e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884.exe
Size

199KB
MD5

2ce863bbd2db69bea23dd6179ed9c048
SHA1

fde4b0f860f57994ec09d032db2ed7447465920d
SHA256

e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884
SHA512

d66edc7a0b7ccfff760abdba80e5a8cfca50d0ee31f0af6432d1c7356c1ea5861177907761440b740234b9fa5610913ecb991fd315f8b0342608476f0e9e5dac
SSDEEP

6144:tuPM5N985wA3SZSCZj81+jq4peBK034YOmFz1h:EPMzeiNZSCG1+jheBbOmFxh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe

Executes dropped EXE 64 IoCs

pid	Process
624	Ecdbdl32.exe
5100	Fjnjqfij.exe
1484	Fmmfmbhn.exe
1140	Fokbim32.exe
3668	Fjqgff32.exe
2788	Fmocba32.exe
2868	Fcikolnh.exe
2196	Ffggkgmk.exe
3944	Fmapha32.exe
2076	Fckhdk32.exe
3976	Ffjdqg32.exe
3252	Fmclmabe.exe
3912	Fobiilai.exe
2392	Fjhmgeao.exe
2176	Fqaeco32.exe
3280	Gcpapkgp.exe
1352	Gimjhafg.exe
216	Gogbdl32.exe
2536	Gjlfbd32.exe
3360	Gqfooodg.exe
896	Gjocgdkg.exe
1228	Gqikdn32.exe
1116	Gbjhlfhb.exe
3152	Gfedle32.exe
3168	Gqkhjn32.exe
388	Gbldaffp.exe
3760	Gjclbc32.exe
4580	Gmaioo32.exe
4488	Hclakimb.exe
1124	Hfjmgdlf.exe
3396	Hpbaqj32.exe
2312	Hfljmdjc.exe
396	Habnjm32.exe
3220	Hcqjfh32.exe
4640	Hfofbd32.exe
4980	Himcoo32.exe
540	Hadkpm32.exe
1132	Hccglh32.exe
1688	Hfachc32.exe
1844	Hmklen32.exe
1652	Hcedaheh.exe
676	Hibljoco.exe
4852	Ipldfi32.exe
4996	Ibjqcd32.exe
4888	Impepm32.exe
1668	Ipnalhii.exe
4428	Ibmmhdhm.exe
4260	Ijdeiaio.exe
400	Imbaemhc.exe
4248	Ipqnahgf.exe
4960	Ifjfnb32.exe
3572	Imdnklfp.exe
3604	Idofhfmm.exe
116	Ifmcdblq.exe
4340	Iikopmkd.exe
844	Iabgaklg.exe
4252	Ibccic32.exe
4736	Jaedgjjd.exe
2980	Jdcpcf32.exe
4836	Jiphkm32.exe
1128	Jagqlj32.exe
976	Jdemhe32.exe
1384	Jfdida32.exe
2316	Jaimbj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Ecdbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Neahbi32.dll	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5328	5516	WerFault.exe	235

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 624	3256	e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884.exe	81
PID 3256 wrote to memory of 624	3256	e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884.exe	81
PID 3256 wrote to memory of 624	3256	e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884.exe	81
PID 624 wrote to memory of 5100	624	Ecdbdl32.exe	82
PID 624 wrote to memory of 5100	624	Ecdbdl32.exe	82
PID 624 wrote to memory of 5100	624	Ecdbdl32.exe	82
PID 5100 wrote to memory of 1484	5100	Fjnjqfij.exe	83
PID 5100 wrote to memory of 1484	5100	Fjnjqfij.exe	83
PID 5100 wrote to memory of 1484	5100	Fjnjqfij.exe	83
PID 1484 wrote to memory of 1140	1484	Fmmfmbhn.exe	84
PID 1484 wrote to memory of 1140	1484	Fmmfmbhn.exe	84
PID 1484 wrote to memory of 1140	1484	Fmmfmbhn.exe	84
PID 1140 wrote to memory of 3668	1140	Fokbim32.exe	85
PID 1140 wrote to memory of 3668	1140	Fokbim32.exe	85
PID 1140 wrote to memory of 3668	1140	Fokbim32.exe	85
PID 3668 wrote to memory of 2788	3668	Fjqgff32.exe	86
PID 3668 wrote to memory of 2788	3668	Fjqgff32.exe	86
PID 3668 wrote to memory of 2788	3668	Fjqgff32.exe	86
PID 2788 wrote to memory of 2868	2788	Fmocba32.exe	88
PID 2788 wrote to memory of 2868	2788	Fmocba32.exe	88
PID 2788 wrote to memory of 2868	2788	Fmocba32.exe	88
PID 2868 wrote to memory of 2196	2868	Fcikolnh.exe	89
PID 2868 wrote to memory of 2196	2868	Fcikolnh.exe	89
PID 2868 wrote to memory of 2196	2868	Fcikolnh.exe	89
PID 2196 wrote to memory of 3944	2196	Ffggkgmk.exe	90
PID 2196 wrote to memory of 3944	2196	Ffggkgmk.exe	90
PID 2196 wrote to memory of 3944	2196	Ffggkgmk.exe	90
PID 3944 wrote to memory of 2076	3944	Fmapha32.exe	91
PID 3944 wrote to memory of 2076	3944	Fmapha32.exe	91
PID 3944 wrote to memory of 2076	3944	Fmapha32.exe	91
PID 2076 wrote to memory of 3976	2076	Fckhdk32.exe	92
PID 2076 wrote to memory of 3976	2076	Fckhdk32.exe	92
PID 2076 wrote to memory of 3976	2076	Fckhdk32.exe	92
PID 3976 wrote to memory of 3252	3976	Ffjdqg32.exe	94
PID 3976 wrote to memory of 3252	3976	Ffjdqg32.exe	94
PID 3976 wrote to memory of 3252	3976	Ffjdqg32.exe	94
PID 3252 wrote to memory of 3912	3252	Fmclmabe.exe	95
PID 3252 wrote to memory of 3912	3252	Fmclmabe.exe	95
PID 3252 wrote to memory of 3912	3252	Fmclmabe.exe	95
PID 3912 wrote to memory of 2392	3912	Fobiilai.exe	96
PID 3912 wrote to memory of 2392	3912	Fobiilai.exe	96
PID 3912 wrote to memory of 2392	3912	Fobiilai.exe	96
PID 2392 wrote to memory of 2176	2392	Fjhmgeao.exe	97
PID 2392 wrote to memory of 2176	2392	Fjhmgeao.exe	97
PID 2392 wrote to memory of 2176	2392	Fjhmgeao.exe	97
PID 2176 wrote to memory of 3280	2176	Fqaeco32.exe	98
PID 2176 wrote to memory of 3280	2176	Fqaeco32.exe	98
PID 2176 wrote to memory of 3280	2176	Fqaeco32.exe	98
PID 3280 wrote to memory of 1352	3280	Gcpapkgp.exe	100
PID 3280 wrote to memory of 1352	3280	Gcpapkgp.exe	100
PID 3280 wrote to memory of 1352	3280	Gcpapkgp.exe	100
PID 1352 wrote to memory of 216	1352	Gimjhafg.exe	101
PID 1352 wrote to memory of 216	1352	Gimjhafg.exe	101
PID 1352 wrote to memory of 216	1352	Gimjhafg.exe	101
PID 216 wrote to memory of 2536	216	Gogbdl32.exe	102
PID 216 wrote to memory of 2536	216	Gogbdl32.exe	102
PID 216 wrote to memory of 2536	216	Gogbdl32.exe	102
PID 2536 wrote to memory of 3360	2536	Gjlfbd32.exe	103
PID 2536 wrote to memory of 3360	2536	Gjlfbd32.exe	103
PID 2536 wrote to memory of 3360	2536	Gjlfbd32.exe	103
PID 3360 wrote to memory of 896	3360	Gqfooodg.exe	104
PID 3360 wrote to memory of 896	3360	Gqfooodg.exe	104
PID 3360 wrote to memory of 896	3360	Gqfooodg.exe	104
PID 896 wrote to memory of 1228	896	Gjocgdkg.exe	105

C:\Users\Admin\AppData\Local\Temp\e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884.exe
"C:\Users\Admin\AppData\Local\Temp\e7678e659e8f53a4529d39af67da5e893cc8e9a9a6a30ba3692474b476d68884.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\Ecdbdl32.exe
  C:\Windows\system32\Ecdbdl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\Fjnjqfij.exe
    C:\Windows\system32\Fjnjqfij.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\Fmmfmbhn.exe
      C:\Windows\system32\Fmmfmbhn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
      - C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        30⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        34⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        36⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        41⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        58⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        62⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        64⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        66⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4684
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        68⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        69⤵
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        72⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1616
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        79⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2288
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        83⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        84⤵
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3616
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        87⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        88⤵
        Drops file in System32 directory
        
        PID:496
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1960
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        92⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        94⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        98⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        99⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        100⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        101⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        103⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        104⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        105⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        106⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        107⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        109⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        111⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        112⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        114⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        116⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        119⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        120⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        123⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        124⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        125⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        127⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        128⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        129⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        131⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        135⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        138⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        139⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        141⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        144⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        147⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        151⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        152⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 400
        153⤵
        Program crash
        
        PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5516 -ip 5516
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
199KB

MD5
0ba5af5776f9e977d40940842b6c4e70

SHA1
0795951408f2514f13f8f12ebfde37bc1914cde4

SHA256
944605623021e0bb7fa23cceffd0b022f59e376bb744be5601886de191bb0686

SHA512
8eb0ab0b87dc5e73a26d5162062f1c17069e966e6260f74100257bf95a3c7cecac176f6436238c07fb6d895eac5f6b9291c60e65c132ff9cd26b3bc6cdc325b0

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
199KB

MD5
b86277a0c7e3689049be5079223d2855

SHA1
04f92de96bf92c6441870476c470551c1bb66f70

SHA256
4a306335a12a906074587de1e318c678520216a5c903ebdd3db2e22d082b0af8

SHA512
0bab957ff6de8838cfb8eff2273a91dd81c104379184b504d3fcaa92342be26b71316ecc615679544311dbc32b84f45c8c546829eb14267bb2d60cc4d8487c99

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
199KB

MD5
8a3c004f629c4cb7674c8e03e7a289e9

SHA1
1eac72da521c83bede0a78d58c892854f60f447f

SHA256
fdf30e188a7a541aaf736105c328be21aa6d9cfdd416e53332540687a8e57d4a

SHA512
8000159ddf9ef7594d974f235c7e6e1662146a065b7cb57e4d210e230936e8253226cf7cb1a3d0fe27d49a3d17de94f584642ceb1e5e183dfc93f8bb3abf5b78

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
199KB

MD5
8987b9a1f271846843c09974745515ed

SHA1
58e90cb571e06be7bbfe6fea49edf4d74aed800d

SHA256
f8a3d062cc17aac5a260fab24bf0ff4b16a14e5579148fc92d4835fc7d2538c8

SHA512
b9f2d7051518573d3c8db4891d21634064e2b2e1c3be113822b62f42ffa9af2b0f86e03b8f96e766f11d921d5ed851a89cd0da243da452731501f440845b3a9f

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
199KB

MD5
abd21e21284f1ec4fc85947149ffc253

SHA1
c8e58e305ee7c7f8765b1ad46ef3615540e333e9

SHA256
2eeb2abc89700c8044666fa9433d22dbf5abb602c19cd7258d7b09ba333c486d

SHA512
fb66493c665b7049d1090743b7aad05251789e91cc61a2f7ac80dc4c7e170d9c9a89f9345589f81dd117156e2ff1d86a23fd07500c3b473bafc481eab0c0a9d7

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
199KB

MD5
3385566efb6ceba289fd6e5ab7aeab0f

SHA1
0020b15c688d877a5a1a769a2e947636e35b2f9d

SHA256
44614e8d3670eec04c081da0eae2cddb672af16adb7a5b3b24400e78362bf827

SHA512
9a471a73bfac389f010c2cd5f351130b4bee42839bd006abebecfd51cc78bd35c802761194e58a027cfa9536a45d46b1eeddae52a9e9b3a57000c7ce9914bd75

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
199KB

MD5
aa198aec0d3f92ede7ad7d0f6b8f6fbb

SHA1
5ca8e54d14fd11ba8cf8c299d4dbd3e8113eea41

SHA256
74c5235b4037f74c559ab2d648303b81024acbb1b01a131b5868582ee7332ec0

SHA512
d51379892daee97629840a8db7c3e7bf479a060123c7d4578dcc280f850eef2cb34b570787f0948cd578d3e796a0427670287b7651cc20854177da057848f2fd

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
199KB

MD5
6244d98683d53d945facdaffa6a40be4

SHA1
c63bf8a258b73f638d5999b46a360d73b0bef326

SHA256
1d61717e646cc028e29023bc518761f74fbc2c17ad141207e84043327bb3f2f7

SHA512
b566c7c96c8f73b4967a4e0d55cec59e38d2884d1d222a77f0eda3f788e69f6cd7b0b9bc150de56e369fb25c5fdbd8cad7fdc4b7534961378e5aac8fbaefede1

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
199KB

MD5
25c7f34cfafc1964b547fa8fe8bcc04a

SHA1
2cb017b7e167dc76b469d7a195583f831071e23b

SHA256
29ae3aa597245ec7fedef765573f0fc5c43e2a0e7d362c4888f8d046220c5c83

SHA512
0571fcb9b1facbe9eff3c72e3d74de16ffa820bc1ead5fc4b76cec5f440a3203f40893e8629cb924c7a8accef16fa3e1d42e025d3cd6cac14ac75b05ea6adc20

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
199KB

MD5
1da940d97cebac2b5f15404ad089d6f7

SHA1
71a97c96f99cced36b1a60daa826c829b13788e5

SHA256
1760bec83217eaab2a45b127c3e992fe57733b1a8626642f11ed12cd12346b77

SHA512
150daafd14e021318168c742cec957fddebfaae7f8cf798983ffbd52bc117e441886adf95be5a120b020162e392de2ad247bab18af2dc1e067b338118e6022b6

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
199KB

MD5
bc6fe7a37d881f6ca380507a0a19d9a7

SHA1
8df4ba3d3238e19e05de218129d3fd87cb897830

SHA256
de4a1ba319506af3269418ce54f1264f0148538cbce2b5d279d4117d6a411b99

SHA512
a49f797751685b7197be833af5aa12aefb46f5f3ffa22f59d340a9675cf18794adf450aed18f589cb95fd44c0fa14adf192d8104fa3708dd6e0d76a705836c37

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
199KB

MD5
e99d01257cc64322e7ec1ed19fc70f7b

SHA1
4d69daff728c91706427e958a0c7e9380743c86c

SHA256
cfebff9e34c4e53a20c88aa6a626cbf44195cbdb8b80034243ee365a24591ab4

SHA512
9ab70a8ae87b10abb66e603f6b63dfc62b8dff9af6e257ffcf64e5d102022666002e046f1aa1e659d19f706ca4a480043f73f0ddacb17181876842f60354f67f

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
199KB

MD5
4c11062daaae87ee13e3bdf093d2fd7a

SHA1
a415a7d826c3caeef860524c8a2dddc1d7733286

SHA256
bde5c1b53115bf53094fae7b97f9cad3db13d84312f6502fd7afa244ba95794e

SHA512
5b225624ad1f1cac411f9e64f0bab0d13b93e62a7007a3f3fbbba021f0bac2cfe21381032d0e1ea4fd2503cf7640fb30d8f7d123372c0cd485d911142af48312

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
199KB

MD5
281ae4b48cdb2bb308b8ff661139e94e

SHA1
892f9d40e1e61f01818a155f1306d25e42990414

SHA256
2fe927adc122b9fa405076d4e4c222fa60236f51612a0dc88ed27251a7992810

SHA512
3df8665d1c202f9948884129fc54e30b571d165fdedfa2484f3ea90056644f8ee4eb1d40c7f1fafe127fee3833ff06962b352a2b0289a7d0a21b7e096325d18c

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
199KB

MD5
6090a954f502441ddf95819e4fff9537

SHA1
424db9b338d0e5716518768bed7c72aa560dde98

SHA256
01b9cff8fa2d54a24c706e2b4992117308cde092d83f7e0dd812ba71b44f4563

SHA512
29ef41567d4aec7d0ca986c135cd4488b90f7963e53e83d5fa73cfdb6dca4bb1cc4166d7c13e29de1820ced7045774e29ad3668bd7f41e0f5fbb7afefe9ab7cc

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
199KB

MD5
c3921024ee0c1eee39918414f7528628

SHA1
b8aa28d4d2f6b45cdc47acd66cef4d99f44b744f

SHA256
e0c91f950cace466eddd8d917ff1012a9e7a3ec27884f72b64e7f81049c78db6

SHA512
7b49c0d09ffc05eaa16299d81837f6e8b3ea0773c7043696143cede732869e9e4b81c0ed11c7df6e96b4a1641c8d832e95e8e4ea344c1bbcdc8285b6ba705bfb

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
199KB

MD5
16ab7df332a6c2f686ab665dfc6ce0e4

SHA1
3be3edae04a67e1f0b7ea62a8f69ff021cbab4fe

SHA256
e66ad32c403f8333f385c8eff107c9e29a2ba9f240b128fb2d8a2c2ee96e496c

SHA512
549581ce9269268c04bf1325e02914e2b0b52234bd1e5daec33fd40dcc3df72a2b223bc03461c0e26cb7f30048f3afff0acfcc3ee92c95812dd7dd37179772aa

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
192KB

MD5
46f36a51b67f9e45eafe86cee7a9b3c8

SHA1
e82f9ab63b2607c94c25122864c4403a48204190

SHA256
426762e00e400557752c277483e6ef93839208d61e7e1de1355b5ab8b02a8cf7

SHA512
6fb36c95894a00bdf9265c779430307a1c0c772dad016b05f720b271c41b5b3571c04e5b9f698d19df405d91f722ab9998cb662049e00a1da793105a4c07ace6

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
199KB

MD5
ac5c7633eb4dd2282fabd265bc3f67f7

SHA1
2bdac0fd18fca2f02cd1a289800a09e686d91b10

SHA256
4a7550dd464060ac71e6969ba9a99ac7053146b7e0fc2d828b0e86d04106585c

SHA512
bf9c6f60631aa77925200128c34d11714243a2772a53613f059ed04c9aa34d436f34fb99277f235b10b3aa80d8a9188f0dd0805036860944d70abd5982915532

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
199KB

MD5
b2edbc8474487128aba8c5f7a642a45f

SHA1
ac04a1d09d6cd00a2500f54b014b879481b0750d

SHA256
256f1b4fc5b71f6e85e7be5f3f787d3f0bf172cb160541ecb47b3c9119afd7dc

SHA512
ff8ce92c3fc5b9f58fec2b20f12c247d67464b959331a0ebf496b72ee16a38e082f17701d6248fc78028ec2efb2768d6565146365980ed9fc084b3dd9ac9c04b

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
199KB

MD5
1dde7bddc6b8a55551dc6cdb15651c4b

SHA1
aaca2ae13cce1590b052288fb576d52e4846d261

SHA256
50143b1995c6b0784ea85ada5d1ebb3eda3a1bad72a0e2387015cb9c703c8791

SHA512
4b34088abe9060916180bccdfb1fc16b9cd55ec2b65787b5b261a51bb4d99d760e05722b254e624a23c488415dc8b5a23cb7601cc0126643b2e3d22cae64e2ab

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
199KB

MD5
d6fa5ab919cea565320c4bd4d55d4191

SHA1
0c1cf3af58def8b3734178f081ca163a74d5dbc5

SHA256
21878e643e0b71cb790fd10d4bb4e3dc28c4155ff399ffa7b236cf4d09e17060

SHA512
492a0f56fc4c51e236b0b27a6daf96736a0b05aa1c4f9645e84f9fd5e8df46107960625756f4928e1026428f9515403a5033d24f77b3019c49fdcec7fe2909db

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
199KB

MD5
d2b7fcdc8b192e666e73840c193dec0e

SHA1
02e3d62ea470692eded4ffd274df91860f8d6f49

SHA256
4d250641c841dcec8352cd97a7c491865334a825454f5b2b08ed637196bbd208

SHA512
37bb217af495de076e6a97fe9d8de6e017bb32b21ac8d39797eade062e4b123eed078395c2c2fd8d10bd499e5f64bb6f0387993480c12788d1278244e51c7b87

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
199KB

MD5
0ef49f378a66dd57f584513a3e348c3c

SHA1
dac3078b1ef3e0c21f8c50de339d124046b2d194

SHA256
98b1efda6ebe74714191e06a5b5d0abb9027ae6f1a178e7b176a06b905744511

SHA512
088c1f422300b7fe0f5fad668689a3a3e0360d2037ab5737d769dd745eba980b968b9cfb9602ed9d7352acc3999bd0edf20a2934609355d9ee36a23bc101229d

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
199KB

MD5
73d6d5faf5e4f815547c67f8ec782f88

SHA1
0eba3b80ecb907793ecebc97854a4baeb017998f

SHA256
16a64fa49c8527cb1a1de8f68a05cd11f11bba4eb5625da11fb35f8c1c091575

SHA512
f278472268412b89ef8e39445aff09f162cf5aee052fbc9c9e818a50ce4219273db43eee19d5c7ffc1a8e1714d761506662ba9008cf3b08e87be2679d6d92cc0

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
199KB

MD5
4edfc67b7dec4cd46decf127ad1b2f9a

SHA1
8b93b58a356896bc9e240912e35e7749406c749d

SHA256
267e6f1feb73231a9014358ad593fdc39e2e27c82784647e67f386354783cf0b

SHA512
0a3722cd6dfb8c2c4a530d294b16d509d8aeb0f67e095bcdb63e5c0b6b5b3dd136e2f11e1012db73d96621280573f8d6beb98c0ad947296cb38b914877f2e2c1

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
199KB

MD5
6258359e51741b5ca2168d0511a9bb11

SHA1
cb7b7ccc8d689770ef3ed454271228063bedca79

SHA256
f2ddae246f83ef05c08fb6828b4ab59b3fd60a178b0867d1702d3e6bb1c2fb37

SHA512
91194489837dcca9f3449857a0ebf4dc6c98548195e94e359451413f892621427f2031bb9a54c1129ab077a7660f7c6c68d8f78e4483a5c5dae81f5ef65cfaf5

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
199KB

MD5
ca75f4aad016ae98c2339e072f5f47aa

SHA1
c772572d3278fed1e5028f799a7613ddf701f5b5

SHA256
88bbc89caf965c035da052692a01083695842483edfcd55128e5e5584210e2dd

SHA512
859f67fc7c43920b6b8e0ae9a99f91d9f261b412ab7872a30c1e3441afaf07ef3d0766440a8fb03147de953c24a1d6a6abeff3481f0eda948965ed0d7daa9fb0

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
199KB

MD5
8a20f6b5c8a26cd41678547471a30289

SHA1
c4ae6771bc3878c4f5c2e8a2ebd917f283529486

SHA256
3741c3f5eb071bd3dd835e6413e4cc59b6b5c176c8029b475cea602e4d5df351

SHA512
5c4314ae851cece912a7f1d585d7fb6d3697fd4ee400edec001f97c94b8b144a02813eb864b3fca5f01ad3e7f1c3465b21b69c7dbd2195dddb82c7bede83f71b

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
199KB

MD5
1d43f415deb75c40caee20eb630d769f

SHA1
9058d66c9a6be5e67e7e10504bd290510a8200bc

SHA256
f714088c4c0af357740ae834983af2c30d058c098422f33b59fcd19e91b69087

SHA512
a29540268e9f5e8f781f7af28cc270e6d1c68f4ad854706ecc8e37d188e5d46d5be1f91c5e8ab7636f368ad51ada909a93b8ebf6232a0836cd07d80d490a7188

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
199KB

MD5
6adf913ad52c3bf4f387fb621a34d15b

SHA1
818318435ededc2e07980418c02e04e1c94aba4b

SHA256
50434dabfd556915095df3a9052859089b243996ff77713d1e2da012ee439ec3

SHA512
3b8db2941324d71afad7dc482dc48663c926f07029ef6f1b31b146d97e1f855531b907c2fae8a5653e422bc10bca9714808184084966908929e5e0d0daa6f7a3

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
199KB

MD5
0fa0c457c30204cda993b2fe69df6078

SHA1
51568879847a2073c67cdfe67b6ce26f25b40869

SHA256
c4e622cb3d7e5deb2fccf30099b5c5a257a081c0b8d58be55972588091ba7d94

SHA512
d7e7d974880abc325210ec625ab996f08fd70e9ec887d33902f0485df91ffc864aba61a07eb835d0676b5e52634d5a14d00f338faa29569dde9822f64c429ce6

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
199KB

MD5
ca1674a54ff8d40588444c81575801aa

SHA1
de56d36edada2e398d82d12da573f48dcc6a7c24

SHA256
fbf61a781eda841e9cc0d1d02ff1b89f8d7234796a033662183ad7271b23b7b9

SHA512
ea662e8e6be8c6d807d730ba86e47da8b3e6fcb1cdd66b2d8c447e1a9495500a282ccfd39b737b2895aed707778a1ac72aa9bf1eaf57d428698f84ec67bd3dba

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
199KB

MD5
765e66a115b8df693ee7612fc621052d

SHA1
df70f868a2ba8263be3a106883d4bc71e30ec391

SHA256
db099aeb3768aa1663aca2bcbd8ccef9b40f28c2cfde1722411e2f3a38d2f536

SHA512
a7c01b7ee6a1e8db108ae3dafd6e20d55419af2180c528903959a4674ab50d40f4973123120017346df3af86244dfdf5e63264e5cdc7f62a378d57f7c837939b

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
199KB

MD5
8fea48eebd95ddebae68db11a8ee5a32

SHA1
d490a11ebd4853eb97a492635342ee3a689bb6e3

SHA256
af2dedb86b2c2d1f5f2fe65a0193335bf34d3ff76c8f3e33e84f9390f98a0041

SHA512
d0318ab049c30898aeeaa42a95bdd60c127d8a550dd9c7fcb8f9643028f669a20a20860171fa5d1092d14ef9fdc2f96e4fd74e7aea85b63707c5488bad487c95

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
199KB

MD5
075bcf5ce1bc6509dbfa8495a0a04b8e

SHA1
9efdaacb400498ca96e75a3c6b2974017a984280

SHA256
b7fcffab8608c41cbaed3337e6be77c893d2882d87e928cee40fe9c5489a093c

SHA512
50a4c20f6abf85f2cdac23cfe32cdac6a0da93a70dc7a5e04a38c9c5061ac221968f9a2d8d195ad39cff6f067b357c4da2387b600ed95a19f8d6137d00d3b68d

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
199KB

MD5
14229767c3b2bc4f02ce1f594be336ba

SHA1
05699156a4b7f93cd8b01ab39c74f707f9816462

SHA256
3d7453d844235af7a8308ca130150d17dc2ef2f63855d446a29ceb5368afa17e

SHA512
9262314cc7f819f466f6fbbbf41e488efa785d20226eb717b4a869a447a1de992f96ebf7fd42d5f4abfe6f943f7488be515b3850576d0674c5fa10a9898792bb

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
128KB

MD5
f5beec25289b747242c8a60e1a650a98

SHA1
4da67a4cabf5a98a75dec2a00d7faeae35ef0a5d

SHA256
406affe88554a5dbef7655a02ff65de0a70c0f84f5beb55fb76fac1386716db4

SHA512
4f6f31057db9b89eee3001e200a65444260724a20b1ef0e5bb20509a7aaaa28b16d4d8087ff522b8844b73be83a58414be29e7a4c24726ec3528343c90230a80

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
199KB

MD5
9e3b9c2317719550eb9ba43c8c950284

SHA1
a290bd45dd7740198b7db573e1e52fb771193dd2

SHA256
a84627d66081f317648e29f1c4617427667189a6b6829bee909e4a8ce285e580

SHA512
89a5ac4e745f2ad8f7f2aa86500f4e67106f60b96ac2a7d378ef02d6302aab6446e837ab57d9a6da5ab7676dce7913a5ebe35ce3a6b38d61a71934bc4db8cc5c

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
199KB

MD5
af85627d44b31f4a5fbaad939107fa89

SHA1
f4836fedb2f43188cb92e28570de1ba30811e921

SHA256
6805b69e1fb5d2244c4dae0796069ad0a95acb1c7412f9bdb2d7edec920bcac0

SHA512
a4f6c790ae7b89d310c8bd1cd3d92293ea4a2508604cb4b6f6f9666d951faf3eb08a7a6d310518a0b294e6f411f5efd6359c8bb7e75ffff05cd24dcd1352c63f

Download Submit
memory/116-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/388-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/496-593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/624-552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/624-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/676-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/844-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/896-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/976-439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1132-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1140-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1140-572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1228-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1308-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1556-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1656-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2076-85-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-599-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2288-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-585-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-550-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2980-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3108-486-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3120-537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3152-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3168-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3252-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3276-519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3280-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3360-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3396-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3572-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3756-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3760-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3944-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4044-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4200-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4248-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4260-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-590-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4488-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4736-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4852-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5044-579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads