8d1404b468c292a21f1b5efba9ca85ec55cf0d7586555d3a40284209efe16253

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d1404b468c292a21f1b5efba9ca85ec55cf0d7586555d3a40284209efe16253.exe
Size

64KB
MD5

d63ec39fe0529644b4bf6d14695c5b3a
SHA1

561fdc06b0c2eac325de92d30374a0bf1a409a6b
SHA256

8d1404b468c292a21f1b5efba9ca85ec55cf0d7586555d3a40284209efe16253
SHA512

c9a1b5ddf62dbbfdda8d888288bcaaf11abe2d6ea7bda5b31c06aead6c457a8809bb5ac08f96b0c993454e2fcd9c9f7ce8db8167f6e4a16901a9547fc18d0243
SSDEEP

1536:jZbDyLg0tAqTksy+c4DyurICvlBIly5VP:Rjqwsy+c4Dygvlalkt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe

Executes dropped EXE 64 IoCs

pid	Process
5004	Gbcakg32.exe
3048	Gimjhafg.exe
1652	Gqdbiofi.exe
852	Gogbdl32.exe
4756	Gbenqg32.exe
5112	Gjlfbd32.exe
3188	Gqfooodg.exe
1692	Gcekkjcj.exe
4876	Gfcgge32.exe
3528	Giacca32.exe
2060	Gqikdn32.exe
2168	Gcggpj32.exe
1460	Gfedle32.exe
4036	Gidphq32.exe
1196	Gmoliohh.exe
3044	Gpnhekgl.exe
2940	Gbldaffp.exe
4496	Gjclbc32.exe
4880	Gmaioo32.exe
4344	Gameonno.exe
4940	Hclakimb.exe
3384	Hfjmgdlf.exe
1020	Hihicplj.exe
2788	Hapaemll.exe
4696	Hbanme32.exe
3736	Hfljmdjc.exe
4164	Hcqjfh32.exe
3336	Himcoo32.exe
4292	Hadkpm32.exe
2464	Hpgkkioa.exe
2360	Hbeghene.exe
4988	Hmklen32.exe
5016	Haggelfd.exe
3008	Hfcpncdk.exe
1004	Hibljoco.exe
5012	Ipldfi32.exe
4824	Ibjqcd32.exe
4804	Iidipnal.exe
4768	Iakaql32.exe
736	Icjmmg32.exe
1540	Ifhiib32.exe
4076	Imbaemhc.exe
2932	Icljbg32.exe
1728	Ifjfnb32.exe
3700	Imdnklfp.exe
1360	Iapjlk32.exe
2884	Idofhfmm.exe
528	Ifmcdblq.exe
224	Iikopmkd.exe
4480	Ibccic32.exe
4412	Ijkljp32.exe
4552	Jpgdbg32.exe
1400	Jdcpcf32.exe
3248	Jjmhppqd.exe
4308	Jagqlj32.exe
3868	Jpjqhgol.exe
2188	Jdemhe32.exe
3436	Jibeql32.exe
1012	Jaimbj32.exe
4732	Jdhine32.exe
4716	Jbkjjblm.exe
4972	Jidbflcj.exe
756	Jaljgidl.exe
2608	Jpojcf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6068	6080	WerFault.exe	227

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 5004	4760	8d1404b468c292a21f1b5efba9ca85ec55cf0d7586555d3a40284209efe16253.exe	85
PID 4760 wrote to memory of 5004	4760	8d1404b468c292a21f1b5efba9ca85ec55cf0d7586555d3a40284209efe16253.exe	85
PID 4760 wrote to memory of 5004	4760	8d1404b468c292a21f1b5efba9ca85ec55cf0d7586555d3a40284209efe16253.exe	85
PID 5004 wrote to memory of 3048	5004	Gbcakg32.exe	86
PID 5004 wrote to memory of 3048	5004	Gbcakg32.exe	86
PID 5004 wrote to memory of 3048	5004	Gbcakg32.exe	86
PID 3048 wrote to memory of 1652	3048	Gimjhafg.exe	87
PID 3048 wrote to memory of 1652	3048	Gimjhafg.exe	87
PID 3048 wrote to memory of 1652	3048	Gimjhafg.exe	87
PID 1652 wrote to memory of 852	1652	Gqdbiofi.exe	88
PID 1652 wrote to memory of 852	1652	Gqdbiofi.exe	88
PID 1652 wrote to memory of 852	1652	Gqdbiofi.exe	88
PID 852 wrote to memory of 4756	852	Gogbdl32.exe	89
PID 852 wrote to memory of 4756	852	Gogbdl32.exe	89
PID 852 wrote to memory of 4756	852	Gogbdl32.exe	89
PID 4756 wrote to memory of 5112	4756	Gbenqg32.exe	90
PID 4756 wrote to memory of 5112	4756	Gbenqg32.exe	90
PID 4756 wrote to memory of 5112	4756	Gbenqg32.exe	90
PID 5112 wrote to memory of 3188	5112	Gjlfbd32.exe	91
PID 5112 wrote to memory of 3188	5112	Gjlfbd32.exe	91
PID 5112 wrote to memory of 3188	5112	Gjlfbd32.exe	91
PID 3188 wrote to memory of 1692	3188	Gqfooodg.exe	92
PID 3188 wrote to memory of 1692	3188	Gqfooodg.exe	92
PID 3188 wrote to memory of 1692	3188	Gqfooodg.exe	92
PID 1692 wrote to memory of 4876	1692	Gcekkjcj.exe	93
PID 1692 wrote to memory of 4876	1692	Gcekkjcj.exe	93
PID 1692 wrote to memory of 4876	1692	Gcekkjcj.exe	93
PID 4876 wrote to memory of 3528	4876	Gfcgge32.exe	94
PID 4876 wrote to memory of 3528	4876	Gfcgge32.exe	94
PID 4876 wrote to memory of 3528	4876	Gfcgge32.exe	94
PID 3528 wrote to memory of 2060	3528	Giacca32.exe	95
PID 3528 wrote to memory of 2060	3528	Giacca32.exe	95
PID 3528 wrote to memory of 2060	3528	Giacca32.exe	95
PID 2060 wrote to memory of 2168	2060	Gqikdn32.exe	96
PID 2060 wrote to memory of 2168	2060	Gqikdn32.exe	96
PID 2060 wrote to memory of 2168	2060	Gqikdn32.exe	96
PID 2168 wrote to memory of 1460	2168	Gcggpj32.exe	97
PID 2168 wrote to memory of 1460	2168	Gcggpj32.exe	97
PID 2168 wrote to memory of 1460	2168	Gcggpj32.exe	97
PID 1460 wrote to memory of 4036	1460	Gfedle32.exe	98
PID 1460 wrote to memory of 4036	1460	Gfedle32.exe	98
PID 1460 wrote to memory of 4036	1460	Gfedle32.exe	98
PID 4036 wrote to memory of 1196	4036	Gidphq32.exe	99
PID 4036 wrote to memory of 1196	4036	Gidphq32.exe	99
PID 4036 wrote to memory of 1196	4036	Gidphq32.exe	99
PID 1196 wrote to memory of 3044	1196	Gmoliohh.exe	100
PID 1196 wrote to memory of 3044	1196	Gmoliohh.exe	100
PID 1196 wrote to memory of 3044	1196	Gmoliohh.exe	100
PID 3044 wrote to memory of 2940	3044	Gpnhekgl.exe	102
PID 3044 wrote to memory of 2940	3044	Gpnhekgl.exe	102
PID 3044 wrote to memory of 2940	3044	Gpnhekgl.exe	102
PID 2940 wrote to memory of 4496	2940	Gbldaffp.exe	103
PID 2940 wrote to memory of 4496	2940	Gbldaffp.exe	103
PID 2940 wrote to memory of 4496	2940	Gbldaffp.exe	103
PID 4496 wrote to memory of 4880	4496	Gjclbc32.exe	104
PID 4496 wrote to memory of 4880	4496	Gjclbc32.exe	104
PID 4496 wrote to memory of 4880	4496	Gjclbc32.exe	104
PID 4880 wrote to memory of 4344	4880	Gmaioo32.exe	105
PID 4880 wrote to memory of 4344	4880	Gmaioo32.exe	105
PID 4880 wrote to memory of 4344	4880	Gmaioo32.exe	105
PID 4344 wrote to memory of 4940	4344	Gameonno.exe	106
PID 4344 wrote to memory of 4940	4344	Gameonno.exe	106
PID 4344 wrote to memory of 4940	4344	Gameonno.exe	106
PID 4940 wrote to memory of 3384	4940	Hclakimb.exe	107

C:\Users\Admin\AppData\Local\Temp\8d1404b468c292a21f1b5efba9ca85ec55cf0d7586555d3a40284209efe16253.exe
"C:\Users\Admin\AppData\Local\Temp\8d1404b468c292a21f1b5efba9ca85ec55cf0d7586555d3a40284209efe16253.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\Gbcakg32.exe
  C:\Windows\system32\Gbcakg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\Gimjhafg.exe
    C:\Windows\system32\Gimjhafg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\Gqdbiofi.exe
      C:\Windows\system32\Gqdbiofi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        38⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        56⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        59⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        60⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        61⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        62⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        63⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        66⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        67⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        71⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        74⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2700
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        77⤵
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:744
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        79⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        80⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4912
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        82⤵
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        85⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        92⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        93⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        95⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        100⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        101⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        105⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        106⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        109⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        111⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        113⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        116⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        122⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        123⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        124⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        125⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        126⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        128⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        129⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        133⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        134⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        135⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        137⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 408
        138⤵
        Program crash
        
        PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6080 -ip 6080
1⤵
PID:5660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
64KB

MD5
28fa79b2dfcf250a3b4715bc74e8861c

SHA1
8ebe79bb346d0a4b43e6bfdb3ce718c6403788d4

SHA256
02c962df298ac81115102477b11d3901274b6a3347a0e33c5a6ef6eea10b0e57

SHA512
d11648c1462c74f442c124cf7b4ef6fcd3715ec5c0a263713465b1b48d76311b4c5deee4ac91a4c7180aafbb957aa0e3cc8fe68261cfb86511ae3d18bf5ce875

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
64KB

MD5
895415b5e677381fa483a87f8732b438

SHA1
291d5d5f4ddc1b767569ae9e5e48ba15f0feeaf5

SHA256
5ee03d9ccf69c239dd4a654700786b4609274c20e39f552bda1f8618fd5f9dc9

SHA512
d2aec109c312f2465f0c11ff1820c1fca0cedc770ae2b5e20ace9483353993a56bbf5e0e1fc219ee112cc04b25082ae1f66a0278b4b8358237b289acb1be0894

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
64KB

MD5
42da30b932ccddbf44f799dfcbf4b349

SHA1
1464f53633c3ad62ebb85d03390bda25030be41b

SHA256
e6e070d8e4a4e211d3a072d6fccc712a9067095f8d73da8ac88fa0610173f23a

SHA512
9b5341f648c3b64f8792eacf2d383c77bccfabb315fa1b531e68082e221ba04a599f4fc56cf215ad75a797b3a55b1db2f02a8ef93dcbc82f42cae73639dc777b

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
64KB

MD5
a3983555508aec8d59f37f9628ef384b

SHA1
ec10d7963dc66ea2654ada10d26518740119c86e

SHA256
9aa3ceb776ec6d8c6785045035a9b3af62ba468e533d712665e38601da2573ce

SHA512
0bae08e263deb19a461235fdc8a3c4f65f0138239376eb2e7c6cd1ffad2e063e93bebdfea1a7ddd007ea2a4815908a39ca6c78c9f13badd86c9b94d1e536f345

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
64KB

MD5
6d6b1cffb514c48986f50a8c0a3e0fe2

SHA1
7f8614d4338923657834314ff0364f540bf93ee8

SHA256
5b456101febdae1684ed842165e491693ad7ebe32185cc04d0f88a0b4f620c37

SHA512
19ad88bf800b401143c446d1b1ab1bb38a3496f6c48de41a6c22420a753147d9f509f5739a66eaac960551932e40d75e1e1e53a2a7e436171ea0a3c36ce98d39

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
64KB

MD5
3841d1b187f63ab796e2802017373c11

SHA1
43a74fadbf486de311a0f65186052f374ce822a7

SHA256
afd3f218d8faef49001aa83c979836153379a3cd2dc4e08ea0741332819e5b59

SHA512
625f3181dac5f7db6582d2701f4ffd9962352d207ed1f80a43eb9288ed0cbd6440f2b3d8be16f0e076a812222ee400469eb6ac0128cd100f651f8050070813b5

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
64KB

MD5
a47f202de5760dddc6c88cbd0549da40

SHA1
57cb4f6f685617c8571a0fa4a92b36dc00e3da06

SHA256
add8b87e6097c07b1553d6e46934053c1525334395184730e33be5748d3d56ed

SHA512
4d8707b17c6d8aa7204735fcb5249b66ce7456a058852549977eb432bd888aa18fa436ae3cbc2630fcab8a3fdcacb6ff07b4a378001dcef5e55a34336b400bb0

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
64KB

MD5
f9cc17619ba69d09b915d919d7f17831

SHA1
302d191f7bb35bac37813eb4f2a200a09b1502f1

SHA256
492a1f9f56939d275779ce692c0521ec8e85b97f305acd2230572bd2d5ff3ed1

SHA512
8ed06b4674ca66358d8d84e2b74d109451a029d083605c3c7b49e4b31cbc395fe108d49e24fbf2ec83882f5cc0e9c829c850c1758c522d755fc2bb843230878a

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
64KB

MD5
f2260d1c886a68c33a7c53e0d8918e8b

SHA1
ba554159a4e5d7440ccafd2784bb058ca2574194

SHA256
8759e8d13cfbdcc044e74878ea93a809015619cb6e38e452961db9112e900f27

SHA512
3da4ee34f2a0e3547fbac8e093a2587963b585b907778b7d1acfa24cf16dfc63e36b73b01fd0fa95102b6c2dc33d223ab485240980257a6f59bc18856aa57835

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
64KB

MD5
2add2f50c73246d347a4f660f6814221

SHA1
d7111b5665ba3357ef2c549d968162140c34d8f9

SHA256
3ca5df782d1c1259fb4ac339c6866fdbf8e9895f245b6d5ac166e5370d9aa22d

SHA512
e8b69a8e87fc428c88c2eb716f526e48109334cafc07a93a1b74860ad60b157314459627ca80dd33d39711cdb9578f0d5d96eb5f9c6cba151c59788591e2c04c

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
64KB

MD5
44766869515dbb70b11f2549fc3ef6bb

SHA1
2f2fc8240ce44bf7b26ff1c0837fcc8ec68d2435

SHA256
4493f89daae0e971284a05b71b2dcbca6237dd06d55a9ef0a00aed3d0979ef14

SHA512
bcd083f7a49a3eed8498bf4cb8601f3f64700cb49a5ccb9a00ab7fde3ae180ade9c2b426faf89c56269a296672ec589b5c05b1bd12c9d3c26f9b3899b3e0638f

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
64KB

MD5
f84969efa343e4321b5f945277c7f603

SHA1
a75e305f452d7510a38803f72c0c67974f2167c3

SHA256
efcfc99c0100c752e4f4d2863de1f5841de5f5e4d58848f6835ef2c03a711849

SHA512
9286c92902b61eb57e0d9f218ddd92b7f0b600ef7d42bcd15e1eb717274c373816eac3042c98098f9682e761d976739a86dea87e917b767365396aec0fcdcca3

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
64KB

MD5
740379bcdae957f8ea7248d2da7b33ed

SHA1
08c0e0352e04dd1f1b43fe8b65278272de6c53f2

SHA256
b691989ebe242052edab411dd0b839cc9b375c1df26057e66d16ce287d65fe34

SHA512
d95056958c222cfbb2750d5443be88e6885c89efe2914c75b8e84f20593bdeaca5d8b91749e7c2f0aafd3198ce6b7fd9e57e7d00c6a6a1ea38f5cb1415c60873

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
64KB

MD5
e469aefd301c1c507dd670c67cf1cf65

SHA1
b32a2fdc2a6ddbdc8dac1e334363da2c7d47090d

SHA256
49722010311d61c8c3a7b80c80ebb1980c740e90451550d4a8acae65429a2f7c

SHA512
c301a5314482e7bd504eae4ed7e9d7a5de7cbaf96e7902470bd6baa13d13544a3a426aa42f277bd2732202bc72313addd2bfe1b09bd92b9ce6206a4cf9da5215

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
64KB

MD5
d9f064eafd9d1a9674fc7cfe9694ca50

SHA1
330c75acfa790fe299aaf5231794d5184ab146f2

SHA256
d3b45a21114d5abca7b27644997c3a94dc89ad5eb9de34da85b43038196e7424

SHA512
aa5c79028131cef756597b05aa001506b22b78bd573c68115e71d7f8eda7b7ad4843538bd992c9d795ab6c1e02acb8741cc7838d4d1cd9d81c2814482dc8c64e

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
64KB

MD5
12002e8f2e7778e613f194c200995788

SHA1
4aaa93343fedf7a51235facfc4ad421af39319eb

SHA256
85007f2d4551dceafac9104e7e9266f8df8b2ab3f12b80beef0b7dbfafc8707d

SHA512
b97333392d3f780679c386fa7a36a6f880f9d2b1bed9c2b98514b78d171fb55d9c13ffefd50e5a57f2f76524c83c7f33efa9b78f228d41affb2faa9266dfe972

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
64KB

MD5
61d92a276f258aa51188dbeac547bded

SHA1
81e0192864dbefe175993c958af48bad6f36b951

SHA256
6e7949254672885ed65d07f0f71befa0c556a24d3ec7a277a23ab6acddd58413

SHA512
ffc85b1e58ddd47b3c39c4d0cbf24a08b09465364e40e6f6d1aafe485342a15a88fdb4da72bd99eb1573562491a1cc05a5ba5df64275171caea4bd81638e4209

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
64KB

MD5
ecfc6e9869b501da3330f8043a3523d8

SHA1
d55eb470b431ab1108d637f042b0b42929e6639f

SHA256
2d500f17565e205841cb719aded38b8bb628eb526f0ce84f6259906e1f3ab8a8

SHA512
0bdf77c722fb31feee2aae77230c5a3f1797020f5883f9cc0d124d1beed2d942e64d8e7ee917473448bbd647eb7392befbcd52b61cb040ef192ede889403e172

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
64KB

MD5
df4ad7e00ca9736e89fa9116a9fe8ee2

SHA1
f6a635e1d02ce855526094b81d5be9bbec1cd875

SHA256
9852ac634d2fc5877f34f0320fe592e6a8ba0a27ad4e67743672ff02ac036f67

SHA512
e40805850c3cf6b9d74b9a7cb674259ee5c03837ae94ec874fdc76d8f4a1b5d8635daf47de7dd5800e5f2fd97f52bd713235c2660ac6889d8c3d9476213b94e6

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
64KB

MD5
37d67a9656f5c81f1099e092bf9d382e

SHA1
9e50905dac1e5956588bf5b15641431e67dafc6a

SHA256
c488d5c01c5abf62c080f195f49a9d86acea36acf3d804693db68ea9b835f6a2

SHA512
f3854c224b9de7b137653d404b8172a89354209dc351a221f01b63ca7b1e7dc2d32b2fba067c7a1b5bb9ffb6568cc407c436b4119e96642c187fa26e5b88652a

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
64KB

MD5
1cd630a94b1145ea40499861a5daf0fa

SHA1
38e279f78bd0f63a3f90d07a24d928d79e9ebfa4

SHA256
d0b840e443208f56b2ba0419f700a3c45b9c4a1d746c9440003e40dc8e9d8a43

SHA512
276f944e630f40cce23824809187d0c84d805696ba5b8d8ac533fa4441aac9de56968236461cc055751e916e57ca5595fd30f2a9b17c435bfb5c972995044b28

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
64KB

MD5
1f18f2f99ff56f57960f93a937fead97

SHA1
98124cd2375b62a9128f63e04f016daa5cf2bd0a

SHA256
1508dea3597599ca81a147250d93e761ca06c6efa91301e22b66f056ecf6b579

SHA512
9fb78fd33dfba65b2daee07ed7264fe82cacd53c79ab04a9e95fb3cbdf9af5867f62ffe3b69f2822a12c1639b48fd003254fd57565613807368f7f48cbdac934

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
64KB

MD5
b4d33c3047071261e81499e1dcea6678

SHA1
ef56957ba25ea6dd0e1c970454437360d04e3a7d

SHA256
5089ef1cb9cd30d96f44a4611a46d29cefeb3c49262002d2a8bc0c916c847096

SHA512
97c3a523d52b07a1dc61b7143b6ea5ad9ff1c07a7f16aa632d761d22977f4bea03b3082ab842c6080f07c11c2ac686b254bfd8cb8ff858e81e5b821b433d72f2

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
64KB

MD5
cfc6396390583d5543a23079c139d68d

SHA1
fa27b98395d0d6a34392b43d3d4c338796915688

SHA256
484a2f0eaf16d31ac2666cc5c1c3090bd0dca06098a802d4ee01dd5d837061ac

SHA512
3263ff06149a3c77314dc4ab66408d177cc5655f680caf3aa488c3849abe1f307ee68280e71ebd3719c1f317766e902ed1ac1762855125c55a70341950617ffc

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
64KB

MD5
1eb8758eb52dc6842e20e40ec16aa1c4

SHA1
aac648a3cd0f30ddb3aab228325ef70105a8f5eb

SHA256
37c485ac51fd1c118ccf93da62478c1549ca9cf80d340ad741495cf827a31ffa

SHA512
5c42e168498113f9d70867c74f2784530683c43739f133785a6eea70cc40394d50e66daa5b335201ba599e2ce5f8f6a0a9f08fc4bd8addd7d71f6d674da9d6cc

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
64KB

MD5
e97c4c339628651375e40562077c5c06

SHA1
f1d1cc197a76fbc073da9668203cb5f66477ecfb

SHA256
5d724b145659f2b9289397792418b36aff1503258a7c5ed5ff4a7543a9f23d4d

SHA512
ba62c6ef0e25ad6257b8c8c5c828f5b6c7e58af1736cdd709735d8dd7ecfa3e8e1aaa7b42a838953e4dd0d23775ecf4956079d0415e07d82831b3751f4a2f8f7

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
64KB

MD5
cfb27024f4b8f4189d00daea9f1c7acf

SHA1
b8d891061a80fb3b4cd147d8c6cbe612018d1357

SHA256
6f4b9b81814584c3094384f940f7d762cc70b54043e6c20a1baad14ac7e2240d

SHA512
6298b6b99b83575f28b46dfeada6202c8cbd5ac3d06ccb98da61413938a1e012fa1d229a1cafbcb56dc6ac70ee470db1595fdaa41271013ef344597175cdd081

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
64KB

MD5
617f32859277ee1d41de8e45d0f4de0b

SHA1
94a2e30b1f981b8cf2abc1df035bcbed8e563a72

SHA256
0c7d2d4a55212d546303ef438f1cfa6b52ca6bb598f2edb6e8d5c5ea5e544149

SHA512
bf300a6fb60fb30ba62cb9bc3a4d30e3e7c99736f6cb9e7bbac056690c4e4d081057a7cc5d78768e6c4114a7b40398f5850774ac29e6c68b9c6ee860cf735931

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
64KB

MD5
c902d568737387d703fdf040e7a54e53

SHA1
39650b7e46556c73259f686c4824e104ac74612c

SHA256
3a9696f9291488d85b10f00b393fc8f089f4a1534a0698f769a7713b49bd8423

SHA512
4d7ba97a7ad38e9f372c286d846967715d18ace16c8eb1df9664e2afdf14c12bd290f0ce5356fe6f3b596dc30428f23c8dd191d3dd04745ef4971fbbdf23e4f1

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
64KB

MD5
05218585651b3a1636c0251a15c0003c

SHA1
9af8fc7beca03dae042494c704dcf6325af1ef41

SHA256
5f52d676b00326863189cc510c5bd43a9eeab82ad2634401665c9f1466dbb43d

SHA512
9795aa7b978a33a385246e569024a618411e5d01b243f91718958a2f5fd95369cda16f575c8f88b4197a6977fee50d9fa34eff11b4cc481af532c6f63f8992b5

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
64KB

MD5
694dfb38446c8bebed88a3d5a820ced4

SHA1
a22fc5f09c6a72765d4c86cd36650f617e59487f

SHA256
5b24ad6cd724d9948cf31342c47ec798070cf02a69326519bd318296a1435e65

SHA512
74bebaec1333e8179390aaa9133c20f9eb35bd8da663a5a8e973363f70544ae1aa11ed2e3aa05e3be01b2977b47e53f50d75e1759fa0525707549473d2aff1df

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
64KB

MD5
cd89af8ca6d2bc5e479f972bf07458ee

SHA1
44774633431ce26a6fff82105dabf0fa2448389a

SHA256
96a7c1228b81b8e36cef2766dbfd3156a1b45649350e73a897042562bc584902

SHA512
bdb7ddfb629ee74317b1d3065f959e301ebf73dcf735e4bdc81f5dc18e3f854134e8b7a30cd2aef9130a9f951cc1213cb1e66475b7696e0052c645c5253b124e

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
64KB

MD5
8dc26b8733b61c8807578ddc0806a2ee

SHA1
7e814205494c863e0551b1591c6d37c76a002c3c

SHA256
2007f6bc99fb3f879f623c4e8cf6534e96af5dee1661ba22e91fbf04ddd9e870

SHA512
08241970f3b1f2e7a7a0f178d2bced5de2976edb0211d1cf078e809b23afeb79f14b8454e5f2f436a3190c171b4e96b448b4d17aab2ae35f6138481589fd8c53

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
64KB

MD5
5594ef87513e5e3b052c571943f96d17

SHA1
6a5a0832493c389501f0603215d1903b6e78eec7

SHA256
ecfb4a385393a8f5b85e6d1179d30d8d8df4d936688b37c013122b9bbd4e069f

SHA512
db51ae734aad61eb07337760db4bc76210bd62b42bfde7b7b790744f0ed7bb978386e0d27911411d78bc50bb07b7283fe0da837f947c0da74034cd5c02de5a4b

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
64KB

MD5
2f8b7b84a2414db04b58575010ba32dd

SHA1
9e6f73d1f4257c8680351bfeee68129c3fa00a85

SHA256
a7f0cf34c512059e693ac13dc5459f8af85733aabe19161cde7d8511208a7415

SHA512
a36d3974980c49436af47a145f6ddbc7842506676b3b80b5c0616911d69ef6314565f4e12a61fb16d8e9abf013a3e4ae0f32aea828e1b93d7749583fc6e43649

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
64KB

MD5
8e9418e56d5d8b0b369db52ab19169cf

SHA1
48b5d874a7d49c2601d421060c784038603db357

SHA256
7b477590e96ec61fc49cb5572517a72d9b59630d64904991ac151df7dcb30bb5

SHA512
4659ee879f69baedd8c3fec1e1f88707ce6d49abb53c098378462a6022ac1a20dea2789cb207a043c5597637f818db03e267276e427af9b9f25ba7a44d3b4a5f

Download Submit
memory/224-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-972-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-978-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-971-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-974-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-969-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-976-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5180-944-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-964-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5304-942-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-925-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-941-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5444-960-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-959-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5516-931-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5620-956-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5688-919-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5700-923-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5708-954-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5844-951-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5880-934-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-928-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5960-949-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6028-927-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6112-921-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6120-918-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads