6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf.exe
Size

90KB
MD5

3d3046dec383edfc63b3a8029ffb1997
SHA1

23da26ec0045f7f751d862a11786b286761c7478
SHA256

6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf
SHA512

baeee729ef0898dce5a6876a8aeb8295d92c2bb31859ef2c1473e30ccdbe81aa99f159c06b174181af62da3399e5a2402c9253eceb1d0882be9dda25beefa1a1
SSDEEP

1536:tt/F3Xeb+yZddFInmW+z5rFedp9sQ6jRuUnnp7VXqfOOQ/4BrGTI5Yxj:t7+/Z+fQF4p9sQ41nGU/4kT0Yxj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe

Executes dropped EXE 64 IoCs

pid	Process
752	Gjlfbd32.exe
2404	Gqfooodg.exe
3820	Gfcgge32.exe
3484	Giacca32.exe
3708	Gpklpkio.exe
1484	Gbjhlfhb.exe
2592	Gjapmdid.exe
2576	Gqkhjn32.exe
2420	Gcidfi32.exe
4224	Gifmnpnl.exe
5092	Hclakimb.exe
2344	Hfjmgdlf.exe
3000	Hmdedo32.exe
1392	Hpbaqj32.exe
3824	Hbanme32.exe
3764	Hpenfjad.exe
4592	Hjjbcbqj.exe
912	Hpgkkioa.exe
4392	Hbeghene.exe
1728	Haggelfd.exe
2984	Hfcpncdk.exe
2444	Hmmhjm32.exe
1720	Icgqggce.exe
3644	Iakaql32.exe
2176	Ibmmhdhm.exe
3440	Ijdeiaio.exe
1452	Icljbg32.exe
2288	Iiibkn32.exe
2540	Imgkql32.exe
1284	Ijkljp32.exe
1900	Iinlemia.exe
3580	Jmkdlkph.exe
4944	Jpjqhgol.exe
1040	Jmnaakne.exe
1960	Jplmmfmi.exe
4564	Jjbako32.exe
4524	Jpojcf32.exe
1588	Jfhbppbc.exe
2824	Jangmibi.exe
4064	Jfkoeppq.exe
2744	Jiikak32.exe
1352	Kaqcbi32.exe
2484	Kdopod32.exe
3332	Kbapjafe.exe
3640	Kkihknfg.exe
452	Kacphh32.exe
1920	Kbdmpqcb.exe
3740	Kinemkko.exe
3296	Kaemnhla.exe
2808	Kbfiep32.exe
2496	Kknafn32.exe
1916	Kmlnbi32.exe
916	Kpjjod32.exe
3944	Kcifkp32.exe
3248	Kkpnlm32.exe
1896	Kmnjhioc.exe
3204	Kajfig32.exe
4940	Kdhbec32.exe
3628	Kgfoan32.exe
4072	Kkbkamnl.exe
3352	Lmqgnhmp.exe
4408	Lpocjdld.exe
1952	Lcmofolg.exe
2796	Lgikfn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6028	5824	WerFault.exe	207

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbbnj32.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 752	1652	6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf.exe	83
PID 1652 wrote to memory of 752	1652	6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf.exe	83
PID 1652 wrote to memory of 752	1652	6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf.exe	83
PID 752 wrote to memory of 2404	752	Gjlfbd32.exe	84
PID 752 wrote to memory of 2404	752	Gjlfbd32.exe	84
PID 752 wrote to memory of 2404	752	Gjlfbd32.exe	84
PID 2404 wrote to memory of 3820	2404	Gqfooodg.exe	85
PID 2404 wrote to memory of 3820	2404	Gqfooodg.exe	85
PID 2404 wrote to memory of 3820	2404	Gqfooodg.exe	85
PID 3820 wrote to memory of 3484	3820	Gfcgge32.exe	86
PID 3820 wrote to memory of 3484	3820	Gfcgge32.exe	86
PID 3820 wrote to memory of 3484	3820	Gfcgge32.exe	86
PID 3484 wrote to memory of 3708	3484	Giacca32.exe	87
PID 3484 wrote to memory of 3708	3484	Giacca32.exe	87
PID 3484 wrote to memory of 3708	3484	Giacca32.exe	87
PID 3708 wrote to memory of 1484	3708	Gpklpkio.exe	88
PID 3708 wrote to memory of 1484	3708	Gpklpkio.exe	88
PID 3708 wrote to memory of 1484	3708	Gpklpkio.exe	88
PID 1484 wrote to memory of 2592	1484	Gbjhlfhb.exe	89
PID 1484 wrote to memory of 2592	1484	Gbjhlfhb.exe	89
PID 1484 wrote to memory of 2592	1484	Gbjhlfhb.exe	89
PID 2592 wrote to memory of 2576	2592	Gjapmdid.exe	90
PID 2592 wrote to memory of 2576	2592	Gjapmdid.exe	90
PID 2592 wrote to memory of 2576	2592	Gjapmdid.exe	90
PID 2576 wrote to memory of 2420	2576	Gqkhjn32.exe	91
PID 2576 wrote to memory of 2420	2576	Gqkhjn32.exe	91
PID 2576 wrote to memory of 2420	2576	Gqkhjn32.exe	91
PID 2420 wrote to memory of 4224	2420	Gcidfi32.exe	92
PID 2420 wrote to memory of 4224	2420	Gcidfi32.exe	92
PID 2420 wrote to memory of 4224	2420	Gcidfi32.exe	92
PID 4224 wrote to memory of 5092	4224	Gifmnpnl.exe	93
PID 4224 wrote to memory of 5092	4224	Gifmnpnl.exe	93
PID 4224 wrote to memory of 5092	4224	Gifmnpnl.exe	93
PID 5092 wrote to memory of 2344	5092	Hclakimb.exe	94
PID 5092 wrote to memory of 2344	5092	Hclakimb.exe	94
PID 5092 wrote to memory of 2344	5092	Hclakimb.exe	94
PID 2344 wrote to memory of 3000	2344	Hfjmgdlf.exe	95
PID 2344 wrote to memory of 3000	2344	Hfjmgdlf.exe	95
PID 2344 wrote to memory of 3000	2344	Hfjmgdlf.exe	95
PID 3000 wrote to memory of 1392	3000	Hmdedo32.exe	96
PID 3000 wrote to memory of 1392	3000	Hmdedo32.exe	96
PID 3000 wrote to memory of 1392	3000	Hmdedo32.exe	96
PID 1392 wrote to memory of 3824	1392	Hpbaqj32.exe	98
PID 1392 wrote to memory of 3824	1392	Hpbaqj32.exe	98
PID 1392 wrote to memory of 3824	1392	Hpbaqj32.exe	98
PID 3824 wrote to memory of 3764	3824	Hbanme32.exe	99
PID 3824 wrote to memory of 3764	3824	Hbanme32.exe	99
PID 3824 wrote to memory of 3764	3824	Hbanme32.exe	99
PID 3764 wrote to memory of 4592	3764	Hpenfjad.exe	100
PID 3764 wrote to memory of 4592	3764	Hpenfjad.exe	100
PID 3764 wrote to memory of 4592	3764	Hpenfjad.exe	100
PID 4592 wrote to memory of 912	4592	Hjjbcbqj.exe	101
PID 4592 wrote to memory of 912	4592	Hjjbcbqj.exe	101
PID 4592 wrote to memory of 912	4592	Hjjbcbqj.exe	101
PID 912 wrote to memory of 4392	912	Hpgkkioa.exe	103
PID 912 wrote to memory of 4392	912	Hpgkkioa.exe	103
PID 912 wrote to memory of 4392	912	Hpgkkioa.exe	103
PID 4392 wrote to memory of 1728	4392	Hbeghene.exe	104
PID 4392 wrote to memory of 1728	4392	Hbeghene.exe	104
PID 4392 wrote to memory of 1728	4392	Hbeghene.exe	104
PID 1728 wrote to memory of 2984	1728	Haggelfd.exe	106
PID 1728 wrote to memory of 2984	1728	Haggelfd.exe	106
PID 1728 wrote to memory of 2984	1728	Haggelfd.exe	106
PID 2984 wrote to memory of 2444	2984	Hfcpncdk.exe	107

C:\Users\Admin\AppData\Local\Temp\6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf.exe
"C:\Users\Admin\AppData\Local\Temp\6773c08519a70bc9013b4e98240bc1def938b630449099b22257047fb1d53baf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\Gjlfbd32.exe
  C:\Windows\system32\Gjlfbd32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\Gqfooodg.exe
    C:\Windows\system32\Gqfooodg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\Gfcgge32.exe
      C:\Windows\system32\Gfcgge32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        23⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        25⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        26⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        28⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3580
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        37⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        39⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3332
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        49⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        50⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        67⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3136
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1480
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        75⤵
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        76⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        78⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        79⤵
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2272
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        85⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        86⤵
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        89⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        91⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        93⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        98⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        104⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4420
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        115⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        120⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 412
        121⤵
        Program crash
        
        PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5824 -ip 5824
1⤵
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
90KB

MD5
42972869b1ee235b4206dc5f15b78a71

SHA1
d1387845c089b8e7a78a79636d44b67f40695042

SHA256
1d1177a28eeb5aa50e2654b109d5e989f1a0ffd8d61e716eaf58bce9b2495735

SHA512
1fc3a9e5826f81400309c47995870db1c142c603f417b78c93b7f5faac3da40a426de9237d2561ac2d06189d6c5430d458ff15e4446cb177b7ea883537389d12

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
90KB

MD5
adb9e0acf43e38dd15d364e8bf15bfd7

SHA1
a2e17afe5d26a0d11fffb485f01976ae5acf2507

SHA256
5946f0d1349ea563c79efd9df739e9c7c5c4ecdbc21ac918b10dcd28b5716e4d

SHA512
0ffa2cd66d89fd605ae4f8f63214bb2ec9d24388a338a2421d0e3f05f8ab9583a4170817f078e99a1adda2dbf2de2bcbbb28fd008131132b9f0766c3b06bb675

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
90KB

MD5
7efb40e0c92792cba77cf45716a32702

SHA1
9a8feecbb68590246cf3d48876e153984a728071

SHA256
b1b692b29c058b7cc9ceff75b348928bafb222b499b15c2da83df7853239bc92

SHA512
57f5da229e776bb24a130b64270aeb2a7f06eb9d432a052ec21e7fb3c19639db988b90072498a849bec4bd8acbbcfdf32e0a4819b18f9c81c752fc48d0ed1ee4

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
90KB

MD5
08817ce7e1a08c95c4d17a84fb9f02a2

SHA1
cf42729ad5430e4065a20a1e82a73fd62cb2a8b2

SHA256
61ad5a3a23802fe0d7cbca1eaecf5c2064ac2ae9c430cfedd4449ef1f2b64e52

SHA512
28135848bc2f12469579cc998c9043a76dcaef855f63e47db5ef2e8be0551e988f11abcf26810448663bf9a111702b9d94d1ce3031625774b2370d35607a8624

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
90KB

MD5
2e49e072ac0b1e072059af47090574ee

SHA1
b256418ee57e893016b333c3e03879fb96bfcd0b

SHA256
4483df6a50809387e9e9d1731ded98a7f5814dbb0d0587883132cbe96b3cc516

SHA512
ded965c1178b97d4f6d333fe9f1caefb5d4255d9e659b890409a4cf7172c1cdd1b1ee0bbf31bfe4a93d021faf80a1cd66c0bc0e101f17f9b527f6654a6329a6c

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
90KB

MD5
63f96b3a32d584a4fe9cb857ed266d04

SHA1
0bd5f2ce8c2dcaae4ac7f1623f7328b9ab3ce259

SHA256
70fe317b2033f9c0c836fed1abaaf967e1e4e9ed8755dbf719f9a1a6dea45ec7

SHA512
fbaf6f289f32aa451388631da99a7f44d1ca821d40dc4478829e2475e07fdfd5d8e1688aadcee9b4f6354d8e6831a1ab93acb5545a589da0b890c4e20e053023

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
90KB

MD5
8537ee2d5bdb438da53ce33b707c9da7

SHA1
722b475d19b8e5ca25c2bc943a97f3988fd611bd

SHA256
6074de3b49ac13a0233b2cd28fa6874ee3f30648e5695b98b3fda3cfbbc011bb

SHA512
bdad90e2a425f29a3790e6e0c6ede03c24e8a8ab69e711b690ac46fa290e9d8849dba683a4add3a873b7fac9fb930c4391308a155fce5a7d80e65f887745e0b3

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
90KB

MD5
bb10700a9173ae190dada964ca3c443e

SHA1
d989b8600f0aa7462166a4666291df0ca7df9035

SHA256
d543072b5bcaf34fa05055df1d802a5187f6af3ee3b3fc095c6f739b194a2460

SHA512
a2a922d39771e124090cc2a901d836642ef13cb1e42e97e6d35dbcb39e1c3ea9303914dc2983e91202335e301a0de9948954e497ee1789d1f6cc9a564615fb12

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
90KB

MD5
21b4b3a23873adb7dd7e70671c19b84f

SHA1
ee56726590f68b9b17753ea22fccb03099dee0f1

SHA256
e71fecc41a67ff48e5367e2b0df8ae3993de0e6040022d1a3845eec861e573e2

SHA512
8609c66d489da3a9adde06e75d56d192751e30a98ef87d31c562684fedc829b6f7d0aa836cc74f6e9caf3482593b5ea7b073dc527d7a77bbbe86cd550334f85a

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
90KB

MD5
1ecb684fb359fc80ff2c822fadf118c9

SHA1
cddff72714c945f8e66f28975b5521ed7242fe89

SHA256
a190423f2ac5dce7d1fbdad4930b2b51470651a3b8465a3bb0693ac33c78ef1d

SHA512
1663f9beb2ffcd517c6b2543222df9c797d904b8ff30fcce721d43f7f5e051d255aa92b69b8e51b1e336c73a6c476d5e1c2e12387e6e4618917690b9fe445856

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
90KB

MD5
4d61965e209a3ae9f105892ae887263d

SHA1
6865f0820dd048f1f01ed706f406f81780162755

SHA256
3a0e7ba36c37fcb6aa7dc4b114cd30ade6f782537e9f96417b1fc25a825db814

SHA512
fa0c3c5a2dfda06774aef80e09b1784c72fa2513c76eb101b524eb8c729a8a4f4b8cd810bef4b0d0b10f5a31cdad708b6baa0b6c7e67179e85467ab3d2059a24

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
90KB

MD5
1f76a3c724b241a3511585d20b3ca75e

SHA1
34be21afdd34f4af1bf4ec3d9da5ff4debfa5f9b

SHA256
33eb169465be44f03f1844c6ff21837cfa4178a37fd69cdbc23e6ad87d74ac20

SHA512
83c59edc0e78ebb50b3cd7671fe504aa022013549986db3c01494048a54da0e3a4d3b9413468b67fd01bf2eef15aaa347b3be5b8266478549861d0d1a140b1ee

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
90KB

MD5
c5c1e1b5d88413eaf0e0b362bf1d7ad4

SHA1
051745d36d25d480020dc46c54bead3aece92cfb

SHA256
39ef8b1b4f7a055bbcbafcebe8913979b782af0fb90d61ccff6aec0905f00092

SHA512
4d66485020c24d66f92c8a72c48e4b646c30dd7e4a2312d3cf7813fcac51edd341762fa907eafcd95da425b8e6028a43359a8a0af1864e962a94342acb91a51e

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
90KB

MD5
6907b1e7c923eca3a15b993bcdff6b58

SHA1
8a205e8b2af1d81a827232b3950213bf79c8726c

SHA256
7f315135d2746049ef8ee7f9d134f035545bbfd655bbe527d840b9bbf7026abf

SHA512
42d84f4bb36e3e2ed462bbe9101061d8319cf820bed5d3aad20d7d58b5c754d4b8e2bd6bc91d86baa24c68c77c41c6d19ef93fd3c67d4d4a99f8147fe4b70b15

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
90KB

MD5
c536451354933ba657bf9f9ec58d81f3

SHA1
7ec8b667c3ddf3a06d69e66719f64ecc74dc75d7

SHA256
78418a5ff72248f4f9ef78babe23c15d232b643e7601e8d667a7b6a3f32c7711

SHA512
375d230c68347ed4e46c89b1a8477e7413134bc122fb9edcd21e7aba668da3f9fd887d8b76c105f258d3a9c62faae760e226e148b282ff06adbc16e82792dd02

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
90KB

MD5
57c9f5db66b35073486470f9a8b81685

SHA1
67f641a81884deee62c2c0b79259624e8a47c23e

SHA256
ac70e4cb981fe5e87e25baadd384a5abc39f420283f3152a577595b5b59f9fea

SHA512
427ee193c592d707fcc1e792032aca3b0665fddf51b25e6fd4926068c240c6152bb394df531a12cc1a6ff0ce94c5c0baa5db215cdcce45ac11dd73a1d5455fc1

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
90KB

MD5
6a93c96627488b41dd0e580ed5487bc0

SHA1
149702c613c4d1534202111e48c21e88c3848735

SHA256
59c7823ff4431e71e4d363fb2159819531776ba0e083c6b2f01be44428393894

SHA512
e8761a1232af418d24bed96f03acb493724f97cf4da9f22c591845ce48b347c5e26a79b745098771d27b0c3c65e22d0a865de69040b2e4f40714cc2469526a81

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
90KB

MD5
ee100a6829e9691f4ea1eaae5e809eda

SHA1
88807571400973ad3d0f5030802f5b4b381ec762

SHA256
61997165e7f50ce52322607cfceb4c040ae2215aad7e7f5213b90938a2f76b85

SHA512
f0b6172e0359991eded6a6a85354ef3474c647b7daf289e19637d29dfc87a943284a0eba8c3221fabea4f3eab7716be63f36ebaa1b882ee51aa30b4ff00def10

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
90KB

MD5
a9c25fea33ea3f503fada9dab80d2db2

SHA1
9276f1445177fb39927b5514dc8327e7c456eb1d

SHA256
44dd23df7b000dc0ee9f7fd17bef33dbbe197d74aa1e4effe776b6ef071ee2d2

SHA512
d00dac459aff107d663e42212b0173a98625e759fa2b8a2a1d9fcbbc8426aef86578aa8db250eb804473c39585bde8ce6fa5a72fac7fb7d3d8bbfcc67acc59a1

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
90KB

MD5
42cb0556294e628c0b3c832db4939942

SHA1
34ea03eb8675ca94ff7b5c9d723fdfef82d3d159

SHA256
028a9b44468cf5c17cf41ad30b703087b4edbbc31a6758fff16e9c27b84adbd7

SHA512
ae4422ba887b8bc43379c9e91baf81df01288961c99b5ef3b3cf6bccc2d90428992e7bc543a27b5f8419f002f37fc465832bb3a9bce4044a8fff17c9c732c981

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
90KB

MD5
4b83f0b22bdea16e96330e3e1e52ab34

SHA1
d014f51b38b1711243cf7bc271ab0dc227cf5a2e

SHA256
c2ef18209e416c6e6f311abd6efea5934737d7208e2a6a8b3e907b9a7bbb51e1

SHA512
dadc820c8402eaee650c5574e35a6e5cbb695b98c997031e046e4e455951337233c606e1fe703aae10e8a515b157562e43cddea7245de6078d72eadb5d8f9469

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
90KB

MD5
835eb12d61dda4fc8f0aae252d421de0

SHA1
00d0482a1202b020ffd62223fb466b2106b6b22d

SHA256
b9a875be06b76af9e1d106ae46b234c632a099bc641c8ccba458c291ce1d848b

SHA512
ee75b591d6539a5f34243e6a3228ef3a30312ec6bba5cae50daa80673bc44945c080c77b0dcde2ecc137027b85c5d3c229042142d51af26f0c29be699627b546

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
90KB

MD5
adf2a25302fbf4169b02d4ee02be6a01

SHA1
c2860f8b2bc8f893407678ed4612173a1edcf74d

SHA256
993aa257f409c998c83495bae2edd686a306dae4e6539150e4b3508a7bbfd19c

SHA512
96d1edb5cc5847b32f8c4e4609dae7ec06fd0f2138b3c88f352805e4ff5ef244d5b3ee570994f3b8c2747e58bd463239ab56a42cf0902f5e7e504be983b28d3c

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
90KB

MD5
bd3c7982445761f7e8cb963e67fe0625

SHA1
de96d9ad159e9cf410af6fef8f90eb1686ca2fbc

SHA256
85297db7eb84da125682a28d59b0f75acc9d9a35e79c2a58ad047809fdf44022

SHA512
dc16d5015ad9c0d37985969ae7994c6d33a954046a0aa477d66e55599551a63a5f19a3db83711540c42df6da2d73e303cc7ec930d7b35b0176eb1d60bf9dfb52

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
90KB

MD5
dfa7269d2ab1103131bb53701513198f

SHA1
4f7eff6e0a4842bb60bc6e46e929e48f2dc64839

SHA256
35b6697d2b5995b5f81df3488b73969f856ea1ad04459a3f089cf6c40818fe80

SHA512
e43e88bdcb12691208f64d81a0026ccbfb9c7286b0b6fe7e2bb6a6ec840b6844b5be602b4a952154642057ccc72fa2692b42b8c58585da719a57079a1993bcfd

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
90KB

MD5
c0ba93b4a3187fc489fc9d2613a3ddad

SHA1
9f89b4a8044e1df39ca7dc243d8f4874aa6ec99e

SHA256
6d18708cac21fc7c07167fd54c23e60efb3209c710563a99f96ea68d8c00671e

SHA512
78194e401657bf289fd9d73964270efcd1b24eec3c2b93ccd3924e84eaa4e57da37bbb3663f4f5098e3120c50fc619f6717593824b4d55c0a9ba96bfd75cbbcc

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
90KB

MD5
42da8c873cc9a0be0120d4e5f9eb6a8b

SHA1
ed4b9169bab9920e0e96a553f5c5320ee030a860

SHA256
67dbee4311ad1af9f02bf952dcef08ede5057608a969598c4fbb754a238b0276

SHA512
6cf1828a819f07b6079c6caa10203a394f6bc46cafe2ce2c7ddeb68af6eb1c327731cbc84f85d31daf60789331c5f8ffe6025520e6bae64f8d36399cfbc514d1

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
90KB

MD5
921402403c7161a00c8e3e0c592321ec

SHA1
dfa2b2006f708c70120dab155127458a264acc5e

SHA256
2ecf02d8d8322faa8832a2b1b18a9f95bbfc83d05c5c246c0f87b80548e2d1ac

SHA512
c84ce33fab9579d883e6ca59423747fe049e5da4578284e64c02bbc9a33f609ae9fbb712e04fbfc8ec21c304be83337d41aa1b6c96cd9b00564e872954403576

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
90KB

MD5
1140572efbd92080da4d58eed54e0ab1

SHA1
e1a2b8d41b853f5e148d118443b37d26bf5206c8

SHA256
e65f59a740614c573b8c0659def68b50f3583629a989143b7614b9585bca401a

SHA512
0f674343260a60dafca8f22eaa9d995b02d717253efe844f5d4545314da4e38c3323a245ff9398da54b2cae84908957fe76311f642534784093918befd394466

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
90KB

MD5
876026e3f28b66a874e9977530425b13

SHA1
13edc3fd5a72a3ac06cb7783b03261168a38c62b

SHA256
c83a064cd0f63bb56273be86bf3b702537aad279f8f008becebfb8954bd418cd

SHA512
7d3ce7ccf458423da8980c900a7210aafae6b0e2a2f812226e371d7524010fe5c29992a8bce9fdc5086fe0f189dc24e76ac46ecfa88e5a145ce8013d5963fad8

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
90KB

MD5
f6766c9e670fd0548cd512bf04cbced1

SHA1
4f045bcea5a7f40b7df74764b79425a74f9d7494

SHA256
166aa878183072a6df1939fa034872fe44db901394504b3e69ef1551a4574700

SHA512
8ababc09d17e1549e6ecb480d08e3617b71b0b45adb6561e6672e9779187efccff661200e8b6905d843f948fd28010897ace4e6b820515e20832e8b474b600ba

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
90KB

MD5
1b6171069b231035421e1d06c6195ae6

SHA1
beddd0971c92a01a0c61f436917e4db5cbcbb465

SHA256
4692ca86461b9360d5cc53ab30561969f13a9e2d6bebeaff4120b7cafb2354dc

SHA512
d0291cff195ba6201fdafaf2f9c9deba7f481d1ec92c6245d4d6358b90341bf6eb75a91c87dc464da994e5ef7a403ec0517f5a1fe01356893e293e915bb8911f

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
90KB

MD5
11f583ea6cbca2917904971feddfc66a

SHA1
bbedc1ab7e2f9d888e3849062d64ea4f1ce7c5eb

SHA256
30ba00bb55bcc1d6ab13badf7a5deec85bdd2f055241ae57ffa85d7ccdfca587

SHA512
49f9c7f685fd0ebcd158df8808c0c85b9f31679db8f1c849a1146e5dbd275ffab02942be64e3de5b60b9efb80681573bf180cac179cbc1aaaf09a6d055c54032

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
90KB

MD5
57ec02708b8c50efb84e8f819973e555

SHA1
b8b449d65db85544257f6ccc7a6b7ce249c3002e

SHA256
ecdb04d458c8baaa9bf756fc1ef89f265d25b0b1e001e66b303be3d2edd8f9be

SHA512
51491ce51fc55e13bf3cba32ca3f69dac2d3db2288954ea139155b36f7aa58722681e2893d102e649143eebef94445c52ccd87107c8e6e968d7e6e168ed0a55d

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
90KB

MD5
d81d90323d004703ab8138b841381bc8

SHA1
f5b31949b7ac4707777e3939a2e2711f125841bd

SHA256
2cb26c754abdae387e907fe9e71aaf4116c4dc64398e891e64fe85cca12f84cf

SHA512
818fc747556df2adf5ebdb1ddbfc66ef522bdc18262b34e830052670d9aa018fa39591d0d48c244c61f4d08daa165980477a3fceabc173993447ece2c3d1c30e

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
90KB

MD5
b4a7db38b9db0a204fc31d57d1f77d2d

SHA1
b12deffdae5ad91733325befc2ad670cfedce367

SHA256
461739aa46b99d4d561df925e82db0ad271dd2d716ea1ba55ae762e88c4a9685

SHA512
884cbc64ae0cb9b60789c64db6d3bcec91229f7f8274a67fd432a2a52ae89236f9e436b442c26cd4cb94be79790cd4098eeaf8a3cdae316cd3519bc05f893db9

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
90KB

MD5
0f46985fb57c063f77a3967a36136d54

SHA1
ac077439b335f2e92499d7a00c4447f64138cb55

SHA256
26cab76bd27efbbac08628a32c2dbd5ee9659edfc2faeb8ae30283c72055aaf7

SHA512
87fd471313e273facee0af098e32ae63cb5f85b06f71bf2e4598354bca1cd04202cc573136e035c0dff1cef2c70cc38aa77818a994a0463a5925fc09b209a502

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
90KB

MD5
3850274e980f638eb0f6daeed1326e3b

SHA1
eecbd4432d2c1198329e65396a4391394b0af5ae

SHA256
9fe96cfef1fbab96af79d9db7d5c253de2171cfb159a7dfcf37c3c7456992733

SHA512
58a467973df33d9391bc9893656ba1f3556e24e6729a9abed55ccd391ccce7e87238d747596baa8a92afa009c064f4623199d518452a949c33f1c0fe64d2c9c8

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
90KB

MD5
ab5f8212f1049bb57ce1e4855522766b

SHA1
ef5bbaf07d8725bcd7a2319079090bac5e20a0fe

SHA256
20457e0b1d97cd9bc55e831008cb21b388c3f34b49a371869f8cca63f1b31ccc

SHA512
0b238c79052039cc16e40cc955cae994f8c58316d5be045918c4192e6212d0c9feda01c0a320666432211b377fff95c20a6e55ac7503c0c4c91a874506295882

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
90KB

MD5
40654598411461aac98a34c5292f6d32

SHA1
3a25829f023f96404ae32f1a25bc9d4dc38b218f

SHA256
8421a32749002292f5af6612badfd0b516c7d53cf8a7c5c9b22c972e4edd8a5b

SHA512
e27b766422fb16f9b60f093d0391e8977c48115e2d510d102b0c29483ce91534ef33b2a42417b23e7c4fc4ebb0e48848d410ba781e130598b5f8ce47e198a7ac

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
90KB

MD5
eb0ad7b325f555964438cf7fcc544eab

SHA1
eab494287b3357c9c4f6f5abe68a2c66de2ed303

SHA256
dbcd970bb0907739149eafbf533dd773b56134309a62027568d7798ba765af58

SHA512
86837df4a5bb26cde71d9b6e1ebad001f79f4087af06509318951d1c8875096f57d56f25c345d14cf656aef32c4f43a081817ba4f64e87063cc741d589892b01

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
90KB

MD5
520a4ea2de7b832806a0852e4e29b2e0

SHA1
79bc5a6dec243bc3eaeb747baa0b68907af080d8

SHA256
71e02bfdfa770e362818fd40e25b638c94c9babebcf768d6eb399da865e3ecd9

SHA512
7affb495ddae895be4e710b453f155dfda3fdad5c19b87f905bfd84c4d5372f30ccab29ce4ce744a0945e40024089004903589143869669976453e0307fc1e75

Download Submit
C:\Windows\SysWOW64\Ocdehlgh.dll

Filesize
7KB

MD5
d113526e36ce797fa2a16cd867f4272c

SHA1
4165d0212168ea16ac457a393be717f7774ef4bc

SHA256
04402268a1717885999a4b15d35a7a8dc6b3f35d9cd5304ff58532516e6596dd

SHA512
41187c72c0b9d98320577ac77389104e8d0e7bb7be944fa02bbbb5c447fc2a9049405b5af49e070f1fefa0443d307f2a3718b0e2933705fc328d0640fa0c075b

Download Submit
memory/452-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/752-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/752-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/916-428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1040-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1040-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1284-260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1284-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1392-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-236-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-393-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1728-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1900-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1900-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-368-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-214-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2288-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2288-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2404-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2404-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2496-410-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-409-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2808-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3296-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3332-362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3580-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3580-277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3640-369-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3644-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3644-285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3740-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3764-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3820-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3820-107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3824-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3824-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4064-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4224-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4224-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-313-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4592-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4592-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4944-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4944-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads