765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe
Size

107KB
MD5

cd55b567c7d2e6f3d3459492ce0b8467
SHA1

cc1f3e4a444232992af09c0853b699f7467e71cc
SHA256

765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce
SHA512

404576ef73a14ce376630b982b3563be077c33d08bad522c2404f815f7f5ca4bafa9c1b3de2d58e044160cab5e689f50fd5b49b908c23d86416fbedd567ffa61
SSDEEP

3072:i/d9Yqjf12fuHs9A/szgaMU7uihJ5233y:i/d94gni5i3y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe

Executes dropped EXE 64 IoCs

pid	Process
4940	Goiojk32.exe
1504	Gjocgdkg.exe
3824	Gmmocpjk.exe
3484	Gpklpkio.exe
6064	Gjapmdid.exe
4616	Gmoliohh.exe
2308	Gpnhekgl.exe
3684	Gbldaffp.exe
2632	Gmaioo32.exe
3872	Hboagf32.exe
4260	Hihicplj.exe
5256	Hapaemll.exe
2720	Hcnnaikp.exe
2852	Hjhfnccl.exe
3556	Hpenfjad.exe
3828	Hjjbcbqj.exe
2716	Himcoo32.exe
5712	Hpgkkioa.exe
5800	Hfachc32.exe
568	Hmklen32.exe
5936	Hpihai32.exe
6088	Hfcpncdk.exe
5124	Haidklda.exe
5592	Icgqggce.exe
2972	Iidipnal.exe
5340	Iakaql32.exe
4432	Ibmmhdhm.exe
1816	Iiffen32.exe
5484	Ipqnahgf.exe
5708	Ibojncfj.exe
2728	Idofhfmm.exe
3436	Ijhodq32.exe
1976	Ipegmg32.exe
4932	Ijkljp32.exe
3664	Imihfl32.exe
2372	Jbfpobpb.exe
2672	Jmkdlkph.exe
1784	Jagqlj32.exe
5132	Jdemhe32.exe
5976	Jaimbj32.exe
608	Jfffjqdf.exe
5108	Jidbflcj.exe
116	Jpojcf32.exe
3020	Jigollag.exe
1988	Jpaghf32.exe
5828	Jfkoeppq.exe
3580	Jkfkfohj.exe
3936	Kmegbjgn.exe
548	Kpccnefa.exe
4836	Kilhgk32.exe
3084	Kpepcedo.exe
5520	Kgphpo32.exe
3972	Kinemkko.exe
2920	Kdcijcke.exe
2256	Kbfiep32.exe
4104	Kknafn32.exe
4480	Kipabjil.exe
3380	Kagichjo.exe
5252	Kpjjod32.exe
2584	Kcifkp32.exe
4536	Kgdbkohf.exe
4312	Kibnhjgj.exe
5784	Kajfig32.exe
660	Kpmfddnf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Iidipnal.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
332	1276	WerFault.exe	222

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5224 wrote to memory of 4940	5224	765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe	83
PID 5224 wrote to memory of 4940	5224	765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe	83
PID 5224 wrote to memory of 4940	5224	765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe	83
PID 4940 wrote to memory of 1504	4940	Goiojk32.exe	84
PID 4940 wrote to memory of 1504	4940	Goiojk32.exe	84
PID 4940 wrote to memory of 1504	4940	Goiojk32.exe	84
PID 1504 wrote to memory of 3824	1504	Gjocgdkg.exe	85
PID 1504 wrote to memory of 3824	1504	Gjocgdkg.exe	85
PID 1504 wrote to memory of 3824	1504	Gjocgdkg.exe	85
PID 3824 wrote to memory of 3484	3824	Gmmocpjk.exe	86
PID 3824 wrote to memory of 3484	3824	Gmmocpjk.exe	86
PID 3824 wrote to memory of 3484	3824	Gmmocpjk.exe	86
PID 3484 wrote to memory of 6064	3484	Gpklpkio.exe	87
PID 3484 wrote to memory of 6064	3484	Gpklpkio.exe	87
PID 3484 wrote to memory of 6064	3484	Gpklpkio.exe	87
PID 6064 wrote to memory of 4616	6064	Gjapmdid.exe	88
PID 6064 wrote to memory of 4616	6064	Gjapmdid.exe	88
PID 6064 wrote to memory of 4616	6064	Gjapmdid.exe	88
PID 4616 wrote to memory of 2308	4616	Gmoliohh.exe	89
PID 4616 wrote to memory of 2308	4616	Gmoliohh.exe	89
PID 4616 wrote to memory of 2308	4616	Gmoliohh.exe	89
PID 2308 wrote to memory of 3684	2308	Gpnhekgl.exe	90
PID 2308 wrote to memory of 3684	2308	Gpnhekgl.exe	90
PID 2308 wrote to memory of 3684	2308	Gpnhekgl.exe	90
PID 3684 wrote to memory of 2632	3684	Gbldaffp.exe	92
PID 3684 wrote to memory of 2632	3684	Gbldaffp.exe	92
PID 3684 wrote to memory of 2632	3684	Gbldaffp.exe	92
PID 2632 wrote to memory of 3872	2632	Gmaioo32.exe	93
PID 2632 wrote to memory of 3872	2632	Gmaioo32.exe	93
PID 2632 wrote to memory of 3872	2632	Gmaioo32.exe	93
PID 3872 wrote to memory of 4260	3872	Hboagf32.exe	94
PID 3872 wrote to memory of 4260	3872	Hboagf32.exe	94
PID 3872 wrote to memory of 4260	3872	Hboagf32.exe	94
PID 4260 wrote to memory of 5256	4260	Hihicplj.exe	95
PID 4260 wrote to memory of 5256	4260	Hihicplj.exe	95
PID 4260 wrote to memory of 5256	4260	Hihicplj.exe	95
PID 5256 wrote to memory of 2720	5256	Hapaemll.exe	97
PID 5256 wrote to memory of 2720	5256	Hapaemll.exe	97
PID 5256 wrote to memory of 2720	5256	Hapaemll.exe	97
PID 2720 wrote to memory of 2852	2720	Hcnnaikp.exe	98
PID 2720 wrote to memory of 2852	2720	Hcnnaikp.exe	98
PID 2720 wrote to memory of 2852	2720	Hcnnaikp.exe	98
PID 2852 wrote to memory of 3556	2852	Hjhfnccl.exe	99
PID 2852 wrote to memory of 3556	2852	Hjhfnccl.exe	99
PID 2852 wrote to memory of 3556	2852	Hjhfnccl.exe	99
PID 3556 wrote to memory of 3828	3556	Hpenfjad.exe	100
PID 3556 wrote to memory of 3828	3556	Hpenfjad.exe	100
PID 3556 wrote to memory of 3828	3556	Hpenfjad.exe	100
PID 3828 wrote to memory of 2716	3828	Hjjbcbqj.exe	101
PID 3828 wrote to memory of 2716	3828	Hjjbcbqj.exe	101
PID 3828 wrote to memory of 2716	3828	Hjjbcbqj.exe	101
PID 2716 wrote to memory of 5712	2716	Himcoo32.exe	103
PID 2716 wrote to memory of 5712	2716	Himcoo32.exe	103
PID 2716 wrote to memory of 5712	2716	Himcoo32.exe	103
PID 5712 wrote to memory of 5800	5712	Hpgkkioa.exe	104
PID 5712 wrote to memory of 5800	5712	Hpgkkioa.exe	104
PID 5712 wrote to memory of 5800	5712	Hpgkkioa.exe	104
PID 5800 wrote to memory of 568	5800	Hfachc32.exe	105
PID 5800 wrote to memory of 568	5800	Hfachc32.exe	105
PID 5800 wrote to memory of 568	5800	Hfachc32.exe	105
PID 568 wrote to memory of 5936	568	Hmklen32.exe	106
PID 568 wrote to memory of 5936	568	Hmklen32.exe	106
PID 568 wrote to memory of 5936	568	Hmklen32.exe	106
PID 5936 wrote to memory of 6088	5936	Hpihai32.exe	107

C:\Users\Admin\AppData\Local\Temp\765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe
"C:\Users\Admin\AppData\Local\Temp\765ddba8bf7c86eebf978ea9d2a5372f37d2b9e495414cf5eeb43af64f5d55ce.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5224
- C:\Windows\SysWOW64\Goiojk32.exe
  C:\Windows\system32\Goiojk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\Gjocgdkg.exe
    C:\Windows\system32\Gjocgdkg.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\Gmmocpjk.exe
      C:\Windows\system32\Gmmocpjk.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6064
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5256
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5712
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5936
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        23⤵
        Executes dropped EXE
        
        PID:6088
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        27⤵
        Executes dropped EXE
        
        PID:5340
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        28⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        31⤵
        Executes dropped EXE
        
        PID:5708
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        34⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        40⤵
        Executes dropped EXE
        
        PID:5132
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        41⤵
        Executes dropped EXE
        
        PID:5976
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:608
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        43⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        45⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        48⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        50⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        51⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        56⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        63⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        66⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        68⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        69⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        71⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3024
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        75⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1112
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        78⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2224
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        86⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        87⤵
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3172
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        92⤵
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        93⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        94⤵
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        98⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        99⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        100⤵
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1084
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        104⤵
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        105⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        109⤵
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        112⤵
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        113⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1736
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        118⤵
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        119⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        121⤵
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        123⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2868
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        126⤵
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5000
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4084
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        131⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        132⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 408
        133⤵
        Program crash
        
        PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1276 -ip 1276
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
107KB

MD5
3e01ea0322904352e59555a2df6195ca

SHA1
3739d0a51e66e9253bd281a1dbb53877480aaa9d

SHA256
acda27dba661d903b6185cf7e8687dbd2138b1bdbf0d0ca8e6cb259bf4ea072b

SHA512
9392f86ed62e48d0d133d1e7bcd803da95b548e5621a3c923e8981be6bd3b4866c4405e013517d23b62c5a6b3515ae11bab69b4edd7b73c5f7e63f80410d9b1b

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
107KB

MD5
13d3a994ac0c8ae3c2432305a188a676

SHA1
726f3d27204680ca4d24dbbac16c22b0b33d2fd9

SHA256
17000250df92a61d1e814885070bef61b26d8a06953fcaddf2a4a5c8d2aa7aae

SHA512
5bb17006b94b2e0b5ac55ad89db0d769c4a57a06a97631483484d226b447d31fce4d3125c74560e992f628df035db5e10e807916e9bb463a3445dd7e330a2437

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
107KB

MD5
2f5b4de44f8f8350cfded859536f3005

SHA1
cad524562ab38685baa0ddff6e4ce80457e704b0

SHA256
98d980f23c983229c1479781c77aee1a115ac95b9843194dbb4bfc9a6cb8f27c

SHA512
aa6ff380025537970c43c72b84034b4916f1cf7126acda972e5aeae087f75455bf43a1d92fd9b2783b45e925575b1713268bbe0bdab6e5671331eaaecab03ccd

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
107KB

MD5
216b580fa8243d9bd8c84a1f31eeb100

SHA1
351483e1a9638cab676dacca3b52d8202dc41bf4

SHA256
c17383b16c79def6465128fea72527dd77ef0a62c1152b3c93c9d9ce5ab77152

SHA512
fbc1c82063832a296dac2a2159403660ca21fbf955573ae8955f923abb842007f8c298f01882cf17ceed6de706b7c7a0ad38ec381459b610535e4296a19f0b6c

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
107KB

MD5
0c76a86883345b7510a5aba361b4c17e

SHA1
2c9aa63c73b3871fd29bff6bf9b14d1fc813530d

SHA256
25b05962500b06e60aab7f870cf3e3f870ecc32b5c4d2b1a64254bb2df6885c5

SHA512
a7507b59b80d4cb8db191c0418bf5a7f8be6b61b108c9b25d369ab7b02c264b9476c2b74c95d1bf0d751b95769dda0dd823537a5539e50a77659a6c583eb15c4

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
107KB

MD5
508948036208b92677e57cad599f4a0e

SHA1
d1abb337a2c739f2698066696502b9f7eb126a74

SHA256
5cb6b74afdb73448a48e9338e3e63fa8133ccdf57cab04c183052f1c2c98f81d

SHA512
958d4504b12a2a8d60dadfae2d15dd0a6bbe739f54eee04ac88ec12d86b0d19bef72bdf3fdc90471524dbd02184174c1441ac3111d40e68967e5ef9614bf24bb

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
107KB

MD5
5bf5e2a1ba25edb67b995b950ff19c24

SHA1
b10aaca58e1b1fbc05755d83d65c0d56a8cd0bb5

SHA256
fe1a05761b65ad9babb603798b20bd1d29264dafb6e534daad615b7bc6de8266

SHA512
f80725cb9aa2ebc9fada9d4f6fa11de6bca6f74a0590b6ac05e32056c0d4c8dc7f0fdd9ddd5c3b45dd63bcb548d6a46e9b7d993fec3a9116214d443231462172

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
107KB

MD5
7c2e258db8273993d0a03147cdbd7ca2

SHA1
6e8c50d140ccc0021738e635212110001ed39a74

SHA256
3367d98d762af7c502074cae885baceb65278c3d6c73ba95b71919dc53309d77

SHA512
b305e8b28b8acb99b35fb760b8cffc6bd41802e8194bd8b3891f630881860a2878049fc0fac523cf1d0dafbe0175f4221ae515eba7a133f95ad969925e8bb800

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
107KB

MD5
0ba5fb7db0ecca57102d18255c8868cf

SHA1
bfc19382e27cdc8411d14a9768c2799ea814f9bb

SHA256
c94116b87bf52e11ea635f474a7388cc44e756fe9e1c84c7b21d255487f7ce7c

SHA512
c92f8808ba27f5232884fa9a33d0a89021e2e59565ac04307566d16e2f7032b8598b61fe4453977f0797767e254ec2d31fdf2a8df37ca909cc2f98b280217156

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
107KB

MD5
026c93a21f850562ac41f9780df3cbaf

SHA1
c0d2cc16ca7e1208824f00c7fd49f7de3cbf1561

SHA256
7de95acd2ce8ff82629278bd4f570d6e1f70830cfe7a36352250cc4da4993f2c

SHA512
2f6a0e6847a947c035bf96223386ca9c8a6bcb8524947ba86eedf34debb1b137e58b09f06af6a505495b9680a8eed4726aa36fb51f9e1e18db4420f4253b3e87

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
107KB

MD5
64d47d80277b8d644ff7a64fbf294471

SHA1
0228c1bd32d6d0a7d199af85cc16ace13dbea20f

SHA256
4f72cd6748c21dc33cfa34f66c2d119ec193da275ccd708a5d05385af0a4e54d

SHA512
ad69ad27bb34d8fde8567d76050c1543e157bf0bd50a581e4c18264593bc5d12ad7cfaa6f699e1632235ede2d77707876b9f5012ea0619ee58b8b4a6e1a89808

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
107KB

MD5
2a979c037051e540b93969cd3d4c0d2b

SHA1
e6fbbc1455b7b3499b3cdfee8d400cd2bd14eb5f

SHA256
ad46f603942478553546f187147f7619d4354d27ec63ea1eb567fbee6acae7e9

SHA512
74ec4c6bb2c54b1c0aca2640f66456ba2484ec0d2f89a13e28ba63281660e622b82e4c7ceef3fd0897023cc5977e4e78ef79841e31fa456f156988bae71649e1

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
107KB

MD5
f1c8f33d43c3e2dc807b7e396fd01a06

SHA1
f9786952a301583742b21fb67fee6448067cc230

SHA256
8df741b6664dfd945549dce2d3d106dbb3d8282ee0bf743a9c48397bad6ecb7f

SHA512
3a04c28e6fbe55e34d8ed5b70a68edc5b11e3ad10d7b848da34f20681cfc6b99b4367fdca977c935787a58f18f0f33959553378d695f61302f166c3f166d45cc

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
107KB

MD5
de473187644eaafceffb5e653d5ce461

SHA1
422b808c087c55da9dc377aa9d914eb1a5a5767d

SHA256
c0a590733913b35e43df85fbe2e234c4b7ad1d56db0ae777888a3c31dfec7e5b

SHA512
a45345bbe8388e38f6a64bd915d57d92af0873d8108fb102b85a03ee16cccdef67ea3c73c429c2217e0ca68f757de73ccfc41425ac35686c6b8d6b3e4738a61b

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
107KB

MD5
d517a8b2644b0ddfaee3d7fee03afe13

SHA1
a6721409f8292c355ae8af36ab8b4f2d8b4f4ddf

SHA256
0c46ad0949397c15e6cc59b79dd945a9258bb3fd17f24a223c28f92c80a33a62

SHA512
2bab7f2d68368d1f67d1bd3dcbb3a9bd351c8129c401b012e4203d414db1b3acae23eb561f4a3abf5be4f1788caee4f31ae4f0bc3537fee274af48618cc79745

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
107KB

MD5
80723dd2a3cde948cb3c10fbdc7ff753

SHA1
70c3fa15de9f1b472502c0b7898a05d692c0081a

SHA256
1cfd514461a7eeeb643736ac7565a7a5868bc29d7cdf98975165df52ee1b6010

SHA512
e38a994efeb029889dfcb7f8b301ee922f0040fa6b883e8698be91ead2ffaf29cf5b354eed0c29b4ba4b09e75cc7446d9ede5bd03f2d8c32cbf583648d42e3ac

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
107KB

MD5
40abad1d33bf8e183d81070a17d24622

SHA1
c3dc40d9f18561aa4613cb57d9002da3ae78ab48

SHA256
bdc4f80e13f676ce5cd76fe1b1442fd2d96409105129b382afe11f960656f5d8

SHA512
2bf4beb3f4a19ce7e1e18b9cdafbd66253e07c2ebaf830cd05d0fd391ee5a1c571a2d3917a2ba12f8a923ec750086813eeee1106fc86cbbeaf857540883071d4

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
107KB

MD5
ca5d2712457fd82fb6dd7bdb1836af7a

SHA1
25c7304c83d62715502968c6ccab14e85203aab4

SHA256
cdc3f04b64a247d69304a7444fdf0bfd85bd5b46b72fef7aa2955062b6c331d2

SHA512
fd0334fc6ec2fd8028dad1ae9a4badd755ebc3603c3f6573ea96611d2cca2d409eff16a8b6b54933830f17ac5fad9f4bc6db3852564a0c3d21d6e5cc1a331a65

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
107KB

MD5
74477f9d27e4d43f0ed39bc222e2c66f

SHA1
802709530daba49888127c8899f4e198681b7029

SHA256
e19a0b6f20b7eb48fbd2159cb6abeb491c207229c698bff0b6126cb1c2a5c43d

SHA512
138c425a15628cab3fe54e40f71803f78b29416780d6c3d481392d81f0daa82957635e16e333ed382fbaaa76b3ce9be4f198ae708c02ce82217a88906e1a574c

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
107KB

MD5
1e3251774ef4635a3517b9008f929a2c

SHA1
941cb0a3a8b1ff9a3468496db400d6cb510e7577

SHA256
53564f17bec60a97ed2125f434cdfa4ea90f481738deca90ddb821718339e0de

SHA512
b85dc95cfdf0ff1011a1b2625b33852dc1a58702260bdfae9863f4b1bb882f895c63cd925556c9005b562f6826188837c0b15bb4617992bc624685c44d312a66

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
107KB

MD5
1a60384bc87e49601ce234d0fcd5661b

SHA1
39182f5cb43ae95accfd7b9a56b70fc573e4b4db

SHA256
ff37d1f42563b6fa8c2b6fa1b9406c18b0deab90bac5d726b96c5ed73b18d10a

SHA512
e6ae54d54effe03cd362fcaf6331489266065bbe7fa6aaefa3552f5273f5f3b39a9bae8b8e87c6991a3b2632d1f5a8d0b8ee0ab34f0d5280c1b2d1f3f72024bd

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
107KB

MD5
cfd90bcf54c90815a3003932e58214ec

SHA1
f1a4e275bb0e4231a04a17e6ecf868a681dffd9a

SHA256
b5ca5c5d9ce112b9bfcbc7bcb94ca8d49df51894d65126ae3928e0f980cdfeb2

SHA512
6c3d0a203ff578fefd821f8429372dd65b1cfbcbaea0a083fdfdf5e52039e5d547cb46d6120d8bbcac397ec30c355c99adf0060485c98827eaa2f7b0937070fa

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
107KB

MD5
c31f6ced79f297b8390b9de643c32c4f

SHA1
5d083e3b25df62151f8d1f7698e991890edc72a8

SHA256
bc38455cace3d0b66b1b75b53ee1982679f213f8c2932ea77d6b77a94fb98154

SHA512
3f6c8d829ecdc96d4fa6fd5efa82d8a2d9cede8765f06f3ac7255df7a9b57d079ebfc99c9db9c8c21ccc1c6821c488613c339a7014cd56ccf4c3c11ca7b561a7

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
107KB

MD5
6dd46c9c36681770a21ae01f97126834

SHA1
4b398062d60b95c8fdd95ed7d8959c1efa8594e6

SHA256
9cc94b4676aee78d251f93a59c4d880402c5de31371b5dc0ae44e50e9c1b82ca

SHA512
2aa394f5c2d2b19a7a40ab9ffac1817503838623d4a574b3a9e8d4c658b9893157097dffbe0e92d4e1c9c810808b036df58c986d628a62e224a1d70a885488bc

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
107KB

MD5
4c461b210b953cb21c71f61b916aa2b3

SHA1
250dc02ef72cc951e33b8b6e8f5464bb8b2694d3

SHA256
f40503589ccd18fff20c944d3d3c47aa6ff1a699fe7d210ff2a7434febdedbc7

SHA512
d01dc595aa3d568816a3bac223f7012a6b5d5a58103941f3f938e620686cc0cc342716c7f5bd9f7d0230abad1a3b6cc0f0e6cb429bf78a0f763e7c4609031030

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
107KB

MD5
492dc62f4aaeae2ab53a9d1b6ab1d797

SHA1
4c518a22b2da739a64e25d1b1e34cffc68e297c6

SHA256
11bcd35a41927f085865397b972af3f91c52a040f14bf485e15a157ac30ffc89

SHA512
d8f2a58ffc64f203368b19f5baf7152fbe00a11e66488af08caf5333e9cde444b26ae220ae5976ab8a35572bc78fedced4b77f871dbe03ccaa1eba0f9d5fad07

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
107KB

MD5
124f78bcf2e7a94223b6312b067629b5

SHA1
984fe76235427ca28d146cecdef79888c58add74

SHA256
5f808f7682ed8faca85781428b9c7fef334935ebce3e999257e607bc90acc137

SHA512
35a815dfa31d2db150f818ee42958562386d0c12e21d5e423ceec5ef966063e1cf91626195f3a1890a7149544b89eee4fbe252903161065c7ecc1624869e4157

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
107KB

MD5
aa2251cc32eb832c8aeea274b9c063f1

SHA1
d45cf54182bfc9f467a28639fbdc746dbe1c8fcd

SHA256
05f454d7f4805a5da02748d88082d974218c24b82f77e4649d6bcb4dc03628eb

SHA512
f9686c29f290ce46a9730e594bad5c8003fe784e8c67f7664186fb61559c9b96564b56e1023379061d536cbae0d88729d7df198dff4f07efc961b237d7af712f

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
107KB

MD5
c7ca3376c5f6934a390036763b9d2201

SHA1
373484e3775849249d3ce1879376c8cd303829f4

SHA256
a6502bcd23c060f465965aef85670b2593c153d2d95c2517f04b8e3c2e836819

SHA512
11a4480c10c08a775433c626c306f1595f3fea4b5070999f66e5dfdeeabcf65a7cae5bc28c7f954962d434300e9896d093045b78449710a070e01e0ad1014bc2

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
107KB

MD5
216879de5812a3986a25f3c7d76f93dd

SHA1
42c291f21ae1489cc119d3d314dd09786000cc9e

SHA256
c4a8e891ed1180447f8adab5bc2e13f24a0c9e447836923898e99be21ff4df7a

SHA512
ec648d29bd6088c4dd2fc5593cd7831254e9d0cfeda8f7303999df98f43e3c2c3f12819110146a58a77c5898eeebe246876a4de0651a2a77c8f799487b13e98c

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
107KB

MD5
d07ec3da0cdd2aae5730a8b7312ab5f1

SHA1
bbcfc042ed5cda9ead6c7ca5327e23e4cf923c38

SHA256
494139da1eea84087cb719e4be9b1a675bfadbbe0eba190c07c0257eda61cfab

SHA512
a0ce0fef3b36828278048caa0797ca1cb4a3c5e99b532102b35ba2e3f6ba78f4a16227cca43f31c37aa18438eaf53310eaf01c897c2556feb59ad9d6086ccede

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
107KB

MD5
88290516cbc74658b302a80c042ebf02

SHA1
2bbbbda02b39ad85ce74a1d99e53badb9861b0be

SHA256
e934a315759addbc8a9ae9a2b1c4f24d40be0e08c19e1016758e9a8ccb42e14f

SHA512
5836f819c0e642969ce601b09031eeb4974d4c61a986faf322554d302063c2439bf83b6fa33d6451debca841b0b342818494af664dba7d01e886790dabfb7494

Download Submit
C:\Windows\SysWOW64\Jfffjqdf.exe

Filesize
107KB

MD5
f459fff485452b949fbda20ae08ffe19

SHA1
5bd7cce0c2f599bb8404cd48aaf2edbf904a8398

SHA256
9b805ccb31c015985adfc4d03863a931a837c52190706d227ea758b57e5979e5

SHA512
91c7ad37abeb822acaf97ec48af7d1891e319cb01d10ac72b413e8fbf5d29c6b419db23ff8369296a8f9a2d28c82806a2e773c85546d85398dcaf9f1f3f9cf8e

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
107KB

MD5
4fe8f56ed78194c885674bdbb2830062

SHA1
4b04005d5a53e55d4fa9f6660e0ac555e71f4283

SHA256
7e2f15497ab42660b9b22a0dcdc36f5e42e6687c5821e92c67157477f0da5edd

SHA512
f8188287574f4f23c00d1a12d722a1bd57010d4c92e786f1282c5a43fccd5d2dc29e633653f2be420de69877acd9469c51fefd8046970e0ad89ce6a67b51271f

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
107KB

MD5
36e590d38695db610e1167d6184fe258

SHA1
0b49366a2fec1ae689cf2fef49fe5f3e3db5a607

SHA256
53ed6305bab0bc228012045f41e38f422cb7762e5c5594dba1d61758799cb45f

SHA512
26631ae027df7433fcba33793a688d4b484d56d14b982644ccf4d4c13953385605f93f79a248bf0959569ee6a28b2c9beda0fe28cb289f2257d807daf89903a2

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
107KB

MD5
774be420ac71e4d860e4adf8ebde99f6

SHA1
aaee268ff637ec697319fa891f174de49f5f43da

SHA256
6a7ef86c7ddb7eae0bc67cc194720e1aad0dec771f54c4321d72a49132295c00

SHA512
e8bca63f183d0e6608915cbdfca9e55ef30b0497c664f971851ae0278dde5d02993ad589009db96c607f4e35f77f7a489d19280674e6dc039a0b4caa55c24131

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
64KB

MD5
10b596018d528bba97193ecb072f085c

SHA1
f19b54c019cdc8342bd2b5bbf71e36a2866f7b45

SHA256
b92be4572fc1ebbe4437861c047f41d2d44c251ed9dd3b7848cf2343d675965a

SHA512
fa1b12c5461a52355e0dff09fac5d76da54fde1522aab6672d4dffd68ceec3bbc4a9ac7da2e59733342c16ad66561cf0a89e1e0c8f6c38229ae0ac74e92b0ac9

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
107KB

MD5
ec811639761c3dfc3054a5f30c0f7e5c

SHA1
4436ee5644d570143c83f5970c948841bd550517

SHA256
33479941eb4602ff9c4dd58b293425c5882b4255682a653364a351e559192d4d

SHA512
ed7bd39d3cf3e7bd4e6c518e4a8c326f2b05227fa0b6e81b1eeedff30cd9b19e74103a12e2ed167acfe6fe0a5e4ed9a134e83d06cf6a38e03df3317b8ae6c1d1

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
107KB

MD5
e9934b07685afa3bdb209ed397edaf97

SHA1
00f406377497edeab86f4c3c3f113045d70bf079

SHA256
f7dd8e99a52cc1e5addbdca931822a00ead8121e74c8aa88a25da74b3addf32b

SHA512
81325bf0131afe6000c1f6820799d441c68e99bbb62ff35936eea272840ab00b60bc7c54dd4a13c53bd89396bcee3593096c61b69b7bfa076cd5f145fdc1fd51

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
107KB

MD5
7de1c1fb2c48c9dcabfd40934fdd2fd4

SHA1
8f320136b2d311be249fc6823f2bbdefebfa80c0

SHA256
eedcc48dae477cc85e1c50e11ed5b9c70b4f1be6c9d5ca0f5e7ff989528f3568

SHA512
aeaf08e1e81bf607b18e17d896746a276bb4deb88e7b8c6d80510dda3835ed3eb074c165fd84697fb024499f4a42ea069867ffbbc5decdc988f5783e73fa3bde

Download Submit
memory/116-417-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/116-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/548-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/568-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/568-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/608-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/608-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1784-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1784-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1816-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1816-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1988-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2308-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2308-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-374-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2672-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2720-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2728-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2728-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-205-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2972-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3020-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3020-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3084-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3436-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3436-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3556-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3556-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3580-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3664-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3664-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3684-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3684-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3824-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3828-142-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3872-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3872-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3936-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4260-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-315-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4836-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4932-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4940-93-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4940-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5108-410-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5124-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5132-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5132-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5224-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5224-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5224-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5256-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5256-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5272-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5340-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5340-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5484-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5484-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5520-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5592-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5592-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5708-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5708-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5712-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5712-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5800-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5800-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5828-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5936-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5936-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5976-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5976-396-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6064-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6064-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6088-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6088-277-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads