157911998b399f236715bc7f46ccbad1e76d3712ceef94f83a21e45b99f381d7

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

462616c26662be331b913df376ccf174.exe
Size

192KB
MD5

462616c26662be331b913df376ccf174
SHA1

99300f26433fb85959e943e1f1aad0e084557abc
SHA256

157911998b399f236715bc7f46ccbad1e76d3712ceef94f83a21e45b99f381d7
SHA512

3e6c08b35397e9cb9bceda3a94cfc949318668b205c615df11361014d998d6c87ec34194969c100732884e147887a176240a5669db675cad1fd445fea7a50673
SSDEEP

3072:w4hfV2BpF7X2YzSt2B1xdLm102VZjuajDMyap9jCyFsWtex:PyJX2uSt2B1xBm102VQltex

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe

Executes dropped EXE 64 IoCs

pid	Process
4396	Gcbnejem.exe
3056	Gfqjafdq.exe
4180	Giofnacd.exe
1928	Goiojk32.exe
2124	Gjocgdkg.exe
2620	Gmmocpjk.exe
3496	Gpklpkio.exe
4040	Gjapmdid.exe
3524	Gmoliohh.exe
4204	Gpnhekgl.exe
2880	Gfhqbe32.exe
4544	Gifmnpnl.exe
2476	Hboagf32.exe
872	Hjfihc32.exe
4884	Hapaemll.exe
3948	Hbanme32.exe
1884	Hpenfjad.exe
4032	Hjjbcbqj.exe
4448	Hadkpm32.exe
1936	Hbeghene.exe
1252	Hjmoibog.exe
2580	Haggelfd.exe
3220	Hbhdmd32.exe
2304	Haidklda.exe
2964	Icgqggce.exe
1540	Ijaida32.exe
4144	Iidipnal.exe
220	Iakaql32.exe
3984	Icjmmg32.exe
2120	Iannfk32.exe
5100	Icljbg32.exe
1064	Ijfboafl.exe
3476	Ipckgh32.exe
4712	Idofhfmm.exe
3976	Ifmcdblq.exe
5048	Ijhodq32.exe
3116	Imgkql32.exe
1368	Ipegmg32.exe
4844	Ibccic32.exe
3020	Iinlemia.exe
3468	Jaedgjjd.exe
532	Jdcpcf32.exe
1216	Jfaloa32.exe
2660	Jiphkm32.exe
2116	Jpjqhgol.exe
528	Jfdida32.exe
2796	Jibeql32.exe
2572	Jaimbj32.exe
516	Jdhine32.exe
4832	Jfffjqdf.exe
4420	Jjbako32.exe
4464	Jidbflcj.exe
5052	Jaljgidl.exe
2296	Jpojcf32.exe
2940	Jbmfoa32.exe
2148	Jfhbppbc.exe
3132	Jigollag.exe
4372	Jmbklj32.exe
3548	Jdmcidam.exe
4796	Jkfkfohj.exe
2284	Kaqcbi32.exe
544	Kdopod32.exe
2748	Kkihknfg.exe
3320	Kpepcedo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Gmlfmg32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Egoqlckf.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	462616c26662be331b913df376ccf174.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Goiojk32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Ijfboafl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6128	5844	WerFault.exe	227

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	462616c26662be331b913df376ccf174.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbbnj32.dll"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	462616c26662be331b913df376ccf174.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4396	4736	462616c26662be331b913df376ccf174.exe	85
PID 4736 wrote to memory of 4396	4736	462616c26662be331b913df376ccf174.exe	85
PID 4736 wrote to memory of 4396	4736	462616c26662be331b913df376ccf174.exe	85
PID 4396 wrote to memory of 3056	4396	Gcbnejem.exe	86
PID 4396 wrote to memory of 3056	4396	Gcbnejem.exe	86
PID 4396 wrote to memory of 3056	4396	Gcbnejem.exe	86
PID 3056 wrote to memory of 4180	3056	Gfqjafdq.exe	87
PID 3056 wrote to memory of 4180	3056	Gfqjafdq.exe	87
PID 3056 wrote to memory of 4180	3056	Gfqjafdq.exe	87
PID 4180 wrote to memory of 1928	4180	Giofnacd.exe	88
PID 4180 wrote to memory of 1928	4180	Giofnacd.exe	88
PID 4180 wrote to memory of 1928	4180	Giofnacd.exe	88
PID 1928 wrote to memory of 2124	1928	Goiojk32.exe	89
PID 1928 wrote to memory of 2124	1928	Goiojk32.exe	89
PID 1928 wrote to memory of 2124	1928	Goiojk32.exe	89
PID 2124 wrote to memory of 2620	2124	Gjocgdkg.exe	90
PID 2124 wrote to memory of 2620	2124	Gjocgdkg.exe	90
PID 2124 wrote to memory of 2620	2124	Gjocgdkg.exe	90
PID 2620 wrote to memory of 3496	2620	Gmmocpjk.exe	91
PID 2620 wrote to memory of 3496	2620	Gmmocpjk.exe	91
PID 2620 wrote to memory of 3496	2620	Gmmocpjk.exe	91
PID 3496 wrote to memory of 4040	3496	Gpklpkio.exe	92
PID 3496 wrote to memory of 4040	3496	Gpklpkio.exe	92
PID 3496 wrote to memory of 4040	3496	Gpklpkio.exe	92
PID 4040 wrote to memory of 3524	4040	Gjapmdid.exe	93
PID 4040 wrote to memory of 3524	4040	Gjapmdid.exe	93
PID 4040 wrote to memory of 3524	4040	Gjapmdid.exe	93
PID 3524 wrote to memory of 4204	3524	Gmoliohh.exe	94
PID 3524 wrote to memory of 4204	3524	Gmoliohh.exe	94
PID 3524 wrote to memory of 4204	3524	Gmoliohh.exe	94
PID 4204 wrote to memory of 2880	4204	Gpnhekgl.exe	95
PID 4204 wrote to memory of 2880	4204	Gpnhekgl.exe	95
PID 4204 wrote to memory of 2880	4204	Gpnhekgl.exe	95
PID 2880 wrote to memory of 4544	2880	Gfhqbe32.exe	96
PID 2880 wrote to memory of 4544	2880	Gfhqbe32.exe	96
PID 2880 wrote to memory of 4544	2880	Gfhqbe32.exe	96
PID 4544 wrote to memory of 2476	4544	Gifmnpnl.exe	97
PID 4544 wrote to memory of 2476	4544	Gifmnpnl.exe	97
PID 4544 wrote to memory of 2476	4544	Gifmnpnl.exe	97
PID 2476 wrote to memory of 872	2476	Hboagf32.exe	99
PID 2476 wrote to memory of 872	2476	Hboagf32.exe	99
PID 2476 wrote to memory of 872	2476	Hboagf32.exe	99
PID 872 wrote to memory of 4884	872	Hjfihc32.exe	100
PID 872 wrote to memory of 4884	872	Hjfihc32.exe	100
PID 872 wrote to memory of 4884	872	Hjfihc32.exe	100
PID 4884 wrote to memory of 3948	4884	Hapaemll.exe	101
PID 4884 wrote to memory of 3948	4884	Hapaemll.exe	101
PID 4884 wrote to memory of 3948	4884	Hapaemll.exe	101
PID 3948 wrote to memory of 1884	3948	Hbanme32.exe	103
PID 3948 wrote to memory of 1884	3948	Hbanme32.exe	103
PID 3948 wrote to memory of 1884	3948	Hbanme32.exe	103
PID 1884 wrote to memory of 4032	1884	Hpenfjad.exe	104
PID 1884 wrote to memory of 4032	1884	Hpenfjad.exe	104
PID 1884 wrote to memory of 4032	1884	Hpenfjad.exe	104
PID 4032 wrote to memory of 4448	4032	Hjjbcbqj.exe	105
PID 4032 wrote to memory of 4448	4032	Hjjbcbqj.exe	105
PID 4032 wrote to memory of 4448	4032	Hjjbcbqj.exe	105
PID 4448 wrote to memory of 1936	4448	Hadkpm32.exe	106
PID 4448 wrote to memory of 1936	4448	Hadkpm32.exe	106
PID 4448 wrote to memory of 1936	4448	Hadkpm32.exe	106
PID 1936 wrote to memory of 1252	1936	Hbeghene.exe	107
PID 1936 wrote to memory of 1252	1936	Hbeghene.exe	107
PID 1936 wrote to memory of 1252	1936	Hbeghene.exe	107
PID 1252 wrote to memory of 2580	1252	Hjmoibog.exe	109

C:\Users\Admin\AppData\Local\Temp\462616c26662be331b913df376ccf174.exe
"C:\Users\Admin\AppData\Local\Temp\462616c26662be331b913df376ccf174.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\Gcbnejem.exe
  C:\Windows\system32\Gcbnejem.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\Gfqjafdq.exe
    C:\Windows\system32\Gfqjafdq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\Giofnacd.exe
      C:\Windows\system32\Giofnacd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        27⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        29⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        31⤵
        Drops file in System32 directory
        
        PID:2408
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        32⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        59⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        61⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        67⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        68⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        72⤵
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3508
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        75⤵
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        77⤵
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2032
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        80⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        81⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        84⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        85⤵
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        86⤵
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        87⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        88⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        91⤵
        
        PID:920
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1004
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        93⤵
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        95⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        98⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        100⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        101⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        104⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        107⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        108⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        109⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        110⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        111⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        115⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        120⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        126⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        127⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        131⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        132⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1672
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        135⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        137⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        140⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        141⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 408
        142⤵
        Program crash
        
        PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5844 -ip 5844
1⤵
PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
192KB

MD5
a6f0cb59e2cdba492f64d98ffe8a3d29

SHA1
4aa09c0e1e9d8f6fed4714f6877998463516be73

SHA256
f487a79d0643c6e3670a82efa4ea4d1ccd0a87c7ff2bd88ff1dee6dfa5f70c9b

SHA512
b6d040bac1357606a7e99530571fba39d834519765c68d823231b972cf08b65e23e26d95b9c200dc4e48432a998ce9ffa2f70d9d2b50b25dd5d192ed04f3b955

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
192KB

MD5
67f6dbaff422769a452cbf0cf53275af

SHA1
573b0bbe93646ec74a1feb88d6c53387e83db498

SHA256
1cffe4e1ef52d854597ec1a21189decddb788bc8c305289bc046a3cff4426f8f

SHA512
6b8ba5eda45a0e6cae2bb785fda384408eaaa990cfefa96ac4c6a764e83df94b43507bb0c1190c8dadf51f7119182dbea70e5872d8f920c0c5ad16b4478c44df

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
192KB

MD5
253d4bba473e0be8f4f67d76f2e8c00a

SHA1
eb56a3a79ecc9a91c741ea7c7cc0e2440773c5ad

SHA256
598003422bb5f586d3f4e487f80c2634419cbef3f6d39d402c7478af897b076f

SHA512
ef2da65e53fa39826eb73b6e6e9c31fcf797dfbc7231a95a56fb94d450cc6859d95a1d76d9561dcbbf2bc99fc5c19f743c7a229717b996a9049ab48592dd2fa5

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
192KB

MD5
cfcd407917406c5e123f44f2f34b7daf

SHA1
28062bf9fda363a2e6758995e842a6eb954d048e

SHA256
fb0161936da53c4034725fd411c7cace79dbeeabef6e49fa6ea197da23617e20

SHA512
523125dec053783a70d2e0f37583515e17ebfad742fdc0e31b76ff39a93d702d7ba818e858ea55bc811e9ff94468d3845ff87337f8750a8d22b6564a84f2665e

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
192KB

MD5
d48ec2aa86f083d816a7312bc9eb5e7a

SHA1
79beb75619d9e216e1ba166d6c536a139c4e14d9

SHA256
f0889b7779d28012670ddf030cef4978f06cfaf95bfccc38c97a27eb33d57cf6

SHA512
e4169bf7a71d0a71dc2ef42537e495c094faca801cde070d5810c647b4474646b44a405051cf33ed83339e2bd0d4c50df7a41c88092b7d56750d547695337542

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
192KB

MD5
d8620474bd264f759ccc0722aa138773

SHA1
6858e207bcaf8d249d175e68275daf6714acdb1f

SHA256
bb579b04627515e7d1c04d3c40a0c569ae4929c1ac587eb7f3e054d537b6457b

SHA512
94e637753a16cfb52e17766701c5253cdbd04acbd7576ba605086a58ab336a1e166b874f7d694ef51f41199a9feefa686d718b833eb78370ea6c8670f1bfbcb3

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
192KB

MD5
81f3e94af7ceb8d0fe81e80c94a6bd54

SHA1
07f506834a78a621b9523d8800f6537155cf4786

SHA256
51f7f9ce71ada9dc85a92b5acbb651af5c408ec6715320d3557a3de0eb933e30

SHA512
1d9b5afbe0902178a0dc7b6440ddd5f6f9e5890f766b8b12a9e4a4bf7163e23f7118234e1f5f11ced39b72293b36fc8ed5652d4169603ca119aa20687f2acdb0

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
192KB

MD5
7cf051a25ea93e41fc65c4e15f9d11b8

SHA1
02a2dce87198c9dca2e7e649ecd0678e9f047ecf

SHA256
07b7fded832abb4363650aad206fe43703fc60b8828e520349bd55878b596c9e

SHA512
39762ac4da53271abb494456905d6cd80e19d6404dccc1634a31920b16fd6745731af3fa32e2dd0c4e2ca2b98d86eba18404432b4385841700e021288a733df6

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
192KB

MD5
3d7fe49773560ac2fad38f2146a56f26

SHA1
3575982fc32578f71018cecd7849b44d6fc373f5

SHA256
b0230a39211b6b1a52a8ab3c49cce4263530428a05043d53b786486626e17181

SHA512
fda06b48a44134d02b877d92af636245044798496b3c2fd0fc47390aeb3c91272cba1700b9cc8c9535d60fb9a56e23050aa954a5b62cbd8c172503e7221b3790

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
192KB

MD5
e303e718370760560a4264567c270dbd

SHA1
73cda31945e9af04df676bb667776beacdd37417

SHA256
ab307a8b964c521c0078412b0a68fc3302d044597568be51cb679425f180e347

SHA512
a5b41987377e2acf578cd6e484f32b2555a1795ec21fb4ed2ad2bc8190ca1e9893822798875754c16fe3ecab7999b64b0d19ac74e7ebfb07ea98d84b86c2fed1

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
192KB

MD5
eeb75ce38a177cc1f57460e663cc031c

SHA1
0ea524cf9b2e585ab7ea463378cde3f3cd5bcd7c

SHA256
eaaf63c0808d67638cbdf3ea13c57f5cd033487652586b297eeb1bc427b13ffa

SHA512
a193733b7a37a117917085be83bfaa0a4c6e10f192833b1451114239fd1c0ef4b2a48219ce389a17fb3f22906989cb81bf4f25fdbf686f18b582901a6e38023c

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
192KB

MD5
f761b0529d338bd3b439762a14ad3485

SHA1
932a162778cab4b48912652c6b4bef5b68bc0a0d

SHA256
bad65f59921cb91d842cc964a82f309b8b77fc4fca34817a94fea9a98ad21950

SHA512
b09c0e7861636add5362e2c99921387eee95c04e044e80651a4ebd18da639c9cce69af5a9a2ed01e661650d892f575d38d82c238352135b33dc71ce103a319cf

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
192KB

MD5
4a224fc38c02786a2cb618b90481dc7a

SHA1
ea97e88ba23164529776fb3fee34cfb94d73ef8b

SHA256
991d92466ffb5e330ff95eca44ed00608f9cf41fca3a23d8c0ee479e6ff1c46c

SHA512
af696ea469c411deb99d25516f2a120083add2f78a6a103b4d5bc1c622b5ddcdfa6d5ace0e25cde7e7b3caa2eda8d887e312e210ca6c6132dc0a58249cd7b0e2

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
192KB

MD5
f5749f52e2b7916a4eb366670c48467f

SHA1
f265a4c309c1d3cb352176a75e37beb0d2fc283e

SHA256
ad1bbee693966f73494a3b8bfab2ff0fafea0af2c7b3fc77d42af89b3e6341af

SHA512
5970af1067013368f716d38491295db2c3de65fb831f61cfa24372de13f39c823613fb2d6ea02baf0b25dfc0d4369319ec98d98a40a4d1b12a7e9803ce270f42

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
192KB

MD5
0506c836f174b1dbd470355215446c08

SHA1
387716c7251e7dc60b8ef810fa437b596e9a5362

SHA256
0e918e321107d08216810fca98358e9a310ac4d9fafc237a4e7833bf839a7208

SHA512
ebb713678a65e6328b3bd5bd06eef66d82738fb0e0693d3201bc5cf880bd74ef6be69964b891b1e4bcb1063441174c1532d0cd50381d76aa962e6d6b64a94cc4

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
192KB

MD5
158918522e1bc875a020a1620900997d

SHA1
48009db78bfcb191a97d67dbd7365a986c4debd6

SHA256
a64b1575e00a5db3bd3deb98fe176cbb4adc0f58a89dbf37918e99ef0f9ef44d

SHA512
851a92e68cb49aa9dbe96ebf8bb5270f47ab2e9152b833a6729d97151eba4cabb47856cc380d7f8d28ab5bfef43a35b73c241acd620908ff572d1a592b22e8a1

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
192KB

MD5
dae9f61256b3a9fba747d0f7e46a7ab2

SHA1
f06568a70f478828915dece7cb5e5650e7b354e9

SHA256
bf25b4f809db562bac49810edb64be68b77ea825a9a2a418d633c3011b84bf5a

SHA512
83becd3c65887b45f016215abf2e6e9159c289ec9c4bfee03bb4932c5d71b2ccc1c1508fa02a139d38b8209058d26a900a17dd6e9f035acdef00027ed2cff284

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
192KB

MD5
e14d4bcdd009fdcd42d9ba88d030e426

SHA1
171ab3a9e1fc29707c46e542b7bd2c4bef38aa73

SHA256
4c7dde609d931493cbc1f62d88770b7307a87a04714a55e4470b165eddf709d7

SHA512
cf6f2c946dc68ef352a996283f5527a134cf7bdd9dae3f11a26c67455ef34947ea7432c3978a0077e2c042dd5ec388291613695497e399991aa17709d27a43ae

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
192KB

MD5
1e40435bd9eb54aeddb7a926d564d151

SHA1
1b8ef1f303d9e60453c418b15ee9838d99f91b07

SHA256
35b7fb53ba5149de537824bd39e71ae7b51ce3a7afa901f4021087e959957526

SHA512
1924f9f79a14daf15b0b7c47e6393ab7bf6f67b5410ed5c72fcc689bf60e6fea693920cc6113098814ba41bdecbc07b3faf4ec0ee3a88505a4abf40adc8f3ed7

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
192KB

MD5
a275f1f0908e00477785017a84ffb347

SHA1
c0db569c36aa4d478b6eb0e207385fddf7e0c91d

SHA256
424bdc909e3ad9294eacfea2f372a8eccbb1b368214c82a7333805451864734e

SHA512
ee4189ba7cc947f88f3f6ac04f630def10850a43bdcf65b0c1040c5530eb3cbc876ff04f5f78f50e5afbd566881e32311609733f457c2415b2908b481fcd93e0

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
192KB

MD5
2744fc797a4a51bd8004d12be04c2649

SHA1
6d5c573482c3db0739ed04394dc45a115375f349

SHA256
76c6f2229bc3bcac947072231b1a82a2e25ae4f30abc0a9f516ae658c0d2d68e

SHA512
c0619362e05d2cb475e0bae1579aa4a65dec3b3f1259912cd8bb21a223ce8f100db771fe922ce62490c766c970e6f1fd3d0f81477c865d7e1342754c258f44b1

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
192KB

MD5
6e1d6c583de0e8f86392889c41cfbaad

SHA1
f1a4827d22468b1742ea57d91f0dabc12e82ea75

SHA256
63c317e9a959152513b7bdbd9094ad1a4a180fd7e19d8e30f9d09dd0c6a621e0

SHA512
47338f2d15d2e51f6877868822f29d4e17a0163e8063c78edd552a6a104d155a0da7a73d44fa19c40610476ade1de401408a90d6c187e69b9dd2d72eec0abf3f

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
192KB

MD5
889ab97c391373ed6b6257e716e8bd80

SHA1
48666da1190aa30d2b67ba1de0b09582fde289c6

SHA256
553bbb1e3fcc2c6792316410de0497a77f8ee32f6c366c2806e8ae789deed431

SHA512
10cf6a0c8e88372bfca32116d717e4df8813933737d9997a0b0842180420ff9ca67deef88b7a825d129eb5121cdd650fad4e0854c02e4219b747efe0cb008740

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
192KB

MD5
977f1fd25cd07c0c6229400bf080c7cd

SHA1
b08890e4c7a08955afdb290fa3aac5bdeead3fad

SHA256
761eea47f52535bdaed4bbef591ae5e00facb5f415c846c393cb554e7d4960cc

SHA512
f880eb29ff9ca1fcac2cbd2ad9acfd4ef0432b8bb4f1ee03e01da73ca242e353365bf5df7c2a468516362a49634ff9787f254b2c5afbb1ed558c8a865bfeb882

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
192KB

MD5
bceefc1f758ed8743dcf34b037884257

SHA1
ac28c307f8f478468e310e6cc1060bc26cfb6818

SHA256
9941d14c19726cc94d430cde7f5e371df9c2a2bf3ef0ca35cabc210e402f9bfd

SHA512
caff1bd96b72cd91405c2798e4f1cafc630999d50c1a8d81b15874832ac565ffe9873479f3f647a27fa2a2c6799caf246a80b68dc7c09f771b36b8bb7b55852c

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
192KB

MD5
545a2b31d50d488984180a96544b3d5b

SHA1
6c242239b20fc43234997fa2ef1c8e632127a09f

SHA256
e1648ac3a2d3ca1d17c7c602b6929620eab409a1ea6bcae44d84445378480278

SHA512
63a261f35fe819d4878a09fa4d8df5f872d1356758f4b85f707d8dd9d6ea0b8e10c905186106e84b28c58c69ed00f01532c0622b372c5eda5e8fba3ac7503480

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
192KB

MD5
1329ce6ecb863779454b53a91b45b589

SHA1
8319fdc5d50d7d0bf3226ac1b88fdd692fd68b2b

SHA256
c1cb16eb1643e281e0422602a4d68fda18568c9c050ef4652ee4582b93609177

SHA512
31de2e0bb295d646838ad12f28ee48081b3025b2217419ec5b08ae68c4a007713cf8afe728c3c2e2f8d2aea47f827b900092ba976e99828bfa061ab8f50bb0a1

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
192KB

MD5
5870671e1d914677406ed2b09ca4448d

SHA1
e6f5671bc81c270cab618ce283dbc631a0c4be8d

SHA256
44294ed336b9926addcd3042b948ea6fa824461b020dc2cb65d7d695e912a6e1

SHA512
904a76e2a230716e6940e58d941c967c65424919e1ed19f87229951bfa80df54055ae78275cd7763cffc5fbf2c967567afe536c09759ae9956c9cdaafb17cffd

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
192KB

MD5
8e2c34c417645d719b6108de6385763c

SHA1
3d46fd78da291c59f64190a0d97ab7054a16e023

SHA256
040bfbb6c265b5cc222d8a10d322e8c715410a786118eee4b2a5055d1cad786b

SHA512
6e41cb90d75c3c478b0b6009ea340b653682abd4f1d96ce33807635769728bb4946df798e1fd9fae36e9da7e08b5c914699c3667629853a39af224eb72234132

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
192KB

MD5
f4452d2b23f735b3b14b9c1a973355f1

SHA1
1b30d695426bb85511ec00859b1c293b1cc971b9

SHA256
ec11eb30e2bb210229c82b3fa81bdd9f9719934fdb44a0ff3a72329cac36e09c

SHA512
49276c9d09817a0ba0b006500f9789b3882b7cf0d0ba94dac7390413489b5720ac1c66b0740f44c17141217f047856f2d1c0709350c24aea2070ed6f6175009d

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
192KB

MD5
ef03f312b4f4bc137a107bb42ad3ece6

SHA1
e8c042318d13c6ca93d00af749186a7b65683032

SHA256
603f3606af76112df03ea34795880d23ece2ab36d0513eabaa9d4a66d8060cfe

SHA512
7019cb49b3b49d96b496fb238e074db1e0789547d46b02784477d1844b9adc872520906366ac18defade73899883645e11f8f2f4b4bf626d76083e8b90ca0687

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
192KB

MD5
f1c210913e57f1d8672e121778cd6fa8

SHA1
1377cbd0261809413a17c0e52bbdf717bc6475cf

SHA256
08dde5ebbd86f2dee0cde0cae0e2a0e128a3a9a074bcffce767ef8a52021faa1

SHA512
752461af37a42f28f8f800ff582854be74bf1e202344850b66b0ed5a652ae7cfeffdc4b055b6899a240728a5744794bc7d84b51af78c0e7d109bd2c31899ddcb

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
192KB

MD5
34db153cf4784e8f11747824c8d151d8

SHA1
2315d006e1854b8c5df7d13e292315a41527ca47

SHA256
4973911248133ecee32791a7c6d54e6ab5315090f18cbe2c6d0efd2b43e61d53

SHA512
796c3c00b54e48badcfc7961bd8618fcca9e43734aec89e89fefa68b1cace7ed4484a8e9378cccb905fbb3a0f740b00b2a76a267ca41692252894f20d0d4ac0c

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
192KB

MD5
5fa97c77b81e52ea5cca4505058ddc05

SHA1
48784ffca4d49c636b75a229b4ba0b2e7ed03411

SHA256
fcd7841d031abe19d184e20e4f4ae09ea03d228f6fba355b91824f7d2939bf6d

SHA512
e2833556cd8de3eaed166a6886470460bb5c0d6ec53dbe2b8e8a69ecf8f6128cbc4726fc31a3b767eee5a87cf65922de6304de14219377759991ec793eb3a354

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
192KB

MD5
3fb435c018d416672ee5d22d8ce03218

SHA1
21d45137b2344f9e6e52c0c6106f0fa43fede455

SHA256
0fcedf4625d85a93038dc5cb63b13e5f114abaa85f219a3eca042c7e068cb712

SHA512
8200b2b9bab1837b29a78efe5145fc73d3dc53220a3cd92d4723c8781a06f3c25e1e691017e7522c56e29d1ee5e6eae506edb19f22e5b8f74e0cd8d2e64153c1

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
192KB

MD5
2c36b16721957bf38d82fff9662532a1

SHA1
79e2c266582d85842b266724ab43ea0e4d154578

SHA256
66c81d385b993cdd0071392cc3fc1189f69f39e65544e1fcf376a7b74a535eb8

SHA512
c2d0d200acd9fe2c25167141170c3d12e44a996ca68de39037cee34c615dd34de66077f2bff92df41133c856c2855c2e584e7898ced8ceccfb077c535f501b68

Download Submit
memory/220-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-974-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5732-968-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5844-967-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6052-975-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads