2ffc00e6f3bb7c56eef83ec9b8a89ca9b23ba3895055ec078196dfe6e1d3ea66

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ffc00e6f3bb7c56eef83ec9b8a89ca9b23ba3895055ec078196dfe6e1d3ea66.exe
Size

80KB
MD5

0141f4e1912605fe2e790ea260e58b69
SHA1

5956fa1b3a6a21805ca52bf13710a24bc3110897
SHA256

2ffc00e6f3bb7c56eef83ec9b8a89ca9b23ba3895055ec078196dfe6e1d3ea66
SHA512

59479010d301e24daad5611abacff5d67c1d2a5d023ed704f8b86e73ce53b5e91cc60dcc261bc798663fc36a5a1639f4ea199e482a93c806b5895010d0ab17b4
SSDEEP

768:2lJTfyPuJQNr+J4Tnd0VBGmni8Jn7jTuIz3o/1H5vYXdnhg8+nzNdElEyeMKgMJe:QJ7y24DKV8mnifIriVqN+zL20gJi1i9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe

Executes dropped EXE 64 IoCs

pid	Process
2536	Ejjqeg32.exe
3384	Elhmablc.exe
2964	Ecbenm32.exe
1296	Efpajh32.exe
1504	Ejlmkgkl.exe
4908	Eqfeha32.exe
2196	Eoifcnid.exe
1760	Fbgbpihg.exe
1172	Fjnjqfij.exe
2084	Fmmfmbhn.exe
2028	Fokbim32.exe
1068	Ffekegon.exe
1904	Fmocba32.exe
1080	Fomonm32.exe
5052	Fjcclf32.exe
4028	Fifdgblo.exe
5116	Fopldmcl.exe
4540	Fbnhphbp.exe
1368	Fihqmb32.exe
4448	Fqohnp32.exe
1616	Fbqefhpm.exe
2212	Fjhmgeao.exe
2888	Fqaeco32.exe
3504	Gbcakg32.exe
536	Gimjhafg.exe
4660	Gogbdl32.exe
1092	Gfqjafdq.exe
2988	Gqfooodg.exe
1692	Gcekkjcj.exe
4300	Gjocgdkg.exe
916	Gpklpkio.exe
508	Gbjhlfhb.exe
3312	Gqkhjn32.exe
1696	Gbldaffp.exe
3840	Gjclbc32.exe
2792	Gifmnpnl.exe
4608	Gameonno.exe
2928	Hfjmgdlf.exe
3532	Hihicplj.exe
1756	Hbanme32.exe
3768	Hfljmdjc.exe
3104	Hmfbjnbp.exe
3252	Habnjm32.exe
2856	Hbckbepg.exe
4412	Hjjbcbqj.exe
4020	Hmioonpn.exe
2176	Hpgkkioa.exe
3080	Hfachc32.exe
1688	Hippdo32.exe
4360	Hmklen32.exe
2200	Hjolnb32.exe
232	Hmmhjm32.exe
2724	Haidklda.exe
464	Icgqggce.exe
1912	Iffmccbi.exe
4044	Iidipnal.exe
8	Iakaql32.exe
4872	Icjmmg32.exe
2464	Ifhiib32.exe
4284	Iiffen32.exe
532	Iannfk32.exe
1428	Icljbg32.exe
4488	Ifjfnb32.exe
3164	Iiibkn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Eqfeha32.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Fbnhphbp.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Hopeje32.dll	2ffc00e6f3bb7c56eef83ec9b8a89ca9b23ba3895055ec078196dfe6e1d3ea66.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fopldmcl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6948	6548	WerFault.exe	277

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmocba32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 2536	3096	2ffc00e6f3bb7c56eef83ec9b8a89ca9b23ba3895055ec078196dfe6e1d3ea66.exe	82
PID 3096 wrote to memory of 2536	3096	2ffc00e6f3bb7c56eef83ec9b8a89ca9b23ba3895055ec078196dfe6e1d3ea66.exe	82
PID 3096 wrote to memory of 2536	3096	2ffc00e6f3bb7c56eef83ec9b8a89ca9b23ba3895055ec078196dfe6e1d3ea66.exe	82
PID 2536 wrote to memory of 3384	2536	Ejjqeg32.exe	83
PID 2536 wrote to memory of 3384	2536	Ejjqeg32.exe	83
PID 2536 wrote to memory of 3384	2536	Ejjqeg32.exe	83
PID 3384 wrote to memory of 2964	3384	Elhmablc.exe	84
PID 3384 wrote to memory of 2964	3384	Elhmablc.exe	84
PID 3384 wrote to memory of 2964	3384	Elhmablc.exe	84
PID 2964 wrote to memory of 1296	2964	Ecbenm32.exe	85
PID 2964 wrote to memory of 1296	2964	Ecbenm32.exe	85
PID 2964 wrote to memory of 1296	2964	Ecbenm32.exe	85
PID 1296 wrote to memory of 1504	1296	Efpajh32.exe	86
PID 1296 wrote to memory of 1504	1296	Efpajh32.exe	86
PID 1296 wrote to memory of 1504	1296	Efpajh32.exe	86
PID 1504 wrote to memory of 4908	1504	Ejlmkgkl.exe	87
PID 1504 wrote to memory of 4908	1504	Ejlmkgkl.exe	87
PID 1504 wrote to memory of 4908	1504	Ejlmkgkl.exe	87
PID 4908 wrote to memory of 2196	4908	Eqfeha32.exe	88
PID 4908 wrote to memory of 2196	4908	Eqfeha32.exe	88
PID 4908 wrote to memory of 2196	4908	Eqfeha32.exe	88
PID 2196 wrote to memory of 1760	2196	Eoifcnid.exe	89
PID 2196 wrote to memory of 1760	2196	Eoifcnid.exe	89
PID 2196 wrote to memory of 1760	2196	Eoifcnid.exe	89
PID 1760 wrote to memory of 1172	1760	Fbgbpihg.exe	90
PID 1760 wrote to memory of 1172	1760	Fbgbpihg.exe	90
PID 1760 wrote to memory of 1172	1760	Fbgbpihg.exe	90
PID 1172 wrote to memory of 2084	1172	Fjnjqfij.exe	91
PID 1172 wrote to memory of 2084	1172	Fjnjqfij.exe	91
PID 1172 wrote to memory of 2084	1172	Fjnjqfij.exe	91
PID 2084 wrote to memory of 2028	2084	Fmmfmbhn.exe	92
PID 2084 wrote to memory of 2028	2084	Fmmfmbhn.exe	92
PID 2084 wrote to memory of 2028	2084	Fmmfmbhn.exe	92
PID 2028 wrote to memory of 1068	2028	Fokbim32.exe	93
PID 2028 wrote to memory of 1068	2028	Fokbim32.exe	93
PID 2028 wrote to memory of 1068	2028	Fokbim32.exe	93
PID 1068 wrote to memory of 1904	1068	Ffekegon.exe	94
PID 1068 wrote to memory of 1904	1068	Ffekegon.exe	94
PID 1068 wrote to memory of 1904	1068	Ffekegon.exe	94
PID 1904 wrote to memory of 1080	1904	Fmocba32.exe	95
PID 1904 wrote to memory of 1080	1904	Fmocba32.exe	95
PID 1904 wrote to memory of 1080	1904	Fmocba32.exe	95
PID 1080 wrote to memory of 5052	1080	Fomonm32.exe	96
PID 1080 wrote to memory of 5052	1080	Fomonm32.exe	96
PID 1080 wrote to memory of 5052	1080	Fomonm32.exe	96
PID 5052 wrote to memory of 4028	5052	Fjcclf32.exe	97
PID 5052 wrote to memory of 4028	5052	Fjcclf32.exe	97
PID 5052 wrote to memory of 4028	5052	Fjcclf32.exe	97
PID 4028 wrote to memory of 5116	4028	Fifdgblo.exe	98
PID 4028 wrote to memory of 5116	4028	Fifdgblo.exe	98
PID 4028 wrote to memory of 5116	4028	Fifdgblo.exe	98
PID 5116 wrote to memory of 4540	5116	Fopldmcl.exe	99
PID 5116 wrote to memory of 4540	5116	Fopldmcl.exe	99
PID 5116 wrote to memory of 4540	5116	Fopldmcl.exe	99
PID 4540 wrote to memory of 1368	4540	Fbnhphbp.exe	100
PID 4540 wrote to memory of 1368	4540	Fbnhphbp.exe	100
PID 4540 wrote to memory of 1368	4540	Fbnhphbp.exe	100
PID 1368 wrote to memory of 4448	1368	Fihqmb32.exe	101
PID 1368 wrote to memory of 4448	1368	Fihqmb32.exe	101
PID 1368 wrote to memory of 4448	1368	Fihqmb32.exe	101
PID 4448 wrote to memory of 1616	4448	Fqohnp32.exe	102
PID 4448 wrote to memory of 1616	4448	Fqohnp32.exe	102
PID 4448 wrote to memory of 1616	4448	Fqohnp32.exe	102
PID 1616 wrote to memory of 2212	1616	Fbqefhpm.exe	104

C:\Users\Admin\AppData\Local\Temp\2ffc00e6f3bb7c56eef83ec9b8a89ca9b23ba3895055ec078196dfe6e1d3ea66.exe
"C:\Users\Admin\AppData\Local\Temp\2ffc00e6f3bb7c56eef83ec9b8a89ca9b23ba3895055ec078196dfe6e1d3ea66.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\Ejjqeg32.exe
  C:\Windows\system32\Ejjqeg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\Elhmablc.exe
    C:\Windows\system32\Elhmablc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - C:\Windows\SysWOW64\Ecbenm32.exe
      C:\Windows\system32\Ecbenm32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
      - C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        33⤵
        Executes dropped EXE
        
        PID:508
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        34⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        35⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        36⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        37⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        38⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        44⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        46⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        55⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        56⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        58⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        59⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        60⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        62⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        63⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2312
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        67⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        68⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        69⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        70⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        71⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        72⤵
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        74⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        76⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        77⤵
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4312
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        79⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:512
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        81⤵
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        82⤵
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3140
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        84⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        85⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        87⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        88⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        89⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        91⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        94⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        95⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        96⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        99⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        103⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        105⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        109⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        111⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        112⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        113⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        114⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        115⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        118⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        119⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        126⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        128⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        129⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        131⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        136⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        139⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        145⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        146⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        147⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        148⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        149⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        150⤵
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        151⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6240
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        153⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        155⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        156⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        157⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        160⤵
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        162⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6752
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        164⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        165⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        166⤵
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        167⤵
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6972
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        169⤵
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        170⤵
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        171⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        172⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        173⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6216
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        176⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        177⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        179⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        183⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6960
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        185⤵
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        186⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        188⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        189⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        190⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        191⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6548 -s 400
        192⤵
        Program crash
        
        PID:6948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6548 -ip 6548
1⤵
PID:6772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
80KB

MD5
3ecc6d3e00df2d7bc057deb2f9a6ae81

SHA1
84e01db2a6759971657f4a2fd6db42051b4d738c

SHA256
176972803086913bf12fa2217761f74a265c0fe38fbba4e98df3e4dcb3f59ee2

SHA512
995f1d0fce01fa2ce0f46c8500add6bc4309e40f9f05545170cb877dd90d33ec25b4752ef739fd596c2b72ba56d1dc6fe577d39aaac4cafe29b6d87f04e2d44f

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
80KB

MD5
c9c89567ad0c3beeb627d116618864e7

SHA1
921427651e81133351b48652889ee5150302ae55

SHA256
ab3c2c20da9aeae7b60eb541bd76f66d8107a5aaaf64cc44b8f74ff70524b466

SHA512
3e39a70f4316153092a2cb579280bc3b6280eaa3e052db4a41dbcd4de32f4e85ee53d434ec83609caf165b3c5911e987bc390ec5cdc1d06431b60820ec5c61b9

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
80KB

MD5
5cc1c98499b3f805108f03408956229b

SHA1
24c661118f08a921ba9f498d052f8b5952e2b652

SHA256
a7b81b443f96d5f65c193e757d295644c171497a6f104aaaa3a5a9b7a77ba62e

SHA512
c25a3485bfc361992300cb1d644ef3f4972039f494a0ae6e6dc01478179f3a34494aaffb909bdde2b933c3cbe89c0773f914826246c3f875a9fb0e992a160e98

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
80KB

MD5
db70d4f22c53282f60589789ea08c5d0

SHA1
0e6fbc7a35ee364204df4f014cafbfb3c4b927ad

SHA256
8ce825015993db81be3766392fd6556113124d731c8119de74feaedc02fa88dc

SHA512
fa95ede08d0ca23b194a9b853a418172db4b64830c560259bb690d6cbcd8f5f68eaf67c0464e4d026491b6bcd53214ffcedc3c4352e4192d5ea3d712ef09bece

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
80KB

MD5
ec56356435bcfd5ac690a939cbe86ede

SHA1
86eac6ec52da5e4c45d6c7f86958039e8ceac0fd

SHA256
73f8a03ecd7877cebbc59b3ecf624ffadd892f83ab4266f9b532c5bc5ec950f6

SHA512
1369c904a7974ef690af2303ddbc743049e0c428e1bd166975e2e0ee24af241ed1a03c409622132ca4c0fe7eb40cefb23d9c73b98c4b124c64cad6a253370128

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
80KB

MD5
3744ae7eebfa84dba0a4e6d47059d5cc

SHA1
e51bb1fe6beafffc3074bc5acbdefb5a3d8d132b

SHA256
b97f5d78d69f2b3a1c48a31eec8386e4bc9a9e1a965eb9db9d0c51442ab244dd

SHA512
354d3486f7d806a7c069a75e8b7e7b67ea704eb3a4622663604dced0a81a95aef158f2da22f898d338df658ed075005399ab44fd490b6474269f531422c3346a

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
80KB

MD5
9ea4757bb944b63fb23f59f5aa9dc42e

SHA1
bdaf87d2c45b6e5904f702a60033461db2eba8bf

SHA256
0679d9e46ca5cf310ac7353e464766645351ea6c386baba526cc81f0c6bc2624

SHA512
83a275dd965c21268cb61b7ed68b22ac50ac92e984c0d06f1f952d6bdafe803ff7a194614a5d20e6d18e59da1984538c2d5ab0219fbb982bad5e82b895762224

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
80KB

MD5
30e12fe0d82760feda30b5637629ac40

SHA1
0bdde1db27150bb8970a9590c7edae3d655146ba

SHA256
aa0d71e1b30a281bcb7b7612fc5939f63c3f1d199b09c595c941b98ac057ea4a

SHA512
fda439eeaaff2c72febceb8339ba5719f46d3281ab5f95fec456d214fc116942ae131180df4a58c7b1c16f55463ee66d8535ad7748ffdabc008caae3639dd7a4

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
80KB

MD5
a817d86b4df8ef28ec11947afc8a609d

SHA1
af38ba4d8818b6217027004c5e6cf85ba538b25d

SHA256
fb4151dd78dc453483a4df5f41a4bb1b2d5a3500788079d5d1231275c799b23b

SHA512
e0bf6ffdf7570912a9170b6cd30c127af00fbf41056a29d42671d0a21c025712e1553aff79d083cbe0adb9a199d18f58272eaa088ba0f4d5c5e0fed1f29a863f

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
80KB

MD5
746b3d0c68c44e0ddd60c98adaac714b

SHA1
8107860995d828d35e21f6b67fad87d0e4f961b5

SHA256
e27a756202480f266038825cf934dbd42c4f403d4bc3640cfe0b00c86057e287

SHA512
f74ef1ddcaccdac29e638854920791c7800e8b005fdd4f163238ef85ed2ac2510650c2eb7c03ed0520457fa1398ee57272ce9aba5c71e292bd506c7b90af2bbd

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
80KB

MD5
2f2d5943e7db63bc64a3e26718c61e12

SHA1
21e18194bc29ca028eca62fdda617fa22062447b

SHA256
36bfdc0eb1ccbaedc281b8547b49c2fd00b704dbeb655d0198de712e595bc862

SHA512
eab2ae466cae172137f0f56a5f9fc0e6da9ad98ff3c5c927a9444f054d60cedc6f7bd102f6c2d6bcdc0c6c550d70b6e15d1a13b9c386479adc6f667cb5591e1e

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
80KB

MD5
33b777f693ceebcfcce3e7494ffb4ace

SHA1
4905ad20ac7f574d1ee8258731450f034a69ac2e

SHA256
83094dcceb3a7053c18f25023fb08b7cc5707357c329eae1022e5240c7154112

SHA512
ee045d8699cac809ea3f272214b9949e553ea73a97de3551945e688735e751c5a24b71bbdccce064b8f0c9acf6ddf6096f6ea5a5b33872ddf03fb080adddbc33

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
80KB

MD5
9862222b46b26ab823cef4693353ecfb

SHA1
8da14fca18a79c931d007af3fa072d2b487db812

SHA256
304f9b84175d2fcb8eab062a6bfbe73e800999d0c74c6def7305f1027949611c

SHA512
eb80c5e6ec193c5c8cfbcfc981a64acf921ed86e44321e006c9418dd5106d3afd2efc1ff934f37a3531b8855b6e866c0118f7aa9496484273443923934a73ed9

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
80KB

MD5
94c82841da227ba9a692a35ad90b5502

SHA1
e7e16d65e1982737c1792309cf6c47b971fee37f

SHA256
dac568d9c0100b59cbd91a60ea2c6de28ac45225e3b8b2baf0afab92acb25a96

SHA512
7f0610a3b86fff43970fc81a598b55d8658f0c603c303880d838e53e0f3983d3fe475064798f309c571300d1b4ae4470d2eb38745ea52a1771b3699db9234882

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
80KB

MD5
faeb56e2a967576a2324682cb442f400

SHA1
a21455870486cd1fe7d24f6d3f4f9ffa84c1987f

SHA256
b2441eab9356a833bb944af0b6955d25c8c40a9d93801f6f00510f349530e734

SHA512
283ed901e948a39153da7c2f9aff438181709b165ff3b341ec7a620057d518d625ccfba943c36f74df87520fec69f37c001f4d34bfa6b5e7b4331bd884c2b7ff

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
80KB

MD5
6839c8ba0b4c83a231f5b7cd7c3791a8

SHA1
a42601e56c403e54440315586f020add685afebe

SHA256
b2d768eaa9fb1a64df8feb3b1634427ccdfb3202ab0bd59d7c7a033790083126

SHA512
f75606900c796b10b7dc91b8d788f7f073d6237a6576546b908fe425c23696c19fe163946d026d7ea649d98d2635680ff418f32d37c54020c9125170fe2e267d

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
80KB

MD5
828b3398ebddf5f894b99d25dcb17862

SHA1
80d89670aed7500c8249758bfa8e4c2c1bbe6d95

SHA256
b1aea7df7f28638e4bb1e50479bf2c943b6b753468746f7fe82fac82cae75df1

SHA512
0a48d047ecf59c867ada588c843c9c2d6f0be23d1d11162407a7b1cd59dbba158fe7e1bfa79861b2005f9a42ad7400d12f189eaabdd413b5eb93be8d37994466

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
80KB

MD5
651c3b59860748d590a90575b46ddb6a

SHA1
fc5398845675c2a3de752a68a711db760c4351de

SHA256
074938d6ef842289497846c9add6dd0a5020e1c83044a571ca22bbdb695c9071

SHA512
7730b0639f218e19109239d11b56780d3cd0a0bcb233082630cdd5a982a5cf1fcde08cca48890b0430474dfae60a00ea345347606584ea10c97de69278a564d4

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
80KB

MD5
c46fd5116f2eacd8bf78adfc432add85

SHA1
2a06dfd8489a588fe66a95aa81ec0f1ea15536a1

SHA256
bd663028fc3ab2f7a6163bc410daddc2cd972a90abef12c433efc43d9cd7c9da

SHA512
5807c74f4305735d03e2df229e4464b63ffdcdbcdc6548885c5ef47b46bbf23ef77d619498e69228849a70f73ec5af8b95e700261e0740408a763a3a3e7f14ba

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
80KB

MD5
555b902d801fc3edefa11fdea003ca05

SHA1
8098356b7fdcfcad869b3fc2a705ab0f989a912f

SHA256
112ab179e15dff8d3e976d9dd30221f1b00a6c79af814e3d0bb613dfba18bbdc

SHA512
400b1f05fc3ecff28953b470871221a34dca51c563736ce53630e67dc16ba967f8ddbdb77bf959b8e9955808b0940a43ee19d10185caa48f08843578b622bfb9

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
80KB

MD5
eccdd209c9d9c5a2c2d088c92881d4d8

SHA1
7aba2db4596e8d989df4b533792f053e38875fe3

SHA256
5da247146846e42e914682021ed3f6105c58c3276f1ac5eab2dd12d367f72981

SHA512
e6fd15c3c60679c7e13da8da4dac2c653a6bac1137c74ec706c99f8e622091febe9127d6fc0f1d252274efb46fd3ba7a7ebd3ab893d6fcc00862a4ecc967ea6f

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
80KB

MD5
252cab3d6054e89cfcd576bb6a45ebbf

SHA1
bb989835aef2b642a7ba28f8f21d15076028e421

SHA256
94b0cb40af19079b897672bebf36c40e449a9179453b618bd4ad0daec44d0d3b

SHA512
8863d2332b4d5d67a45ec1ce36e24ec7c1a10754d9bd016e0636c4390a2093e952d2354666e7c105ac8d9456385b41ac64bba28c0ed524cbe7d3dd49b7f73ea7

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
80KB

MD5
f3a5cbca4cdfdf6b283bda9761a0546e

SHA1
450b8e640731df50dff6f985eb9af13c0346aa27

SHA256
986853a3b33db33e75d3f19533380d9e3c7aebba46d48f6e74a2d63f5c64818b

SHA512
4c6a2f6fcc01cafb165d3b7ec23efa6e0c14d6563aab0fb0d9ff5a8159e312273b579dbfea8e92142aa1043f69d038d820576cdedb9f080f5bbd045a425fda7b

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
80KB

MD5
73803c455667bdbfa492a815408dca57

SHA1
9b67884c8ceb3e0bbfe94dd10449c1ea780c2a42

SHA256
3d9e46ca6522beaf6a3bd6b778db458b150d8ccd58a2fdeddf56e80ae8c16c3c

SHA512
e3a5c08b43108ba30a01b1a8e19c780fd7bc2bc33990440608e86c6ff157dfce2f50888674f5a63381dbf548ac9c2c4e46558f2812b9ca6bbd2d8259db9664e0

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
80KB

MD5
034587bbd306c763ccc5140d630e0025

SHA1
66a1a7c9e8229b927adea6097efc2adcc952c6fd

SHA256
838ebc7082ec58092d2c2fa696ead24ee480af21fb0dcd137a16ef247519b7b5

SHA512
6d13dfa077612e0778180ac5980a3f8a881d07a1052db629a70d935772a24947d0b758f66a5df839bca49cbccdb45d3c1e6de986a5211507e5715730f6cc0184

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
80KB

MD5
0144e1540a5ce78cc4000b0c872e1160

SHA1
392791d9fc3a78d9d05faa143fbd2dca44cbf30e

SHA256
07d6d800976d193d1bf2e2bc2afd5ca763f8828e3519e02490df6d6a10cb00d9

SHA512
3a6ab8d894356c71ec171804d862d037b991b4cfe97c6cccd44f5923bda3d7a583da70cad6231e1333b0a7a0cd260b64697f01f44d024521dedb29e4e6926761

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
80KB

MD5
79ccd81d844711f087530092c7057acf

SHA1
ad2be9ddedeb035d7772469d0dd241a60137f3bc

SHA256
e9f7da566e52655261d9618ed469f2d8d244554ba1ee9cd4d7d9189cb1ee5fe5

SHA512
351721e260bcb6fe73effcfad20442f076ca64418cd85fc19aaad27c300dac107756a898a53c86ee2da2a17e3e374df8490937c55776bf29b5d8a8a5e7f46351

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
80KB

MD5
891724ce1bec59e9f2b53414059617d6

SHA1
68b1a5ede3d87850e7274115e41894b522c95f7b

SHA256
f6ee5b9d7745f6686ae526c34ad3f3619f1f1ec2fc1d03cce7f7be716b896c84

SHA512
a2da0f75d15022b3885d13cc1079fc10880a05bce0a9197612c2c28cf40377671c0b1414095f155fca9ee39e8ec4273a6279a2c7c87e52cb7388eacf91ddb67a

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
80KB

MD5
70fa93ff67e7c4fdff46e92e3357fd25

SHA1
3fe69bca0296cb7da4493abb23a02cff227b72da

SHA256
6af009532ad560b15aa2d0becf16a0dd6ab4fb48e9701f70609cb0d6ae22e914

SHA512
fd3076a3523cc19a95cdb3abb3e97ad6e61580d70755dea2a32d703cfb94be14848e0c3a210d5bfe2d5e98f4ff9768fdb8aa3b6ef475ea43f2cd4ed79e469c51

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
80KB

MD5
f6e90d1aa42dbff6be8a7ea0acecabf7

SHA1
c24621174c37d7a73842049ffc93fffb00e092cb

SHA256
02126a4324f2f058c55d6bbe3a8d7d3c25bc313f7306db86262d0320e9a9b73d

SHA512
8e9e9d4ad6e175430cffa7c5d68a52674dcbb091128a8e10d1f04a5afdfe40a3788149315814f1326e1ed25558f35bf9ce04e9150087215c556575bed407bc6d

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
80KB

MD5
0c7fa5a22635d06ef95bcb14c1e1c424

SHA1
77c98da0e98a50d4f843a251f2df29b081904dd2

SHA256
1b285444852a035b5021372ac1c278b21b895d15f0f5908c23236ebe2e525738

SHA512
0fea1d1ab151a77bfa24d90f6f2d2cad05b370ad307f59c4ab1c4be2a17ba5e8aefcbeeb50cc35ea4a3f7ea1e76eb4d5a9c065d11e17143576f261a18ba25fde

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
80KB

MD5
6c9a8c9a59daddb84b1900b2215e8579

SHA1
20854ed8d0f2cafff1ea7567edb3bdceced04431

SHA256
f28f991b357abf7d24441d2ea78fda8b6e9c03599fd4947e13c898464b3bf767

SHA512
b57ead439d5d2ffdd0734d213b22c877bd30f64c53b9b8e2b515d9e1e80b42430b04e74c215a2645cd09b2630d6d23489226afd95ef1751fefa74cce8a20e82d

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
80KB

MD5
f8e78d0dcfbf0ce5903ca8be0488f409

SHA1
791ee7ff680d727b6075fedfcf81e3d2e5de9448

SHA256
ae227020a194e9989402a5e67041389647c8aa87ceb1e59389565557a5da4f30

SHA512
8c0d8c6a681c44ba8048c88dae2be70aec936fc716399173cfa62bc4929185900bc933b9840b5de75a3c519d396c93e07141d176fcfdc3f676fb054aa86b6e7d

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
80KB

MD5
6b4079b882d8b95dc09dfe468a9e1222

SHA1
bedbf76259877f09170237fc77814d308674ec8e

SHA256
3db56528c23f48958d2d8df6b12cfb25fbd0ee9216da3dbe77ada9f00c47c875

SHA512
759bfad269806d6e18bbf063dc8a1a84b4e933926ba357bf60fd3db5130ceaf848b2fba4efe3893b717ce234c4dfa917d8bf77f8e5b5a66f6f61df3fca25f21f

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
80KB

MD5
f9d6903c5db730cbf6e8b2c71270ad57

SHA1
9e4389cc5a5fc7212f7fef213cc94c12f43b37c4

SHA256
fb33991f4c970b0fa28ef183a494075e852cbaee40968b76bf719c498fdeaa4b

SHA512
b5671763e5189c0d641dced7f9261ccefba7bdd4b922335595d5dc1ad7d114035045abf055ce2af079fa50585461cbf339fff337ea1c2b96223139056416500b

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
80KB

MD5
18aa84ed04a18d7b91c13e077573d5f3

SHA1
83c9ccf56a00e6c71f82099a8562d47744e72598

SHA256
92755814629154343f02196f469f860a5b2218e682b2406b4230cebda0fe9927

SHA512
606811d004404abae40a7fa3f26602d30f27fb75449eb17938d4fb699f440535932fac98ea5f1a6a9bd524ea16e38b173cacc4fd94816a925be991efcf197ad2

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
80KB

MD5
87d0607fc48ce5ad695608600ff26ae2

SHA1
43a75ce4fd82cab2872f043331a0b7a0a9e1df4f

SHA256
7e89128a404d079e7bec3ca2c9e10b098b18bfcdd84d0e49bf8a60e81adbf580

SHA512
ed55a67b1544be66e574753568883f2d56990bb64c12db15704296b1faad767db0f19bc481602f1042fd8044f558501a3b211cfb84a6da7558ff234ad292b5c5

Download Submit
memory/8-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/508-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/508-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1080-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1080-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1092-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1092-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1172-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1368-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1616-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1616-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-392-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1696-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1756-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1756-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1760-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1904-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1912-427-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2176-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2196-62-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-414-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2792-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2792-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-195-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2928-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3080-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3080-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3096-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3096-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3096-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3104-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3384-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3384-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3532-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3532-387-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3768-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4020-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4028-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4044-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4412-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4412-426-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4540-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4540-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4660-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4660-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4872-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5052-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-230-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads