fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b.exe
Size

346KB
MD5

839e91e6634dba38884ef8fc88d690bd
SHA1

b70d9d1f5073a1f2927e93b4bba0432c4cc96367
SHA256

fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b
SHA512

e5c91cf4cbbe3f7d0f18eb37f8d15c60b1bb7892f78b41afff0c28b41ded80f3344f8e5db7010c36011f2c277f78406d334bbd9338ce3c442f45bbf349e891a3
SSDEEP

6144:zZJjaKnAhdsFj5t13LJhrmMsFj5tzOvfFOM:zZ1nAhds15tFrls15tz4FT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe

Executes dropped EXE 64 IoCs

pid	Process
2264	Fqkocpod.exe
1432	Fbllkh32.exe
1148	Fifdgblo.exe
4444	Fqmlhpla.exe
3908	Fjepaecb.exe
912	Fqohnp32.exe
3652	Fjhmgeao.exe
4976	Fodeolof.exe
4936	Gfnnlffc.exe
380	Gqdbiofi.exe
3844	Gcbnejem.exe
5104	Gjlfbd32.exe
2504	Goiojk32.exe
960	Gmmocpjk.exe
4828	Gcggpj32.exe
4672	Gidphq32.exe
4404	Gcidfi32.exe
972	Gmaioo32.exe
4220	Hclakimb.exe
992	Hapaemll.exe
3508	Hpbaqj32.exe
4536	Hjhfnccl.exe
4204	Hfofbd32.exe
1688	Himcoo32.exe
472	Hbeghene.exe
3996	Hmklen32.exe
4888	Hcedaheh.exe
3132	Hmmhjm32.exe
1848	Icgqggce.exe
4392	Iffmccbi.exe
1424	Icjmmg32.exe
4132	Ifhiib32.exe
4476	Imbaemhc.exe
2912	Icljbg32.exe
2768	Ifjfnb32.exe
3836	Iiibkn32.exe
4412	Iapjlk32.exe
3416	Ifmcdblq.exe
2932	Imgkql32.exe
3384	Ipegmg32.exe
3644	Iinlemia.exe
756	Jpgdbg32.exe
2708	Jbfpobpb.exe
1736	Jjmhppqd.exe
3872	Jagqlj32.exe
3716	Jfdida32.exe
1324	Jmnaakne.exe
2880	Jplmmfmi.exe
3008	Jfffjqdf.exe
1680	Jidbflcj.exe
3204	Jdjfcecp.exe
1624	Jigollag.exe
1312	Jdmcidam.exe
2952	Jkfkfohj.exe
2916	Kpccnefa.exe
4960	Kgmlkp32.exe
436	Kmgdgjek.exe
3420	Kpepcedo.exe
4928	Kgphpo32.exe
4068	Kkkdan32.exe
3868	Kaemnhla.exe
3648	Kbfiep32.exe
4264	Kgbefoji.exe
2024	Kipabjil.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Gddfpk32.dll	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fjhmgeao.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6036	5552	WerFault.exe	215

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kpmfddnf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 2264	4400	fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b.exe	82
PID 4400 wrote to memory of 2264	4400	fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b.exe	82
PID 4400 wrote to memory of 2264	4400	fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b.exe	82
PID 2264 wrote to memory of 1432	2264	Fqkocpod.exe	83
PID 2264 wrote to memory of 1432	2264	Fqkocpod.exe	83
PID 2264 wrote to memory of 1432	2264	Fqkocpod.exe	83
PID 1432 wrote to memory of 1148	1432	Fbllkh32.exe	84
PID 1432 wrote to memory of 1148	1432	Fbllkh32.exe	84
PID 1432 wrote to memory of 1148	1432	Fbllkh32.exe	84
PID 1148 wrote to memory of 4444	1148	Fifdgblo.exe	85
PID 1148 wrote to memory of 4444	1148	Fifdgblo.exe	85
PID 1148 wrote to memory of 4444	1148	Fifdgblo.exe	85
PID 4444 wrote to memory of 3908	4444	Fqmlhpla.exe	86
PID 4444 wrote to memory of 3908	4444	Fqmlhpla.exe	86
PID 4444 wrote to memory of 3908	4444	Fqmlhpla.exe	86
PID 3908 wrote to memory of 912	3908	Fjepaecb.exe	87
PID 3908 wrote to memory of 912	3908	Fjepaecb.exe	87
PID 3908 wrote to memory of 912	3908	Fjepaecb.exe	87
PID 912 wrote to memory of 3652	912	Fqohnp32.exe	88
PID 912 wrote to memory of 3652	912	Fqohnp32.exe	88
PID 912 wrote to memory of 3652	912	Fqohnp32.exe	88
PID 3652 wrote to memory of 4976	3652	Fjhmgeao.exe	89
PID 3652 wrote to memory of 4976	3652	Fjhmgeao.exe	89
PID 3652 wrote to memory of 4976	3652	Fjhmgeao.exe	89
PID 4976 wrote to memory of 4936	4976	Fodeolof.exe	90
PID 4976 wrote to memory of 4936	4976	Fodeolof.exe	90
PID 4976 wrote to memory of 4936	4976	Fodeolof.exe	90
PID 4936 wrote to memory of 380	4936	Gfnnlffc.exe	91
PID 4936 wrote to memory of 380	4936	Gfnnlffc.exe	91
PID 4936 wrote to memory of 380	4936	Gfnnlffc.exe	91
PID 380 wrote to memory of 3844	380	Gqdbiofi.exe	92
PID 380 wrote to memory of 3844	380	Gqdbiofi.exe	92
PID 380 wrote to memory of 3844	380	Gqdbiofi.exe	92
PID 3844 wrote to memory of 5104	3844	Gcbnejem.exe	93
PID 3844 wrote to memory of 5104	3844	Gcbnejem.exe	93
PID 3844 wrote to memory of 5104	3844	Gcbnejem.exe	93
PID 5104 wrote to memory of 2504	5104	Gjlfbd32.exe	94
PID 5104 wrote to memory of 2504	5104	Gjlfbd32.exe	94
PID 5104 wrote to memory of 2504	5104	Gjlfbd32.exe	94
PID 2504 wrote to memory of 960	2504	Goiojk32.exe	96
PID 2504 wrote to memory of 960	2504	Goiojk32.exe	96
PID 2504 wrote to memory of 960	2504	Goiojk32.exe	96
PID 960 wrote to memory of 4828	960	Gmmocpjk.exe	97
PID 960 wrote to memory of 4828	960	Gmmocpjk.exe	97
PID 960 wrote to memory of 4828	960	Gmmocpjk.exe	97
PID 4828 wrote to memory of 4672	4828	Gcggpj32.exe	99
PID 4828 wrote to memory of 4672	4828	Gcggpj32.exe	99
PID 4828 wrote to memory of 4672	4828	Gcggpj32.exe	99
PID 4672 wrote to memory of 4404	4672	Gidphq32.exe	100
PID 4672 wrote to memory of 4404	4672	Gidphq32.exe	100
PID 4672 wrote to memory of 4404	4672	Gidphq32.exe	100
PID 4404 wrote to memory of 972	4404	Gcidfi32.exe	102
PID 4404 wrote to memory of 972	4404	Gcidfi32.exe	102
PID 4404 wrote to memory of 972	4404	Gcidfi32.exe	102
PID 972 wrote to memory of 4220	972	Gmaioo32.exe	103
PID 972 wrote to memory of 4220	972	Gmaioo32.exe	103
PID 972 wrote to memory of 4220	972	Gmaioo32.exe	103
PID 4220 wrote to memory of 992	4220	Hclakimb.exe	104
PID 4220 wrote to memory of 992	4220	Hclakimb.exe	104
PID 4220 wrote to memory of 992	4220	Hclakimb.exe	104
PID 992 wrote to memory of 3508	992	Hapaemll.exe	105
PID 992 wrote to memory of 3508	992	Hapaemll.exe	105
PID 992 wrote to memory of 3508	992	Hapaemll.exe	105
PID 3508 wrote to memory of 4536	3508	Hpbaqj32.exe	106

C:\Users\Admin\AppData\Local\Temp\fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b.exe
"C:\Users\Admin\AppData\Local\Temp\fabc5a7eb2df98ad830410f3a96e928e9239ce3425ff044ac7c7a1582cd3266b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\Fqkocpod.exe
  C:\Windows\system32\Fqkocpod.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\Fbllkh32.exe
    C:\Windows\system32\Fbllkh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\Fifdgblo.exe
      C:\Windows\system32\Fifdgblo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        24⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        29⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        32⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        33⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        34⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        39⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        44⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        48⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        55⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        56⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        60⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        67⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        71⤵
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        72⤵
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        75⤵
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:520
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        77⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        78⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        80⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        81⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        82⤵
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        84⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        85⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        86⤵
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1668
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        88⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        90⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        93⤵
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        94⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        97⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        99⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        101⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        105⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        107⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        109⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        110⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5284
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5360
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        117⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        118⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        119⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        122⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        128⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        129⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 408
        130⤵
        Program crash
        
        PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5552 -ip 5552
1⤵
PID:5816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
346KB

MD5
da3390dcaee74961b341c80ce65db64a

SHA1
fdc1e3f305a75487fb8b953b931fe1e2fd657add

SHA256
d4e8ab3c73064e2e93edebb3c92842b3187b6638c2bce430ee5e96cc87cacbca

SHA512
03c41bd7d4cfc10b0f1e586af71a4120303a22085ee393503a15a843a268e47793ae08eace7eab41e39c18f76acddc5ec4831b1fab278dbdde054c88e5829a87

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
346KB

MD5
e04297b07a335ea25584d787d72a39e6

SHA1
4e086a8f8c59dff3d2c7885504bc2b4cf9a8481d

SHA256
a0b2e9c54bfa794b5ed08c6e2c4acc4e2c41ad270b4a3e2211adb6cee8d31052

SHA512
7fe4b386ed21eb7a264cd73d95113044d643cdf0ba5554bde52e027516a7f467ec1b8df6ad5cc04cdebb05cd41a7e7dca3911047cf5c1a5347046bf06ee10770

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
346KB

MD5
972f2eef0d85c3590fbf6eb6b4011626

SHA1
0df85c5360c642217113e244643ade595314e4ed

SHA256
b7c6d3e0b32fc4115b587a2bc495ad79dc2f8e0be28032b2513df3ddc9c17727

SHA512
a1df28a1ea09a12127e0c0c652ed9d2eb8a52f729d1361acffb3106fbde1f2cc9ed72e5e17a762970070522be46bde081b3dcece3b7e9afb7d45f52c09d5b7da

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
346KB

MD5
018ceedd13e6a5c4b11e64594d42cfbf

SHA1
e75a5382e4b96eb12d12984ed9ccdd57a7517952

SHA256
71e28bf38416660317faec6454c2722374b491192168cd96b324a26e750f5814

SHA512
a23ba45700fbab035b314423d38ca18724ce018bf3f9caf2eec15b3ac17ff5fa65e0a16860ed22b288373c0813f70f1d1169094ed234fe9153dd578b99ed757c

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
346KB

MD5
d73dae3cc4c8f9e7f0a359a4da1112fd

SHA1
5df59949709090f065e7724163dd9098f9a56c67

SHA256
a7b7f3c32aff5d02645a309af67a8a847fa4e67e47aee0a8cbb6e917165115e6

SHA512
f012f3a97310ea6d6290b3076481eaf7bbf9a9cb047cf7082333f9b81916275682e577860063362b14ae74f96b77b5bc50cdcdd542d2803ad0b207b2406ef9d2

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
346KB

MD5
5c9a4fdf641c309a8f4934b4be546db3

SHA1
ad7d8d6b52ada878b1b0ebb84a806c52781c2d27

SHA256
37f501174b38c002dbe1a42e88130cbc5a321bcb93d631256d7857d474d010e5

SHA512
b00cfd429a207e7c83e594f070a24b3783238dbcbd53e29bd54cf28993fddc966f53c81b4f21ba461fa1ade14328592ace274d34f0ad507bd81d7d917cbe5db5

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
346KB

MD5
a182e85635573f07199071b5c02d56a6

SHA1
5e00b883154360c7cfaf88fe267516c71a6d36ec

SHA256
7c717d7d3c5098e9824af3a372586b82301666faef93332895d85346fcdee36c

SHA512
cff1d744cf96406ccb5e790e2618595774e87b185517d1cfe9365e451c8994a3f3a33340d830d14ca60cc5d8da4ac39553ab8e6993dbc2b30049713a9aba5116

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
346KB

MD5
a497d89b59b0dadd7aceaff6f701f4d6

SHA1
82521b85f77e0d40b40db06434ac5f4d48951fee

SHA256
3a4c8668aa427b1d4f770102ede97af9447446fbd86b55ce030496d484062d83

SHA512
bfb3f5f1169aca738c400aecc85f240d03ff784b428800f1275e38a082598cba60e1a2c142a52fefd73684d2ca3181810324da9c0e8db19001c3ec2a262df40f

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
346KB

MD5
3e685df56402707ae37201f7334b0e34

SHA1
f610db7519926ee050c4465295e65d05270f543a

SHA256
9c08e7b07d89419c6269c2600ebc99d45dfd601536b9a6335657a07b6d974856

SHA512
f52b8f21f7f76e102471c5694a27465d7e5c9b68160eacd5b1f96c7e1e2e055795c873f422d9e3e7fd8f2670e0c7c4ac9bf15b8c39a1a39fc0f8697556dae615

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
346KB

MD5
bd7710708ff45b02cc28242c08683dda

SHA1
d47755de61fd9e2acb4277965d75c73834e08578

SHA256
f1cdc3c10ea9185d1360c50b9392c555ecf5db6de26b1d09dadbb89ddb01ddd9

SHA512
d5487a0bb004217e99ee1f2679fa8750858206d0fc31800104c40099ca6e33f9b7c0d114a5d3573f74bbca49b8aeda8255353125bf52a684efd2dd48dfc6a4d6

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
346KB

MD5
552653b2699fefe3162040f758262d7b

SHA1
d39e87155d7591312f747d06b687cd6bdbd49a08

SHA256
6c53948e213f8210f5a9a4b101530ca34dc098c0187223959bc5cf7b78e87ea6

SHA512
90a321df9fe38a56e86fee9af8bf8f35fd4a1c6bdc57dd5fd519338c6e8ed4fdf38b7787a924cc0538a4cc8ac084522cd7f120b7fa09b570bf95caa5fba3bf6c

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
346KB

MD5
8627dbbfde2adb0d459f086548c4d36c

SHA1
3afbc9f7002bcc51418c609560fb64af87dfe481

SHA256
19c25616358e95133342540f20b9a105abd6448aca523eb862448878352226d9

SHA512
d9134174f60e9010cc8b1734237a4e455f9a4f40a25a2a075b0b16484152d03db4d2ea129980650bf1d6946fbfb819382589722a62040c59993fae3a7fe09d0f

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
346KB

MD5
330d817574aa037841c2d3ccd7988ad5

SHA1
5833273f070c965c30fcc30f1c804b93030be0a2

SHA256
c18e2496d2dc37bc7f8471a3a3618ca2e996af02308d11e41ca8cbb39a9c66f0

SHA512
cb5f6ebb1b3590ad45ae8c1df192562e995e56a53e9a10ad0ec5f85c350d3f47e65c58a28d2753f980d265989ef3773b72b4e2691bb390a0cdc80d404fa655ea

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
346KB

MD5
cecb6659ef36e8e61710673892dbeedf

SHA1
a8b23017d7f0b25443bfc65dea9dc487183c1679

SHA256
c90c39831fe9191c0020446a7be9377f345f8e270aa0b8f4fd5a0e7d54bd7407

SHA512
8d97b9b05d9471115655d2516819688782066e6bb503346ebd2d94b7e3100048f3fc7964b962a7edab3b56214eeaf66a5c2586f5602e66e8a92da9adee1e3922

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
346KB

MD5
4ce8745d790cb85f40c90f5a1d7b5cd4

SHA1
bcadeae0d4e065fab9f98ac7225aeb8c82317671

SHA256
53f2db6be8884e1c51040cfe784fc1fd590090fe52e8cb9c4a6c2205915c5ed3

SHA512
19ff31e4d1a3d59f600494e910a46a22661a881ec5a9f21946ada553a7c4d3c08866054c2cfb70784e9f885b083438c2d4937718d74ea60fd313f845c443060e

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
346KB

MD5
e365cc9d90b3f7a5a8e681fb1e5041e4

SHA1
ea7599752d80a75670eb234d4d738095bbd29f24

SHA256
a042e02ccd32d7138b96c99fbf23361f6e8af5babed9d1cbd64965ddbba3b724

SHA512
7dfe95838c539a21d46517394816055abd2e1586812656fa87976103b64ad25eb171ecae1984fb3688bcca155111ea4151345f98e58996f533a93676e05d4359

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
346KB

MD5
f9e308ab8f0af45a8dc921ce417b340e

SHA1
98d47f6a3084439390257cc93f6d64b630280769

SHA256
e27c8b3f49fd44c3b69cfb8e8d87b2a1855f2b57b5126bf1bfa50cd2682e50b4

SHA512
4e28d22aa14315cfaf715c0f2944c41ef52427af4f8da8434901804030bea228319f14f45772208693e29d44f4f3d2b6f9923915de6886a8b08ad249143ca0da

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
346KB

MD5
02da75c5e572fe6efa5314c32db4c803

SHA1
2417ef660765b64d0822dff2f34240055b0e108d

SHA256
8b4bab9dfad40470e6a48ecccdba71758b8d35d43f767d15e773b3db4672d083

SHA512
dcef8acfd3db9377afa6187bd9ff40b009f2b0913e689e88623cc97fd0901efb67d6cc1eec68b8b67c34ed43cd10457b71ee342b5a9f6be142666ce9a0776acc

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
346KB

MD5
57b0ae78ff1ac0945ed2e984c417918b

SHA1
b599a9abab7c6fb94e737377d546e133908ee7d2

SHA256
a4f41ed33488eb5ed0a1f2c5c8734ae5e9bdafbf702dd7d495f960b2b617e632

SHA512
436e362c0590d002ac241fbf5a121b61c9e85b9d64975d26f84c9ba37ae6c2a1e70f4eeb61e1616fdb1e1d0fe8949edc1cb6b441e76077a508456a357ce47d22

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
346KB

MD5
cb8758ef134a83d3fe9cdcc20927170a

SHA1
c368630b85ba358d8d70ce5eb886d6f74fd0ec23

SHA256
b0734a437b3993ef9f35fc9f0cc0affcec450476da2d26ac80b5bfda3ac3241f

SHA512
67aff54d158b9e9fb465c8ef1b7c86b785b8e27cdda2804d81d9b65b2bba86153042fa1472ad65de1a6fc3f9a8d6aa38b203fbaed1d3ea5bcc7235e05c4994b3

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
346KB

MD5
55959a27c2b9b599b8c17ed0d2be9e0e

SHA1
817b067c2f0acd01f401188d930b225aae0505aa

SHA256
8172d66f11c85801c62556dc23b820a22ea28d39c8940b8c4fd4ac1cd8a00125

SHA512
d9f6b7a9346d7085097a1fbfc8aa04ccf309aeb5db88ee4b416d87ac6bb87ba4330c42956eb030f710f3729993c44949767f1fbb1d6a6d712993737f40636bdd

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
346KB

MD5
44825bdb4a227d6c242ad39ced75a656

SHA1
089149db1339a741230dabb52752778862a478f0

SHA256
cd91de135790ac61f60344c84cf1ea054d33a6960eb113c2b5a33e7c2d24e01a

SHA512
d54b97a9f3bf064d80641a28c155b1521a3f23093e2116ae9c852b84d64f9d0019f22d8cbbd3e3ffd694eeac46a6dbf31fa526db5a52dd952c20bd4585dd648c

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
346KB

MD5
a3c62486d80c6bb0e1303594cdade813

SHA1
76610090317868d4ec57aafec9b57a8f03fd7147

SHA256
dcc77057df3c4539325b1d93ded53dc4b30dda4cd1f17279a0e0544fc6ba9f92

SHA512
8750374ec1d83f5cca52db24e5ec0d24728e1ec1b62bee896d454069cd55049575638673201a17b49a147c00b897cd21ce5ca5bbab78613f6aa034fbf78756da

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
346KB

MD5
e260297bf65a00964230ab9eed190e9a

SHA1
514475d344191279521af485233612943efe0e92

SHA256
f76c95d1d68dbd4e80e171d11b7fa22fbf86dbcf70dc39fe6aab567c4abc9305

SHA512
db6f16e613dc03685b4de42f3420acca41d407ca9eef839b98427fabada645b9e87e115ce5f1f4b00c0a3f623eed1a1d386bb8f2ff4eda7649174d90a3e6b4c3

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
346KB

MD5
0a6f038ce5dfb58c9d8a8cd981ddee9e

SHA1
cc90a8981ae467b819e6abc23d859e42872f8891

SHA256
bf61b1c12e972811f9e6121a3a8ead2e0d2c3ce5460d4d733c3706cc7a5b0ffb

SHA512
9c0c5f8a940c3eb3f0542d78f3b1726c3c882206aca838b1e7a7c2dbb105f066a7ff868d74e8da00a2c61cef5126a38581b48d3f58b7622644d67eb7727a6753

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
346KB

MD5
2a785e7f208e72af8ddf287701f4757d

SHA1
c4411fe213b2b007397d1141d64d6529babbdadb

SHA256
a61dcbb933d9d9b3b9211ec48b5de6d6e40f52aafadd36903b9c0f25f35d732c

SHA512
eb5cf90666b57d57d2be18521daafcb2a5191f9bdbf2a91c63ea8b5b6cbc3af4f8e0ca13f71331bb82b299015736b25a95b37c70a4b766f0486d39cc44cdb403

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
346KB

MD5
910b21f2e8535f2cf733c8b1d54252c6

SHA1
7225dd508e49b3aa31a6fed7c471b3cc71e41c62

SHA256
a4a05e66372a2137f80cc0911f7f37f266c44f8cc59bec02134bbcc8d844c66d

SHA512
c50f93ddcb02cefc1bb9201a8be0d4c4220598c29d58cc747108a46eb8649ee8cc3d6b4cc846bd8cb11f3d522380c14e6640caf8887a9646ceb403b6c18ceb0e

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
346KB

MD5
b32aa3317de2e8448baea430cf384e8d

SHA1
577f570a39d3077b619ce07dd104abe4b81b2a91

SHA256
5dee0d1bb83a48253b4a7d924a9a6d2445d09760beab6dae872adad822166acc

SHA512
188093c3ddff9017cabcdefa39b6f485f2e437b9da709c9c17ffdd78393e79b5a1f2da7fcc55bf085e1d4bf6821c690e4eda9d4e2f898e4b996e46cbb461694c

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
346KB

MD5
eb902ed2b613098be72b003137be5d17

SHA1
deb34c2e358ede3fb7ef7881391b4ebe7a0556c7

SHA256
cf9ca50a0c0b90fdb67c90d180dc2094ba1d451d59980bdb9410073eebcbefd6

SHA512
b1df41954447ae2c7051b4a090a7af4a69ff7c9c3a16c2706be10d849f27ec74897b7ac1c28732da412d28b122732e0039e99c0032d77942323e7be555bb7974

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
346KB

MD5
b47f99fe16489a3bc020dde045a21361

SHA1
8bf02f6e4476588253030994841d90b6d18458bb

SHA256
b833b7ac91d1e1d8f9f6641a291dd4400bb6609d71bca8bc9b7f5c7e5d444ec6

SHA512
da67765a071415a1daf6d867d26987aca814d64d1e355773038074c78eef4847530f7a543de7ae823dca14d8a37d139cd744ad089ccc2d0ea5c28d379a704d8b

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
346KB

MD5
980f7214979e174b1063959a6ab8f8fd

SHA1
db90159fccab050b00906d39b3c41ead1f979862

SHA256
03660b501433f6a94c407dc867ee40395a94633554bc2c31fb193cb35dfefea4

SHA512
1996f12f35bd3e33e15330fcde083f2da507e80c5960b97864a473cea3235bdf692eb114cbdc70038d574d2022576954562ca14e309c5d0622c56756e216a4e8

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
346KB

MD5
a5e1e8ec5803a5849fc3e7f51b602151

SHA1
a22e5f6c5258ce7d1f5c79d97238a65a358bcbac

SHA256
e2dec5a93cb08c04bdb953aed0a6f238c80888a469718f7a8792e900f8e305f6

SHA512
f8aabd00b2d09c2067f04b28c34f888df3df7b3b1ca517a68b325c4e1b01908bc80d37b1b5eb9575ebb32daccc3f1ab35deb8a3f49ec1ed4f7d1142c14db07e7

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
346KB

MD5
e24ad9b9b6a08a2a80f7976a5687607b

SHA1
b7a41d7bd8a9768438c38d040ad9076d80f3a4ef

SHA256
6e7e2a8be778e5a7fc156b9f5525463bf7db236ba21c788c5819ba46af4633bd

SHA512
a70f264d645efdabb2b26be355f42ac34439d0da678370b6fe35b9f4ce66ff81ae038f5edc92942995d6e961a5504603711430cf540855fcdbb97c0472a3552d

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
346KB

MD5
a42e71ebed072dfc31a08617f7ce3298

SHA1
87e83f83637f7a03eaef353b8d1773611f417b89

SHA256
5f9d22ad584a0cabee7e3df2ee63f7cddcc9266b7eaf581864b23c036783fec6

SHA512
db8fb8cd8832c53c86a2145870f1b21cf7675456d7fd61a0e83664235314f01950d0c3c432d7e83c4dbbb5caf717fdc7b5be85a684fc485d10378aa8187b4261

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
346KB

MD5
a282c7dce4d34fe3c7d9453eb3adee16

SHA1
1d4dd6113aeb71ed51b59792cc74b2c61fecc320

SHA256
84328bb677f82f6ebfeaf150d86942397761c9fe51725a1294a24cfeecc80d67

SHA512
e92d79889dc705254622fba2a2d61b6fddc1dc5d12ac15db47da4f5d3923c654809977cbd3582a69af5e15fbc9f732f276c1acdb9b933a2c1e1e3480fd86dbdf

Download Submit
C:\Windows\SysWOW64\Jjmhppqd.exe

Filesize
346KB

MD5
75e94c1966d9afff814407be1b35209f

SHA1
5ec947dbd7fa26ffde8e344f899ba816ef330060

SHA256
b21d826ad39bf9131405e62889f4cea6e095d5b5ca18071ad2159e18aedbebb5

SHA512
49b08b500826e90365e5da8ecd14e00b1d32ffaff950162215e28d40a947ec12f2e2ca4e191e88bdca782dba6231a534d8a4181e0f08916433c577e69bdd7a8c

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
346KB

MD5
0761b341497e8e89b2a24f46c31d5546

SHA1
6e3cebb28923865527b1c9fd4151ddfcccb2497d

SHA256
b28a44a3e12a0135717c159c28f62be3134751f3cf5f5329606da6f5e974bf06

SHA512
9c4893fe1b617b963edd04f4c7ef519c7f98b7cd69633e41e72f9565cfc2578e6cb1cbeec91fd835f9bab9b4fc993a049046a2d516191ea05a6d99f8358f61c9

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
346KB

MD5
02153dbb1c6724d0e14779220f238514

SHA1
dc2a3d1ccd2bce8ac614a175ff22c6464708b3c2

SHA256
c9c5b81ae3b299e1d7d17ea9438866f6f235b807ee52e8b8c3b319694bec537f

SHA512
8503a18c9ecc1ecefe2389422898ddcc099e56cf9911655d579fe5209fc0239f93f123f85a45fef02bb8b4a8536bd6e84e2962d21dc4be68eeb1a8fc7670c626

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
346KB

MD5
6013876a2a18dabf992bf34e07e9ab74

SHA1
04d155dabde29b7dcb5820722b6db651bc906732

SHA256
31eb0109ea174c4b210fcd77e36ec9b9532983db0e2eeeb7ff50d0443d918d98

SHA512
290a85acefc6d5876840095f9649426b652e3e5193349632fc8aa39d5ab6ef903bfe24e03df63ca54b3f680907b6142a685657974f69f59556d978d82a6b228a

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
346KB

MD5
322ded07cd7bcbc8f02df68382e86c82

SHA1
3b2119d8dbeda801003004632623fa8ff4cd3c4c

SHA256
de2a4afe0b88bdf9c7ad4092615810cab2e915ff4d0ee0bdd7b174dc47d6ace4

SHA512
8195dde35974e7aede595f1f78cd1dfaa49d5819d9aed39189e11d72e4003e6bc7a321cdec5609bf055b3a1dd474fe6f83f0abcd272476b7d567a0758ca94c14

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
256KB

MD5
7241485bc8b489dfb470bb6ee1d0f1d4

SHA1
f201e0a1c9b61f43df3d1cbf3b43fd344fbb3dff

SHA256
d8e25bf2558bfe1ecb49102d634f619913021b29979a15a114851bb60b6cadb0

SHA512
9cfae96b443a3f58c119fcae74643918730efb209bd531139d987ecf715c25650affcbbf555e23ff8fa8fe02876abf1bdaa4f4f3e9fb933c0afa72e0f7b4fc3d

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
346KB

MD5
737e53c5e218d5ec2524c16b8d2e7ed6

SHA1
b4608a9d6f12b83bd19512a8ae25291c82f71a60

SHA256
a79639c9823ea62751a1d3349434398fd5e2606ba04e93aab2a4daeab3a76292

SHA512
040ef7e6b42153c1cb3c35a7818dadeca683870bed43bf70a93d6f00260ded3c97212bbd8468d1dfbf6afb4ee47b64d1eb46bb9024d2d206cc8c76d2face1fbb

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
346KB

MD5
42349e9fa6e12cfa40b6895cf5e71b6a

SHA1
542ca20bd22937ece69eac178a901a2cccdc41ed

SHA256
f77b8c7bd0eb041d08d447b3a720c9a74eaf7bba9fbf9695ddfb6ce7f8cab569

SHA512
36fcb4e9978b18178f11697d6dc6c5baf5aba514d87ba40bd210faac18745397ee6dbc7fb6f545ca51a6ec801251598c3bf9674f84a79fdf9f006657baf19eb7

Download Submit
memory/380-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/380-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/472-213-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/472-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/756-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/756-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/912-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/912-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-203-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/972-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/972-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/992-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1148-105-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1148-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1312-420-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1324-378-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1432-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1736-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1736-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1848-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1848-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2264-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2264-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2504-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2504-195-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2708-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2768-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2880-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2912-357-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2912-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2916-434-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2952-427-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3132-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3132-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3384-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3384-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3416-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3416-384-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-182-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3644-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3652-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3652-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3836-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3836-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3844-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3872-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3872-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3908-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3996-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4132-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4132-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4204-200-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4220-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4220-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4392-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4400-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4400-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4412-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4444-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4444-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-350-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4536-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4672-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4672-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4828-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4828-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4888-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4888-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4936-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4976-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4976-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-186-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads