5e295a7d6abb9e0231aed722c646f33085ef6e0ccb7ffc1036fd301d3b51ec7a

Analysis

max time kernel
144s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e295a7d6abb9e0231aed722c646f33085ef6e0ccb7ffc1036fd301d3b51ec7a.exe
Size

128KB
MD5

2c674af73fe643a2357955b7407e30c5
SHA1

82c7093ee318b78a3fe373cd75dbad490ec503c3
SHA256

5e295a7d6abb9e0231aed722c646f33085ef6e0ccb7ffc1036fd301d3b51ec7a
SHA512

1448e0bfac35d5a32b8f9d571cf130d6809421165dad481c5257109174b6b95901518fb4bfad905db7788b21a11ed66e1d3e181fe76f94acc480111dc11de2f9
SSDEEP

3072:ic7pw2MgLdS9ZxaBLw8asCHNhMXi6Y0HYSx9m9jqLsFmp:Fpw2jLw92BL2xUS6UJjws6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe

Executes dropped EXE 64 IoCs

pid	Process
3012	Gfcgge32.exe
1920	Gmmocpjk.exe
2288	Gbjhlfhb.exe
3932	Gfedle32.exe
4260	Gmoliohh.exe
2924	Gqkhjn32.exe
2392	Gfhqbe32.exe
2020	Gifmnpnl.exe
2108	Gmaioo32.exe
3912	Hboagf32.exe
1084	Hjfihc32.exe
4700	Hapaemll.exe
2388	Hcnnaikp.exe
4864	Hfljmdjc.exe
2632	Hmfbjnbp.exe
4352	Hcqjfh32.exe
1336	Hfofbd32.exe
4372	Hjjbcbqj.exe
2800	Hpgkkioa.exe
4792	Hjmoibog.exe
1600	Hpihai32.exe
3504	Hbhdmd32.exe
5092	Hmmhjm32.exe
3632	Icgqggce.exe
4396	Ijaida32.exe
3180	Iidipnal.exe
4608	Iakaql32.exe
1028	Ifhiib32.exe
4528	Iiffen32.exe
652	Ipqnahgf.exe
4296	Iiibkn32.exe
3040	Iapjlk32.exe
4536	Ipckgh32.exe
2900	Ifmcdblq.exe
3192	Iikopmkd.exe
4828	Imgkql32.exe
2444	Ipegmg32.exe
1944	Ibccic32.exe
1616	Iinlemia.exe
5104	Imihfl32.exe
4024	Jpgdbg32.exe
2740	Jdcpcf32.exe
2872	Jjmhppqd.exe
4680	Jagqlj32.exe
880	Jpjqhgol.exe
2008	Jfdida32.exe
4168	Jibeql32.exe
2472	Jaimbj32.exe
4316	Jplmmfmi.exe
3448	Jbkjjblm.exe
3680	Jjbako32.exe
4112	Jaljgidl.exe
3184	Jdjfcecp.exe
3408	Jfhbppbc.exe
4256	Jigollag.exe
3468	Jangmibi.exe
2520	Jdmcidam.exe
2176	Jfkoeppq.exe
4884	Jiikak32.exe
4644	Kaqcbi32.exe
3780	Kbapjafe.exe
4660	Kkihknfg.exe
1576	Kmgdgjek.exe
3892	Kpepcedo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	5e295a7d6abb9e0231aed722c646f33085ef6e0ccb7ffc1036fd301d3b51ec7a.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5528	5248	WerFault.exe	210

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3012	1008	5e295a7d6abb9e0231aed722c646f33085ef6e0ccb7ffc1036fd301d3b51ec7a.exe	83
PID 1008 wrote to memory of 3012	1008	5e295a7d6abb9e0231aed722c646f33085ef6e0ccb7ffc1036fd301d3b51ec7a.exe	83
PID 1008 wrote to memory of 3012	1008	5e295a7d6abb9e0231aed722c646f33085ef6e0ccb7ffc1036fd301d3b51ec7a.exe	83
PID 3012 wrote to memory of 1920	3012	Gfcgge32.exe	84
PID 3012 wrote to memory of 1920	3012	Gfcgge32.exe	84
PID 3012 wrote to memory of 1920	3012	Gfcgge32.exe	84
PID 1920 wrote to memory of 2288	1920	Gmmocpjk.exe	85
PID 1920 wrote to memory of 2288	1920	Gmmocpjk.exe	85
PID 1920 wrote to memory of 2288	1920	Gmmocpjk.exe	85
PID 2288 wrote to memory of 3932	2288	Gbjhlfhb.exe	86
PID 2288 wrote to memory of 3932	2288	Gbjhlfhb.exe	86
PID 2288 wrote to memory of 3932	2288	Gbjhlfhb.exe	86
PID 3932 wrote to memory of 4260	3932	Gfedle32.exe	87
PID 3932 wrote to memory of 4260	3932	Gfedle32.exe	87
PID 3932 wrote to memory of 4260	3932	Gfedle32.exe	87
PID 4260 wrote to memory of 2924	4260	Gmoliohh.exe	88
PID 4260 wrote to memory of 2924	4260	Gmoliohh.exe	88
PID 4260 wrote to memory of 2924	4260	Gmoliohh.exe	88
PID 2924 wrote to memory of 2392	2924	Gqkhjn32.exe	89
PID 2924 wrote to memory of 2392	2924	Gqkhjn32.exe	89
PID 2924 wrote to memory of 2392	2924	Gqkhjn32.exe	89
PID 2392 wrote to memory of 2020	2392	Gfhqbe32.exe	90
PID 2392 wrote to memory of 2020	2392	Gfhqbe32.exe	90
PID 2392 wrote to memory of 2020	2392	Gfhqbe32.exe	90
PID 2020 wrote to memory of 2108	2020	Gifmnpnl.exe	91
PID 2020 wrote to memory of 2108	2020	Gifmnpnl.exe	91
PID 2020 wrote to memory of 2108	2020	Gifmnpnl.exe	91
PID 2108 wrote to memory of 3912	2108	Gmaioo32.exe	92
PID 2108 wrote to memory of 3912	2108	Gmaioo32.exe	92
PID 2108 wrote to memory of 3912	2108	Gmaioo32.exe	92
PID 3912 wrote to memory of 1084	3912	Hboagf32.exe	93
PID 3912 wrote to memory of 1084	3912	Hboagf32.exe	93
PID 3912 wrote to memory of 1084	3912	Hboagf32.exe	93
PID 1084 wrote to memory of 4700	1084	Hjfihc32.exe	94
PID 1084 wrote to memory of 4700	1084	Hjfihc32.exe	94
PID 1084 wrote to memory of 4700	1084	Hjfihc32.exe	94
PID 4700 wrote to memory of 2388	4700	Hapaemll.exe	95
PID 4700 wrote to memory of 2388	4700	Hapaemll.exe	95
PID 4700 wrote to memory of 2388	4700	Hapaemll.exe	95
PID 2388 wrote to memory of 4864	2388	Hcnnaikp.exe	96
PID 2388 wrote to memory of 4864	2388	Hcnnaikp.exe	96
PID 2388 wrote to memory of 4864	2388	Hcnnaikp.exe	96
PID 4864 wrote to memory of 2632	4864	Hfljmdjc.exe	97
PID 4864 wrote to memory of 2632	4864	Hfljmdjc.exe	97
PID 4864 wrote to memory of 2632	4864	Hfljmdjc.exe	97
PID 2632 wrote to memory of 4352	2632	Hmfbjnbp.exe	98
PID 2632 wrote to memory of 4352	2632	Hmfbjnbp.exe	98
PID 2632 wrote to memory of 4352	2632	Hmfbjnbp.exe	98
PID 4352 wrote to memory of 1336	4352	Hcqjfh32.exe	99
PID 4352 wrote to memory of 1336	4352	Hcqjfh32.exe	99
PID 4352 wrote to memory of 1336	4352	Hcqjfh32.exe	99
PID 1336 wrote to memory of 4372	1336	Hfofbd32.exe	100
PID 1336 wrote to memory of 4372	1336	Hfofbd32.exe	100
PID 1336 wrote to memory of 4372	1336	Hfofbd32.exe	100
PID 4372 wrote to memory of 2800	4372	Hjjbcbqj.exe	102
PID 4372 wrote to memory of 2800	4372	Hjjbcbqj.exe	102
PID 4372 wrote to memory of 2800	4372	Hjjbcbqj.exe	102
PID 2800 wrote to memory of 4792	2800	Hpgkkioa.exe	103
PID 2800 wrote to memory of 4792	2800	Hpgkkioa.exe	103
PID 2800 wrote to memory of 4792	2800	Hpgkkioa.exe	103
PID 4792 wrote to memory of 1600	4792	Hjmoibog.exe	105
PID 4792 wrote to memory of 1600	4792	Hjmoibog.exe	105
PID 4792 wrote to memory of 1600	4792	Hjmoibog.exe	105
PID 1600 wrote to memory of 3504	1600	Hpihai32.exe	106

C:\Users\Admin\AppData\Local\Temp\5e295a7d6abb9e0231aed722c646f33085ef6e0ccb7ffc1036fd301d3b51ec7a.exe
"C:\Users\Admin\AppData\Local\Temp\5e295a7d6abb9e0231aed722c646f33085ef6e0ccb7ffc1036fd301d3b51ec7a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\Gfcgge32.exe
  C:\Windows\system32\Gfcgge32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\Gmmocpjk.exe
    C:\Windows\system32\Gmmocpjk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\Gbjhlfhb.exe
      C:\Windows\system32\Gbjhlfhb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        40⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        41⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        51⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        61⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        62⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        64⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        66⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        67⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        68⤵
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        71⤵
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        73⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:640
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2948
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        78⤵
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        81⤵
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        82⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1548
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:512
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        87⤵
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:412
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        92⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        93⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        94⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        97⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        98⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        101⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        102⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        104⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        108⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        109⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        110⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        114⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        116⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        120⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        122⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 400
        123⤵
        Program crash
        
        PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5248 -ip 5248
1⤵
PID:5448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
128KB

MD5
17eecb372565817bc5b80fc700d460b3

SHA1
54a636cf8483ece6962fcbbee44464af41ba65c7

SHA256
06531e17d8be388792b2c6b526bfa128432ba66da4016c64f9aab7f1f9181b83

SHA512
9636aaa4cb72264904c4d61ede96254c29fdc4d5231c1cb6943259dd24102d65c158e253afb1b1a9f56bf4400f7365386bf2eda3bf2b09aa5cd41729e4f9f0cc

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
128KB

MD5
7db21b7275ead9c7065d1bf5d9f8a1ac

SHA1
f7119497e6211ac28f11a36de96529b885545da2

SHA256
0958a5d3c5f4410cf958ce920a94690ed2b29b54622df225207a8143ccf77739

SHA512
d557ca2ee5b3bbc4eb325fff562e8b7b242d3bc8b1cd5ffe252978d8a834622e19bf7a990ee3e800bb43b78cb48a290573c5bbfa18e5b4dba99cd12dcdd22010

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
128KB

MD5
73c5bd5e3d68fd7db67652c07486a22d

SHA1
830dd6dc3703250a56a6b0da545d83540097ef45

SHA256
e87d65e39a9740959fe23fe132e8c5cf341e87bf40c9d8fafdf67cc8535d06a9

SHA512
b33ec1ebbb14cc57af4c5b880c20a041817e68cfaf72d2521abcb678bcbe223270944c0c28c91f7af9e997af5d1904f386dd13d638c52c1768af33131c4f8e2b

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
128KB

MD5
a9afed50866ddeb6d148a2f0553155aa

SHA1
21cf5a7b43dd5b56115147ef3722c44572f2992d

SHA256
4d8de09a898f5fed63be1feca2723d294e4d1adb9af002215d5f373e522510a4

SHA512
d86cf7f80b26bf31c1865d97e352e8ff93368fe8068b341ee7ac533b25d4e924bd83489d81826857a193f9592aac831219ea1f66b0238635070e067b0764b869

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
128KB

MD5
9bfe78fef92e2c2f95c8ee54aa4f0d6e

SHA1
3d2add7b30dafd19eb357832e223db80cf11bbde

SHA256
6b366df1cb60296d8925b268ef7a6e8b8a1ac4b31cc7d126e5d2c9e21b2613b7

SHA512
1932657ac10f06cbe7edee304a04ed32364235f4ddd37d64eaf168c739da58696e8099a517a02d0e3356afe3af12091a49c2885a0c9e846eb8a387ca9d41ece1

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
128KB

MD5
c8e63ebbcae5c9edf72ddf4b3f3260c1

SHA1
ae4ca6db8af3206bb29e4103bdc416d334d7cc3a

SHA256
66d97325fe41291fe720692b224959f3970143b3ead7216cdaf9849e3522de21

SHA512
18f73c31dfe1d1d7996b042c8d9b31ec1a1f6c3b0bcad370ddc26ee17e5fe367052256a6a9d4c85106c46c5ff0818951661f37cdce59b5ebc6f21841dee3e451

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
128KB

MD5
fc24e00c246fd8b22bbfab7412e14d36

SHA1
32127126abc08cb9598fcd279277ddb39b81bcf6

SHA256
fda83b9a5b59538778521b8dfe6012276649ce79e5427d43e7f1d9ff84767e00

SHA512
e5cbfd91be728944010194fa9660761ef5e9f9e6d98a4868adbd6ed50d976bba86bd5b7d0d5b514e2c4cffb4eb18d85b85963f6ac4a87bc69d5cd5add9fb3096

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
128KB

MD5
0205fee723c24f3eef38e960e679fbc1

SHA1
25efdf8e0650002cb1a11a0d7df342f9572ea4a7

SHA256
9e18ba2c393c4898e9a7013c4cae8e3e39dc442a8fd7f51f5d32d4178758f7f2

SHA512
38c7a5e21e876e3f556088b675798487c3993315c1745883b9a04d8383d17b5ce8655a49ded16e000d4b047404f88c2b951bc95fe15b5c58450cb5a0f99551f2

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
128KB

MD5
ef66db559080dfd821bbb54fe0d603ac

SHA1
bd0b6b7fa018dba487b31b297cd7ea1e8a28911f

SHA256
5548a90907c30c5ed322a65eabbf8cb06860c873cf1e8974dbe1e68943f9162c

SHA512
9ffc13b8b094f48f6bd87ea44aaa6d5fe0fe089fc2bc89d5d03808db8e49ff9bf94ec83df37d9ad65737b3d5fc7b4f7efdf0044c6f870882a6efbdbb1edc20cf

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
128KB

MD5
cd687c1764427cd77d5017de85f0f223

SHA1
89940488c131a69003adfc0650fa01c6cc40f5f9

SHA256
810a10ce817956f9bf5533681714fa6904a1d2b0d6b0a906008154bf754edf99

SHA512
7b0e3ee68856a85368946442dc68f90a9fe0f3a7a99bc03704db70cd67761b43f836e34f1d747dc0a8a73e830fa15fd94db075676830bc042abc05f09ff9304a

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
128KB

MD5
b9968716f09a49ea0aa6d10dd63ea7cd

SHA1
a18957da04d4ce8177d0ea878fe195eb93385dd6

SHA256
7a6635a7fd53f6bfacf76605288bdfca3acb93d40c1c8b8a16a57fe519886a52

SHA512
a24a45f70bac0cb3ec0f9a750e0fb57cd1a3d2ff7073f9a15c9f6d888eca3c48c09cfaa7613839d4632a242eccd70af194126aa3e642386e32b32ed4f8f7a326

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
128KB

MD5
7a8419a7a53594856deac391ee5e71ea

SHA1
97209222d698509d33b6a4a9bf7337b36edfe391

SHA256
46f776f69ba81b96836cd0d825fbc3bfa0cadadb3f0f79eaf8bd793362b81d31

SHA512
40af4de733d665d7f09968febf74e13b0eb6f65dffa0d360498fdc01bded18532f79a4c6ce57a31d85046ce36a2e387cf656805d5793343a859337193544ca6c

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
128KB

MD5
c8f333d9ea11ca99882221b6b1ee37a9

SHA1
56915f38115bd333397f33c0a82dc10f30becbce

SHA256
fa26abd6c6d9df04a7f7052e2e9cda2f71f8ccccf881738b6ca44420bef33ba4

SHA512
7f1e51c5d1a9b7462bcff43c08707e288d4c6e9c8fe9014d9189d1b84b6d2566a346b0df6077b9cd15ae1041512187c373ddea6666c00ca6e43f070683a0ada7

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
128KB

MD5
06f2d1c9c4e00581ff025c1eea439b44

SHA1
b33b36788e665fd17ffe33767377358fb2795896

SHA256
fcaf9342bce0c043d61222ce650ca1e7723e8d9f3e0e341863d8a1ba2ec42ea6

SHA512
1ddf2ab0e06aa734e6dcc84b448c93fa2ae39ca8aee136bc9330da8724aabff56b54de3e641ee9996066e3d35665325dda13a1d4382345c093dbbf94b863bb64

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
128KB

MD5
73753e43192e3be4dc0f9225ef795fe1

SHA1
25ec71e7a22e03af2a9ac6cb61ae461d084e9393

SHA256
43279a33865f7ebacfcab588021a80bcb9a31aa7401cb0338fbcd6582a96e861

SHA512
a0947e1938745dc62f67ba4a56f18c76410349a7b7d68ff748c824cf47d0d3c5bc593d153bcf7c5758747948d1c754439cbda9c245e334dda04d4ccb5be9f51e

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
128KB

MD5
3093bdd4c0078374f5c0a9d415b3a0b4

SHA1
ddbda642f38636866146ae05f5a846630ffd2fb4

SHA256
153d48dfaa10aa8aad5ae1451c9df560a40d76a371b012b7e5be39bc36086226

SHA512
b322cf1a46b8be44876ae78cd3ec34dc3fcb15e334c08b2af0bc2d0401b4bcf2ff75aa66e42a312e4f0a906519f5d33cb70a28230d480a96b7170a3dcac7a605

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
128KB

MD5
9808c3bd4a497987d244cd74fb74a476

SHA1
2a5abf8543c1d0f04099c73d57fa597eea5566a4

SHA256
b1f6b8129e454f1ec1135f61a306dababb16db5e379a3e8c55c45848e5a70d51

SHA512
7078ccd3718663b7d4ed85953a1fc459136246a5fee5bcf61688732ac7824b450abca58da18d21d11f68a04a4b258c17974b8a7db933199e2c092f30b184031e

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
128KB

MD5
580722342f0131087f25adf4dc4bf064

SHA1
56615cbffea0d560229dda210df5a93515ef0153

SHA256
3a49a838ce352a2d1026a23e75514bd3fd3e58567162180780115aa09fb6c4c8

SHA512
4624ab0e9ab9451ffa050cb8b77ffa185decba5108b4a20e86ee1d06240aa912077875a8de6656b0c8d4f6fba5a31b345706590b5f0584968aee08769e8eb643

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
128KB

MD5
beee75bfc39d391b8bd8db02e25ee63c

SHA1
9412adc0e6d1078f111e4ec3890d303f90a93197

SHA256
deb6868474c2845ffbfd76146bec892735c28b1ef012b75bbb3f48316005caf9

SHA512
981f34468d5ddf1e5d388ebc6f668ede2579f2018574f3429c48e845699fc4d86f1ddfe7928f7d3e89c8248561fe328ed2fddfd11dec863b1bd323355e4324b1

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
128KB

MD5
b887f127002a07856a00b16ab4cf31cc

SHA1
d4071e839ce37626a10670c7d2ac6919b6756a77

SHA256
d4bde5e316c51431730d5837ca67802a46962ebcf81fa29dd2a8b63c7c7fd712

SHA512
586a5bffa41474003b03879fb4fdd8962b65db77fc5e35423723aab4e8eadedf4d6ff6dd77a94854b32dee40f8bd1d0451e4633594c69ec8fc40031c9598cbeb

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
128KB

MD5
a66ea1255cb74201e51085cf1ee42257

SHA1
333bad8407ce716fb774fbee07ea65a47e34f170

SHA256
905bd69f252879c3bbfed32fb38ba188d60e44a4fddf41ddc95ec6e8e56589fa

SHA512
d520c4bd52a570905c0ecf2ec760010d8e3a138024250b35d7a4404684b1733e4f10fbb78309a9dd6734fd59242d05558ca668ddd7045d27b0b99610a7e7d576

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
128KB

MD5
c5b2c43ef19b99ce8cfb179e841fd834

SHA1
a204858fe818faf50b9a2073113692677cc1f751

SHA256
43629007bfcd6c2322b446b0ea44d8ee39bb7bd71c3ec72ec2465ed69431206f

SHA512
c813d0752e2b0582172cd7b6fa8664a8438673c30c29033b2f5ceb648add2726abe8284387fc3391420ed1c74cb202fa0b08cbdb9af7445ef47ae677a014d7ee

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
128KB

MD5
1f68cd407549c1de8e795bc9a2265459

SHA1
dd26a341af41ef3460c03009084f4585e6161a24

SHA256
5ea60dec58f6bec971785e3d866713450351c5c0cba82dd466bda844f1f92e73

SHA512
21ec71e11d39a341ffdb43bbaaa331227a966469ad5c7f20ad6a6b663545abcfbdbf6e7eda0f924bbfa8b7f7e8bc08cfc0654e4862af485d22d1e4f97d342e5b

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
128KB

MD5
ced52694ed86df16de682f76c9a8ccc2

SHA1
cfa63fa30d927b67d5eeccedc4313703ef6cf8e9

SHA256
db492392582927f084c9f63de354d17f4544c441087cbb94ddea9bdc7324a498

SHA512
8e60c9439e51d43d3bec967d827a0989eec81ba7c5b866470ab566cc4f4173040399b8ff7333318d1b02bc5bfdbc37203a08c16c1401adfd47e2305080cece30

Download Submit
C:\Windows\SysWOW64\Iapjlk32.exe

Filesize
128KB

MD5
ccaece5595ce36105cd7904b93c44d05

SHA1
395617ee0daf9e7a97686074d98b423e0b18d62c

SHA256
669b0627db86dba1b66776282f5ce8daa839a763a099730165f082223977cfa6

SHA512
756ff177313ba3c19885a3e6f3e0b1bff82217894f6a17d210046eb8baf0e2fe8e1cd0927f3a73e945fea8cef9d9252b63619622b8494292c5fb437dbefe01da

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
128KB

MD5
69fddea2337a356dd2394265bfb270eb

SHA1
891b39a669cce42973618927273a9f2a05d71e2f

SHA256
593578956aa2cbd2a7d10085f2fda8c30bc4ce6644d21633135c12b7fee081f6

SHA512
43971df346c62fa9f2f9d6480ade9581b9178ccc3b27f2314d37c63418ba1e2968ef2751df9204c82afdca70a90810cde28cc640e68fe11268c61eb4918ceaf1

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
128KB

MD5
6bfe9660155cdb7a11841b581f54abe8

SHA1
1bfa105f79fd40932d908b9c713827fb76d91622

SHA256
d26fb7d4e0917bd5da5d408bd5b9d28cfb472a6016f937f8402440ba1233a24a

SHA512
e5941653a61cecb10e518d67e1ff9c00b1eac80a92d4e2c0d0eaa4db87cc07652eb32ed427102bad5183d20c999fcd91198ea8107b382fc7cd34884700697823

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
128KB

MD5
b29de425a1abe26e385dd015b58f9a2d

SHA1
7c238058732c5260931457f95e78285c929c6bd6

SHA256
034f57bb32db965b9b2ce427e7f47e2ed5aa67e211576d72a11fc09dc535dded

SHA512
3f256915072159c0ca79295dcb7580e84c58d39b61a5d763e9bc0548d0c4d6d80e55c36ab81ffe26eb1832f643242a7934aa7cf1e851875b6a776af7a53c35e9

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
128KB

MD5
1b907c49d82a1c727a39d03c0b792e75

SHA1
d3c878fff72c9cd2cc01cda02652e759f61bd25e

SHA256
5c27f11db217eb1c76ea44c3de661ddda8ebf5957d82d92427210b6452963882

SHA512
3876963a095e47d164cc92bd0f94875243f4edc6b9ea2518f5d342aa24acf9c78792f179d3c601a96cf49aa05848f4ace25e8b5e5c79d850745f60533e2ba22b

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
128KB

MD5
90f501db5380e23d15746a592e6e6193

SHA1
1d1e5b589c76e7cada295acf94e773e75e426ff6

SHA256
3e53e9210457004561657b6aaf706cdbdf5140f0ca4324f0820c8196824c42a1

SHA512
ee9d7d2ceaf5aec6646f1e1d01535ca1ca73e86171d82400d66c5bbd2e7c05dc22eb042270ea634741ebb62bd8d648b5ead8f045b476e6351925ab34305ef922

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
128KB

MD5
08fa4341b944b19b1b33ca493cd51c77

SHA1
28f2e5ab8cfbe3c2857473a6e9d7259255fe11da

SHA256
1b00ae93334e33f6865f9ee8b05fecf1bada1f2f4a67c81095f8359dadfbbfce

SHA512
2cf3a95cd21b7752f761f998ed10f91c3aaa355e4ee6e19675fd6663a854ce6d89563798d55dffecedc1774aaffc77cb9fcad316ead43112b51fe0715e1ef0f1

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
128KB

MD5
6493852339b4ee811c2e34c7188aa892

SHA1
b5155d386f9c1a7e201c2922f28d2f8d1c47cc4f

SHA256
9a1e345b346b34a116fc46d278b7476afc1ef2e9e78a7b3391f712a7e5eac5fc

SHA512
7b428b2e535f260fb671bb567ae23aa463fcd522d763546883976352722d6363315d0ce71ba4480643abfc54b89a84ff23d6866572aedb019621b65a0adf0721

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
128KB

MD5
d87d2241e0d485f442696f21e4cf41d2

SHA1
747f14b0177b1c5922fc74c022195b98681caea6

SHA256
96c1df8ede2eea170f4b67f2b478531307da51f9e204a3bbe0e8f622d0529a75

SHA512
dc479aafa143ca2dfc64a86c967c2d4e360cbcc48a276968aafb6ebc43fb4223d5756e6f89ca0b7551ef4fa68a0ff7750179039503eff4731a24fd879f84d72f

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
128KB

MD5
e2bf24166bf1d1285d1b4c2da3be58cf

SHA1
5c4a70ca4a8741d2dbce77544b966ea92b2e110e

SHA256
99a0eef459652618d31de4e9307b58127a40f5c6a3d8613eed803713f862b5cc

SHA512
07f5e882f0c348e218865bfa94ab534d9d9792a0ed7d979e61bc065ce006dd062743dad3715be19540081fe6ca940f5e8959014927aef8665481bf0a35f3e7da

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
128KB

MD5
1d8e9a086c1bcd5edb9fa7046f2c78c4

SHA1
01589f5970009d577d36040ad75b7a52f352a23d

SHA256
ffa92400dccfd857d28f9e0527e8fa91a6475e1df9ac48a04029197a59aff3b7

SHA512
8babda7d66c7f1e7e62fdbbe89b7bbc47ed860a548d6374b85b096b1cae570379b41faacc9aa4379dd0255fee435b3a353044964bb0cac244e1b8092c04c26ed

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
128KB

MD5
c82f2e8c447c88c9dba1e496a40a3cf4

SHA1
1cd129ffe1e981491b03dd89b27222e642c4bb39

SHA256
09a6d59f45664ddad0d13e1b35ed2b5b838972bad0f0b769ac2d17e22dd10216

SHA512
853ab15567a52720f11fd5dd77f9e5f2bfdc70763b9569013d3ab02ad7246c2595acebd2b0872a1f308a7cac424f77be703cc9426a5a3dc4e51a867ac58c7fc7

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
128KB

MD5
560752e29e8743ef0fa327a9c298ed07

SHA1
6c7e2c0eba3b1d3adbc4cec06403df82f177b95a

SHA256
c8ae0815b6ff4d6c9affbc2201333f20db3e74f8c66afd0286dcc5baf90d11fe

SHA512
80d0d28f971f81f8f14e51ae91ae438bb463236d0fc1d63e226c3183e8500be8d2fc05d6e2eb3ab3d8636d3392bc2b2b1b762dc99ff2a65acbe3294c1bd28dc2

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
128KB

MD5
a67f388a8f7486624948bdbed8f559c6

SHA1
f4f719f2b253c3fc256a9158e504ff1b9deff10a

SHA256
98f2afadd1b333764d87c5f91d6052f900ccf375fbf3a4f45988d3893f114387

SHA512
37cc53e70d83f1220c38e2113427f9d40c84d2506ae4c7f2d205e3ac1eb028a2e4752a5e98fe6286c5850408edc5d712d5451097ac2ef65ebc0cfde7d11cd7dd

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
64KB

MD5
900c5ed2dad3f950d1f4ecf4c1805926

SHA1
1fecbcaab9a9f0019aeeb679bed8a9e9dab46dc8

SHA256
6ae068d4fed70a80b5d4ae6a1560350329208e4693b2d5a5976710daecbdbc8f

SHA512
dbc08ba626dbc7f7c37a9e309d929a3a09d1fe7cb810b7cfb3a41b2306ad899bae0fd1618daf89f0b0c6e526545ae31034069114321141a2de94a74f210096b3

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
128KB

MD5
c6236fab27c5254ef210cf2264022ecc

SHA1
ba17c77476b70315b35ef9b093bc8a753e1abd7e

SHA256
69aa7951072f04fd6cbfff3c504de58b58de1cff54f9f13acab242e8bfbedd5a

SHA512
70e80203db0129a7562fa9988cea2660a98ded20df11f2e9d3f3fc672e4863f5d9adf0ac32f23008e0627f9ef4ad700eec072344011b16dc3663b0b4d319643a

Download Submit
memory/512-578-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-511-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/652-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/832-527-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/880-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1008-539-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1008-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1008-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1028-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1084-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1336-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1548-567-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1576-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1600-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1616-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1912-533-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-559-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1944-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2008-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2020-69-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2064-581-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2108-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2176-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2288-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2288-566-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2388-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2392-589-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2392-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2444-291-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2472-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2520-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2632-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2872-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-273-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-587-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2948-515-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-507-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3012-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3144-588-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3180-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3184-383-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3192-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3396-521-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3408-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3448-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3468-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3504-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3540-540-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3632-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3680-375-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3712-477-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3780-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3852-497-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3868-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3892-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3912-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3924-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-573-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4024-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4052-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4112-381-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4168-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4256-395-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4260-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4260-43-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4296-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4316-363-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4352-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4372-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4396-201-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-560-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4492-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4524-557-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4528-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4536-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-221-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4644-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4660-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4680-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4684-495-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4700-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4828-281-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4864-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5092-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5104-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5116-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads