1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9

Analysis

max time kernel
148s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Size

180KB
MD5

0a947b618f4f0e34908edf3147764dc3
SHA1

c118ec066504d1b6e84a116c971972e7e14a957f
SHA256

1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9
SHA512

98fb411b020423d4823b207e6aa7706c83e1fb90c9726dcb83b25cc8e154acd9eebaea247137538f6bf854a03902c6c4add015a7e926c045c12c18e8e36c7f25
SSDEEP

3072:YvN8c1AD2AxOFcza6miE6Wj4/glEeqZYLtLw32NX/qs/YTJv1tFk+Fkkuj8UA8UA:5cFAxnzLdE6D/gaeFq32NX/qs/YTJ1tY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe

Executes dropped EXE 64 IoCs

pid	Process
3088	Gbcakg32.exe
2232	Gmhfhp32.exe
2084	Gogbdl32.exe
3584	Gfqjafdq.exe
2992	Goiojk32.exe
3300	Gfcgge32.exe
3020	Gmmocpjk.exe
4764	Gpklpkio.exe
4972	Gcggpj32.exe
4708	Gjapmdid.exe
3932	Gqkhjn32.exe
2064	Gbldaffp.exe
4832	Gjclbc32.exe
5016	Gameonno.exe
1440	Hclakimb.exe
2568	Hjfihc32.exe
4928	Hapaemll.exe
4792	Hbanme32.exe
3108	Hjhfnccl.exe
2388	Habnjm32.exe
1432	Hbckbepg.exe
4624	Himcoo32.exe
3736	Hccglh32.exe
2236	Hfachc32.exe
1840	Hippdo32.exe
3228	Haggelfd.exe
4604	Hcedaheh.exe
5044	Hfcpncdk.exe
2468	Hibljoco.exe
3576	Ipldfi32.exe
1460	Iffmccbi.exe
5108	Impepm32.exe
3776	Ipnalhii.exe
4760	Ibmmhdhm.exe
4108	Ifhiib32.exe
1608	Icljbg32.exe
3944	Ifjfnb32.exe
5060	Iiibkn32.exe
1320	Ipckgh32.exe
2156	Ibagcc32.exe
5048	Ijhodq32.exe
5096	Iabgaklg.exe
3912	Ipegmg32.exe
4696	Ifopiajn.exe
1092	Iinlemia.exe
2044	Imihfl32.exe
3428	Jaedgjjd.exe
3424	Jjmhppqd.exe
3112	Jiphkm32.exe
4188	Jmkdlkph.exe
1448	Jpjqhgol.exe
2580	Jaimbj32.exe
920	Jplmmfmi.exe
1388	Jbkjjblm.exe
1604	Jidbflcj.exe
4256	Jaljgidl.exe
4204	Jdjfcecp.exe
748	Jfhbppbc.exe
2296	Jmbklj32.exe
1616	Jdmcidam.exe
2760	Jfkoeppq.exe
4396	Jiikak32.exe
2964	Kaqcbi32.exe
4856	Kdopod32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6284	5248	WerFault.exe	232

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Ipldfi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 3088	464	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe	88
PID 464 wrote to memory of 3088	464	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe	88
PID 464 wrote to memory of 3088	464	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe	88
PID 3088 wrote to memory of 2232	3088	Gbcakg32.exe	89
PID 3088 wrote to memory of 2232	3088	Gbcakg32.exe	89
PID 3088 wrote to memory of 2232	3088	Gbcakg32.exe	89
PID 2232 wrote to memory of 2084	2232	Gmhfhp32.exe	90
PID 2232 wrote to memory of 2084	2232	Gmhfhp32.exe	90
PID 2232 wrote to memory of 2084	2232	Gmhfhp32.exe	90
PID 2084 wrote to memory of 3584	2084	Gogbdl32.exe	91
PID 2084 wrote to memory of 3584	2084	Gogbdl32.exe	91
PID 2084 wrote to memory of 3584	2084	Gogbdl32.exe	91
PID 3584 wrote to memory of 2992	3584	Gfqjafdq.exe	92
PID 3584 wrote to memory of 2992	3584	Gfqjafdq.exe	92
PID 3584 wrote to memory of 2992	3584	Gfqjafdq.exe	92
PID 2992 wrote to memory of 3300	2992	Goiojk32.exe	93
PID 2992 wrote to memory of 3300	2992	Goiojk32.exe	93
PID 2992 wrote to memory of 3300	2992	Goiojk32.exe	93
PID 3300 wrote to memory of 3020	3300	Gfcgge32.exe	94
PID 3300 wrote to memory of 3020	3300	Gfcgge32.exe	94
PID 3300 wrote to memory of 3020	3300	Gfcgge32.exe	94
PID 3020 wrote to memory of 4764	3020	Gmmocpjk.exe	95
PID 3020 wrote to memory of 4764	3020	Gmmocpjk.exe	95
PID 3020 wrote to memory of 4764	3020	Gmmocpjk.exe	95
PID 4764 wrote to memory of 4972	4764	Gpklpkio.exe	96
PID 4764 wrote to memory of 4972	4764	Gpklpkio.exe	96
PID 4764 wrote to memory of 4972	4764	Gpklpkio.exe	96
PID 4972 wrote to memory of 4708	4972	Gcggpj32.exe	97
PID 4972 wrote to memory of 4708	4972	Gcggpj32.exe	97
PID 4972 wrote to memory of 4708	4972	Gcggpj32.exe	97
PID 4708 wrote to memory of 3932	4708	Gjapmdid.exe	98
PID 4708 wrote to memory of 3932	4708	Gjapmdid.exe	98
PID 4708 wrote to memory of 3932	4708	Gjapmdid.exe	98
PID 3932 wrote to memory of 2064	3932	Gqkhjn32.exe	99
PID 3932 wrote to memory of 2064	3932	Gqkhjn32.exe	99
PID 3932 wrote to memory of 2064	3932	Gqkhjn32.exe	99
PID 2064 wrote to memory of 4832	2064	Gbldaffp.exe	100
PID 2064 wrote to memory of 4832	2064	Gbldaffp.exe	100
PID 2064 wrote to memory of 4832	2064	Gbldaffp.exe	100
PID 4832 wrote to memory of 5016	4832	Gjclbc32.exe	101
PID 4832 wrote to memory of 5016	4832	Gjclbc32.exe	101
PID 4832 wrote to memory of 5016	4832	Gjclbc32.exe	101
PID 5016 wrote to memory of 1440	5016	Gameonno.exe	102
PID 5016 wrote to memory of 1440	5016	Gameonno.exe	102
PID 5016 wrote to memory of 1440	5016	Gameonno.exe	102
PID 1440 wrote to memory of 2568	1440	Hclakimb.exe	104
PID 1440 wrote to memory of 2568	1440	Hclakimb.exe	104
PID 1440 wrote to memory of 2568	1440	Hclakimb.exe	104
PID 2568 wrote to memory of 4928	2568	Hjfihc32.exe	105
PID 2568 wrote to memory of 4928	2568	Hjfihc32.exe	105
PID 2568 wrote to memory of 4928	2568	Hjfihc32.exe	105
PID 4928 wrote to memory of 4792	4928	Hapaemll.exe	106
PID 4928 wrote to memory of 4792	4928	Hapaemll.exe	106
PID 4928 wrote to memory of 4792	4928	Hapaemll.exe	106
PID 4792 wrote to memory of 3108	4792	Hbanme32.exe	108
PID 4792 wrote to memory of 3108	4792	Hbanme32.exe	108
PID 4792 wrote to memory of 3108	4792	Hbanme32.exe	108
PID 3108 wrote to memory of 2388	3108	Hjhfnccl.exe	109
PID 3108 wrote to memory of 2388	3108	Hjhfnccl.exe	109
PID 3108 wrote to memory of 2388	3108	Hjhfnccl.exe	109
PID 2388 wrote to memory of 1432	2388	Habnjm32.exe	110
PID 2388 wrote to memory of 1432	2388	Habnjm32.exe	110
PID 2388 wrote to memory of 1432	2388	Habnjm32.exe	110
PID 1432 wrote to memory of 4624	1432	Hbckbepg.exe	111

C:\Users\Admin\AppData\Local\Temp\1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
"C:\Users\Admin\AppData\Local\Temp\1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\SysWOW64\Gbcakg32.exe
  C:\Windows\system32\Gbcakg32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\Gmhfhp32.exe
    C:\Windows\system32\Gmhfhp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\Gogbdl32.exe
      C:\Windows\system32\Gogbdl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4604
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        35⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        36⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        42⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        44⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        47⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        50⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        54⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        55⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        57⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        58⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        61⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1900
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        67⤵
        
        PID:524
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        71⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4424
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        75⤵
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1236
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        80⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        84⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        85⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        86⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        87⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        88⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        94⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        95⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        99⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        103⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        107⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        108⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        113⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        117⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        119⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        120⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        121⤵
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        125⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        127⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        131⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        132⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        133⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        134⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        136⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        137⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        138⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        139⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        141⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        142⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 400
        143⤵
        Program crash
        
        PID:6284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5248 -ip 5248
1⤵
PID:6244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
180KB

MD5
6481a800be19e8f4f37a09ff93362d39

SHA1
d0cb61475c7e6bbc42741654ab1aba5f5475357c

SHA256
461811bb22652acac9a9f193137a4d149a05f8e71197879f7977abbabac7ed6f

SHA512
e38b339cdce7d01610dcd0e0b0caee999a62e695234a3c52319507773d93842f9298461f7d90ba59a10fe65d97191fbd15811faca38a58e26c9d75ffda3af160

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
180KB

MD5
f701e841c59e2d0befa7e51637f98883

SHA1
d52b6036d4a5af0d268a520b48e328089dd80bc2

SHA256
17ecfbcfe56274f30b3a77c1ec5d923fbb00b7877205d22df8809a7a61b6d996

SHA512
3ca4a5f9004dfb1b8d57982a7b1aa1ce8b88adb3913ae5c62041190834d9c1ca640bc2b071d23488b7dff1517e12d591175e8e50a32945f55a30edb2f2099c4c

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
180KB

MD5
56c27ec6ddde27d0fc8a04f2521b6d99

SHA1
d4ebecdb32dc97bb5fe0b612c2ef46e78aae57a8

SHA256
b63a438b21cc5cbdcc8a1ccd9ceeb49db3eebb3d89e705a572d349c0a852d4cd

SHA512
c4f65fb6378efa329f328382cfa58ded904cac15e294f6b83474a6114e7e87a627bc2f720a0e2455d4aaad3ed2367799557b6e7bb62fceaead55bc0d850d421b

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
180KB

MD5
a542528402856f4defe054eb6e6f10b2

SHA1
e507e026c4a2f76cddfd8b4acc61912a9e8157dd

SHA256
78a8587ed4a6ac95026153285853ceeb337a0c41f16d0b285dc37f462fa259f5

SHA512
d09c0463478461034087eaae3c000d31b6dd204a83364638de32d841baa2b55219d9b4d42c27ed8276f2c6162c7e261ac307bc2673e878631f68a07509c1a088

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
180KB

MD5
a7b99f205e2671eb3f3a1df57564a812

SHA1
d5c36e106a4317afa800ff1deda8b294ffe7b253

SHA256
6e281d909717151b941a3cf498399fbdc9eb340c9175beb8c1439acefd465619

SHA512
9c533057928aaf56a62f94223e1fa93f45e0ec7c1b3a21f18eef61b19049523d7ba8e8d125abce911ba1d8051e15f0b0181b96570fd12a6ad5618cd5f3161e8b

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
180KB

MD5
11b150a089c400e94e1e75b86ea3ed1c

SHA1
bdf7912d8e5979a4dae3907741f154f8c8a7a9df

SHA256
30f10f3daf3b0860b73b1b73f21c3ebe68e84e7c03e7e334c35f137dd60a0eec

SHA512
dfcc72e31953d47a95c20d657b4606d1450339b39180e136efc97c7b0fd93a2052497638960cb287bf8ac56edc66a646346694f9fcf8987defba8c78a64e2e1b

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
180KB

MD5
55ff7cc34d814a250c7b04a419d5dc75

SHA1
95bac270c268545c6bc5287ff3865afbb47ff9e6

SHA256
fead7bcb1a98466fb128c4ba0bf6ff4b44dff430c4ec10975ddbd4ecc868bebd

SHA512
08b052b61d412922955a3c7abd7d9e5be46d0a2be74406d83344910267bc7a9b4a567f073888a08f0fbfd6830173a5756e747e65bfd0ce5cebfa1c1e6a37a450

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
180KB

MD5
44ae250fc58cb0b8a1cf2e218a02b115

SHA1
438bd4d1afc590dab20b7826b026c04cd94e310b

SHA256
864ba61031516130d317ef341e4c8d3fc9038a06b10173f7e70df9dd5a1e71ee

SHA512
db4e8611da9c25e8bc6ca67c03dffa887f42e3af546e1601eb412db6bc267654d30b2c7c228c76d7d31eb2f9b36ccdc9aaa2c9bbe74e63fa22e767980c2ac660

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
180KB

MD5
9cc198a1ccf33334741dfe060b734bc6

SHA1
2c9510fc69c6981cbc4d8ff5d23fa0f9d24e713a

SHA256
0535c4f5a2c622ffb443bcf02ecdf3ce4ba02d77538d7b8c98646b2116cf9d01

SHA512
13ce3c401e9b0e7a747efa4432b76ffa6ee871ad46e4c41eef25afff150fa8a78f5195e7b20363f75d517e5abd4cb8a0adbe3fa6c033691cbc963af963d335bc

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
180KB

MD5
4e623359fd2a6274995965febc20885c

SHA1
39a27017de561d8ae72c0e4ca425a93b9fcb17d8

SHA256
0fa9aecb01d67159d1f1fc2ad102352e7d3c721666f0d13f89436d244bb8dedf

SHA512
dfce2605473dc0b8dd67162c5c300f8372b35addc69f6a816737a8977ead688b0cf0c881487d46d3f56f762a89ffad61dae27e818e2c5fde22d854c5d7152c31

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
180KB

MD5
06d8e1e8cfc0e848e4d876b0e5cfa79c

SHA1
a4e6813c909f4a5ea0903f675b54eb55d0fce3f8

SHA256
76d5978f37c70cdefdf20051fdcb6a1d08d482026aba3ff563759f0aa15eb52a

SHA512
1d41987a83aa6b48691dea7edccc2f8ea936ff191a5631830867ee4a59ae30646faeb562f7f30ed185e5ca6786811625fc3c6edf980249116a86ff7d5a52ecd2

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
180KB

MD5
9eaf93b93d0391e86174f4395fa17527

SHA1
cf57de61ed02726a47ed0be04751af5bcc927932

SHA256
968869b60777a4cee340e5952c10a8538c39266e4b063a7769426c72ecea0cf9

SHA512
7eee725caa9b74adcb3211737eebe9e5e457d4caeaa97af424921ced76a9c9514e17b51b791570abbf3f7b3235e28e3a71e1d1068675c5ee483d30be7fa5f8d7

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
180KB

MD5
d2ce2787d02e1179af34e3230e1b56d0

SHA1
f44ed2f2c482b231fa8195ab8e22d05b84771e66

SHA256
2d0568ff2d669bbc41effd1679005e37bbc8e46663e48b01c1da62eb1c27a8a2

SHA512
cd1799fafa40143634c3fbf4f0810feb254b21fbe69500284d913a3c225c5c104f111a29cd69aa80ca34d3c3d2a250faa8d911d00af2713e4630afadf597f1f1

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
180KB

MD5
b5a8a958c3f72631c9060c60145a7d87

SHA1
81c14ce6b72d8e86b5aee7012567e214d3e5edec

SHA256
ef24b6653e9ecdfe5a55d6293793a3e0de40de4a4947ec9cc658df6125757991

SHA512
c3cae8049685800227e9ae2e6087c80ad4c95ac183b71c4d638d080248f814a942f922992bd16b3d0fb27507fd9fe3bb1b83f3dbf63f08df2f28aeed227e73e1

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
180KB

MD5
651be980a4318c25c6dcc1df7b60dac4

SHA1
1e515c079687d82194cbe810c0439051a3db77ee

SHA256
c297301a403000bc64b786747d457643dd22ea310614fa777ce3262d58e4c1d4

SHA512
dc74d4c0ebeb5c1ec6f1c52b5d116e85411637632d3f0afc9b0e46d27a8f87e70b90d585e8f29807fea7dbe2b1e0b3f57151fc0c2d157abb6f518349bdbb154f

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
180KB

MD5
c731d6508175b95aeecb8b18c1face8b

SHA1
70e1bb38431b973219e1f59a8a5cbb85fed58212

SHA256
2de99001296eeeed53a3dfa70ed0f6b73bf280fef84d183cf8abce7efd640120

SHA512
c4ad1307be532f7317a9e6f37c50aef86fb1b199ec7398feabd562c05dd2dd4568098b2d26ff42044c2750bbfe6d053e6acf7054844c8e46ac584dda65810901

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
180KB

MD5
6d229d9417213ce48b03dc067767e4ff

SHA1
2a7704880953b2bbc7dd142a5f6059aafa9de661

SHA256
ddbcbe6bb1f96293757d3544842cd5573684da86a53eb4de9737b3fa42c30cdd

SHA512
35f40de566709da91501e358d50d6821e69928b25ed28ceb8434330aacd6af7cdcb3290997ba02c54e4e4b5cd9fc070f8f1365c07e3d23cebbca373db0a347a4

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
180KB

MD5
591d3ad865b56a9fe57682a2868e1202

SHA1
f6e25289c5f000011801d9b9e9eec5aa20366158

SHA256
dde661f6d4ff4d25473b32b5cce74a8b2a490d8ae2613d660d2e6c505385c918

SHA512
122d4579e84b126474b74396ce8896703a0f2b49cdc62ff1bad703c5418ee1d49a66686c48e030fc4b6568c4dd2241a886873379b14a35c31b4c2c6e02d18b6d

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
180KB

MD5
d99c4a2d4985f3f05d34e3b5560f7220

SHA1
529bc40062b9210624c32b124343d1db207bef51

SHA256
aabb5b122b9d1e735c4ed1586c97c0a57b019e8409493f9fb8a9d15c17fa7866

SHA512
bf30c9606b3783a3c49da1ef9fc793fd7f38a67b4041475e722230293a545847a345d26d6a805f3694c7b30e6362bd3fcdce9f2f45465a16437ef7f40d99a688

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
180KB

MD5
9a1a54f28763e69c0bfefe7ebf75e0f3

SHA1
8d831b5aa7b425845770566852d3ad5807fa9bce

SHA256
6455b1742439c63063f257696ad041bc42b5242fa6a03df6c25ecbcc1159ddb7

SHA512
0949d64dd06eeffc6b2d1e15b0bd03468e53c137311dd0e1624b6b2dfeeeee742b4d2cc2f65da42157d53b65d5368bf38c5c3c4fb0b0ed91d58a6dff43447070

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
180KB

MD5
32f953ba43468adda247469e315e6ebc

SHA1
1796e853dc859b18e8e2749102cc5e02ffce1a29

SHA256
79556f8b9155b2a2ebcdb43be6a893692cb0f6099ef134721a1124f1ec275baa

SHA512
1af37c2789079b383ce99e3e1c1cc82b30e9bea7afea2ba0695c1c938e29507ec04b164799476c0cd6185979623e517dcc9108c49625162eebeeea5456f8764c

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
180KB

MD5
ecce63b40631a51fe27fb5b0accdae10

SHA1
b286765bd573c04775e77e8a22f67138879ff41c

SHA256
4beef83096e43ebd0fe86d96e85409c21f7b6b03e3e328831f5bbd85210a471d

SHA512
039e8beff8f7f7622ade351dc16d3978e0291b8535c95c4d44b4bf1c97362e083eeb6ea34c7154e12aeefbb66f68d10eeb92e52ff9b91671ca130a6a910162e2

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
180KB

MD5
cbbb4a8b3c3d7e74bfcad46aa3850382

SHA1
85186b3b2ad0d67d0dba976f34b31bafa5fb21d7

SHA256
d970f893bd459562a71eef731d9e0735991854f8783457f4699bee0bae6e540f

SHA512
f37f840010c68bfdded903a2d69675c8eb2304f1d4cc6e0808eedd97629f1ad7b7b846c77105d2ea610bd3043d0671fa5d25cd38886df7ef37fa118ea35a66f9

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
180KB

MD5
58ebc75ffb56f65805bbb3335e1bccd2

SHA1
8080128eb17e1cbbdf5282f155e03b904baf4a27

SHA256
8964a2b093a835a0f85215874c0b89d9b9aba1479343eecfb42c672422115a71

SHA512
97b73b8c24110b2304e4b702a6a776f6c992bf8a4549c84bbd55a46c91a6fd8f47f0867d1ece8587ca71bce7104c0b4cdd740224b667981a3dd1a93c639ffbe2

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
180KB

MD5
d064ca47f7c051616f8f9ece8531ba72

SHA1
7843d79e9f60f327ae94a1350d32249b3559f8ba

SHA256
d867274d57f90082725a55e6dc47ef7b4fa2319f490eb664c7a8e73e9d034748

SHA512
f2735052d2849da1241a43d49a7cd8fbc7ea231f41d7d2e66bc5bc0b35e80adbd93dc9853f9845a7aa723c13e128f84c24d98043491049e3031f47149971c88c

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
180KB

MD5
8ca060b3eaea5e8d99233cbe59a36cb4

SHA1
088b84f3e663b1d6faf7ba0b5eb188d9220960ef

SHA256
9856fafe8f95bc3c33aabe89e1cdd0892e856cce39e8a57c135812078c29824a

SHA512
688ddef2c91944c451dc39d900e2e011e7ce6b891da37e59e769aecfaa7ba8e2a91dbf168e104e2c4fefefe1c65061aaf4a5b6cc77c4808ab7cd36500b65cca0

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
180KB

MD5
4567ec11589eade0bd3a4a9e53ea1cc3

SHA1
8f7db2314af9c393764485664cc21d80028d456b

SHA256
757cd96448a57f9888d2ad77e52b9ef2f8242f2fef68df84281306c4d1575b2e

SHA512
3dbc0305efc3cae9be91b8b6bfb117c0329b204b24fc48b806f2634cb0719d33e555ac260d9c0b4ae46d27cc015c5e1639809a67fa428c5b5f0f2d57ffc585c4

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
180KB

MD5
804d966b961b69044cf0a0852141b194

SHA1
394168c4f05b2915a5804b7eacd0afd8fe7817f4

SHA256
d2c451679a53d2a00931cda7a465384a9525751ee1e585962bb52cc016f919cf

SHA512
9069fa6efd951a339b2ba178ac67d8fab86bef1e8c1e2176f374c896c2e03c3399d586fb3617510be4fcdfe6a1ff8a649286710085b1f92890a61f3ab04d5909

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
180KB

MD5
4fdef450488e49591327de73ec88f4cc

SHA1
939dda6caf28967d23ec5ae06e2ad671d126114b

SHA256
558409792480231c16e6f1df8f6f0f7c965bafefc7dd0388f19e4f54f988c5bc

SHA512
106a2413138d5d198283f8cad9007c0b3f66f00ac5d933496b283954666db54d8563ef8b76f3e846c7681fc3ff7a1a21df7cd4d3f396eb28e139cc4eb7c8149a

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
180KB

MD5
167dabb35e220985a2d61aff8e20207e

SHA1
917f1b195f5e7c2d2d47d0335242155a28e6a589

SHA256
0f89f2705db6a9acdbb3e487bfbe60c566fdab8e7f755c733d25c67e163687dc

SHA512
c90ee6559d6985e38d07e1a4938fc199ff8fce877459a3451a603d412d18860635add5793b019ca391861914b81805febd7964021aa711c498a62e6b9f6a6eb9

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
180KB

MD5
8cc264fb05634d90caa81ccad6252f2b

SHA1
5922df9bad1fa3141b6b07a32c513bc46d6ecda2

SHA256
e20d4d516bdad5a01c00e9db522ebd9c7ba56d103d852dbf915460cbaee56b61

SHA512
46580cb9feebf6dedf203062fd5296823c89aac31c6fc464ac09ba37e1dfb6baf8e07e22f1dc0ba1196bd0287bcc884750b79b16e5dd1bb3af781a9e76f6a5a1

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
180KB

MD5
f69c6c7c9906c2ff2e7cfb1552410b84

SHA1
54380d6a70e0a2cc4f47191cdd42a5b90d31a4fb

SHA256
fc23eda87c69eaaa7bb303fd951e0435c8595252b08f8e18b3d359a9c8c59447

SHA512
a65979315af1cdf161aed0e6f028e4a7668e307bc25f213586c25d706e22f5aebdc5825232b5af399ee4d4d7fde9221afbfe820aef66734f7d0114941da82548

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
180KB

MD5
288911f1b6c54f2ef0cf0f845ae1aba1

SHA1
fd241f4ab752458be5864f92ba7c774dd531d4b7

SHA256
e2b3f17734c688424cba59fa876883bc99fe793dd1ae0cc545c7164eb5e33e14

SHA512
76d126cb1141b4e692c2cb6d1e5c401b2541689359a7816987cc68a2337e571131db1df2d85a66c278e25838329074f04209dec58b5108b329c28a421fdd51fe

Download Submit
memory/464-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1840-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3428-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5152-974-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5164-1011-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5248-953-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5532-1003-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5540-983-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5580-1002-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5604-970-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5608-982-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5652-1000-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5772-969-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5788-997-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5828-968-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5848-979-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5944-961-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5976-977-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6140-965-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads