9ca62acb585816bd70b13678f0ca9bf8b

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
246KB

MD5
4fa52087362095bee7208ff824e2e54e

SHA1
bdb67ca7fefdc323b82a5c7d05acf739d32376e8

SHA256
4483de574ae58830cf24878aecd3c67f8076a3da8183fdfc646db95cc910f26e

SHA512
09a4cef9174fc6a02e498508b78a0436bc2bc8cae34854fc99a1ed39cee13b75c361809f8237d32e2322534764300d4656bb1e486287856e66382deeebb946c3

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
246KB

MD5
618416c2aa270dba3981077d8a2cfd26

SHA1
7ecc3b5b7671979b6a6bf1a11a0bf04e2c51c6b9

SHA256
00387df38a7e874b8625e0510570abb7c8585f08870eaef25464e214e14b18d0

SHA512
ec9c9b6d79957e46568aa1035bef1182b2bead676a12236da43cbdc8a275ed6be180dbb5f1ca7349905e48812433941e5947e18136cb127815c70f3918b80178

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
128KB

MD5
8f56e97d8c2ae4758b6b9099a66baacd

SHA1
eb394acfa8d51d20a3e0d37d09abdacfa655f123

SHA256
e4b427b4937592440553725e84b02c0be39ba3c460772d65f650dec77f947f97

SHA512
45a375466d9de46a6bda7f2bc2c37441e46f336383feb7ca1c1a045e3a0df317e29fc66e1f1e2b0cf220c7678852ba428f25913d8349f7d642f71ca4923754d3

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
246KB

MD5
87b63c87ab504da26baf01fa60d7f7db

SHA1
771e5e6c6712a1fba084ab3ff46f8c8b40bd157f

SHA256
893c134d4ca4e531e47eb28b99629d15e7f2328056bd9e7f065270bb27a7f9a6

SHA512
da43cf4b34c68c01a5469bc685515d40fa98e46699d8edf19971c1c5ce61f8455f31a50a459c8e1c338c473dd668520cf6a8a8f6ffb8b9b49c31f99cc122ec86

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
246KB

MD5
8c9cead88c65fa63b8dbaa4603a21f9a

SHA1
6459454ae0473c427da862ec9a3d92c33ea68cb7

SHA256
1d1b0d1975251d24544bccd7a717869e26f9ca68a7ccb4ea1e8a05710cc88f4f

SHA512
699ed41b2e0e711e2a67dd590a105e17ec4098bca73092f66b0da927841bbc5403d70e7706170aa9726fb2c2fac7b01561e44a45a7d5adf924d786bcd3cfbe0e

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
246KB

MD5
9e4527e34a0fbdc30985939e7b0ffb38

SHA1
596a34b91e3976813f5a931adb7097a84e431773

SHA256
3a4ff78644248576b44b2ad65a2c26ef9f98ee85017b532d72996a6c84cd886b

SHA512
9e455ae9032ec6fedfd9068711fce28aefc4d57fb4a7ea733fd83be3a02ac604f8e4a60bb341692ce1d780f1b226b19f0dc6afbed289349afc4e5fd6226be6a1

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
246KB

MD5
e5bcd2c496b3a6344afb95ebd700a91b

SHA1
73995468b9f9416076d06eddf68a1079e838843f

SHA256
b2961b1d72f74b95670efa3558223b8fbdb43cae0882c8249710d5d65b2e5f2d

SHA512
26f0c7c4e71583ddb3373291557b58563ee674dfa622611dbf5e50267f0f9688898bf3bcc8ed58d2935d845b2f0f3ccee4be935b3e02acbdc8f56f0a31f4bcfc

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
246KB

MD5
4303737e1a7fcde483ceb71916df004d

SHA1
5899986e2c102980a0fd77737857ca48c39a9843

SHA256
bb6db7ec00584dcb303906590d29fde71120956b64f649604da8e08f2c1af669

SHA512
4d40ceaafd603aa622e25a522bb86d9f61d23d87360c78b61228a893eeec22ff25f74512209d91b3cf3203cba01d3d1697cdee2e4d4140c39b747fc678dde8cd

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
246KB

MD5
39aa689df913683fcd50ed9513231f9a

SHA1
2c61ce8880b2695b419be767b4a0a1bfa4bba5e7

SHA256
fed4636b6c1723bdc4fd8802882840f131d7d4f29d24b9208bc575c2600dc93e

SHA512
6dd790b561ddfc6cb051c37c3b002364ad6b2f4fc6a763378f246d94bec3e1603c2de5930c6d9be735255970391926896a6b5fd32bac1dd04c40e795e6335bdb

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
246KB

MD5
36dc75a34b92c7f098686bfedee777f9

SHA1
716d58c1bd704babbb4212973871567272b9e52b

SHA256
f761aca174e4cfe95c0156bc21dcde8240e927859e59d9f9c7e4af113798228e

SHA512
610e9da9edb4b2c026c63c8ffc77de637f683b36d6b96c543bf4c9341596cdc6fa64f10aa3451403003d3d8c57c9c4be305c6be98170d5c352d7fea19606d7c8

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
246KB

MD5
eeba84923c2bcd8ad76a16f8664e9b7c

SHA1
c30a5b44b292397673ec0ebf43514e76cf01d4ec

SHA256
dc8b41514b9aedf00882ef65057719ce9421284d9cef46b6c9270afbdc670d60

SHA512
cb33f853711165bfef60b821cca822f87d15b19bf0042a35465e494d233405aeaeb36c02eb7335738a81b99eb2cd2815a9ba2026319a46b4501833ce31b4b36b

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
246KB

MD5
da2e1603132edf77c40694dbe6726001

SHA1
fc67db4856e0dfa978a97c99d39a87b2c7139253

SHA256
aed097bef904f0ea16801e1fbab318e2f0f699e9506978c918a07a44efe3ca8c

SHA512
aa1a2955d470cfd7354390e9b4cb3926adad51ec17d496a2ab8a4aefeadb491c9adf26c70eb9bf8bd2d26259c25da51a30978129b1e6f683f0e31cfbd2ad467a

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
246KB

MD5
0b995888268b348f269fedd0b2b169f3

SHA1
57fdf735799279f6a3e8127c38af11438f39129e

SHA256
894c336ecc4b69d0023f940cf8d9615fa00ea3eab9e8603dda5d4ddd1faeac8c

SHA512
4ca8c4d9105d7ab43fc772cd67a6f069222ca4b912c3d838fdcb5dc57d14c9e69322a7e8ba760f4e7bc28f1b995757ec7c5eb4eec1f433ed4b3a1ae5d090493b

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
246KB

MD5
72bbbae0bc6cc876b678388ff88f3bf2

SHA1
62ee721ecb4128cc48c859e6ade816381fc7d944

SHA256
672450ae9ee6216de768762ab21740d24d0835630c3d590459e58dda2ba1647f

SHA512
fc72580c9c9da60b13c91531face0157c98e1f261f108b9b7029e8e4a673f43050bc385c6fda1e25ff4948119a3249bf07c56810f2629ccf558462d38caf967c

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
246KB

MD5
7be0c3a7d4ba6cbb4f2e573b90475cc5

SHA1
9d3b4b5d2321997e75a79e10619807d212596ca5

SHA256
a3d400bf5162723464aa23e946ccd77591569eafd886c61d40f83de97c93bf54

SHA512
fb386458700179b201f6e2f474dd03bf54eef871488270c331fc2a1cf9e47a7930729e9ee538ff55ecf51353dbd53928905f38541327b2078ec4b0faca934946

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
246KB

MD5
4ff2f8d8bc572ce34a9362eaa999da75

SHA1
19a238dd34c7f363a58a1570f6ba20d1f0088f08

SHA256
3c2aa670d968de9591f8d80fd268417c7504f6e064e567617668703dc53ca2db

SHA512
dbdf9395c15bc1ab5e9bf9ac91b834b8432ccf2cf434d6633ef3799399c596c390dbb7249ed1953ae598a11cd26c6b82e9af41beae33448e96834a94e9e7f664

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
246KB

MD5
f9e2fe19025f7a1a3713bfe67e127aa6

SHA1
75f6a4ff20f60e112211e4fcf8c588fc6acc7090

SHA256
12338fb1c17b716f77c005ead9bca3811042d05f1962855c027c4a8a7f6201f2

SHA512
c72ee57ad099ac231be500c5938cf7000e6555fc30ad7c8a28f5664e90d25d45c12ffeae311df8b0e8efa6a173df231ad01dde1541c66e62170ebcaa158898c1

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
246KB

MD5
215acaa1cf5481cc0449c5fad4e4d455

SHA1
a47ce1c6680406719f302ee60056d051e8278721

SHA256
700c7b78394199e31c5edd5ccbc3329694c00fccee685e0a35eb096c17d18a14

SHA512
f8b5c7b5053b167c646584344f3e2fcf5e24850077dd9b03ae833a8b946392107f7346c015dbdf82ce7374afbcb64de8bf4c5e011924d9163cbbe860bccd97df

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
246KB

MD5
d4ce39b065fdc0d62781595d1652841d

SHA1
3a22c8ba67930ab35ae47442fee89c530d720f67

SHA256
91d175f8b7e89df7e409ba94ab1585c734646c710da69352cefc188613aa23c0

SHA512
5d458428744c5223df03576d92293e4a6c293e3f46aceb77e456d2c90241c1d31437e547ba4571fa0392aac3139f76edb488f38027a185cf12ca8e7c16355887

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
246KB

MD5
b5b9958c7551d8544e6b7fae4126ff4a

SHA1
9144dd672e7bea8f3bf8107cee53b73594264a59

SHA256
35d68c5d6c55f6626a5910a8c1a73dd61670a4e04cee7c0efab74fe442dc19fc

SHA512
5ec344b0c37fabe6e4d3fc53bf9e7ad7f18c136b1d493731506c8f5b4c4a01b966d1a4d97b1f8e1720e809c2b941afed664c16f7c078dc162ec72e53c21eab38

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
246KB

MD5
2638a194ec9b8e5565ef321f582331f1

SHA1
a02c2117c8e764814be81af0f34304119f1e9720

SHA256
77d236f24fe744daa82e5f948839d73eb64a5ed02003b641cd699acb3d72a49d

SHA512
b2f8a2613a2b08c16b981c0f105b425144953139eaf72615c0c2666f68a5afefd665dfa33637d3fc56302eb20e5ff704dd95b1fefa5854091d9ca7931654c7cd

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
246KB

MD5
bed7a74d88423c8832169a9e9c839235

SHA1
3d5eea99670dcea0d25a5b0c58e38749cb18a079

SHA256
4d156c2c6b7b36f0ae69b763f694f407d28e65c62064e81c9f5c0c16db953c8e

SHA512
76c052f13ed0d6d4ca67f6a70820123a36a534273bf8c2de5c6503f41c4b3cf8c844d6034b7f7eb07ec1f5689ab0a498a25643e4a731bdb37ccf18955c336d11

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
246KB

MD5
ca9e2c7cdfb2a3f2f1165bf2dc5a6915

SHA1
86560537c5230e2421f14e9d91b89f765611a887

SHA256
37ec92cc484a4e62176f2617ad364adcdbc06b87d282d643330f881f91a4b461

SHA512
418ac44121b62cf10f0170882b3b71e9b6c9f3b51319439b69a29a9b255716dd55cc563c00eee74fd37c36a5d86d372bcaad5d16a97c656f6e9f8a578e75f37a

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
246KB

MD5
a3be370e508c105936363cb559b76a28

SHA1
c343acbd866faab196023aa61db2e686abdbbde8

SHA256
cd3e1707e504452d9bac6993701d78246ffb0ef4d7b98665ed488bc67e3695c1

SHA512
197ed1162b4ae338b5255a7e956cdc025e9b835c486177ee06bb5e44d5d5caf75c438103c7f71f403fc0e21891caf537914e31b128a2cb7c5884bdbc6c28ce04

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
246KB

MD5
2ef634c2868113ad6642ce7f9ef335bb

SHA1
4bdfedf3f24f6e8b5a260eacc5de4fdc0231f012

SHA256
52f43354f86cd52eb32cc01941614544baac723241c25e784e2376b0e82e3277

SHA512
e7dd098610d4bd59336f559478fc7fe2eff9b99e6196eccfd281a92734e43606c2909b841409e6e473db9c976a5910f2516a22b3c367c85142f390eccd892300

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
246KB

MD5
5f584f853003cee9a9e85d11ad61bba7

SHA1
892870e09b10c18634dd8649b0f5d1c640e7c31f

SHA256
6b2cb6587ace1e44437089d588f55a65c612624c30d7e741c7f9e02b6f1792b4

SHA512
526134ddaf29d2eae65641880b9a144c80ec516fe9aaaa4d9f4595f515087e833179182e479c7d68591c298917fe91b7cfb48bee351c7f31ce824985d331c20b

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
246KB

MD5
05d4c18f26a6030fe05b735c547f28b3

SHA1
965ac24c37e1249c2ac0b7355f021d41e1b1f023

SHA256
480b79e6c3a7f24cd2578c4d96cbb323e672297d4832349e85eab7c73e9b60fa

SHA512
dcb97af17eebcb07242659d7de63cb0fe244b725241feef2ba53d83fde0a73d1270a231533a26ac34fc27a08bf1e4bd98737853e8756c33c75af3c68df6a8b4b

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
246KB

MD5
c6bc9e8a50d5c2109177d6edfc15e16b

SHA1
77ab12ffbd40658afb6a6b34c2e6216e2206d15a

SHA256
dbdafb8d00bc17cc5848c4490ed16179b3fa342c14c2c5ab11c08bf2773dfd26

SHA512
e6be798424a3aae5a851884a17df0467b0f0c1ebc0f971e3f2018bd7d15f5ebc3b8199a6712f619dbddda2f8ad3cd202f160b7441e2bfa6b1c0ad36e59930b3d

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
246KB

MD5
89fc4ba6d41f4d870fa4bf58ea6d5632

SHA1
8907da992c09b9083487c75c46fd31502bfb4d19

SHA256
c406d685e1099d825e938401dd5945b0244cce525ade3e60457ab37be7d0104c

SHA512
988af6ba012f82fbcc526dfac6cdd29fa13b3f169f2b4f63fc204e6b55edeba0c447e0c258a9f4591f43b729c465407786d0c4381ff241ebbbc5de96e9911550

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
246KB

MD5
e397d279f3789e276bb470735bf15e86

SHA1
3d010d7d4491a144b3c027860bf4b1538dcc972b

SHA256
dd4e8e29a186671e6f6e8222501d30644649f37638341ea3ac9ec1182c196f28

SHA512
4a7dc45f0ea5c5b64c8f749bce3af66beda7d7eb2458965ad2a37a4ba1b935840fc1a785a3e8f6f84c7b7eeab0a107cbb4b2c456d80190863c7979c26b76339f

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
246KB

MD5
5bf61965b33f646ad7e15ee152383d91

SHA1
48c539a778e2fad389be8c2ade4a29fab9578b70

SHA256
183a0105eb15b5a370ccf216c9dae118d2b9511437106e1471b2be3821e94f03

SHA512
c3840f4bf4018dd8bb3a76a50012a64f73dd03879c2211b738ba6304e50172f80d677456aa70a4c9224f8edb150ec0b989997a8bf5f1b38efa9f5edda8d86be2

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
246KB

MD5
b75b7281712401dfe0c1580de291774d

SHA1
5805667a9389cdb1cd32e38a864bbadeece83575

SHA256
1cdc90f314f79603bb9d762106959e023fc31683c0c9a7ac1257976642082795

SHA512
e2d05bac69e3f00aa62ee6d5f6b06ccc8db07febc85f06ada94f5e38a35b23d9b4125ce3be60d4402592da40e2360099f52d09b92c1edffbe5b99b9b9498bc82

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
246KB

MD5
c75af028e2dd0e4710a7a73a6c016231

SHA1
64370c7c1fa9aecb88c5723201a3380b66b1e5a8

SHA256
9bbd72a0fddcb0d641f0e9feb8d05b6e0a92e7b4fdb8d64740612bab9f2351cc

SHA512
5befd2fc8abde7f4dec4e62721f93fe3ced2db40d668be067af3b724e63401614605b119dc1294169e77c25dbbfb0c62e06dc3033250393c94f6c4d71cd9dc95

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
246KB

MD5
30c3c3a59737a7f5b8607cdf55f3a918

SHA1
de83d54fbe012d04734e671771681e07e35c5f40

SHA256
65017e5d67af88e69c238cb0124cfa3508664b8959adf606d2cce5fa2ef7500e

SHA512
21d45ea013f9e7fecfb1d62cd198931072d7c9d50b7a432046ec309241320cf54236fd065b9abfab30ca7a971c4898c7e670142213dba29791e07272e0c4c96a

Download Submit
memory/404-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3012-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3860-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads