36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d.exe
Size

92KB
MD5

c837964bb8709d18933b4356951cb560
SHA1

7b59431105f67e2dfe2caa0f3f669469b47ab70f
SHA256

36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d
SHA512

b5f433e251ac06f045e60c5dd3e5f281fb9057c5a9e2fe92b2bd404b69e079e7455ab9049a2b480526638b45484ddd0f2cdd41765a0b586100e5cacfe64a17d8
SSDEEP

1536:3uRTOKEVG1zH3Ut+iu55p5dF8EzfAwb6ROEkz/TfffX0Wr19KcbOGInKQrUoR24+:3uRTOvVSzHk+P5vF8KfAweRzkz/Tfff9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe

Executes dropped EXE 64 IoCs

pid	Process
2524	Ejlmkgkl.exe
960	Eoifcnid.exe
972	Fjnjqfij.exe
1296	Fmmfmbhn.exe
1356	Fcgoilpj.exe
1916	Ffekegon.exe
4612	Fmocba32.exe
4148	Fomonm32.exe
3200	Ffggkgmk.exe
5100	Fmapha32.exe
1036	Fopldmcl.exe
4212	Ffjdqg32.exe
3740	Fqohnp32.exe
4236	Fobiilai.exe
1580	Fjhmgeao.exe
5040	Fmficqpc.exe
1648	Fodeolof.exe
4324	Gfnnlffc.exe
4084	Gimjhafg.exe
4832	Gogbdl32.exe
2752	Gfqjafdq.exe
3140	Gqfooodg.exe
4592	Gbgkfg32.exe
3684	Giacca32.exe
4996	Gqikdn32.exe
1440	Gbjhlfhb.exe
1628	Gidphq32.exe
4660	Gcidfi32.exe
212	Gifmnpnl.exe
1128	Hclakimb.exe
4464	Hfjmgdlf.exe
4308	Hmdedo32.exe
4576	Hpbaqj32.exe
712	Hfljmdjc.exe
832	Habnjm32.exe
836	Hpenfjad.exe
4392	Hbckbepg.exe
5096	Himcoo32.exe
3016	Hccglh32.exe
4316	Hmklen32.exe
1904	Hpihai32.exe
5052	Iakaql32.exe
4808	Ibmmhdhm.exe
1756	Ijdeiaio.exe
1004	Ipqnahgf.exe
1644	Ibojncfj.exe
976	Ijfboafl.exe
4272	Iiibkn32.exe
3564	Ipckgh32.exe
4072	Ibagcc32.exe
3556	Ijhodq32.exe
2520	Iabgaklg.exe
1700	Idacmfkj.exe
4300	Ijkljp32.exe
2368	Jpgdbg32.exe
4312	Jfaloa32.exe
3376	Jmkdlkph.exe
3840	Jpjqhgol.exe
3732	Jfdida32.exe
1236	Jibeql32.exe
4540	Jplmmfmi.exe
4284	Jfffjqdf.exe
1616	Jidbflcj.exe
3908	Jpojcf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Fagmapfi.dll	36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d.exe
File created	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Giacca32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Dofqcl32.dll	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6268	6044	WerFault.exe	228

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 2524	544	36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d.exe	82
PID 544 wrote to memory of 2524	544	36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d.exe	82
PID 544 wrote to memory of 2524	544	36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d.exe	82
PID 2524 wrote to memory of 960	2524	Ejlmkgkl.exe	83
PID 2524 wrote to memory of 960	2524	Ejlmkgkl.exe	83
PID 2524 wrote to memory of 960	2524	Ejlmkgkl.exe	83
PID 960 wrote to memory of 972	960	Eoifcnid.exe	84
PID 960 wrote to memory of 972	960	Eoifcnid.exe	84
PID 960 wrote to memory of 972	960	Eoifcnid.exe	84
PID 972 wrote to memory of 1296	972	Fjnjqfij.exe	85
PID 972 wrote to memory of 1296	972	Fjnjqfij.exe	85
PID 972 wrote to memory of 1296	972	Fjnjqfij.exe	85
PID 1296 wrote to memory of 1356	1296	Fmmfmbhn.exe	86
PID 1296 wrote to memory of 1356	1296	Fmmfmbhn.exe	86
PID 1296 wrote to memory of 1356	1296	Fmmfmbhn.exe	86
PID 1356 wrote to memory of 1916	1356	Fcgoilpj.exe	87
PID 1356 wrote to memory of 1916	1356	Fcgoilpj.exe	87
PID 1356 wrote to memory of 1916	1356	Fcgoilpj.exe	87
PID 1916 wrote to memory of 4612	1916	Ffekegon.exe	88
PID 1916 wrote to memory of 4612	1916	Ffekegon.exe	88
PID 1916 wrote to memory of 4612	1916	Ffekegon.exe	88
PID 4612 wrote to memory of 4148	4612	Fmocba32.exe	89
PID 4612 wrote to memory of 4148	4612	Fmocba32.exe	89
PID 4612 wrote to memory of 4148	4612	Fmocba32.exe	89
PID 4148 wrote to memory of 3200	4148	Fomonm32.exe	90
PID 4148 wrote to memory of 3200	4148	Fomonm32.exe	90
PID 4148 wrote to memory of 3200	4148	Fomonm32.exe	90
PID 3200 wrote to memory of 5100	3200	Ffggkgmk.exe	91
PID 3200 wrote to memory of 5100	3200	Ffggkgmk.exe	91
PID 3200 wrote to memory of 5100	3200	Ffggkgmk.exe	91
PID 5100 wrote to memory of 1036	5100	Fmapha32.exe	92
PID 5100 wrote to memory of 1036	5100	Fmapha32.exe	92
PID 5100 wrote to memory of 1036	5100	Fmapha32.exe	92
PID 1036 wrote to memory of 4212	1036	Fopldmcl.exe	93
PID 1036 wrote to memory of 4212	1036	Fopldmcl.exe	93
PID 1036 wrote to memory of 4212	1036	Fopldmcl.exe	93
PID 4212 wrote to memory of 3740	4212	Ffjdqg32.exe	94
PID 4212 wrote to memory of 3740	4212	Ffjdqg32.exe	94
PID 4212 wrote to memory of 3740	4212	Ffjdqg32.exe	94
PID 3740 wrote to memory of 4236	3740	Fqohnp32.exe	95
PID 3740 wrote to memory of 4236	3740	Fqohnp32.exe	95
PID 3740 wrote to memory of 4236	3740	Fqohnp32.exe	95
PID 4236 wrote to memory of 1580	4236	Fobiilai.exe	96
PID 4236 wrote to memory of 1580	4236	Fobiilai.exe	96
PID 4236 wrote to memory of 1580	4236	Fobiilai.exe	96
PID 1580 wrote to memory of 5040	1580	Fjhmgeao.exe	97
PID 1580 wrote to memory of 5040	1580	Fjhmgeao.exe	97
PID 1580 wrote to memory of 5040	1580	Fjhmgeao.exe	97
PID 5040 wrote to memory of 1648	5040	Fmficqpc.exe	98
PID 5040 wrote to memory of 1648	5040	Fmficqpc.exe	98
PID 5040 wrote to memory of 1648	5040	Fmficqpc.exe	98
PID 1648 wrote to memory of 4324	1648	Fodeolof.exe	99
PID 1648 wrote to memory of 4324	1648	Fodeolof.exe	99
PID 1648 wrote to memory of 4324	1648	Fodeolof.exe	99
PID 4324 wrote to memory of 4084	4324	Gfnnlffc.exe	100
PID 4324 wrote to memory of 4084	4324	Gfnnlffc.exe	100
PID 4324 wrote to memory of 4084	4324	Gfnnlffc.exe	100
PID 4084 wrote to memory of 4832	4084	Gimjhafg.exe	101
PID 4084 wrote to memory of 4832	4084	Gimjhafg.exe	101
PID 4084 wrote to memory of 4832	4084	Gimjhafg.exe	101
PID 4832 wrote to memory of 2752	4832	Gogbdl32.exe	102
PID 4832 wrote to memory of 2752	4832	Gogbdl32.exe	102
PID 4832 wrote to memory of 2752	4832	Gogbdl32.exe	102
PID 2752 wrote to memory of 3140	2752	Gfqjafdq.exe	103

C:\Users\Admin\AppData\Local\Temp\36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d.exe
"C:\Users\Admin\AppData\Local\Temp\36e7a86297e82ae906e290008b11386458157d6c62888dae7d59a325414e154d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\Ejlmkgkl.exe
  C:\Windows\system32\Ejlmkgkl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\Eoifcnid.exe
    C:\Windows\system32\Eoifcnid.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\SysWOW64\Fjnjqfij.exe
      C:\Windows\system32\Fjnjqfij.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
      - C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        26⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        37⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        40⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        46⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        49⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4300
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        57⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        58⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        60⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        61⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        67⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        69⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        71⤵
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2788
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        75⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        76⤵
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        77⤵
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        78⤵
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        82⤵
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        83⤵
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        84⤵
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        85⤵
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        87⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        88⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        93⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        95⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        97⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        99⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        101⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        105⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        106⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2192
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        109⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        110⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        113⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        115⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        116⤵
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        117⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        118⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        123⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        124⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        128⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        129⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        130⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        131⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        132⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        134⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        137⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        139⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        140⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 412
        141⤵
        Program crash
        
        PID:6268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6044 -ip 6044
1⤵
PID:6180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dofqcl32.dll

Filesize
7KB

MD5
61018b1d050859b240d59a351c9881b8

SHA1
87ef9ba5b0df89540dccf0d8057a71e1b00063cc

SHA256
0b7d4cbb117ebf26f3c12b9551bd0684ac31a8dcf7dfe16f2174d090f3893d6d

SHA512
e772b9e11a943dfd469d0add8ddc60856b0858b9001af514fd38951a1bca0a738dc60a34c33bbc0cc000040709021eab6dcbe480293730abfbd15c413a411193

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
92KB

MD5
d0f8ae47e6e8e349803265887af44541

SHA1
b11d575a535400fc366791090f5e9db92229c18d

SHA256
1c8e55eaed27f3070fa90831362e4aae19aec73a4d92274a2200ab66acd34959

SHA512
65db8398c92c05e9ea91c6d833ebfb7f6b5c50c274151d33e38f5027df11bb1e6152d6f122a3609224d94fc26e23291e4fb28b3075e5276741a4617c91ac2c5c

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
92KB

MD5
cc6d62f861e333fccf376bf7f25e12aa

SHA1
3f2c48b51a20cd8c28aebda353f77385bf96da60

SHA256
0bcf8f432e49b7539218476c1d819ac66bff0216ef827b9c701fd7e57a9da53d

SHA512
362ba0a870075f4c0a6eeddfe2dda273befebe7e266be573869fa085e27d96b664b6344960867a93f7ba0b4fc31e111143eb361b765de0a89620c2bf0f217d59

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
92KB

MD5
ed641510472002d5eee0ec37b80db447

SHA1
c8f61450938837cb85b75305eb4a138dc122d1e5

SHA256
08e2aa83c1be5437e9d126a59cd056446d7db8820509709b87f6a9034485bd9b

SHA512
4343bf838edc9230b29ed507242b86ef7749f1cfc2d1aa751209e96a64bdd3dd21b22de8dd6983787df21744548ebddd1da48bba922d82dd8272aaeaf39eb372

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
92KB

MD5
0ed011f4db79f2c619e10d45e675989d

SHA1
d5871e57a6b1e925a3327c2c0d2b663f2564e840

SHA256
1797167ec6aa22b4f4387e3a2c2c06c9621ba1e666f6fbf5d2ec84a4f4e871a6

SHA512
06aefd4437e78ea2d23e600eca3241d639fa8aecb8a28ac07980975ac222b4f2c705397b9dd2f274d30094cd4287804f42b37036fda0885e5c167dbe859cda33

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
92KB

MD5
c405be9aaa3e57c08a4e4d571b94f5b8

SHA1
b7ae995f3dbe7616aed5b0a73c2842afda195bac

SHA256
8ab983ab0e9fdcb783037d621ab80ef43ab8b65850b5def5b27ac94cb941ef97

SHA512
5d1b5d96411158059bbc086cc89de4778da854a6eb03cfe20eb8b2121e9e5b06675ab23658c2a8a6227ecd863cfe8b2e4735e6a2e0be4725359f477a7194c584

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
92KB

MD5
2e08abb70b81d580c14558fef9cef530

SHA1
257d7a7ce1b6c956a714157d0aa04befe83836df

SHA256
e8d138b48a4ce7a17a1c1acadde240076fde2e7f3117040ee5f9263e9bcbd545

SHA512
a1461435a3254bc917d2245de1f77eafda7aed04508a4edcffb1bf2b1445f971eea2ef3834edf046a5a39e95089d32518f28f65f60bfeb534eb9ba77b069be27

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
92KB

MD5
d5b46d668181b9cc27d82955243522e0

SHA1
7eefec458987a2e0ceb52e79165babfd5da89fbb

SHA256
ac40d6491b2541c5db05e2ef8264808d00474591e3193f45f015d61d3224b349

SHA512
bf816d84041927a6c2a2bfab8d4b00951ffc384bd99f97a5d9b73e17005b11e4407cf97160c67c6ed0f3e55add2b59b77729f8c670e57f9f5569f1644b0384bc

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
92KB

MD5
b61aaa43cc6c9a914df8f11786d5742a

SHA1
64d9e8363bdb866cebaa752081f491964d4e2992

SHA256
4e5a91ac642316c9017c1baab679bd47aff27c69fb582cbeb85df012eafe9102

SHA512
bd12ff9be1765fddb357fd178946417cbf9f3f5445c291c2240ce46d96ad856dede6a6a8a76b7d15f0fbed06d02ea70447ae4b011e366471db3d59d8c6de7032

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
92KB

MD5
df56a9461b0876ba913bec73c90d7fe3

SHA1
b88a350b7bb5ba8309bb4c8eca5baa1edeb4f411

SHA256
b9b2847c2cf1097d5dc6bd891027fce65c6d38517e0774d80f9ac1362aa470a6

SHA512
e75f1489fab2d7533a607614db6a742b289e2564573ebe86f7770f56004d438dc0f588a3d8cbc65e209a0e72c3e937721b285356f9a54a1a26cba6ddbd9ac441

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
92KB

MD5
ef1a0dd45be576754d5b722def9ea49a

SHA1
d1702a8b1c7c9907d6ed769cafb98915671bc534

SHA256
16496d0bf112fa495779c9d69b2ae82d6910c18538acea2fb9b7a9c1da56e16f

SHA512
03d7b27bf744d323b712f90924f1513bf4e0a52fd9857835f729a55c10298917322aae9a74bac3bfe8fb2bc3cebb626202fda0e5edd3744b222ff70f23d43f7d

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
92KB

MD5
f09a6db750d31bcf7fb037c73b190451

SHA1
2e3e755dcf7b3d333692751dcad23f3680e6f2dc

SHA256
d2b21874f2c00ac7ccd015943a9578def45644a0cd8cddc935f6b9fe57aba329

SHA512
365552e75b3cf3c01f2e3bd1ddb35c3a0def84aeb8dccd0688afcf9a5ca93632723081ee77a292d793cd0f48ca291afb19cb16a6bc0050befe7dd100d74bec77

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
92KB

MD5
7d5978355b3f9910e794762f31b21ac4

SHA1
7985d1036020f9171ccb5498e864fe8542d468d5

SHA256
6b5efdf52ac13123c4802450b4f705420d62934aebe787827038d76e294e481a

SHA512
fef0993d829e66430ee8483a8047123547e27af440367be2a38faf44e9815a34ca50e40de57d4eb5b34b53a41c1ef1a5612b63d21e91a47ad5a51df670ed91f2

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
92KB

MD5
9f0543c13e3f19026c86023bee1b2ff2

SHA1
54c0414372e786acb2cf814601644469ff654447

SHA256
43f7375c4ebed47998780ce7737d098fc30396a06bb7d64b8be92bfd3dc5a029

SHA512
7cf2914e62921aa2e4ad8165cb66679805b55bc7a2838b6c29bb10ff3c13961fb3349019ce7b97f83531abe845dbffed94e103716fc2216a9a6bfa59639759b0

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
92KB

MD5
b49cbad55c63045b5a22a8f6e80e5751

SHA1
36ffdcd309177703be8e08e7d22a19061c555952

SHA256
8c559bb670d59bbbf061df06d488fa232e108d255cfa87300e43f37e3cb1ff41

SHA512
7c329dd432523c4349158c191de676b8cc80bc8bdb9daafddde8ea74910084da2e78624f0ab3114f473a5755215a5da127698f98c62c0718a112af02abf498ce

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
92KB

MD5
6ea1e608afc3daea84c7b265358b0ba5

SHA1
78e51995985a861ff0f50ef025815d01d2e333d7

SHA256
57538dd8d2614726070c33ac2183322cbfe1d96c39b44697738418540ce76276

SHA512
637761fbfd3b1ab04e10e5b5bfe7c9a3838811846b173c25ab9a5429f2205287f1fbfc54db4e23be1897915970ea290680d7df0703b337d591fa2b6c5594e446

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
92KB

MD5
f597f84b9fcd25ac14f85505e6ae83e2

SHA1
e49dae6ca0e6dc33c99b249f267aa2f7ab63b1a5

SHA256
c92afd989cebfee4a0b1043611c402acc7607ce75fb798b927d677e1c2d5b42e

SHA512
e69e7adbb6bfa43398f7f991d6079247a15a7c477bcf7e7ceb5b53838d06244f83d37ddea831dee7262ab51ddd79946381879ee90a93a4ef1d9645fdd7913b3a

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
92KB

MD5
19cd3df971aa19cb4b8e647d935ef227

SHA1
2b823bc784503eea867ac55eb17722cf8aa4bab8

SHA256
e3da69f5245ae44d31e08fa05b3e8297a7d6021cd4b1a8ac0d0813a4c7cdfcda

SHA512
3bd13d66441682a7840ebab2035dc28e03d2f0831988037482563d8447d04c8828f783b7dbc02332ad1c5bfe2efe433e320ad1faa5e52551f202b2db09047d19

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
92KB

MD5
99513f241e57aeb428c9d5eab7b441e3

SHA1
277be83b6e4d6ee843afdd175901090f862a5d99

SHA256
c55105797b863eb7c365afa0c8714dfffe6ca2dd9f66f7ec35ad45b37648dd70

SHA512
5c5e172c331b7cba4cdb4f6396bc671f3a32971031716cd9edefd9457dd81fb2485574d911fa50c7c8b19a438a5f4867c501268af50078001aa5eebc84f163be

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
92KB

MD5
a48416bcfb298654aecbe5b05388f84a

SHA1
6150e9c3023266ebecfc012d992a3f73c5324740

SHA256
5f96e2f316cdd06599686d48a230a8eb424ee4dd8f5d666eebbce453a37a19f7

SHA512
295d0ceb016d103de7c8bf8602c61fb248424ec7079ddd2004385c968f53fbfc1cf893fa0a4bfc9365ebc0c22f9b6ec3ed127c4fc4d49aff3040fc82b41a60f2

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
92KB

MD5
0894a17ac72333b45be0a418c7074590

SHA1
8f3f8ce00fb4f57653254bdaaace60f075dbdad9

SHA256
fafb417de45e1d5a70f80f912782a6e79998bcad9af9f646aedb49954abca3be

SHA512
7b34e1162b16b7297ec4195101adc69019c73d6e12b8e56293c4587b2beca8673e286a6a5f0c286248e3124cb372e269d7a1a6752332fbcea4c71da25cb5f81b

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
92KB

MD5
0554f6828351acd257c3d533de835efc

SHA1
683b09cd713b7c966a3974a5fc35e1efe9960775

SHA256
90648918d521d1ac38c0e5dbeb5a9e4cbd88d2d2071b81f31db62e71febd165d

SHA512
348254253563fc1fec2a8c2a1699c9d4bd351eecb3ffb9b7d411c232d39acd36508a5109d2c1a8878439f592d1e51edafd02abd052bacce12b2dd2530e710772

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
92KB

MD5
124a12362ac2533761afd7e3b7afe826

SHA1
b3256ec53d03939d52e5d586f380ebd8101bab6a

SHA256
ce300a826d26b2eb11d9d38be2cef94bb9e8889c431eb762950ce05f4fbce95b

SHA512
fe3560b223f8e1fe153bbd3148a97cb27a38277100d3767df907168cf1dfb3df7ee8332f9b30e4cea52ac5b1fc7dc4e4e5b4a083dbeac6f160aeca8fe1d76304

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
92KB

MD5
c26ffc82132373eedbcaed143c8c4ccd

SHA1
c8d1dd13883ff04261cc8b00d643165f08b33435

SHA256
8e238b5a4c6410347c6e2c322b18372caf684f6693af67ae7bcc3cbf6da7094f

SHA512
0db48db5e48434c266aa13a4754ba0865acfc6e4d7dda71508afe85b447abd2799d1b6ef27bb25d62a26b61516bd93f97b8520c921b5b1f1c4d87897275cb564

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
92KB

MD5
a1ae3f676298c40884cd5f715668ca51

SHA1
ee2bff5e8fa2dd4307a3f4303d669c494a9988e0

SHA256
e752f09cb8291341c214846b7b03c036f0cd492ae747b16b34a2616091af7949

SHA512
3e1b3fd17b7d805cd296e035ec20e1ca743c9cecfd69c41f0d702437cdcf0bc63006dcb06f69b2cc191411444db00cea04a7d6890518f93d91b23aef2b499751

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
92KB

MD5
186001086b6ee59aadf7615f4d267087

SHA1
7c54f22aae9045b0f66c25228cfb898146676a43

SHA256
ae5d5b4b8d4c603d8905205c874ec684b6f20575e9dcd64358f897044c598671

SHA512
ece1e5fdfa99c0eb988a62379f802a0cda0c868bffefe0934de7df0b584bfe80f790a53c0ee6f27597f9a1df446ae620c693c89700151a98fc04df978d83d500

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
92KB

MD5
4bf8ad32422dd4678ca25af62d2901fd

SHA1
5218206b5b2b52b9ab69b8b5abcab2069b24e5da

SHA256
dd53a9b99ebc4d58f3ac87f7db23748ae279e0d847a13ec40673bf6fd0e5dc1f

SHA512
5ce4356990ef676067d7650df00755ccfb4e542a5c48f20ca963d4e8af5b6e16328c4df85268dee8966dfe60a5b238814504b09385b8024c93cc46b165bff50f

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
92KB

MD5
9d3dd8d3281bd1e5f5127a0568459aa4

SHA1
8a47a8a3ccad3bb287540b47fd5dd0a79d076e6b

SHA256
02353fa40fc70849c89057b566fe5f492ad45e9eb6165af8cdf7d895af21205b

SHA512
e232db06c9a7d743eafabb976c2e1109824ff776ac279ea3ae45a3b97b739270af8193ab50abd17ec4df43433d69a23337a5981f343fbca742256533cf7c114e

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
92KB

MD5
793fee82cff602cb205107a5dc5bf908

SHA1
db0e1b37ddf544c6a2f4696accd10f4abf3b8095

SHA256
81dd1f05a91c71a34a976305f88dcaea8dd9635436a09829b74a33eedca64cd1

SHA512
2d9ddd8b1ac6fb2c6971e7994d1fdf835503583d2eac706aab212120222cb83c2572c6191ec195e10a961c38f0a1f825749196cea9cb9b0b9e283eca1ffd5a56

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
92KB

MD5
7fc0001da2ccd52a9b4162810df264fb

SHA1
076745762d95882410015da6c95ca3b2b1b528be

SHA256
4bd5155c92124989306f6009d609528a218d1ff8845668945e20e2beeabf26a3

SHA512
f9fffc5d14be7630c4a01e50ede4e248cd1be9eec2f080f7db0ce9c6a41d6636ed03c86dd7b040e8abaef42b96415c30cd0bbc557b821df425483de50eb4e27c

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
92KB

MD5
c607cefc6673fa9e8a46c0cdc379f10c

SHA1
0c6c1442fd9918fabf5e89c17509887dcc9ea405

SHA256
48b5ac2e8fb517522de663eeff2624117782ea5507dcf93d1b4b1a53ea704de2

SHA512
8db454ecf66eb9d2b2921ba14373702b90b29336ba44178d8e3d4ac70780a0dbdf64b1d775c4016d6d80e2e79b0c6a27fa8ace0601de9a598e7ba93faf468cd3

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
92KB

MD5
ecfd1fcdac0a9525c7fc4a3c5825681b

SHA1
3b5cb7dbae8d45eae49deaeb8dbab4b0e974b3a0

SHA256
15fe8ad4c95a3880d5723ae1e769fa039e46a150462c959a1053b0a2ac7a412b

SHA512
bf450a2b18ce818ed225f5a7a67d01cf72f3c014af4868f8385f188e234d825c4108eb637b4bd6b2f672dee05efd495d9894fedcb125a45e729f8d05bfab478c

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
92KB

MD5
4e32aac965cf92dc310a13c281197eea

SHA1
6d0113f4864fe4e3313416fe1abde21f0bf6c197

SHA256
a1066b48973619a7d011a946ea99cfb74ddc1d336178629798e343243941b710

SHA512
a4b5b36406b1042d79564677ac925a8d96ab3fff27b52775adf6e213327ec2fbff228517ec654fb6fa260906803d83d5b3c9d466c23853c1d4ee7e9ce2023174

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
92KB

MD5
48bd4c8ee1577f28262f98833125db38

SHA1
71363ef7c5c09688d09d5e4cd9d85527861f95ff

SHA256
04dc6ba25f4d159f23b8f94b70f50d2352ea07e9c3d04e94e283a65bc434fc09

SHA512
8c18c3af78cb0cf110b4dea22fa0657088a4760e3e546471015b719d5cf98699abdc47cf90db8a48701fc2366421f541ad998629a0d64c6eacd9649c44534040

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
92KB

MD5
001cb64a29bd6716521baaf47859148a

SHA1
db4618a843f2bced52663bd14bd5aeb5fea4f8df

SHA256
e82db689347d5ff8e7aa262f3fea21921752fbadd5039c8941413fc484c76763

SHA512
b03d80df1bee3d6e1759abc153edda6ccb471dc6d2dadf0410f6953340b0646164461bbc20511728d265614696068819573e81bb9dae3da19c99a5edff88752b

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
92KB

MD5
9512f62613a6c8fb937b1506525bf25b

SHA1
c76a864075a5471a80a3a5dafdc3717ce9c177fd

SHA256
d0a5a4142247ffa66de44233ad5c2174ba6b5b37837c65a4cf2c6dfc9c3ad1b5

SHA512
e6c016c8d008f427c0985330d0501c2e446860e17ab30436a3ab8dce5aadad59786e4a844389d955f7aa0bf03d3557ee86fba2eed46eb894c237226a6b2dd224

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
92KB

MD5
8349e358204d3ad49ff9d5030b066ea0

SHA1
408b2003da1c0047909563dabae34ebebe70ad10

SHA256
5eb21b5cfab73b7d550aaf632c0b65d9f5550fee082525ce1f00e54562324817

SHA512
e5f31071e73e9e8dac97a11ad3eb0af3e426b0bf655757a3f0fe84105822644a0f0b823d249e9a61c44e56858fc39c6d081a8e8d2fba4eef92aae05f3d740c45

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
92KB

MD5
da2949fe148a2308921da168ac36790c

SHA1
a35dff15564462962042fac37a7312bf7b2f1df0

SHA256
41774aff4cc67f016addfef77eb940345c825b5d4cd4cbd5ecef7294d4a37dc1

SHA512
c887c108e5180700d55288fa502be52e9e9cbceb6c878f15846877ca46e7d09335ba8895e97cac305ef536fc2b350824f126872d25f5f0af36843222e635f695

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
92KB

MD5
5d3138ddecb6b4cfa57052b7f8a48d41

SHA1
9ac68d702c1eaf42100d1355e33b78b83067700b

SHA256
9c7202f8d92a1d8afb6dd6d3da91b083ffcdbb4e93f54bf874a0359c47f72078

SHA512
58d5a53ba672c4c873cd9dcff5825ceadcb2c9903473b49ab6dc7e1643bc9bfb267952b858a7127085112995cc4e0c1be12b89f7529a2cdc3cc094c94a6d5d79

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
92KB

MD5
cbf183e35a9f6884a6d5f203606ec511

SHA1
d943b2ac7a878bb6a59315aca89d51c378c5e8e1

SHA256
527ab8ce6b03358d985d1a5eff5c49d13a67f498cdb7d96d092c8a510a9d86a5

SHA512
5ad30b0514e88b08168701d5df2228b2ebec8796f4b6ce7edf839df2d005ecc71f9e5ca19aa0da3d9b36e00ceaebdfe7dfdb122cdc40fa039c87ca573824a4c2

Download Submit
memory/212-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/544-544-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/544-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/712-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/832-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/836-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/884-536-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/908-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/960-563-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/960-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/972-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/972-565-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1036-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1236-428-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1268-556-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1296-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1296-577-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1320-585-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1356-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1356-584-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1404-570-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1440-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1616-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1628-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1644-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1648-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1700-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1756-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-586-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2252-512-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2368-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2520-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2752-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2788-498-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3016-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3200-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3344-530-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3376-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3556-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3564-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3568-478-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3684-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3716-484-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3732-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3740-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3840-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3908-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3960-578-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4072-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4084-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4148-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4236-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4272-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-545-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4300-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4308-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4312-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4316-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4324-145-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-470-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4464-253-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4592-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4600-465-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4612-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4612-593-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4660-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4728-519-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-538-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4808-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4832-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4932-472-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4968-564-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4996-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5052-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5096-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5100-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5152-587-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5212-594-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads