b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc

Analysis

max time kernel
145s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc.exe
Size

71KB
MD5

c835a0cf5ae70e30964ebc17182db1a8
SHA1

c3da759cc477976c1340f355be633e387a363243
SHA256

b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc
SHA512

580d487dc8d99c40ffc9c10a16d8f78a783e71a3c768830b9b9d9d5f204ff42304aa75d4bfd2106621c3c46b5c31ab4ac7b085be8cd2ede8819682beea5a2e37
SSDEEP

1536:MQOBP5dg5UIRhY6cCmoEM7OEnTWLBdS7ThGiWB6bcqnThRQMDbEyRCRRRoR4Rk:MNGOroEM77nKLBdwlpI6b1TheqEy032t

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe

Executes dropped EXE 64 IoCs

pid	Process
3416	Fbnhphbp.exe
3208	Fjepaecb.exe
3428	Fmclmabe.exe
400	Fcnejk32.exe
4420	Fflaff32.exe
2908	Fmficqpc.exe
1164	Fodeolof.exe
1920	Gbcakg32.exe
3100	Gjjjle32.exe
2956	Gqdbiofi.exe
2636	Gbenqg32.exe
2932	Gjlfbd32.exe
1884	Gmkbnp32.exe
2196	Goiojk32.exe
2548	Gfcgge32.exe
4520	Gmmocpjk.exe
3872	Gpklpkio.exe
2192	Gbjhlfhb.exe
368	Gidphq32.exe
2116	Gqkhjn32.exe
3480	Gcidfi32.exe
3912	Gifmnpnl.exe
4392	Gppekj32.exe
4472	Hfjmgdlf.exe
4976	Hihicplj.exe
2652	Hpbaqj32.exe
3520	Hfljmdjc.exe
2620	Hikfip32.exe
1060	Hpenfjad.exe
2532	Hbckbepg.exe
4288	Hjjbcbqj.exe
2592	Himcoo32.exe
3384	Hadkpm32.exe
716	Hpgkkioa.exe
4196	Hbeghene.exe
5100	Hmklen32.exe
5016	Hcedaheh.exe
2924	Hfcpncdk.exe
1124	Hibljoco.exe
1016	Haidklda.exe
2240	Ibjqcd32.exe
1112	Iidipnal.exe
3860	Iakaql32.exe
808	Ibmmhdhm.exe
884	Ijdeiaio.exe
624	Iiffen32.exe
1304	Ipqnahgf.exe
3792	Ibojncfj.exe
5044	Imdnklfp.exe
1480	Idofhfmm.exe
4608	Ifmcdblq.exe
1068	Iikopmkd.exe
2740	Ipegmg32.exe
4296	Idacmfkj.exe
3084	Ijkljp32.exe
2028	Jaedgjjd.exe
4624	Jdcpcf32.exe
2700	Jfaloa32.exe
2940	Jagqlj32.exe
3308	Jdemhe32.exe
4788	Jfdida32.exe
216	Jibeql32.exe
3672	Jaimbj32.exe
1620	Jdhine32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6440	6340	WerFault.exe	230

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fodeolof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 3416	1456	b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc.exe	84
PID 1456 wrote to memory of 3416	1456	b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc.exe	84
PID 1456 wrote to memory of 3416	1456	b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc.exe	84
PID 3416 wrote to memory of 3208	3416	Fbnhphbp.exe	85
PID 3416 wrote to memory of 3208	3416	Fbnhphbp.exe	85
PID 3416 wrote to memory of 3208	3416	Fbnhphbp.exe	85
PID 3208 wrote to memory of 3428	3208	Fjepaecb.exe	86
PID 3208 wrote to memory of 3428	3208	Fjepaecb.exe	86
PID 3208 wrote to memory of 3428	3208	Fjepaecb.exe	86
PID 3428 wrote to memory of 400	3428	Fmclmabe.exe	87
PID 3428 wrote to memory of 400	3428	Fmclmabe.exe	87
PID 3428 wrote to memory of 400	3428	Fmclmabe.exe	87
PID 400 wrote to memory of 4420	400	Fcnejk32.exe	88
PID 400 wrote to memory of 4420	400	Fcnejk32.exe	88
PID 400 wrote to memory of 4420	400	Fcnejk32.exe	88
PID 4420 wrote to memory of 2908	4420	Fflaff32.exe	89
PID 4420 wrote to memory of 2908	4420	Fflaff32.exe	89
PID 4420 wrote to memory of 2908	4420	Fflaff32.exe	89
PID 2908 wrote to memory of 1164	2908	Fmficqpc.exe	90
PID 2908 wrote to memory of 1164	2908	Fmficqpc.exe	90
PID 2908 wrote to memory of 1164	2908	Fmficqpc.exe	90
PID 1164 wrote to memory of 1920	1164	Fodeolof.exe	91
PID 1164 wrote to memory of 1920	1164	Fodeolof.exe	91
PID 1164 wrote to memory of 1920	1164	Fodeolof.exe	91
PID 1920 wrote to memory of 3100	1920	Gbcakg32.exe	92
PID 1920 wrote to memory of 3100	1920	Gbcakg32.exe	92
PID 1920 wrote to memory of 3100	1920	Gbcakg32.exe	92
PID 3100 wrote to memory of 2956	3100	Gjjjle32.exe	93
PID 3100 wrote to memory of 2956	3100	Gjjjle32.exe	93
PID 3100 wrote to memory of 2956	3100	Gjjjle32.exe	93
PID 2956 wrote to memory of 2636	2956	Gqdbiofi.exe	94
PID 2956 wrote to memory of 2636	2956	Gqdbiofi.exe	94
PID 2956 wrote to memory of 2636	2956	Gqdbiofi.exe	94
PID 2636 wrote to memory of 2932	2636	Gbenqg32.exe	95
PID 2636 wrote to memory of 2932	2636	Gbenqg32.exe	95
PID 2636 wrote to memory of 2932	2636	Gbenqg32.exe	95
PID 2932 wrote to memory of 1884	2932	Gjlfbd32.exe	96
PID 2932 wrote to memory of 1884	2932	Gjlfbd32.exe	96
PID 2932 wrote to memory of 1884	2932	Gjlfbd32.exe	96
PID 1884 wrote to memory of 2196	1884	Gmkbnp32.exe	97
PID 1884 wrote to memory of 2196	1884	Gmkbnp32.exe	97
PID 1884 wrote to memory of 2196	1884	Gmkbnp32.exe	97
PID 2196 wrote to memory of 2548	2196	Goiojk32.exe	98
PID 2196 wrote to memory of 2548	2196	Goiojk32.exe	98
PID 2196 wrote to memory of 2548	2196	Goiojk32.exe	98
PID 2548 wrote to memory of 4520	2548	Gfcgge32.exe	99
PID 2548 wrote to memory of 4520	2548	Gfcgge32.exe	99
PID 2548 wrote to memory of 4520	2548	Gfcgge32.exe	99
PID 4520 wrote to memory of 3872	4520	Gmmocpjk.exe	100
PID 4520 wrote to memory of 3872	4520	Gmmocpjk.exe	100
PID 4520 wrote to memory of 3872	4520	Gmmocpjk.exe	100
PID 3872 wrote to memory of 2192	3872	Gpklpkio.exe	101
PID 3872 wrote to memory of 2192	3872	Gpklpkio.exe	101
PID 3872 wrote to memory of 2192	3872	Gpklpkio.exe	101
PID 2192 wrote to memory of 368	2192	Gbjhlfhb.exe	102
PID 2192 wrote to memory of 368	2192	Gbjhlfhb.exe	102
PID 2192 wrote to memory of 368	2192	Gbjhlfhb.exe	102
PID 368 wrote to memory of 2116	368	Gidphq32.exe	104
PID 368 wrote to memory of 2116	368	Gidphq32.exe	104
PID 368 wrote to memory of 2116	368	Gidphq32.exe	104
PID 2116 wrote to memory of 3480	2116	Gqkhjn32.exe	105
PID 2116 wrote to memory of 3480	2116	Gqkhjn32.exe	105
PID 2116 wrote to memory of 3480	2116	Gqkhjn32.exe	105
PID 3480 wrote to memory of 3912	3480	Gcidfi32.exe	106

C:\Users\Admin\AppData\Local\Temp\b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc.exe
"C:\Users\Admin\AppData\Local\Temp\b5d7d4c71c57e31de89ff6e363e818787a605b527da078e9f3e229b3d397c0fc.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\Fbnhphbp.exe
  C:\Windows\system32\Fbnhphbp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\Fjepaecb.exe
    C:\Windows\system32\Fjepaecb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\SysWOW64\Fmclmabe.exe
      C:\Windows\system32\Fmclmabe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        27⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        30⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        33⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        35⤵
        Executes dropped EXE
        
        PID:716
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        39⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        43⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        45⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        53⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        57⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        62⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        67⤵
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        68⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        69⤵
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1232
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        71⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        75⤵
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        78⤵
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3108
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        80⤵
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        81⤵
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        82⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2624
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        87⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        90⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        94⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        100⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        101⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        102⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        103⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        106⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        109⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        110⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        113⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        115⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        118⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        119⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        124⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        127⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        130⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        133⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        134⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        135⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        136⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        140⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 420
        141⤵
        Program crash
        
        PID:6440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6340 -ip 6340
1⤵
PID:6412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
71KB

MD5
ce6deb679030ce489e89ed903578baa0

SHA1
7d3490cef5ed02aa23d54f563b423a5d195829ef

SHA256
63628247f6908d677303dfc547285e6052546437e90be4a95fef61499e242b8b

SHA512
1fe095141c15b05ebe3c57a00b08ed0e38a7ac241a22b5b6af44461a5f8c6c61aaece1d533c5f36cc859d13a3fcc27b7c0e5d9bce51c7884070cea0525c173dc

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
71KB

MD5
4f601de7a739dbbe2510278330802df3

SHA1
5c6c4eef448254bbede650144c121bc077eb1296

SHA256
8c5533bf92c072506ccbf1ecb5eb26c2f8df5905eef3b04218b019168554186b

SHA512
22b2c7d4c44779cedc8d4a94bcf0015a6ba09cebb77509c3d3ac872aa80bf809f4a3fac74954077f42c18fb0f8f20245bd179231ac778ec8430c203a9632398a

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
71KB

MD5
c3a7e295b816777e5bca5abc93270c3d

SHA1
a9a4758fef4a2e63967a71762db08100b4847636

SHA256
50267df811e561b04cc1134fe44e54ff6f48e3a3a5a410a240c8118da1506bd0

SHA512
a57f5af5d695e364f02f445d6eb3c2ba2d10f0ce3af6f885716f13672cf4c91caed456f0c38c37bf5b59a1b2aa9c25d9fff3639674aec2350fd52bcaf30e032e

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
71KB

MD5
5f5500355c18c1e6ea858a566676ced5

SHA1
845550818e2f1193aab3b923d669c0b7c70e3795

SHA256
75052c2cfd4b41e28cab9c1d653ff531ad3683f3402e969d94611fb6cb6f9a0f

SHA512
aee2920f89a14926ca8148cbf7c37b06dc2668b7287b14bae740feb0fa2e9b409dfa3fdb2ad4be24dcfb442e973698d8753431ca6afd4a5d88f673f64d4fb1c3

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
71KB

MD5
0b9558d89f859d364c4f4f580e177347

SHA1
cb540efa096d761e36667718c32387df9285f873

SHA256
0d77a84e4bb22e87bd82a10e1910a7e58c720748612d4ff3c712922b347fa2c0

SHA512
8392ab2581987f0fddc97e3ee5caa3834c76fdb389c286eadfe935b64023ab3ca99a18100787b62f4ccb321c76f953e31393674efcd784fdc6a118288d52dc32

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
71KB

MD5
e5529b15fa0554235ce3d107777b6b6e

SHA1
5cf08fa91099157de8951cd49c46623d9d9cb1c1

SHA256
b8752b077abfb40fd0fb839213d16f6c993359e24e2ebc71d5e58c67a3b3bc9b

SHA512
387f53b6d38e417513f6c00fd62d256f4338d14c3efa8655d04f39a9a1f6db5c462627762c2959a300208e8a4249842325d7fd3b9fde0b115bb4e42ea961e159

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
71KB

MD5
3d3addb9b5462ea1060b19f0d76864a4

SHA1
168932e072350bea213a3c1bcc911242f31f81ea

SHA256
f8541811af9f2dcd3ce932f2b10b81b2aa778746910f7af5a5f765e903156335

SHA512
5bdf7cacde266abdd156070e0945ed121c5b18fca6f516336fbe7e223245a18c62283a2af73170d2f84a0099fd91c05ced30ef477650fd491632a4bcd53c620a

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
71KB

MD5
62f182d7d3249b45bc97e9a076446365

SHA1
4a0e6810dd6d794f3058eeb1872a849e1abb2e2b

SHA256
7fd4241905b59873c9fdc68103c367aeec78cfef7665010c34daaf237fb2fb67

SHA512
fe9b404f43beecb9a93016d04bf3618832c6b45ff72160220b9452dbdac1eadf6c307d4af63edea7dac2faea8f8c7ea4a92c299f0bba7bd57caffc6db31b04d2

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
71KB

MD5
b0b6aa3357be3c5b3613711cd0c0366a

SHA1
8ff6d9fe373e99673b0d45e483a7183c27dfdbc4

SHA256
eed7cb90dcb43d38d9d539f4320188bf9969d7841a59a560386b28506ec97829

SHA512
57fccafa136eec1ff8b510aaf0e4057b40d20b73b655098f386d74bf96067348df1036949ca6f825b464cff8b942160c0af330f77421ebe2f048f4c83f1ecad3

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
71KB

MD5
0c83a8a361bb40a30759e7a4e8eaf327

SHA1
4e5546f8870514db76e3a1798404f7e04ca6987c

SHA256
430c9271180fd61950baff27cbdb5b48704f99a5cdc0488927e5ede58b754c34

SHA512
b496ea85dc0199b713b4b0b21f2e3478df1887d7bf4539e86173b263c665144139e2ecd8e5f26002319c2ee32394727426a670a7ed15fd5e471712500bee895a

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
71KB

MD5
6817986d32b68b0c217a90e08d865cee

SHA1
f75c845b153152fa2d414c2426e3e200f32f3e67

SHA256
ae4cc58c8b16c2a1202d8994a82cfcf9b134e22efb81d7550ffbf27d6a42b042

SHA512
ab7c67e663c456300dbaa8b4ae076486bf805cd20fc8642bd03987f2f86e7883f8b8385e6e1d49738caca8788c5fb8f510ccfa1cdcdfd9aa6d15836f590bb90a

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
71KB

MD5
3f48e395e231edc0d0361980a6fcb9ad

SHA1
8c4676e788d9589e3e2d6f57e89e3ec8853b73b2

SHA256
9d5035b7b49e5c8143fa64be17b5f3a8e83e24a90dcff4ac23c634fce8359af1

SHA512
eb1a04f80fcc3b60352adc8c890313ff6aeec801f81f1e56543e11015c36ab92f0c92e7543fb945d75e39e95e49e16f890342a06469763fe7f8cc5d9d3a4c3ac

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
71KB

MD5
4135a4ae9c128fb2d6c4e063b39a886d

SHA1
f043474d19a7ee2956fd57583838c9ab893e2b1d

SHA256
fdfe05169a917fa36c2b684794d1c3e44953268727914e714438e2002c8c36b3

SHA512
82734e39f96c1292619ca5107105e17e230e3845f51ea80f89128204ad71d6d92b202786744b4e7a9e7b8040ab356c8973402f440a613c5e804c5df02e63735e

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
71KB

MD5
4d2e67c7b6c5301a8072dfd20312a4fa

SHA1
699a15109fe0901cd10616f8dd74502cd4d39b72

SHA256
d1426f7fb5d548132cec8fcf33fb0899c1f8d9937fa1209180a2b4559a93a2f1

SHA512
c5fea5a33e315718f79c4f20f0bb9ae0df136bab462813056df844447144ae186becc40a8895b86843f7106bd9b53f7ad248ca6fcaf2c50c3f49f0ffbe769c19

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
71KB

MD5
502d26761cd421665b106017319edc7b

SHA1
c47a49459146467d6a3882369d5698204e1db238

SHA256
3e4506e25cb1146bacc1c46f2fc4fbe6ef36f67cace0b4cc8c3463621149749a

SHA512
0ee181e97b9d4355abd0648a245495254426c34ce40ac54a1d3799ee1126a2eac25335df3528287940c75f819b0eff01bdfb381207d6b4eed4ddb4f7a13261b3

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
71KB

MD5
8bb926f38eb25d18602eae712cf96b88

SHA1
5a64792dd1d2ad04a5554ef221fc49c9f022687f

SHA256
6cfae501d8136cf1d9f93d12b78290bfb972273c5c58880a639e7f8e64023447

SHA512
8d1160a69b0f76ed16f7637f3bf115bda7626b08c0cb976787cc444f8cc88247429070f4d60deb0fe8d1b648cfbd76804ad3b5b67e18c4dd66ee9b71b4217686

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
71KB

MD5
ebec2c788b3b4955fc0df57e3ab29068

SHA1
800da4d2111cb6f9c48b0bc88a78daa09ad84524

SHA256
b26bde8de43b5cb27b511b990fa2c9021d9982076360a41fe50f09605e116916

SHA512
60c4ddc31dcf1fa1fd65cc0de6639181ef4ddbfaaefcd8df4af4035071ae1d4739c3edef573aa8724ac4a8dc9352db3a6e037e74af9b5ed8957b72a512549a32

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
71KB

MD5
a29174c2886f5a573965482f78fcb5d6

SHA1
c2d452f0e755a4f816241ef8df00518be6569993

SHA256
a22f9fba8beb9b750972044c427a3fb2efd3fb5d09598b4f6b8518a8a2ecb68b

SHA512
c5df307f0f7503e93f6aeabc11a154e636881e9127afb07ac14c1c334c22e529d173fed7093318d0d7a51fcdd8a61fc96a6e9b130e6f950c0f0bc3fb1d81c6c4

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
71KB

MD5
381471fb1355bb7847859ba6a596eadf

SHA1
37c5fed20a4b7bd326cddd55d0129083034a0fd1

SHA256
07363e4903ce072468a9a89bababa38313397628405809ba8b5389aa30d492c7

SHA512
b552e1c2ce5148b398d3a0c47bd1ddcadeb1c55e465bfc790da841310736615bf5102ced504665c7e6308711e72abd812c74d44c93a6eacbf53efff7c378681d

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
71KB

MD5
bda38ea88a54dd746d7f56c62c3d7bd8

SHA1
3623f3b8cd26b3924c53b2b5fa66defec93d8e15

SHA256
b3ab168354e66f5fcb450363575e437c37824d7c1f0627ac2901907d6489fb0d

SHA512
55334cd5ec4822d35635e80be4ce483bd5e748f72608207149f13cff7b00211709a1062e561a29a73e46a548d3676fea0361c9d864a70842715dc9c9d4feb199

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
71KB

MD5
d6378f9634f50344d8f0678af9053edc

SHA1
e757350e293cd399e85b58ee8a473c05180f6f19

SHA256
4c930c2661382e758c3dc73f059e983d59908b516df67498075d4a4e67237150

SHA512
7c8e5ed93a87689cfe0d5ee198c962ab31a2120708f74ee82b9031b8a3685634c78eab0508084fe3c0f0271ad1af0d7b8ace58a280cf44f9353fd81a119fdb72

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
71KB

MD5
80fa56b2a317442e9d3e521e34803189

SHA1
47d4487e1adb9b4a82c5b0c41dcedd6a50a42863

SHA256
d9d20f7a4772c8fa7a28de2cd4b0ca866293e9befff4181e0427d21b7f5f6a3a

SHA512
5295cdb0024d22d027e6480a89a129114064d05e23d597d3d6c48b928f57097dc3aa18cebe6955bbe2fd5e8ec34397fcb2a72220952c198a13bac168f75fccdf

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
71KB

MD5
fb2184e02333d0295706a9cd895d8fde

SHA1
93db933b508abf89c9d18469fe16ca4b5f217cd6

SHA256
ae365b1c1898102a733d7e5619885a70f529e130953b2b2eda3b939762d8caaf

SHA512
b24a4a227ff825f009ac23f6da53b8f5333e0c89cb87cacf856445c6e296a1ab7bc2a3c99558794f51bad9a7a6adbd3a4c9c94426705af16de9c6181aafed18d

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
71KB

MD5
11a602b0021f445d1ac51c1048658552

SHA1
bb77497aa4610918253f2dfb73944f9a87d131db

SHA256
92acebb8c79e87d84c19ac3c8016dc87c3c4ac96961f359e18745df31267c8c0

SHA512
0b56b3571deacb6ff578723649879fa3a758ea03a64391077f52128e7c05aef7659da038302dac050c0bf5bb5f32bac1ec879b8e2e775b8abb323a2b7ede964f

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
71KB

MD5
58e1456634c976c100631b517cf80f52

SHA1
4569b3a2a5e916c6d645b68be6a4d00883e7ca28

SHA256
56b2c82b72603855bc53859e3ef7b4ac1617214b20a7bf494819c6f94cf23546

SHA512
813a886624b4259f1e2d0f8c77cb608d9355ece279f1188f5ae89610214f161f351846662d872a7ef6c4b1b68afec23ec76cde95fdd0e7548963a75fe66c875d

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
71KB

MD5
026b1128ace2809ad915031e3dd7c8c2

SHA1
36f52fa77a1eb003171d4b843fe4cef8de17fe2f

SHA256
b15b6292391b0495ad20a7906e90263a6d4e2a9dea51a27570c4b6d7b01d3e38

SHA512
21951c10ae77e4a567f22a7fe0bf19bdd6fde76d135bec52a7853ec808abb1308459a9d6cfceba76fea2fe1f741d4da8ac6d19fa82f770f40ea1e49f92d88b56

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
71KB

MD5
e6201416efbbc9ad31f4df044d6af2d5

SHA1
afdac83a5e2a2bac933c39ce88ba003a27635117

SHA256
139128a5f0d4ef103735fc711b8ad3e09f0b21c88297af0b0ead6a5ac45b46e4

SHA512
70bdcca71c5e14d5c7acdc1cb64940131ddfe15980db4f9654189e3e5f8e84eeb11c1343a8253bd0e4109e81106b7c4fa1f9215b13455943a44e3efa07b19672

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
71KB

MD5
06f339d8a4054dcf9933229decd376e8

SHA1
b2ebfbc16fd4716bd4951110667e3ee42ea4a9c1

SHA256
ed744e97509aa70a78809f5897f68050d0eb1a8d7c4964917f3fee48b1427763

SHA512
eb1f4208d584d2c7e5c1de99807a0a40166a12b1ff5cf5ac55d835bc867a30adf264220f77e1e5a22ff8ad562a17fde12aae1c03e9ebdf063c8d963a2166bee9

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
71KB

MD5
19a340c1116ccca14cf3baaaa87e4acc

SHA1
c9a9aef5ad13d4e642285970bd3e07ad6b530c26

SHA256
61c540e778811304cfb812d12e541bbe999d0997e5da54060afa4bb9a873d354

SHA512
08f98312756e0e064b6747cd61b3d37c7ae06c349d940812a3ad3389d84b0b3de1a4666db6b4fc064c157b269b040111586c5fbef4eb36cbcc767fc92d4964c5

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
71KB

MD5
b56ab053f66183887115ae75456d4af0

SHA1
be90da15858c5a98e78240617593c05dc294962c

SHA256
0b5ce512cff8cfc8fe07aea778c0a8119c3807e554aedab2e6ea32cf039e5223

SHA512
33faa82ba75826271cb6bd1386d07d9afd9525e8dc67e6e91281d69c1f7f844b6f055dd359cce3d5691ddb7df89d7366b6b2bc6dc04d545d4f1d9e873d74f24f

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
71KB

MD5
eb087f0e941a6e3db33956ed09c540c0

SHA1
9f674e2180b7a2f05af700a6af7590ecbf7738f3

SHA256
c753130bbc25962c5601125191007978967792c41d7f9faa168e9f88583ead95

SHA512
6934dbcf0791429798baf7e0606cf2e8a5af89574c12a8b0e112cf5f07cb7557079d59460cccbdbc8e75f6eb6172144590c638d599839dac8c691cdf4f851d44

Download Submit
C:\Windows\SysWOW64\Hpbjkl32.dll

Filesize
7KB

MD5
8c0b8fc3e8f4a1e58a5ab1d17194ee1f

SHA1
10a9f54e7286aad979690626e5baffa2d0ef6da9

SHA256
648cb5e01920493f01c370323061da4675eb190c39ce379f18e26f1b2b14ab2b

SHA512
f9a51203dffe1f778167944efb23264a922d31e1d94b3e56ae7ea00dd71562e77ed3c851f1cb787700c98ae7343e2a4d8a05c0bf70e800f5830f7604684b28d6

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
71KB

MD5
13ea32be3774ad726cc04f4d62c29010

SHA1
30b23b908a4097bec0d80cf07de642bf30c4ba85

SHA256
5bff5c90734739a0b55ad4b7d7ad551eb0969321ddba98b3e49acd88b5a2ba3d

SHA512
1b038a527e59cc4541d4d805e650a90cd638217150af595e3f4fc953222b6bb7837cbf3e82bf606f8d813479d7fe156647b4133c3830fa7172d1bf741df716f0

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
71KB

MD5
8de8abeeff627b7c1e8406c47a99abb0

SHA1
a6d27316939dffbad2ea9b122e8e983288934b1b

SHA256
4232948bee500dc5ca2ae4df2075c51b55be8d5759009f6bd70a3de06bea87f8

SHA512
9aded69fb5571c511d8de119eed0e493cd369826f0fd4f6dba645094aefb13e9258ceb656448d1be599256e6dd5ed3d6a82ce29e7c008c8c1578ad756ef81ff0

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
71KB

MD5
a5ccbc491b188a926f48ba95701fea22

SHA1
83e9baf20413ccd89247c1960d2c5b782f46d988

SHA256
e4e226cff648f883f3e2d4766b9cb9219ff7cdf6c50d5c337ef68639c6f88716

SHA512
2de320b4f741388e85e7dc87b80e1c8ba3a7ee8ea0cba68c02912e132a2c09a9f7f4ec22ff6ec5a273a5829e0bb83b1dabd03a47b16787f48887b3db89aadc48

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
71KB

MD5
944512e3667004b56c5fa528023e39ca

SHA1
599579a96a3997980f863229dee0da6708c72ec8

SHA256
2a9cfb9e72f2011dcfd6db31036e86f39e89e66452ee9159d52351c64762f262

SHA512
48203267575daa70a7f250b85dfb44fb860facd87dd7da9485462e08761a29a4b1e63e6d85b02c35cae9739f10d3fc6288f6efb5727bf8cf2c6ad0b2b3a300b6

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
71KB

MD5
23f1bea6830c83c6e5af5be20f7469de

SHA1
f6ffbea1b7f049cbc8149173a3afb3098efa0ddb

SHA256
e8c57b814f080bb7997d47bbbb1263f9fb924b2e0b7e5b4ba21fd08157fe7442

SHA512
81e9bc59d95827f448d2a0aa876bc0d56eea529150e267125149e951595066e1d2c97f0e7da336c824544f3bac50075954a3f720af0b9e2a6b1820d5353cf75b

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
71KB

MD5
e6667acde5b91fbfca8ad536e24993c0

SHA1
c6a151b207e221db98bfc877dc30d8d3a92043e5

SHA256
2adb50c80ff3561a9f17e29c752f49eac906ba644334d44c8c6c46a108c99698

SHA512
51a529e9b65eba21480520cf5e2250ace830d05d9e07a5d9aaf940400552f73c259f4ac06dc42c5d94cc406c3890fc28fb14b3d5923a2f2e67de8d1fe2fc3326

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
71KB

MD5
e323058feae2b8558c70bc8443a5f723

SHA1
f90829d94f31c78a30af3a2f2eec5bda46d4be3b

SHA256
998bb44eb04cea774f9477f74e50a8e9508e49032689bb8719a899fbba6013e1

SHA512
c039b626008bcfb48e8d4b05c2322946b2279b6a472f0e67f969a7ab0f3a3d1a4a24e97857e37b3e5408f735c8ca160cfbc2d8fb06d87d32330c07b364203f75

Download Submit
memory/216-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/368-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/400-577-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/400-37-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/540-490-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/624-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/628-502-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/716-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/808-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/884-339-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1016-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1060-237-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1068-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1112-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1124-303-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1164-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1164-597-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1304-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1368-551-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1456-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1456-550-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1480-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1620-453-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1884-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1920-604-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2116-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2196-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2240-310-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2384-484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2532-252-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2548-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2592-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2620-228-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2624-571-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2636-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2652-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-590-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2924-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2932-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2956-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2984-578-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3084-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3100-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3108-537-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3208-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3308-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3384-267-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3400-512-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3416-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3416-557-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3428-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3428-570-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-523-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3480-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3520-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3620-471-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3672-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3792-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3860-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3872-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3912-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-459-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4196-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4232-548-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4284-526-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4288-253-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4296-390-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4320-538-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4392-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4420-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4464-564-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4472-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4520-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4608-373-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4640-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4720-496-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4788-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-558-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4916-514-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4928-464-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5016-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5044-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5100-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5128-584-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5168-594-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5212-598-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads