e3635f8e8e0f3f814788ecd0774d0a57669cdff89b2b3d2fa0ee75831468808f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3635f8e8e0f3f814788ecd0774d0a57669cdff89b2b3d2fa0ee75831468808f.exe
Size

80KB
MD5

dc386c9b1bc844e3ceb2e2ecd6a4a9fa
SHA1

c6d93173c65dcf299d408ec3b16124718ac1bf8f
SHA256

e3635f8e8e0f3f814788ecd0774d0a57669cdff89b2b3d2fa0ee75831468808f
SHA512

4d13ac9f1b6ef74e7f545a4e111a94c3ef6c17724df5ea25f47dab4796aca0ab321967e4505e7d7a0b02a6687ec1bc31adec56071a8b2acc5e15139f9cd75842
SSDEEP

1536:N/2DVxlIgM5VkKMyAO2LbJaIZTJ+7LhkiB0:NuDT+JVkgSlaMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe

Executes dropped EXE 64 IoCs

pid	Process
4540	Fmocba32.exe
2748	Fomonm32.exe
1068	Fbllkh32.exe
1432	Ffggkgmk.exe
772	Fjcclf32.exe
1624	Fckhdk32.exe
3728	Ffjdqg32.exe
3644	Fihqmb32.exe
216	Fqohnp32.exe
3288	Fcnejk32.exe
4408	Fflaff32.exe
4728	Fmficqpc.exe
3056	Fodeolof.exe
592	Gbcakg32.exe
1236	Gqdbiofi.exe
4616	Gcbnejem.exe
1732	Gjlfbd32.exe
1332	Gqfooodg.exe
2976	Gcekkjcj.exe
4340	Gfcgge32.exe
3624	Giacca32.exe
2120	Gcggpj32.exe
3324	Gjapmdid.exe
3180	Gqkhjn32.exe
1584	Gjclbc32.exe
2592	Gppekj32.exe
2192	Hjfihc32.exe
4128	Hpbaqj32.exe
3284	Hjhfnccl.exe
4292	Habnjm32.exe
2608	Hjjbcbqj.exe
3864	Hpgkkioa.exe
1488	Hfachc32.exe
4592	Hpihai32.exe
552	Hjolnb32.exe
1580	Ipldfi32.exe
2024	Iffmccbi.exe
3696	Ipnalhii.exe
5008	Iiffen32.exe
1360	Ipqnahgf.exe
4628	Ifjfnb32.exe
2112	Imdnklfp.exe
2876	Iapjlk32.exe
3680	Idofhfmm.exe
1168	Ifmcdblq.exe
3720	Imgkql32.exe
3004	Ipegmg32.exe
1552	Ifopiajn.exe
4196	Iinlemia.exe
3480	Jaedgjjd.exe
1972	Jjmhppqd.exe
1472	Jagqlj32.exe
3192	Jdemhe32.exe
3620	Jjpeepnb.exe
3872	Jbkjjblm.exe
4652	Jidbflcj.exe
3412	Jmpngk32.exe
656	Jpojcf32.exe
3220	Jfhbppbc.exe
3476	Jigollag.exe
5104	Jpaghf32.exe
2724	Jfkoeppq.exe
3732	Jkfkfohj.exe
2260	Kmegbjgn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5736	5616	WerFault.exe	218

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e3635f8e8e0f3f814788ecd0774d0a57669cdff89b2b3d2fa0ee75831468808f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqfooodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4540	1988	e3635f8e8e0f3f814788ecd0774d0a57669cdff89b2b3d2fa0ee75831468808f.exe	81
PID 1988 wrote to memory of 4540	1988	e3635f8e8e0f3f814788ecd0774d0a57669cdff89b2b3d2fa0ee75831468808f.exe	81
PID 1988 wrote to memory of 4540	1988	e3635f8e8e0f3f814788ecd0774d0a57669cdff89b2b3d2fa0ee75831468808f.exe	81
PID 4540 wrote to memory of 2748	4540	Fmocba32.exe	82
PID 4540 wrote to memory of 2748	4540	Fmocba32.exe	82
PID 4540 wrote to memory of 2748	4540	Fmocba32.exe	82
PID 2748 wrote to memory of 1068	2748	Fomonm32.exe	83
PID 2748 wrote to memory of 1068	2748	Fomonm32.exe	83
PID 2748 wrote to memory of 1068	2748	Fomonm32.exe	83
PID 1068 wrote to memory of 1432	1068	Fbllkh32.exe	84
PID 1068 wrote to memory of 1432	1068	Fbllkh32.exe	84
PID 1068 wrote to memory of 1432	1068	Fbllkh32.exe	84
PID 1432 wrote to memory of 772	1432	Ffggkgmk.exe	85
PID 1432 wrote to memory of 772	1432	Ffggkgmk.exe	85
PID 1432 wrote to memory of 772	1432	Ffggkgmk.exe	85
PID 772 wrote to memory of 1624	772	Fjcclf32.exe	86
PID 772 wrote to memory of 1624	772	Fjcclf32.exe	86
PID 772 wrote to memory of 1624	772	Fjcclf32.exe	86
PID 1624 wrote to memory of 3728	1624	Fckhdk32.exe	88
PID 1624 wrote to memory of 3728	1624	Fckhdk32.exe	88
PID 1624 wrote to memory of 3728	1624	Fckhdk32.exe	88
PID 3728 wrote to memory of 3644	3728	Ffjdqg32.exe	89
PID 3728 wrote to memory of 3644	3728	Ffjdqg32.exe	89
PID 3728 wrote to memory of 3644	3728	Ffjdqg32.exe	89
PID 3644 wrote to memory of 216	3644	Fihqmb32.exe	90
PID 3644 wrote to memory of 216	3644	Fihqmb32.exe	90
PID 3644 wrote to memory of 216	3644	Fihqmb32.exe	90
PID 216 wrote to memory of 3288	216	Fqohnp32.exe	91
PID 216 wrote to memory of 3288	216	Fqohnp32.exe	91
PID 216 wrote to memory of 3288	216	Fqohnp32.exe	91
PID 3288 wrote to memory of 4408	3288	Fcnejk32.exe	92
PID 3288 wrote to memory of 4408	3288	Fcnejk32.exe	92
PID 3288 wrote to memory of 4408	3288	Fcnejk32.exe	92
PID 4408 wrote to memory of 4728	4408	Fflaff32.exe	93
PID 4408 wrote to memory of 4728	4408	Fflaff32.exe	93
PID 4408 wrote to memory of 4728	4408	Fflaff32.exe	93
PID 4728 wrote to memory of 3056	4728	Fmficqpc.exe	94
PID 4728 wrote to memory of 3056	4728	Fmficqpc.exe	94
PID 4728 wrote to memory of 3056	4728	Fmficqpc.exe	94
PID 3056 wrote to memory of 592	3056	Fodeolof.exe	96
PID 3056 wrote to memory of 592	3056	Fodeolof.exe	96
PID 3056 wrote to memory of 592	3056	Fodeolof.exe	96
PID 592 wrote to memory of 1236	592	Gbcakg32.exe	97
PID 592 wrote to memory of 1236	592	Gbcakg32.exe	97
PID 592 wrote to memory of 1236	592	Gbcakg32.exe	97
PID 1236 wrote to memory of 4616	1236	Gqdbiofi.exe	98
PID 1236 wrote to memory of 4616	1236	Gqdbiofi.exe	98
PID 1236 wrote to memory of 4616	1236	Gqdbiofi.exe	98
PID 4616 wrote to memory of 1732	4616	Gcbnejem.exe	100
PID 4616 wrote to memory of 1732	4616	Gcbnejem.exe	100
PID 4616 wrote to memory of 1732	4616	Gcbnejem.exe	100
PID 1732 wrote to memory of 1332	1732	Gjlfbd32.exe	101
PID 1732 wrote to memory of 1332	1732	Gjlfbd32.exe	101
PID 1732 wrote to memory of 1332	1732	Gjlfbd32.exe	101
PID 1332 wrote to memory of 2976	1332	Gqfooodg.exe	102
PID 1332 wrote to memory of 2976	1332	Gqfooodg.exe	102
PID 1332 wrote to memory of 2976	1332	Gqfooodg.exe	102
PID 2976 wrote to memory of 4340	2976	Gcekkjcj.exe	103
PID 2976 wrote to memory of 4340	2976	Gcekkjcj.exe	103
PID 2976 wrote to memory of 4340	2976	Gcekkjcj.exe	103
PID 4340 wrote to memory of 3624	4340	Gfcgge32.exe	104
PID 4340 wrote to memory of 3624	4340	Gfcgge32.exe	104
PID 4340 wrote to memory of 3624	4340	Gfcgge32.exe	104
PID 3624 wrote to memory of 2120	3624	Giacca32.exe	105

C:\Users\Admin\AppData\Local\Temp\e3635f8e8e0f3f814788ecd0774d0a57669cdff89b2b3d2fa0ee75831468808f.exe
"C:\Users\Admin\AppData\Local\Temp\e3635f8e8e0f3f814788ecd0774d0a57669cdff89b2b3d2fa0ee75831468808f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\Fmocba32.exe
  C:\Windows\system32\Fmocba32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\SysWOW64\Fomonm32.exe
    C:\Windows\system32\Fomonm32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\Fbllkh32.exe
      C:\Windows\system32\Fbllkh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        25⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        33⤵
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        36⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        53⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        56⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        58⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2724
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        67⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        71⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        73⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        75⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1572
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        79⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        82⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        83⤵
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        84⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        86⤵
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        87⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        91⤵
        
        PID:60
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        92⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        93⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        95⤵
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        96⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        97⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        98⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4356
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        101⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        102⤵
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        103⤵
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        104⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        109⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        110⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        111⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        115⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        117⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        119⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        121⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        122⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        125⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        129⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        132⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        133⤵
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        135⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        136⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 400
        137⤵
        Program crash
        
        PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5616 -ip 5616
1⤵
PID:5716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
80KB

MD5
fd24b1871a9338ad9c51342549c57c64

SHA1
287c785a4943b596269595fd3d662e201ff205f2

SHA256
1c5f396f6ec59f3db1a03929a11c8ad61ba5422b286bc87c9f09565ac16aa251

SHA512
91c906e1c076ddfe78690a7897360d399ea64465985909b4c5a279b7e8a80cf3c243e4c39cd72f44f7703e6730f9bc0c00fdf376c6e70a86d8e6bc9a5715b8b7

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
80KB

MD5
f8c8f17597a453c1b9707587e1b0dfac

SHA1
34acc062cb541e52b212c95df1147a3460c7c6a1

SHA256
c03b546bfd6839b8db76c95771a929deb155a8e7d334d085d3572b2fb6ae4d60

SHA512
623e4eec277313d4b5fe99684d0d90bec137b32857e6926975fda9fe440ec56c2919256cb7e76d8c7eee6ed99d505668cb594b3d700b47ac3c6a2c86f3ceb704

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
80KB

MD5
d83a94cca9f29b05cd8a2c1b9f326651

SHA1
19f9078b983a9d93f74afb9d29da519b7fa291af

SHA256
bce699e6052581cdb3c17cd9e4d3874190463afa4ff0e5066dc48e5da5b23628

SHA512
5475bc439f1094320743f50335e8b186d4d5f5c6e4d0b0e399a46d8a3a388ee122689c44f198742cb0a99e1f41ffe9feb722bd18602a5b1891f6229ebfb3e4cd

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
80KB

MD5
c3caa783217b4c2767016c21380c8e32

SHA1
87058addc32d133cad00c9b0b20bc0278a9143f8

SHA256
e82faf3deb557ec25b8a42e1d11a3262b4704246768c5df7ca51883fdd3b145b

SHA512
b4ae9564d705b478132434af17d38c6307e9b598ee02eea2d7825e6031acf27c4328fc18c66e960ed23cd594005e1e444dfa2f5ad2dda5aabd0797079e52b783

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
80KB

MD5
639c78aaa9d11d134dcbc8cd9ca69157

SHA1
73669dba6957b1c12b80883b06a1ababc90ce091

SHA256
9dd4803488b358e88beb5320cc63d38e8fd7401ac3d092fb10cd85500f535d19

SHA512
8df665f48780804d2d8ebd284ac84e891ee0857df15e3346da225559496287369522e221130282db20b4603ee313d73fb890c62f65c93684732fc18813e27515

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
80KB

MD5
78b0962dba3d65988808491a47ac9d81

SHA1
41e36368271347a9a42f9c848ba269b8e8a95c95

SHA256
4940dd1cb38b9e01dfece9911126923996d39e766a782c8b637598d51ce7dc1d

SHA512
cfce29d244cfc633959b2bca3c02adb65dbee54ed82d5d71eb23af56044ea7ce8d658e2aa88069b1b036ccf2b95a1218638f6d07a00040bb1582661e6ec3216b

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
80KB

MD5
6fb5f838eeb826e7232525878aa91d2c

SHA1
03ff4fc1c5e0d9689923bb5d1b7f21f1ca3b8e56

SHA256
fd5745edc5d113638b3dd188a69221325686dad9e3c0e3b73db3398519acca35

SHA512
be9bf144286f21b5afc7c4472b23e36f8879ff200ef8b2f7320780359153225cadc4c42c444bb15ec51014b236a4e435d443f5a358b4acb07f05e7adcc914dcf

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
80KB

MD5
b5a8ac85e8e5bb8e54f8dc94f55c52ea

SHA1
365d574a76189f141a3026f2c9e39f1bfd9d3f15

SHA256
b0e2448501529068247d9a9c57f4bc128f590a364c9c17ff1af3492f6bffdaeb

SHA512
2a200718e6cb15123e701d81bff07f40dce8fe7fc35156bb029bb9e22fec4c46a35a9fb210af855c94997d223455a26f058ff0342516316a175f5b7829cc1c64

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
80KB

MD5
582ddd8012e895893a7246c8368bf971

SHA1
a814b49e2f5ad0a934ec16aeaa56f6adec08987b

SHA256
b7e9cde9ffab9056c51039f1cf37effa8e82d19b9010edf5f7eef68ae7413028

SHA512
8f791237f1670c846cf685bceab8fa0da496c3ef4b95680d693fa1d6a7c8931421a13b178fee30055e2f6adebc1810348062b24bced112d78c3345ab009c66cc

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
80KB

MD5
8c7803315836b941d74dd569d536745a

SHA1
9d7c9b92b28a02ce021324098696e78ed16e2df6

SHA256
eb348bd1566561b18e88088674018d1ea5b093ec2dcf579d6af7edb98883e7fd

SHA512
c9bf2d98ee3fb7ee9c4123c827820f8bc510d6584b30fc895ab41ca83c833f919d99f072eea58510cab15294f9a4e9c9bf9c2b807a9d0f54bf5bf778118f2360

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
80KB

MD5
f8bdfabb4fea2a21ac5c7a90cf648c93

SHA1
1bfb8049c43bea96dbf96490d761a2acc92a2cae

SHA256
aae7bd68765bee79624146b86dadff588c75804f379f30c0f0dcc306ffe5640c

SHA512
de22c6e453686cf2f3761c8ea6a2d00d2d65c4a4cf9a3248f276f7f172bff6eeff9b36314265ddb3af73324fe16259b6245f83e1f337a4e37f28e8fd5900ce52

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
80KB

MD5
d088c27bcf8d1e451ad3d51ce126d58c

SHA1
3271ec0180264f07267b3d476c4da5a83b76b6cf

SHA256
877aa8dd5b84f46545575bf885b2611f4d4dc4ba4a6c0d1be32b21a4beda8b3e

SHA512
ef455245442566e1127fc5f90151d2679de87407339e4372db1838bc8acc9dc4722e5596903f05704e4db71a1513c11c7eebb21d1254d48ce176820c010a7502

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
80KB

MD5
949e59ca21ad65a052786ca609dc3cc6

SHA1
f251ea99157270cab5f58708f9e3e6f3779eb1aa

SHA256
e278b869f916890b96c74b0c21e8c0118e023439840850e29663d00d213e05c5

SHA512
174038eea8bef252d237d3dd450b5243f1f7bb8e35d395ff2d466f4e2e24b172333a64fc0c8f1a8882e328e42d2c7b16a040727f8dc4cb5ba30383ee7984b2e1

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
80KB

MD5
d815eeb5cfd5b5442ad205da013e5ffd

SHA1
5087c589b93b201b1e2023d868abfbeeaf06e9d3

SHA256
300a3543243c46f84ea8f9ed645b5d7fc32e34729dcf14586d323fde9faa4ef5

SHA512
0fcb8c0630639295ffae87a7e50059d0c718d98e0412b87bea2b898b77460c9cc970f29dd689603a4fb5b5e89ec6f4abe16529fb1854b49883bc08858b17f98b

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
80KB

MD5
e2b731fd594d8fa7efc7be75954ab7b9

SHA1
8767beb65b2806719f12f7d090746888aa3de7d3

SHA256
31ecc51ee3d88964895409ca4d873ef459e43fbcafd39989c5c5237a6675480e

SHA512
ac7bd8e89887ab29a507e7f657fec84eca32986cb156b31220bda6147f501106d70063a1ce5369a97825c6c83cb4753916cc9a02f03735c0afe2ec2b45c6e08e

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
80KB

MD5
de526b68639633669ef612b83e0d37e1

SHA1
c3ea566d8d70e59dde3bc300e8619054952e40db

SHA256
00439e0683c1d403b30a925e61d4703e9fd8e834bf691b397a4d781ca2d19bcc

SHA512
fc38b0778caecb27839fec5ccc89c8e001c3b7404caa3fcfbf530aa3b3561fbb755e908e4fc169d2408c4f682c87e21fe655804f48fdad308b07796540742714

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
80KB

MD5
9769aa718fbdee4789b117dbb2ee4813

SHA1
4fc666a37510a60086b3fc74216f8405c8119e94

SHA256
8400729d82e8c94779ff5c2b6144b78940549f06f0e0d7d685362e0d60a1604c

SHA512
0bd2237e6788023e83ca5f13896efb0c1c52ae2b00b7f6aa31ac038dbcf56198262a1844309999a4249c5b628f95d71fa36e7e4d21616040bf984d81c799dbfd

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
80KB

MD5
bb296d42fa9a614ff9a327e6deda6b3a

SHA1
893b0027e452954e0be1e79f90f465b1157d7557

SHA256
0d1b260823d8013e0bd8cc71d099b10b627e5ac9dd1c8dd50ea0516d01a1053b

SHA512
a95c24c2ae4f7e64cd0b9714a783e01482320a0da2bccc3cc722de9b3a6d52821f0b3ae40e89748d2cc90b0effbe00e3da113bb22716d289fb0303d3ced10a78

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
80KB

MD5
8f997b04b804e079dcb0f637c7ce9e63

SHA1
9b04ac7b0a2e5451aa8ea3bb6df6e95539ee3123

SHA256
7820335f4988cdf4e6fae192b5488b2c87bcb8e9a75a7efcf017258dea7f7bc1

SHA512
255efd1d919918d89ce5d99d061632341dd4750b5925e695dac73fe972cb58a21025ea03acdd335d40abfd44919e5001f6a7a6acccf2d9a96568ba19521af078

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
80KB

MD5
e0ab1851047cf6f285f9e963ce28793a

SHA1
536cb1d06e6b0892afb237258173c266bf78a6e0

SHA256
31f5e993d886925b18a656968c16a1dc18b7fa31323f94fa25f08077ce8e98e7

SHA512
5cb9345b6859e5b243e58a4d51b541485f04d2f886df251b925f6bb352e43c6637c3a468de071462c6b9f6d2378def8804241968db3c6947fbce8dfd54f72adb

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
80KB

MD5
ae98bb47944ffe0d80b38b8ec47abe66

SHA1
c00454d6302879bb3b9a557da5f5a1dd8f381eb7

SHA256
0b90182e1aef9a3433ae9e316fb807ffb880e4652d81be7e3a3ecd0130251de4

SHA512
2138781f8bd46c246a7cf1085c6fa5b3cec634ed942d6deff5b99b960e2ba702a88af47484a03c830cf43c136962b0cc75dae111ed115b4fac072eb1128cf6df

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
80KB

MD5
e634371c96b491b10a1dcb0fa39b62b0

SHA1
ba15b105025432067b5fa7900715edfce1495926

SHA256
049a2bfaf3befa8c39fe3018a62bd330b6ad3b9c24fbe0e70da2431fe0e0f158

SHA512
3b592c36db6da815d6b282adb73a213b44051fba1f95224edb4a321c2dc999f37d09090ef94ef78f339959178f612797edc2307f7fd3db1300963e0cef488d22

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
80KB

MD5
7ba40be8c116d780457d76ffbd934321

SHA1
0a75130ead15fae1039691826fd00e7b89840659

SHA256
50adbca73b21f4569ddd81a1e7061832817d68a425f07c68fb01015b2970cf23

SHA512
9910beec414fdd18fa1d7a44da6a5a0414cad9f41c11edcf52c89650a1871ebb0cfc96a8331b5f199a531ecfb1687cd6171743dc690d1193785cdc4907294354

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
80KB

MD5
a05f3a7ccf2eadd94048583811a64982

SHA1
4c94ba69d63dd5e2bd53156f8bf1bfafc538593e

SHA256
be1fba5184a2a8fc434e608e3d685030c981d501abc772abee06ad402d579ac3

SHA512
554a04813dff074517197c6c9ccc1a9b0c0810d010f7dabff291410b7f30670f4fad39243965dcd2be49c41b47a68f065ec9325c7d1d57acf9d229e219ba5a57

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
80KB

MD5
a768b889bafc7e2fe296396b887d7a7f

SHA1
03ac5800f8c11893be3cbfd4a2a7d18e6f6a28a3

SHA256
f6b52ef1e48fb2226e5e58bb68aa4a79c859f8fe319be8a8e44fc9dbed527724

SHA512
ec82f0fc0955cdadae5afbe6340acfe6b7e64ebf5f0dab43d1c44241231badcbcb327374e8329c2a8dfd0d14f181b7c3174dc6b96eea4fb154d15ac7f890ea22

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
80KB

MD5
cd44c424a4098c8065315fadf0e563a8

SHA1
b00dda6e54021fe83b7871ba8de0d23aa71166b0

SHA256
f7fdb847502560937b901ecbec4f93fe8289b544d34d7ee056433f9234257a5f

SHA512
bb7cf7e17d9ebcada9696d1ac6ae5fe93744583cae38316371973b132a2e59665c1dd056c3651b9488017dd2ce875e4a8a6913830737c29f041768d4cd4d15a0

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
80KB

MD5
35ec66331ddb983b504803ac7d77423d

SHA1
066e3f2ccdf9d360d185fe8808d22a6f83877696

SHA256
2798bbe27e6c35d79103ad6f07bd0e76695b9bc04d8b12431e206dbd5163f6a0

SHA512
a610a1a67b331e3623c1a0ce43a1f5de57d0d7ae35dbe3f5f96522ff815a717f212695e31dcd5ccda499f3a8da8c0979028a1c6d480e9e50b9abe96868085933

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
80KB

MD5
5a72f0c8f2c8fc58ca6454dcd8e2abaf

SHA1
398b30b06fe803daaed8c004f57e754d999da60b

SHA256
865d7f6455c86a0f57294a1a3c5c025ab2330c272a5809e0638c171c4fd843e9

SHA512
b7bcb8a655e18076b6465efb9667a37653a08fe8be3a3dd0a6d9252e705c9507bf33fd49b40dd1511213c2d5fd39b44799833efe1bf267595a00366ef5fb8c7e

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
80KB

MD5
8748e5abcff59ba324505694965f2fd0

SHA1
59de6d613c65fe6793a8f4d9b4e2ef32ff7d22a6

SHA256
2256fb2a06df739b2179f923f6c5da5d2a4bb23e2b9a3713b70b7c73e33fb949

SHA512
4b5a83ad0d4c88389ddbc2785b0f97897828b5cb5840095e270c3c8dc84c4b22758e58bb1695d579131690d947d487c1e16a4c930cbca62667900e7fdcb09d28

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
80KB

MD5
540d51adc8f20b66d0506b0a8ba65e2c

SHA1
baf711d202d1cbf1eb16b35ef876d7b4df166ed7

SHA256
4d8c4e09cffd703eefe4e9dc074fb0c9ae3e2b276df612a7b94d00357118f72f

SHA512
61c20769977c43e8ba827adeecb10e16a91d10e4eb4904b23d95d819ca2a00d8c843b8542c59320421365a8d415c4bb8c9cf357b5ba3831cfc53543964ea3a62

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
80KB

MD5
a053fcb45653e45a65f5896f10eff148

SHA1
7d337901c19cd3480a4c7efd4a20d24379baa770

SHA256
869baaff832429326fb29272a7cbc84e705ec556134166c12a2e1d7459de2749

SHA512
7b7d17a81d65e82a3ccc01e8ece20ba6a720cae23b030313447d93fad12f1c33ff48937c75172c4a4a8f36e258319daacad9af9dc3063b3963a800f7a04c9308

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
80KB

MD5
4bd4a8617b7dc8357c99c619a54832d7

SHA1
72baa2610400e71e42221ad3853dd9e662e621f7

SHA256
f1523e67d0241c5fce5ee8d01d1d4e46817b12dec680792cd1262202e918b7d5

SHA512
6413294d3379c13ff0cc88b396ef1b1c034a56b0207de6b8fdea6c14ddadb59c373e85005275e50237dd0ebefc81b181eeaa38ccbc514503259b87e054d6cb5a

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
80KB

MD5
e232dd9745c4f0ead291989f91fcf6f6

SHA1
70706f641df834cc8453f00126a95230690c917e

SHA256
b29ab97cf6e69aa56665925fd232a2de969a2945a2b2ca88f0a2d04b1ac7ddff

SHA512
f6f0120ec5b89c58a0cb281ad3deccb5d71e2397f45aadcc0c0e045bba78c61cc8af8e3b40b65e3978512f6d2dacc3ac58c11d921006c63dde67590c6a150323

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
80KB

MD5
7ecadf385f45444bf74e7f47fd34524c

SHA1
89d1cadb74f092f0b453504087503d810f7e0746

SHA256
9f9504da9c3a2668e373c78d713b354c59b26230ee01d9a1844b277bf463b7fa

SHA512
c2d2bf60141813ba86beea4fc7a6e42804105247dbbb36ff89a9603d3f17da162805bc647fdf7ff48cce2fdcc54d075c0b63023375c0068abed92b8c48a10bf0

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
80KB

MD5
398ba2796ffdbbc3d090acb826d044a4

SHA1
f271c086e9416470bf909e14cb822b10a5efcd31

SHA256
92e8f91d191d88ce0803726677848d99c76c46f30624c698971a75206bd53bb3

SHA512
f47c231c51b54df4e78f820bd8393b2342e7942c715808b6b5041b8a9bbc094f1ed723d99352033d8d92e0f119d1b4762ad1efbefce8e44fb130c37d979f9d21

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
80KB

MD5
9b14b48cf1c7bdfe95172f0908d09a91

SHA1
18cc5efa96db961b308ab8648f43aeb3f92277d8

SHA256
e3f431fdc3f8ec7f1f630819558eca5cbf7cb2784c2075bab506fb97546ade0a

SHA512
c44db6945854ee98692c230287a8be5d1d9834450fdfd0f16fd90be26db3c4b62dcd6c91fee79569ecb34687e7555e59e16303a05694cac61aa6a31069a98fe8

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
80KB

MD5
c5ae31ad8c0858eb073d92be6dd9d285

SHA1
2e6d3d890422db4b80ddf55c9e813b4ebc4c40a9

SHA256
c16d99e4ae6c0fec7d021630b0a6aeaf58586a30d33f5109513c6fe2dfacb15f

SHA512
53ecff0de0d38c7a549d3ac1b32da3150d6be7df72d3c97faf61eedec41248f6a4636035eda83115bc0c9e1b347690134c01c2d6b76acafd2fe763cbcffed6ad

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
80KB

MD5
26ada5eda2b60ea6e7754f8d7a4df585

SHA1
e3505a55068bce1a2f998bc66f1120e9b057880f

SHA256
6d9822b2099f558a45204102909a64dab01d8fb81a0335642714a51ecff82de8

SHA512
c5667247cf4643a727b802942a4680672faa92cf6c33e9c4b61753326866969b99dc3d98bd48766526e2de29d06cc463b8882be939271eecbc19b3e32a63808b

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
80KB

MD5
cfb5ff622a24b6bb2ba8238627f9cb77

SHA1
f9953fc43a8a8867a6a5409193696db8a88bd1cf

SHA256
721d1246dd5e1b449048bc5f39c376adb7a0cd2621d5d512ead90d2f9a94c03a

SHA512
67a585efc26c7cc08b2c418bcc4fde5c26b6d902488f0900bfea717e91befa2bcae3665adeb4abec834516ec17083380b330137b94749b1f0824be5240159553

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
80KB

MD5
1ce3080d19de99911abca0d11f92986d

SHA1
c76ef4abd9e31b6b80c6f33b1576dc4f13c8713e

SHA256
9ae1c59a4a04dd2bea12e8a5f1d678f32c1ce2fe2bb29230ed3d30a807baaeef

SHA512
c02395d91e5001698a1ae9f53a2d2891a6a6f94f5cc85a9283a24bb94a8186a79649ba1b9cefd8269ea41429673db5b414bce82d0146a2081672b934ea82b39b

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
80KB

MD5
d1f2a7c077a7fbda4ee95fbb2a46510b

SHA1
f29142ad2c784bec15ca89c9ade1fe331bf2928d

SHA256
426176d4bd467c43f349dc055e9137101d2cdace46a11288e0b5dbed7b469f54

SHA512
ea8711230dbe73a234830d9fb2c42c1b10680ac504bba4e5136ee651179aa1f44bf7b8c1c57e3b46234fda68d71efd24b606621350bf1c63c8ce96f73f33396c

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
80KB

MD5
18102d2f6c643c523bafaa5740e9f805

SHA1
7a9d552542af62c0bd381307ac19ae2f0c263a42

SHA256
2ee18f36b97f51ed93c3fe1982704920f9d2f3d507fe837204a35ba9fb5bc11e

SHA512
6bc4c22b8d41a2b63908fc95c36842b9534f6bb820b5bf54fe3d6bb068835c6d6fe945ecb68f3fb47b723b1808fb273459515fb4b34d1d6fe9b6ae039f939abc

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
80KB

MD5
c616fcde340e2baf9368d0ee949ddfdf

SHA1
cf949fb233afb4aa12ea79ce2608d13457f05deb

SHA256
7c8930318b0e06a3d62c2ed6b0dc90c3f77a23630ea9f76fca2215d924018d2e

SHA512
49537a763f3502437990819679b48e38384658b6aaaa5b2edd949bfb81079ae3ab24bc81896db19722c9c2d3e953e3d10cb071960356fc535694480678dea963

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
80KB

MD5
d63dae0f8d8f6e955ce7123249a8b0ca

SHA1
faa3ec6ad734ae1c13f968566a039b236f696676

SHA256
62b0d7016f153d3b8f13342f90f04f212bb0929c0cafbffed00efd2fe216035c

SHA512
dfc2cae6c6d184d7710da71d486f17ead0666d7c715d30772335fca26abe52a75893cd6b414d21ca15197b383b447db5ab6764b701cac7a5313b028cb4afa51e

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
80KB

MD5
ff5b2e269bb8a59d901bec36b25f3893

SHA1
f419227a26e67cb5d848a0ed84f24d3a0d3aadf6

SHA256
9efd6cfd1ac76aa90b210d2f8ac37ecbd240df02f00aa7dae0cc14959bd37e67

SHA512
2101da1e9718ad5cc85cab0612f9623156d748256c3c8b13740ca1310905920f853deaefe7b6a5d2370b3a0cdff1310dbfb5de286c347a90d4291f6cf022356c

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
80KB

MD5
29c07cc81cf9b79a3e5a3358aad00c0b

SHA1
1875455a56dfaa78f01b8cf9b039c4a3359da9a9

SHA256
3fe60a6ce5f28c89a36556fd94927ece1680fc7ef16bc37c5ad05df3c35deb7a

SHA512
2248e48e4ea36f5a7b99ba9bd2a0ae8b0fae3637df65b2268e0a089f48cb76a261a8c900a5dd6b197603c96d126cdb0136ab45da949bab0d9d361be126791d03

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
80KB

MD5
6fb684b0b569d80b2919c8064a1585b0

SHA1
48729b78fe837269f9be7b9ed5e20bf0d23d934e

SHA256
d860825dc67e751521535a132d08f40f152f4c274317acdd013538e59547bc90

SHA512
570a3a30ef1a78e2d603e44df94ae66d4f634103ba85ba94233346610c1ee742ff54fa620097438c9d4d0b145337892674ee06dbefef070b9236882955c51ba7

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
80KB

MD5
0dfbdc88e363f3916ab7e8856e4cb1bb

SHA1
9395c6b7834106bbe662dce17bce82d6c39634ba

SHA256
e0a0473ee2284d5d4a02dd9d502366500f5d9997cad5f800b5f2f352eb90f091

SHA512
649883eeda24208edb70922d11dbf02c3abfcbee524f62b1f9d5b8327f96c5aef1a420f3cb9c8d79eaf74245ee822ea0a0545007aff69e96878725975c435a60

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
80KB

MD5
2b5e6cf70c6fdd5745c7fcca6af6a770

SHA1
b4389d8cae26e2ed681bfd95128b0e01f8f18f61

SHA256
9278e75e0ebe48b1f69aa994fb977e5134e1614e4edf91cc825e2a415dfc160b

SHA512
863a98f98f2ddbb36b852f255a7d2e5eb1f186170fefcbdace370c6d09bbf7da6639166273dc80283500a8304d13296a8ac6408bc399d4c96a608642efeb1dc9

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
93ec0c053e46c4e9bf74987f7189a26a

SHA1
b944f665a304a74423b8db2b37320edcadd748c3

SHA256
0cfcc8552e8d2d1fcb56d93e9a22c5df0a85206ae5328011f946e68203b70b42

SHA512
16fc21d2cd80c8b9d6f6331079ea850acac3a8a3134c3b6899f9e1733b9420b6ab43a278f970b9c5b5b131cb89829b9cc9a93ee475464240feebf98f6cbafa81

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
80KB

MD5
47c8321bc8c91642ec8bfce702d44cbe

SHA1
ee0116a51efe381009f46e9f5cd97b5ff36f4fff

SHA256
4a0abda7e79d6a74c0bbb3c0f11806a7104156627ac651ddb00b0190a72aa7ed

SHA512
6f09d0ad93d9159b06df5edf270773ff0cb9fb16e2667a9405269bfb75f20cdd7815ba9d2b3b162fb3cbe510893730054cd528c80e1a8e1541b2f49fb64660c9

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
80KB

MD5
b98330e68ae7e7fb9700bf554fe20fa6

SHA1
62e597b18f87ca66f6959e80ea5222d0a55488a4

SHA256
44d17681dee8cb285d5fc4b1655e357d0f39d700e315cb7f19a8b1f9a15df0cb

SHA512
74062569425bab95db4fda1df0d8042b39d2689b7f2c4af486d547200b7483f86c5d67e2363012545ff256dc8336fec5ed14586fc71997241df459fe674a23c9

Download Submit
memory/216-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/216-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/552-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/552-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/592-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/592-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/772-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/772-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1068-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1068-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1236-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1236-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1360-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1472-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1488-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1488-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1732-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1732-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1988-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-381-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2192-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2192-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2608-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2608-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2748-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2748-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2876-423-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2876-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2976-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2976-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3004-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3056-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3180-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3180-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3284-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3284-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3288-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3324-283-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3624-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3624-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3680-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3720-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3728-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3728-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3864-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4128-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4196-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-178-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4540-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4540-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4592-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4592-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4728-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4728-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5008-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads