3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a.exe
Size

80KB
MD5

0cd9c1a26f49be41bd9764c7def2031e
SHA1

9fe723efad235da1ec08637deeb2a3722690d808
SHA256

3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a
SHA512

98b12c1005f2be4b9d0848f5814e9f0824c20366cbcc9b321cc2db4024b1039041783fba90c006feace82431ba60c8b4b694d15594d4fe583b4173550c323205
SSDEEP

1536:Av+BhwZX9xuQjI/fOJnLU7GCrSAEHlJuq2LYaIZTJ+7LhkiB0:AvyhwZXnuV/fCng7prS1HlaYaMU7ui

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe

Executes dropped EXE 64 IoCs

pid	Process
2608	Gjapmdid.exe
2428	Gqkhjn32.exe
2832	Gbldaffp.exe
1596	Gjclbc32.exe
5096	Gameonno.exe
4804	Gppekj32.exe
1776	Hboagf32.exe
2068	Hjfihc32.exe
1408	Hmdedo32.exe
1504	Hpbaqj32.exe
2992	Hfljmdjc.exe
4468	Hikfip32.exe
1844	Hbckbepg.exe
3208	Hjjbcbqj.exe
3480	Hpgkkioa.exe
1204	Hfachc32.exe
4728	Hippdo32.exe
624	Hcedaheh.exe
5048	Hjolnb32.exe
4292	Haidklda.exe
3532	Ibjqcd32.exe
4464	Impepm32.exe
1580	Icjmmg32.exe
4520	Ijdeiaio.exe
4436	Iannfk32.exe
4528	Ifjfnb32.exe
1976	Iiibkn32.exe
3676	Idofhfmm.exe
4564	Ijhodq32.exe
3348	Iabgaklg.exe
1020	Ifopiajn.exe
1692	Jpgdbg32.exe
2328	Jmkdlkph.exe
1696	Jbhmdbnp.exe
1040	Jibeql32.exe
1424	Jplmmfmi.exe
4696	Jdhine32.exe
3544	Jfffjqdf.exe
3112	Jidbflcj.exe
1124	Jdjfcecp.exe
3696	Jfhbppbc.exe
4276	Jigollag.exe
4268	Jpaghf32.exe
3448	Jbocea32.exe
2900	Jiikak32.exe
3100	Kaqcbi32.exe
1056	Kdopod32.exe
5064	Kgmlkp32.exe
3976	Kkihknfg.exe
4256	Kilhgk32.exe
1624	Kacphh32.exe
212	Kbdmpqcb.exe
468	Kkkdan32.exe
3740	Kmjqmi32.exe
916	Kphmie32.exe
4708	Kgbefoji.exe
1840	Kknafn32.exe
4872	Kipabjil.exe
1660	Kmlnbi32.exe
1208	Kpjjod32.exe
4988	Kdffocib.exe
316	Kgdbkohf.exe
5016	Kibnhjgj.exe
1484	Kmnjhioc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gameonno.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hippdo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6056	5924	WerFault.exe	215

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2608	4556	3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a.exe	82
PID 4556 wrote to memory of 2608	4556	3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a.exe	82
PID 4556 wrote to memory of 2608	4556	3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a.exe	82
PID 2608 wrote to memory of 2428	2608	Gjapmdid.exe	83
PID 2608 wrote to memory of 2428	2608	Gjapmdid.exe	83
PID 2608 wrote to memory of 2428	2608	Gjapmdid.exe	83
PID 2428 wrote to memory of 2832	2428	Gqkhjn32.exe	84
PID 2428 wrote to memory of 2832	2428	Gqkhjn32.exe	84
PID 2428 wrote to memory of 2832	2428	Gqkhjn32.exe	84
PID 2832 wrote to memory of 1596	2832	Gbldaffp.exe	85
PID 2832 wrote to memory of 1596	2832	Gbldaffp.exe	85
PID 2832 wrote to memory of 1596	2832	Gbldaffp.exe	85
PID 1596 wrote to memory of 5096	1596	Gjclbc32.exe	86
PID 1596 wrote to memory of 5096	1596	Gjclbc32.exe	86
PID 1596 wrote to memory of 5096	1596	Gjclbc32.exe	86
PID 5096 wrote to memory of 4804	5096	Gameonno.exe	87
PID 5096 wrote to memory of 4804	5096	Gameonno.exe	87
PID 5096 wrote to memory of 4804	5096	Gameonno.exe	87
PID 4804 wrote to memory of 1776	4804	Gppekj32.exe	88
PID 4804 wrote to memory of 1776	4804	Gppekj32.exe	88
PID 4804 wrote to memory of 1776	4804	Gppekj32.exe	88
PID 1776 wrote to memory of 2068	1776	Hboagf32.exe	89
PID 1776 wrote to memory of 2068	1776	Hboagf32.exe	89
PID 1776 wrote to memory of 2068	1776	Hboagf32.exe	89
PID 2068 wrote to memory of 1408	2068	Hjfihc32.exe	90
PID 2068 wrote to memory of 1408	2068	Hjfihc32.exe	90
PID 2068 wrote to memory of 1408	2068	Hjfihc32.exe	90
PID 1408 wrote to memory of 1504	1408	Hmdedo32.exe	91
PID 1408 wrote to memory of 1504	1408	Hmdedo32.exe	91
PID 1408 wrote to memory of 1504	1408	Hmdedo32.exe	91
PID 1504 wrote to memory of 2992	1504	Hpbaqj32.exe	93
PID 1504 wrote to memory of 2992	1504	Hpbaqj32.exe	93
PID 1504 wrote to memory of 2992	1504	Hpbaqj32.exe	93
PID 2992 wrote to memory of 4468	2992	Hfljmdjc.exe	94
PID 2992 wrote to memory of 4468	2992	Hfljmdjc.exe	94
PID 2992 wrote to memory of 4468	2992	Hfljmdjc.exe	94
PID 4468 wrote to memory of 1844	4468	Hikfip32.exe	95
PID 4468 wrote to memory of 1844	4468	Hikfip32.exe	95
PID 4468 wrote to memory of 1844	4468	Hikfip32.exe	95
PID 1844 wrote to memory of 3208	1844	Hbckbepg.exe	97
PID 1844 wrote to memory of 3208	1844	Hbckbepg.exe	97
PID 1844 wrote to memory of 3208	1844	Hbckbepg.exe	97
PID 3208 wrote to memory of 3480	3208	Hjjbcbqj.exe	98
PID 3208 wrote to memory of 3480	3208	Hjjbcbqj.exe	98
PID 3208 wrote to memory of 3480	3208	Hjjbcbqj.exe	98
PID 3480 wrote to memory of 1204	3480	Hpgkkioa.exe	99
PID 3480 wrote to memory of 1204	3480	Hpgkkioa.exe	99
PID 3480 wrote to memory of 1204	3480	Hpgkkioa.exe	99
PID 1204 wrote to memory of 4728	1204	Hfachc32.exe	100
PID 1204 wrote to memory of 4728	1204	Hfachc32.exe	100
PID 1204 wrote to memory of 4728	1204	Hfachc32.exe	100
PID 4728 wrote to memory of 624	4728	Hippdo32.exe	101
PID 4728 wrote to memory of 624	4728	Hippdo32.exe	101
PID 4728 wrote to memory of 624	4728	Hippdo32.exe	101
PID 624 wrote to memory of 5048	624	Hcedaheh.exe	103
PID 624 wrote to memory of 5048	624	Hcedaheh.exe	103
PID 624 wrote to memory of 5048	624	Hcedaheh.exe	103
PID 5048 wrote to memory of 4292	5048	Hjolnb32.exe	104
PID 5048 wrote to memory of 4292	5048	Hjolnb32.exe	104
PID 5048 wrote to memory of 4292	5048	Hjolnb32.exe	104
PID 4292 wrote to memory of 3532	4292	Haidklda.exe	105
PID 4292 wrote to memory of 3532	4292	Haidklda.exe	105
PID 4292 wrote to memory of 3532	4292	Haidklda.exe	105
PID 3532 wrote to memory of 4464	3532	Ibjqcd32.exe	106

C:\Users\Admin\AppData\Local\Temp\3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a.exe
"C:\Users\Admin\AppData\Local\Temp\3b0b2ac0cd6756de59665db7236e44299455ebcc196ae6c5e2b4823fdd3a194a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\Gjapmdid.exe
  C:\Windows\system32\Gjapmdid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\Gqkhjn32.exe
    C:\Windows\system32\Gqkhjn32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\Gbldaffp.exe
      C:\Windows\system32\Gbldaffp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        23⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        32⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        40⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        42⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        43⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        50⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        62⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:316
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        67⤵
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4700
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        70⤵
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        72⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        74⤵
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        75⤵
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2060
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        77⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3364
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        79⤵
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4356
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        83⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        85⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        86⤵
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        89⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        90⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        91⤵
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        92⤵
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        93⤵
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        97⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        98⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        99⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        101⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        102⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        106⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        108⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        110⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        118⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        120⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        122⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        126⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        130⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 400
        131⤵
        Program crash
        
        PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5924 -ip 5924
1⤵
PID:6040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
80KB

MD5
5f5533c2ac6b7859fe0b7ecf9f091f7c

SHA1
482eab2511d18cb497e8a13fc056cba0ee036f1d

SHA256
5efbc1e6823d225ac2878c5385f6ca888b98fa07ff2bce868e8df9d1a0a9acee

SHA512
070fff2ef45ded7c5dc847fae5bef023a880d9f96e0cd452eb1f5303f545dc4ba3f5fce3cdc6f5e24fbae30ac1d090c7980cab8b65ba44666a81248ca8e87e7a

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
80KB

MD5
f616579709c9e1362f276916c07b2bd4

SHA1
18fc86209e992659e051b59b1a0348f1865c4b07

SHA256
aa2dc84ef1e5f8c31cb7a70920e0e885b06895043783f3f3fd886c8eda245284

SHA512
2510db89d7478b9a686567db7ba0735e970317d50e9dfa35168bcf1a39aec9ca72d680c3519974398c5fce92cba5ff0333b9f9ca07fe5fb9eaae51c99dec5d02

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
80KB

MD5
46a55498ed8e67d58f21aa39abdbef58

SHA1
7c3d0850eb8b00be9e4a9a7397c6ec142364a89f

SHA256
ba4af0fb52f585675c4978acbd0616f0dac481b9e810a1de31eb410cbc036f06

SHA512
9ec771bd689839c05f19aa23e047ccdbe62e9c45796c18b3a99eeed5cc8af61953a4cf4805c898d18c2189e5a0b85acdb9d68505392d76a0dfc79c1846c6e4d6

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
80KB

MD5
ae98bb47944ffe0d80b38b8ec47abe66

SHA1
c00454d6302879bb3b9a557da5f5a1dd8f381eb7

SHA256
0b90182e1aef9a3433ae9e316fb807ffb880e4652d81be7e3a3ecd0130251de4

SHA512
2138781f8bd46c246a7cf1085c6fa5b3cec634ed942d6deff5b99b960e2ba702a88af47484a03c830cf43c136962b0cc75dae111ed115b4fac072eb1128cf6df

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
80KB

MD5
7ba40be8c116d780457d76ffbd934321

SHA1
0a75130ead15fae1039691826fd00e7b89840659

SHA256
50adbca73b21f4569ddd81a1e7061832817d68a425f07c68fb01015b2970cf23

SHA512
9910beec414fdd18fa1d7a44da6a5a0414cad9f41c11edcf52c89650a1871ebb0cfc96a8331b5f199a531ecfb1687cd6171743dc690d1193785cdc4907294354

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
80KB

MD5
cd44c424a4098c8065315fadf0e563a8

SHA1
b00dda6e54021fe83b7871ba8de0d23aa71166b0

SHA256
f7fdb847502560937b901ecbec4f93fe8289b544d34d7ee056433f9234257a5f

SHA512
bb7cf7e17d9ebcada9696d1ac6ae5fe93744583cae38316371973b132a2e59665c1dd056c3651b9488017dd2ce875e4a8a6913830737c29f041768d4cd4d15a0

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
64KB

MD5
32a8e4e1a7516b3be9e4a6310d0836e0

SHA1
d8b46addc814d54d1f5450904da8c07e7502d4e1

SHA256
a389060ee74959f25610ce236ab0d2b74a383c785754b32ac12dd7e758f4981f

SHA512
c86fba824c2403e01b5e66582c86f94221b0e8b875800893094345aa156c161e9ab4cc619b44b9817fe9210b727f6416dc6062d3ce74ea7f821e418477fe1c38

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
80KB

MD5
798b890cec0f9700e5eecf4c2574d8d1

SHA1
0b157b6db809d3c5c7bc5eab4d017c4de8bc13cc

SHA256
ab0ffa2ebc55ff761c38c5622261cebf769f5d7fa1a27e695981e166d44c02b1

SHA512
880073361195e7618aa9ef5b04c5d6217ebedbb9f8e2e231efea7a5775f14f56ee4fd2ff5919e80b9c00b83b968850bad896721f983fc6336328cae5340301c5

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
80KB

MD5
14cd5ebf294dba6382047f51de237b52

SHA1
135af79e6139f40dcc4ea26275af191e6969ad2e

SHA256
6376cfbad94b60b3bf9422596f0701ee6a350a39a098b8452e7075c8883bc9be

SHA512
63eb7ccbd322754347a1f4582ff346ae7035286f7941cd46a677e124242b6987bdac8c2c50e4a25eaa97160934251229e0a4b50f4db6538ad344103e8ac800c8

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
80KB

MD5
b1262579fa0477adc2e6ed555b33e08c

SHA1
48272444b6b65ed714e767ab69eea03610786a18

SHA256
c633b32a9535e92ce2c08d98a9e3b698f0f44e258aa7c6b486023bf08f0bbb53

SHA512
44ed2864b816f79b51764ba970fd7684aca1f216399177689b6bff2bd95571f3a693538d0f729c36ed0cead98ae051278649844431b912b5761ee4ba08c5c15c

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
80KB

MD5
f9866b391533ed31361d65f1c35d366c

SHA1
07bc4d5af59bc2fbd35079aadd1124c0bba88571

SHA256
f617129a52436e45b2dad2e9210e014816e127dbb2e7e03e66cf32667917e3a3

SHA512
e474ccb5740a8c637fa9d3b143622d3b2427f67c09023b2a2e705652d046198fe767d7bf61a64c45b54a840e029a9ec81bfb82ab12a09ba638b466cb0a1af00b

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
80KB

MD5
e232dd9745c4f0ead291989f91fcf6f6

SHA1
70706f641df834cc8453f00126a95230690c917e

SHA256
b29ab97cf6e69aa56665925fd232a2de969a2945a2b2ca88f0a2d04b1ac7ddff

SHA512
f6f0120ec5b89c58a0cb281ad3deccb5d71e2397f45aadcc0c0e045bba78c61cc8af8e3b40b65e3978512f6d2dacc3ac58c11d921006c63dde67590c6a150323

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
80KB

MD5
d990696bad27fad0d97ee0175daa0145

SHA1
509f67d1c0962c6d019730a51ee72e9de21f620b

SHA256
4f0a47f46cae5204f9f2568f6d2ff960f095ad183afb980c74f278891e02cbab

SHA512
6fba65ab28155328fa41511628e865d048542588b19f5f2687d9838427021579c799930b3418998433e68977a763e6334884e7e9f6c57328739c2defb18cf719

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
80KB

MD5
7a49be939d9c57309e41fb83cd086baa

SHA1
fb1e659240495b02142443c3a83d9c94b3cdca4e

SHA256
8be9895a80239141a61f2b982625cba18b88253b05f49cb06e08dc4eb31ab31a

SHA512
94a000763d8ae524565a9c044880ee7dadf05f4678f9ee811aaeccac714db816e2d0fdd8dd14eebaeb074c1b738eab9914639fd604a6c48544ad90d2675d329d

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
80KB

MD5
65a92d2a2878cd8cc1be96e7d8c25d34

SHA1
2ef4fc66f2f821cee651f4d5ff340bea131432b4

SHA256
87d187350369f85eaaa9b86bff12910e368c085a12a5223b42258e4cce9ebdfc

SHA512
fc6f211e0036276b7159cd0c5d46aba67b15323c6c0ffd38330b1a2fc005cc01095c395f2813cc943f74e1f39eec5d26a62ae9c052dfce7222d6320bf4328b06

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
80KB

MD5
5a72f0c8f2c8fc58ca6454dcd8e2abaf

SHA1
398b30b06fe803daaed8c004f57e754d999da60b

SHA256
865d7f6455c86a0f57294a1a3c5c025ab2330c272a5809e0638c171c4fd843e9

SHA512
b7bcb8a655e18076b6465efb9667a37653a08fe8be3a3dd0a6d9252e705c9507bf33fd49b40dd1511213c2d5fd39b44799833efe1bf267595a00366ef5fb8c7e

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
80KB

MD5
540d51adc8f20b66d0506b0a8ba65e2c

SHA1
baf711d202d1cbf1eb16b35ef876d7b4df166ed7

SHA256
4d8c4e09cffd703eefe4e9dc074fb0c9ae3e2b276df612a7b94d00357118f72f

SHA512
61c20769977c43e8ba827adeecb10e16a91d10e4eb4904b23d95d819ca2a00d8c843b8542c59320421365a8d415c4bb8c9cf357b5ba3831cfc53543964ea3a62

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
80KB

MD5
05bb3acbe41325071302a93b18bd17b4

SHA1
8e940e17c77b92a1829a20466bc9cde8305029ad

SHA256
2230b98157e5c4cba67299934c3b6ccaf988789340df30409997ba506eeee908

SHA512
45ee56991924a531f4048417524a245a0d7a1cc860b283dbbf33b8dbb36964dd13ca6ed3f0ab037e139e3b16a894bed098f829f8cfab353fe3a0d8d96f36c10e

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
80KB

MD5
e998c153a25869e98098baf6f749b02d

SHA1
7bf01176900c9e764c88471aad7d9318436c89ee

SHA256
046fd65001cfd9d6fdbad8014d36f21f1ea4076af42912353e0a826e188bb81f

SHA512
cb724a7c94a449c29c619551872cbf67f841469a533113d6ae973ab93a94d94ff7268b889619f27b9a679bc9f61bbc83cd3eeda4c43579d7313930f24354351a

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
80KB

MD5
9734595a12201b96f2f01dfbe8a7eeda

SHA1
240b7d0e70dcba8bb25f264a52a9077c4dd9ba13

SHA256
3a96096dfba7cd9569eaa6749878c43649106b5adbda3dce1e3b5472cf79a79b

SHA512
dd012cec57dd07c6501eb538e66d15b62a01ad0f7291bfef546d0cabebd17b5b1f99d4f9e6715bcdde56eabd3687a5934a2792675414b041680431ca74f577ba

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
80KB

MD5
4bd4a8617b7dc8357c99c619a54832d7

SHA1
72baa2610400e71e42221ad3853dd9e662e621f7

SHA256
f1523e67d0241c5fce5ee8d01d1d4e46817b12dec680792cd1262202e918b7d5

SHA512
6413294d3379c13ff0cc88b396ef1b1c034a56b0207de6b8fdea6c14ddadb59c373e85005275e50237dd0ebefc81b181eeaa38ccbc514503259b87e054d6cb5a

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
80KB

MD5
64fcf9fffb80bcf1647a336da7bfada0

SHA1
4ced5d366079728ce0948777c171e709ab693468

SHA256
44a6b4b145c2a3e4e6c9bb6255035637117e0ca00e6d17280d0031643bb0406d

SHA512
80429cc074b0652d75912794fc3037a9f62c3b8adf90ff027eac694215cc23d9a18adfdc19c0edeb3aefe84fb00ead232ab8b5d5f7420bffa071a794686478ca

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
64KB

MD5
c2ee1b952b33b05463d80ccdf19312e0

SHA1
b7d7b744c836b20b2c7dbf2645dc8ec7b278a6b2

SHA256
e90f16478fb1541ac9695997b4c1840f37a2a2a89eef6b8caf7643281ab6e87c

SHA512
6388ac6ae62e60710a04d6efafb1db17a103ada35a2a3ad3720d74c72a7973810d08f22b584ff37cb90582dea50bdbf57d26b979c660dac290e43ece8a8c74dd

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
80KB

MD5
d1e7ecc00a67026e1e90d07e1c4a0f86

SHA1
4afc280efd7dbc6133d58a1aae5c3d7eca9d17eb

SHA256
4609a329a8f18263cd1a4fa290add4c740d6c1f227ee797322931c80d3e2db7c

SHA512
11f571f7ae4795553376529d86df8a7138c5a735442360f59cc78f553e043c6b31ab440d5ead5bd3561955c719a52ba282681dcbdac715f3972b96fef0dac1a3

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
80KB

MD5
ccecac9929766ac05c8231579ad2bbd4

SHA1
8d13ebbef343a738b471b6698a455f75af0336b8

SHA256
75a6ce21841ee3a10b8fbb6d3ef45b25dfe6be349f626b148d949854baccf383

SHA512
c85ac9ac7d84fcd6a8b282f6844f8689ba532bc3034a872a6d7307b7128831caa92a89b2b42407e3e3ccdca975e948c096cbc6d56df2e45d4999b7ef1668996a

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
80KB

MD5
e03778126b9ee73fcc267f90495cdf35

SHA1
10380f285a156ea5a35a2b9c52694d0b12462ea2

SHA256
3f996afd0e5f0472a5b6ddd04e900bc9b576816deccee489b25946bcc8a3d75a

SHA512
3984ae9b3e7472375fc72c4a3faec23607a01c4e67e4960816a1ba5f81ba84430b771c0bc6c32a6df64323b54cd18453c61968eff382052f7f5cd759bba6759f

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
80KB

MD5
3c4d9274f24468bda2f5180a73f109ad

SHA1
ce19078af18345f5eb3989e65e5570c296c56d56

SHA256
303971ca56460a55e27bf8879c7ee32d86e8f09e9a34350656f76b1bb3005a6b

SHA512
19c428c8b90d42d1cd52e8643a2f14b293a58b18e9ef7b37d5643d5d74523b9d713a1bcbb814141957110f52fbed6f6b6f90094a0012a69c14b70ba266e2b2f6

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
80KB

MD5
ca79895bfafd83524bb303e163c067d5

SHA1
b65264b7f33414d59a7230b94dd4174e7d3d8de1

SHA256
620b76039460305b316a5b01a36728c68c370dafd76146f562fc4eaae416c3e0

SHA512
be10fcc6a11ab2bb394ba4e48f05199dbb10376937504091bc1823464b24f378e12eb0d35269a42d4991b09ca6919b9499c706c662d6b8307b01882e87124073

Download Submit
C:\Windows\SysWOW64\Ifopiajn.exe

Filesize
80KB

MD5
f9d7c404dd546720c3d292334502de1b

SHA1
a6efa72878eec4ad8ad257f5e5ad5c81070113de

SHA256
f9b9af5487614ea048a24d1a9d3e9cbd2998b5167e7bcfd7a95d6c8001795556

SHA512
b85b55c831021d5886be82248c1efdb4a47e9030903c8dafd185aa31658e70946907f145a5c52ef4b92c06c5bcbcab3ab7df005286c6acf8396ff02bd64f0ed7

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
80KB

MD5
2ece83323d0d470c7282ccf290fd9ff3

SHA1
cbe4fdbaeb7fe19c21408cbe2bca0f15c65a7fbb

SHA256
acd41f671f788f2d1485bf942bb1a51084955c3f4a2227f62293a579b500667c

SHA512
8fc052544239b2f913697cbcca7867f796ee8dc76eea8f2454ff8084c77367ffbe770004e1615cbe5542cfcf2c78ae548a78302f01df3402a7dcbad1e5379139

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
80KB

MD5
71210f9030bb85e92313c527f39cdcda

SHA1
04264181f9686dd42dfd89d8acbc8c31ec6bd799

SHA256
9ff43afd8e670702a12845f1fbbf98629af313b0bcd1f933b29ce9806d3b4839

SHA512
0582e371d5190bf78a99463947cd389da18f19dbc1ecf1237308486ecab473da7abfe0737238b319e83a6b96ff0859e9edc9244f78bcc08a4688b480614cfd82

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
80KB

MD5
15aec572c11a1c4418952fabf97ce9d8

SHA1
1817e1054e2f2f0151b0145402471d14d9893b68

SHA256
be2843735bb3da87c9093887d2f3e877af1456dc24f4d1f3cc471bbd827a66d4

SHA512
f729a9cb9e22b31d9484d04079dd6b9ac3e85e3aff216a3de2ea47801c8c13d098c45c476ea7b723905e0931d36c53c5e682d1b10b3081f0d59aecef1e0911d7

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
80KB

MD5
f88eda11bee948210648ebc7fd2c5c39

SHA1
386b5ef27d185d74b8b624a7e872447a363c0e0f

SHA256
b7a60479699fd72fcd6e685ff28cb62642b95250d9a94a5df536a99bf07f5a88

SHA512
4d33eb4f2dc546961cb454919ab6a46f82032c7f51fd832f6dd4d81b35725c9be03ec1322e8dcba4eeaec00edffb1f3e6795fba851b76d2fd66d53fe1053c74c

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
80KB

MD5
55bf0bb1066946a7f279d93dff274407

SHA1
8735ca04fc6fda763c664f52a1da7f086101b7cc

SHA256
e08c963761d41b16f040ca83c8f1606c713493306d542ee61f0e97ee54fa1ae2

SHA512
c275f898f31a1b1f07a2ba3fe44e45f89448b71ae7e6ef596a1ce2739bd2126d99c15f68d03eebb8bfa1741fe86ed579a8fa29f31bfb558f000169dd9b7de20d

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
80KB

MD5
9e146f64d60ecc294a736e1488a2166e

SHA1
ceb308120d46d12cde9f6f800d187f7225ef8942

SHA256
15a4669bd28f8e5c3182402a9b3f6b237ab85097017e609ea01aaa6a874aaec4

SHA512
b2bcf22b119a4d42701947664e76ca803190edf195b2c80e70161cfb7607595d33282d9eac81bc49712c01c73d8a3163d5a9212f3324c6972765528bcbf91468

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
80KB

MD5
9798ea6330093ad60a45e990da2545bf

SHA1
b420a1bd64e15b0c1052265dcaf92865913663ae

SHA256
be3a32018ecb0dd8b535ae977443c9c55e1bbd2e6e148c59b034356e0c55b43e

SHA512
3396fa0e92ffa9234815e3e89229647c601efc6b09e5eab290f52e5e35c64d86eff3bd19c2316f41f613411d1e5259cf3bcf1d1baa7aa623118556497ce384dd

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
80KB

MD5
2999bea0bf726eeacb7bc3d753f3ddb5

SHA1
2d45b9f58f66e8ee312e1f8da527a7ed3d3493ef

SHA256
3519146e657a1c659658bdfad342b369cc4bba65509de644082b1a900a7849c4

SHA512
0ae70aadf7a1cee07d0344a8bc8ebe15d821aae71c5a0a6f6079c0967346c6eca9e7e4b94f2fb37eddb93ba290d5309ab190b0aa63e1d8c050299bf56453c15c

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
80KB

MD5
6b3b55e286cd628afac0b7b8f133dcfb

SHA1
07b4a48244c5c4912032782b623cf0c360a266bb

SHA256
a877c479c1a712369e7a5c948c20a6b45f0fa6a129a84d4ce073d0623c3d54e9

SHA512
8b56e55d62a96cd5e29c7bb9dc0abe040b88a5d7be1f62b8590b3cee9193f1cd4efdc1fa41b5b6f30cbc1d0de5f9d1575848403ce1b3d94da72833cfd6fd9e45

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
80KB

MD5
c1b93156bc03668e09829f62eacf4a6b

SHA1
8de62743668865ff037f597fcabd6b2df7d739f1

SHA256
de99738312f47d0fe058b5a4fdba33e3b042c6504dce5fa7698beec0d243813f

SHA512
a9592b76cede45e7fd7cedd44ff3a594a34fe674cc878fbdfa0c6409a96213ab5acc40b31e38420e684c2e291c01670c2eeaa97222e0eff394a713eaa6f649a4

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
80KB

MD5
48ce7856057d6174626fe34526b9aaf4

SHA1
abe718742c6429f732b03777d555c5c9cb6b3305

SHA256
72c5a77efe5f1f46acf241f1832aa192a05f7b272204444aa57cf395f7082119

SHA512
0c24d0f769d719f03cecfcbdaf7d415597c0d0e6c5d7a4ab505726be7ad370e8d2bbdbfd3994055264d3fad1010c14a4bf554fa4ff2b27583616a3c0612886c4

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
80KB

MD5
7a8ae65ecaba0b9340d764e4fbab4b69

SHA1
6c3a5244b0ae312886d59e0a42d7c245e6ae9ca7

SHA256
c6800048757b16ce2b660c0ef8f659da5c3d823de57acd8e987df8ef679837df

SHA512
4b8387b2a7623dfca71f6e95d06d8816a57feb4544509c04a4eb8c1533095ab7725ba844832462cafef2185208b72f396e7e6fde7632b7dde7c5c8dad6dad701

Download Submit
memory/212-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/468-423-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/624-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1020-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1020-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1056-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1124-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1124-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1204-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1204-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1408-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1504-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1596-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-409-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-348-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1696-362-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1776-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1844-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1844-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1976-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2068-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2068-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2328-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2428-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2428-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2608-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2608-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2832-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2832-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2900-374-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2992-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3100-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3112-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3112-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3348-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3480-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3544-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3676-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3676-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3696-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3976-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4256-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4268-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4268-422-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4276-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4436-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4436-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4464-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4464-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-187-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4528-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4528-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4556-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4556-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4556-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4564-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4696-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4728-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4728-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5048-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5048-251-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads