dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651.exe
Size

376KB
MD5

36cdfd0432f88da411e7e8d1353ddb8d
SHA1

323edfc1e2675fdac996a11248b3c826a4e1fca0
SHA256

dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651
SHA512

0e032af069e704f901b1f317a2047ba5942ca9f695ff52b7abd6e5e30e4d4fe4d0b9d67227926a182fb489ae056b57feb708e1a737ba9d274eddacc6613dd3a9
SSDEEP

3072:w8hDA+cbcZK1jvVAURfE+HXAB0kCySYo0CkkhHs4WfO7:wycbcZsjvRs+HXc0uo0CkkW1fs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe

Executes dropped EXE 64 IoCs

pid	Process
4656	Ebeejijj.exe
2052	Emjjgbjp.exe
2732	Fmmfmbhn.exe
232	Fcgoilpj.exe
4932	Fbioei32.exe
836	Ffggkgmk.exe
3232	Fifdgblo.exe
2644	Fopldmcl.exe
4992	Fckhdk32.exe
4828	Ffjdqg32.exe
4208	Fmclmabe.exe
2352	Fcnejk32.exe
5024	Fjhmgeao.exe
4844	Gimjhafg.exe
2932	Gogbdl32.exe
2772	Gbenqg32.exe
4872	Gcekkjcj.exe
1648	Gqikdn32.exe
4540	Gcggpj32.exe
1368	Gidphq32.exe
1460	Gfhqbe32.exe
1616	Gifmnpnl.exe
4592	Hjfihc32.exe
4412	Hbanme32.exe
3668	Habnjm32.exe
3308	Hcqjfh32.exe
3556	Hfofbd32.exe
1236	Hmioonpn.exe
3584	Hpihai32.exe
4352	Hjolnb32.exe
1844	Haidklda.exe
4980	Iidipnal.exe
2156	Ifhiib32.exe
4496	Iiffen32.exe
1888	Ipqnahgf.exe
4148	Ibojncfj.exe
2776	Ijfboafl.exe
1124	Imdnklfp.exe
3772	Ipckgh32.exe
2004	Ibagcc32.exe
5052	Ijhodq32.exe
4348	Iabgaklg.exe
1724	Idacmfkj.exe
4984	Ibccic32.exe
4016	Ijkljp32.exe
1768	Imihfl32.exe
1328	Jpgdbg32.exe
1856	Jbfpobpb.exe
1440	Jmkdlkph.exe
536	Jdemhe32.exe
4628	Jjpeepnb.exe
4620	Jmnaakne.exe
4356	Jplmmfmi.exe
3788	Jjbako32.exe
5064	Jmpngk32.exe
2016	Jpojcf32.exe
1796	Jfhbppbc.exe
2476	Jigollag.exe
1864	Jpaghf32.exe
4880	Jbocea32.exe
3300	Kmegbjgn.exe
3296	Kpccnefa.exe
3252	Kbapjafe.exe
3564	Kkihknfg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5944	4280	WerFault.exe	217

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfnlmai.dll"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 4656	624	dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651.exe	81
PID 624 wrote to memory of 4656	624	dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651.exe	81
PID 624 wrote to memory of 4656	624	dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651.exe	81
PID 4656 wrote to memory of 2052	4656	Ebeejijj.exe	82
PID 4656 wrote to memory of 2052	4656	Ebeejijj.exe	82
PID 4656 wrote to memory of 2052	4656	Ebeejijj.exe	82
PID 2052 wrote to memory of 2732	2052	Emjjgbjp.exe	83
PID 2052 wrote to memory of 2732	2052	Emjjgbjp.exe	83
PID 2052 wrote to memory of 2732	2052	Emjjgbjp.exe	83
PID 2732 wrote to memory of 232	2732	Fmmfmbhn.exe	84
PID 2732 wrote to memory of 232	2732	Fmmfmbhn.exe	84
PID 2732 wrote to memory of 232	2732	Fmmfmbhn.exe	84
PID 232 wrote to memory of 4932	232	Fcgoilpj.exe	85
PID 232 wrote to memory of 4932	232	Fcgoilpj.exe	85
PID 232 wrote to memory of 4932	232	Fcgoilpj.exe	85
PID 4932 wrote to memory of 836	4932	Fbioei32.exe	86
PID 4932 wrote to memory of 836	4932	Fbioei32.exe	86
PID 4932 wrote to memory of 836	4932	Fbioei32.exe	86
PID 836 wrote to memory of 3232	836	Ffggkgmk.exe	87
PID 836 wrote to memory of 3232	836	Ffggkgmk.exe	87
PID 836 wrote to memory of 3232	836	Ffggkgmk.exe	87
PID 3232 wrote to memory of 2644	3232	Fifdgblo.exe	88
PID 3232 wrote to memory of 2644	3232	Fifdgblo.exe	88
PID 3232 wrote to memory of 2644	3232	Fifdgblo.exe	88
PID 2644 wrote to memory of 4992	2644	Fopldmcl.exe	89
PID 2644 wrote to memory of 4992	2644	Fopldmcl.exe	89
PID 2644 wrote to memory of 4992	2644	Fopldmcl.exe	89
PID 4992 wrote to memory of 4828	4992	Fckhdk32.exe	90
PID 4992 wrote to memory of 4828	4992	Fckhdk32.exe	90
PID 4992 wrote to memory of 4828	4992	Fckhdk32.exe	90
PID 4828 wrote to memory of 4208	4828	Ffjdqg32.exe	92
PID 4828 wrote to memory of 4208	4828	Ffjdqg32.exe	92
PID 4828 wrote to memory of 4208	4828	Ffjdqg32.exe	92
PID 4208 wrote to memory of 2352	4208	Fmclmabe.exe	93
PID 4208 wrote to memory of 2352	4208	Fmclmabe.exe	93
PID 4208 wrote to memory of 2352	4208	Fmclmabe.exe	93
PID 2352 wrote to memory of 5024	2352	Fcnejk32.exe	94
PID 2352 wrote to memory of 5024	2352	Fcnejk32.exe	94
PID 2352 wrote to memory of 5024	2352	Fcnejk32.exe	94
PID 5024 wrote to memory of 4844	5024	Fjhmgeao.exe	95
PID 5024 wrote to memory of 4844	5024	Fjhmgeao.exe	95
PID 5024 wrote to memory of 4844	5024	Fjhmgeao.exe	95
PID 4844 wrote to memory of 2932	4844	Gimjhafg.exe	96
PID 4844 wrote to memory of 2932	4844	Gimjhafg.exe	96
PID 4844 wrote to memory of 2932	4844	Gimjhafg.exe	96
PID 2932 wrote to memory of 2772	2932	Gogbdl32.exe	97
PID 2932 wrote to memory of 2772	2932	Gogbdl32.exe	97
PID 2932 wrote to memory of 2772	2932	Gogbdl32.exe	97
PID 2772 wrote to memory of 4872	2772	Gbenqg32.exe	99
PID 2772 wrote to memory of 4872	2772	Gbenqg32.exe	99
PID 2772 wrote to memory of 4872	2772	Gbenqg32.exe	99
PID 4872 wrote to memory of 1648	4872	Gcekkjcj.exe	100
PID 4872 wrote to memory of 1648	4872	Gcekkjcj.exe	100
PID 4872 wrote to memory of 1648	4872	Gcekkjcj.exe	100
PID 1648 wrote to memory of 4540	1648	Gqikdn32.exe	101
PID 1648 wrote to memory of 4540	1648	Gqikdn32.exe	101
PID 1648 wrote to memory of 4540	1648	Gqikdn32.exe	101
PID 4540 wrote to memory of 1368	4540	Gcggpj32.exe	102
PID 4540 wrote to memory of 1368	4540	Gcggpj32.exe	102
PID 4540 wrote to memory of 1368	4540	Gcggpj32.exe	102
PID 1368 wrote to memory of 1460	1368	Gidphq32.exe	104
PID 1368 wrote to memory of 1460	1368	Gidphq32.exe	104
PID 1368 wrote to memory of 1460	1368	Gidphq32.exe	104
PID 1460 wrote to memory of 1616	1460	Gfhqbe32.exe	105

C:\Users\Admin\AppData\Local\Temp\dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651.exe
"C:\Users\Admin\AppData\Local\Temp\dc9523b9d19da80ab23a08a0e882dbd41cfb68045d9f77ad166e666e7482f651.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\SysWOW64\Ebeejijj.exe
  C:\Windows\system32\Ebeejijj.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\Emjjgbjp.exe
    C:\Windows\system32\Emjjgbjp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\Fmmfmbhn.exe
      C:\Windows\system32\Fmmfmbhn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:232
      - C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        28⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        29⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        42⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        45⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        50⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        52⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        55⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        57⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        59⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        62⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        63⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4476
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:916
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        72⤵
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        73⤵
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        75⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        79⤵
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3732
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        83⤵
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2472
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        85⤵
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4636
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        92⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        98⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        100⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        103⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        107⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        112⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        114⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        122⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        125⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        126⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        129⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5596
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        132⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 404
        133⤵
        Program crash
        
        PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4280 -ip 4280
1⤵
PID:5888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
376KB

MD5
57cbe3af81fc9c73703ee3bb13026503

SHA1
9d80dd8fd1f272e443463ae69556677937de5202

SHA256
73d1f93c50e1ce647b2eeaa458b206deb772ce3dfe264cbb834d4639e4447548

SHA512
0de39ded4950f876356d0b4d073a31a5cfcc5a2c6035bb2dbdee240ae98e885e2a5e41227429a92123585369c79b55c8b5f39e9034846058a8b1820ca63d726c

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
376KB

MD5
75a0af35bfb6a7b02cea32d3f3950dda

SHA1
22beda511d13fb4f5a8ca3674d8d6b8830ff2da6

SHA256
392a96e9f43567818e3fef5f8a925c5af677f5a3edbf9f7c929db3753cd17bfa

SHA512
28aa52cbd511ae0ebcf63565149969dd86b253e12b98172415b74f4a9d69e137b98d9abf94070109aa9ea21815b3167180eef77031450afb2c15fe25ca3862bb

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
376KB

MD5
c87e0cafb0fa9d0d4b0a4e7d314fabc3

SHA1
22059f678ec150f687a885fcf07bf043eb7d2442

SHA256
84fc5732ce6e9ec5cd8658e3151ade9818abb9c47adeedb15028e06e1b3fa5b6

SHA512
7f1713bbf56e2b2bc4f271d3b1a4d3b03396ecf6983fdccd8b99a3109cca9a60c1c07c082c74be3e72aab9e714ea92dee267aecdf9fd2fb46af39caa2b51b525

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
376KB

MD5
e4053b8e0552ec854e80d7a79ceb530a

SHA1
ad144fd66c5bf70e8e4e1536aa3f411aa07d7567

SHA256
832204ad92aeb4854605aa0cb0eac698ed97fe71af13e65b0705413889b95ce0

SHA512
7300c940fd5d5c4f50cabd83ac0d80cac7e1439668b73d1fe19a5a0ace32ecba2e335e8c190f49aeefddcd5582b87600f8a82b57672cd291c100c14c58bfe636

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
376KB

MD5
854f0e5a2006b9a14a431a6fcaa8eee0

SHA1
5e207af80fb54ad3b57ef860070751e5c7c0aee5

SHA256
8051fce1b4d8d072f47d82bddb6d7b485c45a924e73e850154dd7f0c4252e4b1

SHA512
c80c37842f907c3dcb4482aecccf7836f7f06a263eda78f53a6d7465f00a8a802b56d3cde81599273569f0b3ac3adff7472afdd2a36e07bd9d50cb867d1f5fb6

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
376KB

MD5
f8c66f9877d795ae2b5ac550e1af929b

SHA1
570b59cc1f4e0e5f4ab54d50ccc577259fd4559f

SHA256
04ab717ffba2f93cd21af8d966a77e6e41b0f38ba7d2c6d0945cc76b8b0c7cec

SHA512
1beda3dbe05cccca5c138217e4f3c994c02fc6f40d0a29006b5182cdeed0466b4af016d9e2cb2bb12794d3a87942bec809f52469959464f35c3463f2d310351a

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
376KB

MD5
934f781930b55e4884de752ef172afe0

SHA1
4a2d01e226ced00aad49fe4e11c457b96468f96f

SHA256
4647a197e9f6a447a1484b9a3f64b09e6c354f5aaf8340c6d1d849c2c008b4ee

SHA512
73e084af5d425fdf469a0fd6e249e61275ef5619725310b1ec445bf47fe6b6cf09a5f7dbc6b2a84cfff823f35a0b18a6173f87aad78feabda69e1559e6ce49b1

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
376KB

MD5
2218e7d4333888e611a8d2af2c1c39cb

SHA1
0a4a8d8b6559600a260b32e24f2599edf1e4aa29

SHA256
e773d2efcb89cb07e0c15d08e2500f3597dea2aaf233555278f7c7919d2ce189

SHA512
bc92cdeb6aadaf38729068579d103eded78c0852276fad1ed031a74a0a54858388397bb418a18049a2c2f0a763f681205c00c77fde8ec5326fa1b881349f1cca

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
376KB

MD5
52091694eca16e8a0473a750ec0cb668

SHA1
6b53eb0b94e446677ba944d205b5da633e3cca8b

SHA256
e7d7fe9db378bc3d179b3e0281ee2cc6a043e9cf50ce0d7d03589c2aaecc9676

SHA512
ba24cf72f0fedfbeb19e0962422f0461bcca9def910f5ae3641a1904e0b4639c9d1ebe8a7d23648340df2a39687c6a4c720233bbd54e963b8ca09721f94ae12c

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
376KB

MD5
cca2cbbb40cc93f0a78c0156c3069d71

SHA1
f6153c87f8afe2b6a06e0f06caac1c6a3757c384

SHA256
975969571e43708d641ea48040d25e63454e59450e3a33a684f8490a7a48fb1e

SHA512
2d8f5f1d69c95b58daa2d075d6b1cc12a2518153a0b83b9966e3b72a59cc341f29ee186db6741a4740754075ac86927fcdd02fa83f117c4da87a53690ffed8d3

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
376KB

MD5
2fc6ffa7cb0381c004164be519cb77b3

SHA1
45310525ae1ac04c0c9b3b023e4e162b8dc6937f

SHA256
c4fd2874da09e2dd6e8eafba8d6f1c40def96fcbe0bc2ef6602dac81a2300134

SHA512
42b1e62e4e37bbdcd47305d73187b4ac48a7c83f2a1432c06e0f4f42dc96b3042969ee3181cef1be7a63194cfddc2b3181199983109f25ba2dd51c3e21280bf3

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
376KB

MD5
4cbdeea9c23cb3c814e0b14d2afce7bf

SHA1
0d4163821d694a7b606347178c0198431a7ec47a

SHA256
5df6881e93a21fdda14b712c4259ca5b0936d5edf43f99631c54642e71d02acf

SHA512
f46c2ff3792304f77e9f1670bce862b648766dddf37106f57682ffee1f63a34ad907986a8942f83b700ac676ee7366d8a0924e9f464ed916f40ffb357c80b3d9

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
376KB

MD5
dcf87d6426d59d3d47a585b6fd6a24da

SHA1
4ff3f688304c065e8ada192ac36d0a4e150b756b

SHA256
794297dc93f82e6beba0e008c09c05fab483042c044e8a4bedc4d16783a0756b

SHA512
00c5c577da6b34ad3b5750e97451f2ea36722d6c0c43d86ad54ea08bbccba980c1f4b60edd421db196332cb193ed7cc627ee0cace33b5cc6d6fcbe101fb8f142

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
376KB

MD5
775a47ac9ab76aee3e562e16b326a382

SHA1
84fd47be83923254ae26f9c7331c006a0947c134

SHA256
05de2428c9a07f5684788f33549d68351ba6a9ec46768a73574688a3cae36f69

SHA512
25b56110cf8b950897c48c2fd878c3b20189d154f50e6cb14c4ecec311ba3add2e1bb87d497b3ed23165afa86981aa8322daccf723a167c34a5744cedf10e59b

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
376KB

MD5
b7e3bea603351be09ab70bc3d481d45e

SHA1
445f536bedc391cd4d249a350133e52674335e08

SHA256
0bf2921eaa01a8e65b2c46635e3f7a173ecb1c1abe7718e2a86d5978cf4b18d9

SHA512
3ee669aa8898d0a41e1e507a4c0daec853901e7e2cc483b48f5a669edaf25f44f538f69562dc91b21df657051ecd760045a6e945a0099fe5f75b5a5eb31322f8

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
376KB

MD5
221e091a93c73b829b15b6ed20f746c2

SHA1
186edad55391c07489025f89e222e513a9e2d407

SHA256
add1b32138a6a11eb2c6f8cccf3191453a4d6e19fd26b2b6307ad274bfbee02c

SHA512
90c15b79fe70cf315658c75a023d19310dc1e18794fe6ff0f194d2b67cf830d4a30e00aab39a007f514ca67bf4920ee9dd75626a815bcde02750049faf2bb133

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
376KB

MD5
a0daf849e2d0df350a4adbd58f8ab8bb

SHA1
a94f8523c8d550dde9590a348db5ca27d7d65286

SHA256
482e4b2fe20177d2f1ec61f77e1ee177f249b0c668bf69ada6e7974f7e566bd7

SHA512
7fd83c2022e0b3362f38a8b1ba5832332bfbd1ffbd10fdfb1670b2108d68516ae418946d0b85809ef7aa33e87304bb06353608058e9fdc00f78171fea26c3bf2

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
376KB

MD5
a66593c9d18c7f5f72cd2328b33367e0

SHA1
423972f772b9f36919e5313f3db6a8f317043e74

SHA256
ada1211d4a138d6c426fe6318228bebf9ed2b185a8a3afad71da6dbd040f7cc3

SHA512
16ad09e312a75eda8f46dfcb67cb834728744a112f02e73d3644e2893b06cb3fea60d74992eea75f42b174f8344942ee52cb4cca515250eab3ca22c3636efced

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
376KB

MD5
e95c51b19bb5f1c8f10fce0b2b70b4c5

SHA1
f49e421d4d0664d0da6e85269dc1e3a7ca1ce7ce

SHA256
8fdea5630d203315be5cabb8ace0ceb1b6ece8fa09f6d0a723232ad74768b1c6

SHA512
89ddaa03c7a2a97e1e27cbd933325c5c85bfc19a6de7c408fd7255018b48a610739d73c52013877ae2846262c734bd5990027ab789aabf236169902702376421

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
376KB

MD5
a81754f14e4318681af74ac1f64d29de

SHA1
dc5f4c446a7a21c4f5526db9ac895410689be685

SHA256
7d409a2a49480fcaf022a4dc7aa13761ca320c0b86178029da06deeda70897f2

SHA512
cbac5ba4de3afdac310a4f6895b7f6eda473b4a4389d33ea3d564ccf95ed9bd5f4f7a23b71f3146002f729aa1e3e0ce598453730ab86ea7eda3c778468dfd5e8

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
376KB

MD5
ab62709cd8f2b8804dc38049df0d6924

SHA1
e78d39334b7a4c282cf3bfefbbbd5dd83f4e6dbf

SHA256
280b91abf68ed87f7497b9b1f94b38c37a877c93b89d3fc37e9d4226cd82df9f

SHA512
b426fafe44738ecbcff7cf32524e30e27f4967e48b1a16bf915b853224c569a312924f479a15dd87809431391ba7953c38e8bfc9544361b02b126efb0b6d57c0

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
376KB

MD5
dd7247bcf71abcd4aaf4e8d3e13ee53f

SHA1
bfe1d2947739630cb5d70c9cbf6fb73e33909e0a

SHA256
c99f5a60a00404f68a234ca955dce2415be3658795ed9458efa527aa5931b13e

SHA512
3fdbf9b116bc6b7b17fbd48d56f8224a2f8feea0204f21a0dc88c2d5c5c76169d0bce534b7554fda389c228a7b54bc0ed7c6c3a5c3cbbe4121dd6b4e9efedefe

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
376KB

MD5
66e3756879a5fbeb5c0b5d4ef4b2cfaa

SHA1
9ed9f2d3b17d6aca118db38ecb922668d963adbb

SHA256
75b75b4c8f4f09efe7457924a5513871ec281355ccd7678fcc4a5ae4c45d3adf

SHA512
b8282bd971532ff4241ea9ba5cc2fe5b7d7484a5f11e10dea1dd197eaabafb5fee883ad152fc5e8c73b2261579a561682d5b54f7ab7bf141e6a3f9c2e898b825

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
376KB

MD5
9f26f85681630b880a9a0e5d04fdbb91

SHA1
70c78bb8e3f1645a269409e2c20f6e370d29baad

SHA256
1eae7910fb137cee097f84dd27fd9becf6c19d4ca13e0e0a6cd9a79aa040a3ca

SHA512
f4027ca504b29f01e31e49fe1b4887c4b40c9891f64b32f155b70690a3926c601687d986a3a36b6bac0801538be28f356ecc78da35170e4a03105cef503c0d6a

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
376KB

MD5
fba3c76d51a234176bcc34dd62101172

SHA1
24eb56f9b3e9c713250a92ca455c7775262aa2a8

SHA256
129e5543e4f023ae16e370cb7e5248c1c7e6c185c7983f4880bdeb2cef5c742a

SHA512
91566d038cb83d354d554cc1cf384710875398e775e31aa69e4bcf704f9fed429434052a4bad9a4952a805c102d309d4fed6cf57f669ca3edf3ec867123e1f00

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
376KB

MD5
cec9d7a88c75f7fa39f4b60b428fed7d

SHA1
28e9773d65790eb1b30cc8152d7c1759cb505b18

SHA256
75b66544fbeac9f6c89b7c91443ce5f3ac30a892dd133f16441a3ef67bfc7d4b

SHA512
4fb42b7ed3239b4438eb0098f07e168b67b08b57953eaff4c9b657e30d605b0895be045d13c96143c06545e28c74295d3ac7f24fae1908037913c70194c03e73

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
376KB

MD5
39a9b149cec82fc90be789f8ef82ba38

SHA1
942e4d0e9b360bc9faec41be50bca6a943c00c22

SHA256
02f80893ff27dfc0027b7d4bb45844f37eaba546f9021141608d167328906acf

SHA512
21805feb5bf105e2b78bb9ddbd44a91a83efec7e04d50ec7e1e32a50ef88a5ee6342a91bf567fc77f7a6999160e3057546d0351511631641e07c998e916e9107

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
376KB

MD5
1900f3054f54bc4da660516e5a470156

SHA1
4eed0a73edbb74c630d2efb9fcd2e99207068a07

SHA256
e1912d91e5891ec39149c56bce47b62da039c96b267efe9f30f08cd53679b6a6

SHA512
254b8cfd104f8dbaca216fd696152d62048b5c530cb3005a288bd25d68cbbc491770b0959857fec501281939978c7f30fba8f3e888ce7454b2b46a3dc6a4273f

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
376KB

MD5
f3f4f9d2a97689cf4a91b196db6a4ba1

SHA1
74c3a27ef0968b5ee1ad845a49edeced31660cf0

SHA256
c46a4ecf1912693f2fc5dc3cc9b3f8b73ffce9084c8eff7af3d75b7c539badf7

SHA512
120253eb66a458529ff9d1d14628a6c7ccc6bc59271d7fe02644355b9e01dee485afb80f304c84e87114ff5f1d842854c53cfdffeeb08c077950e4e7f5e247ee

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
376KB

MD5
67b407525d4f6321aae08a4a768e49d9

SHA1
d9d2d3095858c461916c4305a04674717126e29a

SHA256
658f73dc4977f8524f5713be5c9ed45c29f74aba1cc14d55c10f77dc8e466b32

SHA512
8aaa77b72e9324b29dd2f6c4e494a8661383b66c491ddde9431aee3e11631866426fad92e9e0ee48af1bc9f5669d530ced1ceb5ee6d9b36a72566042c2ee05e8

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
376KB

MD5
8b79ad97857f70fca9f07f522be66166

SHA1
5cd320bbc1d5d701b3612cb31c5549dd2d050b1a

SHA256
539614f2038c588417f6fcab106bcbfe665d7c82d82fac0e86cfc82115e7ed66

SHA512
cfd7b41a6197b8b7c4008633956955c03fa36e23920619e7d47b0ad955c8103880f0738f6eee7f8fbbc9b92b9cb950be943423afeb77dcbb9190a810ec06755b

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
376KB

MD5
cba48164f68a42cea7e1996a4280ed49

SHA1
af2d898620d7ecc0171f96aab20aa94ea5206662

SHA256
12a603193a611383f9149ea0ab09c70f3708c416f7eda9aa77ac559335db14e1

SHA512
f173e52dae9e02f934d5f15e883cc3f56947e6f5986a3d4740b02382044eddaae523fbd1272e68a4e0fd1f2dcfcfc9b92dc3fa82e315307443a02a5612d3e56d

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
376KB

MD5
1e1f962cacf40093674150677734f892

SHA1
8d2730e27a7405575102bc60f90923bcd5ebf15e

SHA256
8d7e397c7f24a1cae38361ee8329eac6a046f15e25db654b622ed7f3973b1287

SHA512
69525509058991d8950f85a941fa76f0cb4036422649a66c4697baa02e2a1c3837636875c3796fe3649becc5c6222c6d7aadf40ba3b6702b06701b5b79b3a515

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
376KB

MD5
c2a204462c8464aaabf792a6a92f4265

SHA1
fd7e577c674d77f5e139a7978c76b856ad9797e1

SHA256
0401af25f0ca544c472c7ce56c2b39cd16eac872245d87e2766321106f61f2cd

SHA512
27917692941cdb8024ff5da9c639c13d40f5cbc9a5bf06199ce0e65ebeb1144ee51646c53e6ba8c743c945591ef44342d9bab8f0ac8c405748f584e17a04df70

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
376KB

MD5
214a6e1b01694159129c3e1e331df480

SHA1
084a0db2bf32125d2d0c03234667fff09dd4ccda

SHA256
75d5707a601e5888ff2944d0b1959b7a1d642befd2120e2e74fcac7b46a1951a

SHA512
11748d1a8132f4d59c30a3ff84680d67c4fe9d2e1b77cfe59add543893e6f103fb365e7c1aa0e52050d74fe1737b65cf2ca9318c1af4e342c897b6a5184034d6

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
376KB

MD5
c4bbaa499140bf38c152c61bc6269137

SHA1
b9abb896617d686b177eb8f36dd6b8f5ed9659ea

SHA256
e50021a59fe9c7fc99a709dfb98105c389be1f702c4c89467cf239a91d5914c6

SHA512
73c68957b4382cf5a3e7a3122b701ad50bf5b3bf11d7646a4eee62c788ee5112c4b31438886d44143c273c1bdb88bd01bcbfc2d42b08571e290e6e40a3e31725

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
376KB

MD5
5a9d9699ba213068a9b01215b738de09

SHA1
afdf922703c7f7cd8783120a35e6388b3a595c58

SHA256
e7edc8e87d695f38e12fbcb861e71c4aca07b5a38ec418fa1b1041001169621b

SHA512
5796adcd1986dad7285b5950ded10f9b1c80b4f999b9201c63be3385385f8978fb75e617ad5f033c1e1b6981fb4d7c6f833ea466688d5e083d43dea7ba3ce430

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
376KB

MD5
a473de76cdfcf3309d53aae38793ac97

SHA1
aff1c8516fe033dc2b989df12338cc3f009e95a3

SHA256
e5af4c739ed6ffbbb12f03cc71578efbed7fbcb91b6104b7c1ba6d28de395d66

SHA512
e8b22cf5b2c34f8b1ba0124b21a37c61fc8e675337f7f18775752eb13cfdd863c3ed17099b505541a0025923c85971902ca570c0bc3969e2b58cd1133d7074e6

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
376KB

MD5
10fdfd51de6f2b3b753045d7766774dc

SHA1
4fb8661bb8dce8a56e7af963a0248097689b1b5f

SHA256
913b63a851c422e8a47e076542a3376a9cf3fb99bee38951a56f8008ef5d9815

SHA512
44d261ec3030cc7ca85ed94a68d6db51b4d5d245d460e91fc6bf633e5bf34868b7a22b954b78597e13bcad3eb3d868a382f87937cbae2bb1bd24fe8a0379763e

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
376KB

MD5
b0f1658172b44549fc02fc5c9c22fca4

SHA1
53aa0936c2cdc181202509af1153dc6fe7331805

SHA256
3aad6716df79bf6f73836e815adf1272e17abb64a7895ec8d8f296936968cbbc

SHA512
f9537ad1aac92807b9545e607a94294cc6d3e03d42210e016084ff46a0fa1b01dcc7b09951d678b91687ca251c0447516e1e6eeb538de542b568c652f85f64a3

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
376KB

MD5
c655bcf8f56802783eb01c2f5e436c2a

SHA1
dd3872ca0bca0bd0d514141b4c56f1129db91d30

SHA256
4e54c14ef6799e5930c79f5504cc107d3028f23444d0c6d2b4b517e28575c6eb

SHA512
1d32f6add79c3d9715547e4bb2419b93290c8c24974e99a06d6090f129a4f52d53c8306cc57fda218713321359a0240afbba9fd2b2b2772e8aae5b995e2904af

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
376KB

MD5
e8a32d668416b52369ea487c962220b1

SHA1
a6cebb35968525dcb65f50b743a423a31a24060a

SHA256
26b7762d348bc3cf5fd3d51f1fbec598b56049bc9d4372bac6943fed1982d8a2

SHA512
a7d0bf10415135d966c2370eaa79d146c64c8163a9906bb511520bd2623b4ea57f68a9057f1e894f93fb32443fc5213f4e6cd5345a5afa551521c0326a240bac

Download Submit
memory/232-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/624-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/836-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-584-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-591-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5164-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5164-961-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5640-943-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5732-939-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads