cda2d8960d72d8ca095ee96dd7241d7b114d2d4b8908523f65edfdd11151bad9

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cda2d8960d72d8ca095ee96dd7241d7b114d2d4b8908523f65edfdd11151bad9.exe
Size

380KB
MD5

46952b220d03b02187b075e2904f0f6c
SHA1

fac68383fb348eaaba62c2f619d93ce6c12db8ae
SHA256

cda2d8960d72d8ca095ee96dd7241d7b114d2d4b8908523f65edfdd11151bad9
SHA512

0146f0d8df5909e7473fe790a149c5cba19c2b9e30d33fd8c84ef13fd0f312ff0e1135bd167c493cb08fae3e00db21f46c81ebb93b5039b77fd16603b163721e
SSDEEP

6144:Hc+DJs09psnERxCN9Otopg5tTDUZNSN58VU5tTvnVn5tTDUZNSN58Vh:Hc+DJsnLOtoq5t6NSN6G5tbt5t6NSN6T

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cda2d8960d72d8ca095ee96dd7241d7b114d2d4b8908523f65edfdd11151bad9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe

Executes dropped EXE 64 IoCs

pid	Process
1824	Gqdbiofi.exe
1088	Gcbnejem.exe
2808	Gfqjafdq.exe
4400	Gjlfbd32.exe
5112	Giofnacd.exe
4792	Gqfooodg.exe
3372	Goiojk32.exe
3964	Gcekkjcj.exe
1916	Gbgkfg32.exe
2800	Gjocgdkg.exe
1600	Giacca32.exe
2348	Gqikdn32.exe
4224	Gpklpkio.exe
1472	Gcggpj32.exe
1704	Gbjhlfhb.exe
8	Gfedle32.exe
4604	Gjapmdid.exe
4364	Gmoliohh.exe
2492	Gqkhjn32.exe
5068	Gpnhekgl.exe
3764	Gcidfi32.exe
1304	Gfhqbe32.exe
2560	Gjclbc32.exe
5116	Gifmnpnl.exe
2196	Gmaioo32.exe
1276	Gameonno.exe
1352	Hclakimb.exe
4688	Hboagf32.exe
4088	Hfjmgdlf.exe
1816	Hjfihc32.exe
1272	Hihicplj.exe
4408	Hmdedo32.exe
2788	Hcnnaikp.exe
3300	Hbanme32.exe
1920	Hfljmdjc.exe
2684	Hjhfnccl.exe
3140	Hikfip32.exe
4572	Hmfbjnbp.exe
1596	Habnjm32.exe
4796	Hpenfjad.exe
1084	Hcqjfh32.exe
3108	Hfofbd32.exe
2540	Hjjbcbqj.exe
1204	Himcoo32.exe
4100	Hmioonpn.exe
4640	Hadkpm32.exe
1384	Hpgkkioa.exe
5004	Hccglh32.exe
668	Hfachc32.exe
4644	Hjmoibog.exe
3992	Hippdo32.exe
4724	Hmklen32.exe
3204	Haggelfd.exe
3136	Hpihai32.exe
1624	Hbhdmd32.exe
912	Hfcpncdk.exe
1152	Hjolnb32.exe
3628	Hibljoco.exe
936	Hmmhjm32.exe
1904	Ipldfi32.exe
3724	Icgqggce.exe
1484	Ibjqcd32.exe
4776	Iffmccbi.exe
3620	Ijaida32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hjolnb32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7096	7012	WerFault.exe	272

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1824	1496	cda2d8960d72d8ca095ee96dd7241d7b114d2d4b8908523f65edfdd11151bad9.exe	82
PID 1496 wrote to memory of 1824	1496	cda2d8960d72d8ca095ee96dd7241d7b114d2d4b8908523f65edfdd11151bad9.exe	82
PID 1496 wrote to memory of 1824	1496	cda2d8960d72d8ca095ee96dd7241d7b114d2d4b8908523f65edfdd11151bad9.exe	82
PID 1824 wrote to memory of 1088	1824	Gqdbiofi.exe	83
PID 1824 wrote to memory of 1088	1824	Gqdbiofi.exe	83
PID 1824 wrote to memory of 1088	1824	Gqdbiofi.exe	83
PID 1088 wrote to memory of 2808	1088	Gcbnejem.exe	84
PID 1088 wrote to memory of 2808	1088	Gcbnejem.exe	84
PID 1088 wrote to memory of 2808	1088	Gcbnejem.exe	84
PID 2808 wrote to memory of 4400	2808	Gfqjafdq.exe	85
PID 2808 wrote to memory of 4400	2808	Gfqjafdq.exe	85
PID 2808 wrote to memory of 4400	2808	Gfqjafdq.exe	85
PID 4400 wrote to memory of 5112	4400	Gjlfbd32.exe	86
PID 4400 wrote to memory of 5112	4400	Gjlfbd32.exe	86
PID 4400 wrote to memory of 5112	4400	Gjlfbd32.exe	86
PID 5112 wrote to memory of 4792	5112	Giofnacd.exe	87
PID 5112 wrote to memory of 4792	5112	Giofnacd.exe	87
PID 5112 wrote to memory of 4792	5112	Giofnacd.exe	87
PID 4792 wrote to memory of 3372	4792	Gqfooodg.exe	88
PID 4792 wrote to memory of 3372	4792	Gqfooodg.exe	88
PID 4792 wrote to memory of 3372	4792	Gqfooodg.exe	88
PID 3372 wrote to memory of 3964	3372	Goiojk32.exe	89
PID 3372 wrote to memory of 3964	3372	Goiojk32.exe	89
PID 3372 wrote to memory of 3964	3372	Goiojk32.exe	89
PID 3964 wrote to memory of 1916	3964	Gcekkjcj.exe	90
PID 3964 wrote to memory of 1916	3964	Gcekkjcj.exe	90
PID 3964 wrote to memory of 1916	3964	Gcekkjcj.exe	90
PID 1916 wrote to memory of 2800	1916	Gbgkfg32.exe	91
PID 1916 wrote to memory of 2800	1916	Gbgkfg32.exe	91
PID 1916 wrote to memory of 2800	1916	Gbgkfg32.exe	91
PID 2800 wrote to memory of 1600	2800	Gjocgdkg.exe	92
PID 2800 wrote to memory of 1600	2800	Gjocgdkg.exe	92
PID 2800 wrote to memory of 1600	2800	Gjocgdkg.exe	92
PID 1600 wrote to memory of 2348	1600	Giacca32.exe	93
PID 1600 wrote to memory of 2348	1600	Giacca32.exe	93
PID 1600 wrote to memory of 2348	1600	Giacca32.exe	93
PID 2348 wrote to memory of 4224	2348	Gqikdn32.exe	94
PID 2348 wrote to memory of 4224	2348	Gqikdn32.exe	94
PID 2348 wrote to memory of 4224	2348	Gqikdn32.exe	94
PID 4224 wrote to memory of 1472	4224	Gpklpkio.exe	95
PID 4224 wrote to memory of 1472	4224	Gpklpkio.exe	95
PID 4224 wrote to memory of 1472	4224	Gpklpkio.exe	95
PID 1472 wrote to memory of 1704	1472	Gcggpj32.exe	96
PID 1472 wrote to memory of 1704	1472	Gcggpj32.exe	96
PID 1472 wrote to memory of 1704	1472	Gcggpj32.exe	96
PID 1704 wrote to memory of 8	1704	Gbjhlfhb.exe	97
PID 1704 wrote to memory of 8	1704	Gbjhlfhb.exe	97
PID 1704 wrote to memory of 8	1704	Gbjhlfhb.exe	97
PID 8 wrote to memory of 4604	8	Gfedle32.exe	98
PID 8 wrote to memory of 4604	8	Gfedle32.exe	98
PID 8 wrote to memory of 4604	8	Gfedle32.exe	98
PID 4604 wrote to memory of 4364	4604	Gjapmdid.exe	99
PID 4604 wrote to memory of 4364	4604	Gjapmdid.exe	99
PID 4604 wrote to memory of 4364	4604	Gjapmdid.exe	99
PID 4364 wrote to memory of 2492	4364	Gmoliohh.exe	100
PID 4364 wrote to memory of 2492	4364	Gmoliohh.exe	100
PID 4364 wrote to memory of 2492	4364	Gmoliohh.exe	100
PID 2492 wrote to memory of 5068	2492	Gqkhjn32.exe	101
PID 2492 wrote to memory of 5068	2492	Gqkhjn32.exe	101
PID 2492 wrote to memory of 5068	2492	Gqkhjn32.exe	101
PID 5068 wrote to memory of 3764	5068	Gpnhekgl.exe	102
PID 5068 wrote to memory of 3764	5068	Gpnhekgl.exe	102
PID 5068 wrote to memory of 3764	5068	Gpnhekgl.exe	102
PID 3764 wrote to memory of 1304	3764	Gcidfi32.exe	103

C:\Users\Admin\AppData\Local\Temp\cda2d8960d72d8ca095ee96dd7241d7b114d2d4b8908523f65edfdd11151bad9.exe
"C:\Users\Admin\AppData\Local\Temp\cda2d8960d72d8ca095ee96dd7241d7b114d2d4b8908523f65edfdd11151bad9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\Gqdbiofi.exe
  C:\Windows\system32\Gqdbiofi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\Gcbnejem.exe
    C:\Windows\system32\Gcbnejem.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\Gfqjafdq.exe
      C:\Windows\system32\Gfqjafdq.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        27⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        35⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        42⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        44⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4640
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        48⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        50⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        56⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        59⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        60⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        63⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4560
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        67⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        69⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1448
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        71⤵
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        72⤵
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        73⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        74⤵
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1392
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        76⤵
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1632
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        78⤵
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        79⤵
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        80⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3264
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        83⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        84⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        86⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        87⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        89⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        90⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        92⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        93⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        95⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        99⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        100⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        102⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        103⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        104⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        106⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        107⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        108⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        109⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        110⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        111⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        113⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        115⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        116⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        117⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        119⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        121⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        122⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        123⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        124⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        125⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        126⤵
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        127⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        129⤵
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        130⤵
        
        PID:624
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        131⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        134⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        135⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4004
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        138⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        139⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        140⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        143⤵
        
        PID:840
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        144⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        145⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3096
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        148⤵
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        149⤵
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        151⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        153⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1260
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        157⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        158⤵
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        160⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        161⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        162⤵
        
        PID:540
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        165⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        166⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        167⤵
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        168⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        169⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        170⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        172⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        173⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        174⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        175⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        176⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        177⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        178⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        179⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        180⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6720
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6760
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        184⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        185⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        187⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        189⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 404
        190⤵
        Program crash
        
        PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7012 -ip 7012
1⤵
PID:7072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
380KB

MD5
04a95dc1d819ec3f7faa5b76157562ab

SHA1
2b4f27b3e956e44009217269de3d333d34a4f247

SHA256
3c79adc92f97bc5749f1d52ae5cfe7e00fa7eaaffa01d1138eb1b0c82c091f9c

SHA512
3ca518cb241d554b3e0955ea88e50387f8385d931b543a6948d976ebecbeb906dbba3108dd10e90170f5a503619faa436cee44f4eef71171a917b6a585c0736f

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
380KB

MD5
c2e8edc233d35efd9591602fbdc3f921

SHA1
8ba41936e43a59ced7da4784c90585811c1ab83f

SHA256
bc5cc435e29afb6ddf789c0a323197f5f6a4d0fc694c7cd736d84c6d05987710

SHA512
2a62a9fd1e29c51aa3c13811a4e3bffdad3fe7fd35e443e7d4568fe4e370aceff3d39d07bf04057bf50067cbc174d53e0464b97c3bfae2e9c404b903fe07fd10

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
380KB

MD5
7394e1e547e1cda8b526c5a0723ad3db

SHA1
f968490faa4e0a526457fc2e658fc1b3f0460711

SHA256
d6426ed71f09e9adaae8fa68ff038a84a0b8579cad479e6d35befc7c7f44243c

SHA512
466dcee896d888268c3278c3e26786797c74eecf7ef2e2569222281d6f00de8a13527741592daf5eaa88ad711b5ab03d14ccd70353b62d321c94946720eef862

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
380KB

MD5
c8af512f7687272d682895b97e8fb302

SHA1
23858ddbd71b5828334dc7cd0d16abf1803c372f

SHA256
2f705b14d598bd274b65474f33bc0a4e86555b67f4cbeb05e65364a7423779eb

SHA512
f1056b2ceac9484351ef48657ba87a98c8e809f45e25edec4eeedc345df616a75ab746f3493ce1b95e387f89d2d2ec799d759c89f5cbfa8407c424da113a4ac4

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
380KB

MD5
17891c33a14689582e0b2c600631f6ea

SHA1
4cc4e83436f523879ad9719ffa11ebe0778225db

SHA256
79e27502deab21f4c7a7973e88ff1502fe743d0e20edcf994aa3e90c39dce811

SHA512
858e8ff9f3a5d15c6245b3c892478a4c76e3de16575579dfa997a3d7640b60baeeddd4472ba423a59fe75017b9d1c361f38e03ab6a3e4995faafc86d65ad8f82

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
380KB

MD5
eac50199816ca821c2f69e89c5c27ca1

SHA1
1da7d771fe833a9dc2e5689f0248004fe948d098

SHA256
bb635c878f87ae4630769f89189f5b436853adac4be5cd554feda94c3c0eb9d1

SHA512
ea5bdfbb2285b8bb8ef6cd9401e5a71f40361c75e38c539146dad9bb8e810f5ed1eacc063c4dcca3cbb1d1b1208d4c57a718c2cd422d8d61131555e62233d737

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
380KB

MD5
a8f30f9ba241563533417f07f6be1826

SHA1
a52024bbe92be08cbdecc10762beeff3c338fca6

SHA256
5acab07a1c761d3e017b35dce47dd2869506cb1674714d91663497944f8709c8

SHA512
a03495f6cbd77664ef692a58c2c4e0963c3c0132c2c6fc9d3bfd73f565cd59c85a3ef19592aa8af5ef9cbb2da3d682db5da2a6f4231f5ae00b4f1528c73263dc

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
380KB

MD5
f6b30341c0ad4cdf1df24a66398fe266

SHA1
b0d77b332dfb2de00290764458d2888352a70ccd

SHA256
ee822884faa84e05182f76aac8c244966e21db265e08dff1a4cbc87f7a1c9f3b

SHA512
137ac24d0d953443451a653e82c640344b829f457361862f3ff78dcc7ab1b6740ada3efc3227eb998496e544e9ea26b1c694a939276884797c0aa6da3c2298ff

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
380KB

MD5
5abeede6cd569523189fc8c0fcb0aa61

SHA1
ac5c3d32ad34b9a3d069c0f40b64895bc010470d

SHA256
7e9a595ac5621ae05f86e2fb1675083ac8f7244f340949b91b3e7296e6bd60ed

SHA512
e0cabf531abac031765ff6ac52bf47711ebabb993ae516d93bc9cd21b89857b3462bdafba26663dd19afea40e5662e98089e47722f763e0698bb2bc0a9622a65

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
380KB

MD5
dc0c6ae5bd6c49040d8cc8eb4b0a9e2e

SHA1
c41b61daa10ac1c7e695db538836607ecf8169b0

SHA256
f35c5a29e3815842f036824e4acbd78a6fbb2a8748295a87376a0b9f831138d7

SHA512
054bded7fddce016df4b270803849e46f8987e82e01a0d332d174330b363325179813223abec58c9bc7a692cda210675aee6a96695f8e721ad57c9d927089b25

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
380KB

MD5
23bb689c5d282fd333a1b74a57d959b3

SHA1
2883a40ca42752d0370bf982fb0224099ade7073

SHA256
d1d2798aa84857c9e2f517d0581b788283876e33ab2a19c84d6147020b935dc2

SHA512
c16b14e10a82393ef812c72cbd686c117390fa63c6dbcbfc171f4c3007ed32bb482f06c250272dbec397855b308fd0df2a0411926165ed613a3e282457a99d0c

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
380KB

MD5
ac6ed3ae1fdfbd98f8231a5b9bbf496a

SHA1
e09d5bd2dd140b568eed5aa19f08a64bf895f7f7

SHA256
2b2a2c45d608de5285cd25e10534faa09e22ed021aa0644d4c5b252759dc28ee

SHA512
58cb6d38647d37fa0234ae45ec05a0e691db32731e8da33a4e2f72c346b322c263b65c52dc1e04e12b3b336aa2a81748ad466e32222c85b3f65f3c2f49fc464e

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
380KB

MD5
cb3a0d5cd8f6ada7b5bf472766d4cb61

SHA1
9884c3890e646e536eb4a44f1fd9861487ac011c

SHA256
6696d0cc5e703ab7f02ab82323d88a0582938b644bf4538c20e6f1017ee7bcc2

SHA512
32b3c4f9ee76c54deabf7e364ea30caa880ef413f29da6b23063d2e2d65971f582ec8d872226d577b5205cbb8bcdef7fc3f9a1c2c8ef5f46a166e1be596d6e33

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
380KB

MD5
6203772ae4c12f7116a1d8700b52f583

SHA1
96566c40dc8472133d4cfe329e74c5778a0acbff

SHA256
ba42c9b3476c58856385c24c08e71b7c9295c2dcd9412dfef9f7ebfa74222eb0

SHA512
607d79638edf70acddc31b2a3d0d9cecec88b28a05d38a3650d40fce22cfbff4da1f3a6c613b0c12b243a2738b1185801e892ddb59141b9e46de0c19914a4776

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
380KB

MD5
4ebdb723ccee12d77e9567cfa5247ca8

SHA1
0b9178970343b9012961f4bf28bdf500825984d1

SHA256
6049296da82a1da3bbf8ba73d8bd944a7209c6826342a83189f39ca63fe82f1b

SHA512
65aa2517e7111cda8cc4e3b31ce6e249d2576c0bcd0b87f5ad7f8b626e4252987c0a9d60611f4c1ff9ecc808476ab90fc14c6e5000e273394d5cc9425382fa55

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
380KB

MD5
0ccaba0219f501ad4c9e718ae3fa58c4

SHA1
9900c7975d417b273aff16eb6bfc6a8c9d8b2420

SHA256
5c129158b715500135487240cfa0c73c4df312d5eb9550d8ab7e1407eb1deb50

SHA512
f6677b8fff5d74d0bf0208839088c6aaa7e30cfe398a1ddc3a97d9596b4f7f8d3c0f80aa0e609e1e6e00f236da462b65fde5e30a548bc7aeff2da12a26b9fb91

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
380KB

MD5
10b9b435431b4c740fa775f1d743fcb5

SHA1
fd305029921da433f6ffe95bce3c5a5a6aab94cf

SHA256
35cc7a15238da5e80c79f1fca9ed19ebe10be1513920d63ec3a69cca4c639929

SHA512
4c83d36cb2724339f95083a4f06160bec259275e64113594302cb6d24f8ec50a6b5ee5b36a11b805a324e90a8a41cb45d6125b2f8b92dfe1e195faa27b97e944

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
380KB

MD5
efb7e97e33f64167f2604a6cd6a7dd27

SHA1
1ea841980927ed85233d7897eed7a96cd085e71a

SHA256
c58eb8c455684ec7da8fa39ab5c99e428464c5b08d5a9968ca6fb111a297422f

SHA512
3acd86c3ccb3857a74ca4e2b7fb0c4550724913319ffaa4db98aa51cedfb6c8f50fd65dba8bb0ef225b43c76b4867d3d69b91f8ca1d33ef16bedbcfb391c4c6e

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
380KB

MD5
9dea4e10a4cb737c326c4f36d2425064

SHA1
99ab8d0245a8b4bcb453fe011db7e217abc2e427

SHA256
3377acca54e53729dc24bcc6f2a119b8c9a18f622510fb8d74564c0ceb2e7d6f

SHA512
8ba7f6bd7eccc5e0616d4bd5d56f31db4efa7d73e2b55d6a0cb672526bd7116deb2b29aef101658f41e264447a5e303cc7bfc95147c005e6e5775174d4141385

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
380KB

MD5
79608852ef60d5ce7f3268d2f6946768

SHA1
a495b0b9bc6bf95d919205b96064047317bb7030

SHA256
ad13aac9971ae86fbb5b28c731d7ea1ebbe0fdcc29985a7e770dea5e6b96c347

SHA512
6f359d5b03d32aef175579855fce5a904c112d2cd57732090f63aaea3c4b5e275a19978e199103b483efd4dc589d05d684e0081e6e7c75e117bfec69fcb2129f

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
380KB

MD5
53a65d96156b7ac8005701872a72a62c

SHA1
3ba8f1d1fcf97331978c5278d37c312fb38764c7

SHA256
d6125cccedc207731c54a294288fb176825ae332596eb4885e4b9c6d7d810a0a

SHA512
2af02cd4e623fc627dfbfecec1371cc9fb6dea6ea50a77445808ea29bd66de028dd7cd007d733e0275dc2423e40a8839961dd6da67b341067ec25040da1e9b3e

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
380KB

MD5
ac69edc498f177cbeb72251c156736ce

SHA1
42bb65410062ad2a6dfffd9647452d27eaaa984a

SHA256
eebcd4cb585cbced901b3fd5f425bf18b17cea5972370c32d82a824b2547b73e

SHA512
a916c19c3bc37176c1ccb94bc3a0c09e59016b591cc3e86b86813a7216c71d9c76e3a3ed499320d582e3c27947cdce81782418ace88fed17de8f0c9c3a6f7940

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
380KB

MD5
3fa0608005188f2c1c552ebb789742bf

SHA1
cb6e67116a453a0b6f17196bd8b5abc0175c6434

SHA256
071283a78f1a8568cc7e6f449572bd2bff3d24c366511b9748d235ad06dc6e4e

SHA512
f608cc6ea42a0ab777ca282518b7d4b8cea8090bfb9789bd0e3c27993121aec6329afcd318b78543f26a855759b8b9247708d6aa36b605ec5111d1d10f0aa339

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
380KB

MD5
12bfe812e00d8566a6b1ac844a590234

SHA1
ad2b17b644f34370c7d37d869d3473127e717f87

SHA256
99429f94a60e637cef322c28f452fd82118ef4784024e3591a2d61cc08b8fe1d

SHA512
f4fd3c33911b7d8cc76f6fa74cfc85ae3da2f2929bfa263650a24d2f4da2bca69c7c711f1cf79058212299c84c40984c68620e27c5ad6f2e93ca5172ebdf6c37

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
380KB

MD5
02537a7e829e027e4a220c74daf569de

SHA1
e05e2276fb818bcfe7e682c02129942360fc0f02

SHA256
52dab9c4420d74bce2cda74e65d65ee2d1f6db8c213ea57253a0a69601cd792a

SHA512
677b02e5eb6c446d083805188aedb22d8903466f290b0cdb6b77ca78405fb14721adef59ecda772c68b3c189844a2aac0c2e31c93182beead23e29616bf5d301

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
380KB

MD5
a54ebeee98cc1609e48b7d6dc93ce159

SHA1
f76d280dd118b1ecf4cafea1f91894231207fc9f

SHA256
eed4b07531b26584a981cae2c8a6678ce7bce0e9a0d130483cc67d886d718433

SHA512
c2d68c1712cc5090ad01a0b322b36c127016f5bad83c3c5b13cbd68b5118b2baa72e5701e1328a469ea90f4e215749e7fe8dd6d00f8e12e6f36444cdff5c370f

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
380KB

MD5
9a767ecf1dfcc8f530d51f63d7d83275

SHA1
2656de071ba4da4d1b9a300bf2e46ccb935d0d40

SHA256
515b37888d01358d5f1135601ca5ca658373236c504641819257c1f92f4c37e1

SHA512
387f64a715213ac2fb9f8a796237b5ea786cf9a425b164b722ee35885b955f0b46a6bbc0ca135cccc678884a2265d0f8308daa8f4fd42d16675ffa2419d4b1a7

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
380KB

MD5
3528bcad0952915291331e8e3f9890a6

SHA1
08e89d1a8ee9a5a82d6226e0f5906dfb68b389ad

SHA256
3b31bedf2c033dc595082307dca274bafe458d3d1e7b12958f99bba23985afbf

SHA512
8797f42b2c24e982aff91675ef50509c054640513c174dc1478e7d0941ea8526fc87897761e703b71f40f41703bb869341f15a47240fcc916441e5c9af072bbc

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
380KB

MD5
983525eb8fd6c78bcae8f965565bb081

SHA1
329c051b30e6e7dbf8113694885f5cecdb2c3145

SHA256
625a814d32241ea92fcbfaa40a58557c5b8cfed6408d9c983acf929e645f8b0d

SHA512
81cfb1d8b6c06ee7b62612c41a01992e8772ef29343ab52138faf208c6ce6c65bd6b9ac6f1dbba5f4f5fca6555c8335c3b48c5b9f9515a63f49ad7a581308093

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
380KB

MD5
c196e96e2968737682dba72700847410

SHA1
0b59503e7e65b2d01ddcf006f70b0d5f580e1347

SHA256
87ecb6bb1c274e49e08e05e0924cee39e78028af52425c70a2f9e7ad437fc30d

SHA512
3d4c6e1334e5560bc2c53625bba2fbc43c1b8d300381ad6d4e0e16d1d4229edd3a5603af989a585180126ba25da23522faca96714c3744b3855b4b519e9d5d48

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
380KB

MD5
e2ac3f21a2e9e728c969f83b04ec9bae

SHA1
38650b16b236186f3d72a375bdccb5b89bd2c05f

SHA256
983f2e6b9febed16c5b7a887b1cf02c561abf0d9f9f35ad38ab7a33f59670983

SHA512
4e8457ad6ea32fada225b209ca136416510c2223b8470a62c87a63fe59c02f04a7bdcd27df48eb71a52a469858ba3c7b0179852c89a354ba922ff6d7c634ecd1

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
380KB

MD5
a0f8bb46536e787685b8cb60b660542e

SHA1
715c45708b7a75ab8ed0eaf124a838b749979726

SHA256
128b19b454f4bf8112b9c03691c1998df0a70294bdb720a8f76c63a04d315ea7

SHA512
cf1ef61558b8afe9e8a69065015bb71db784f4ca34866cec22c2605d13d7e6603172c7ee7f442d902988c7ca47fd337172c887a4e60dc7d31d11232149505b5a

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
380KB

MD5
5e918656552a16d07d951af2ef747020

SHA1
a4376756f5639a8662b9ec120cfc1e7399711407

SHA256
9634fff9e794e2512f59e76cb3961b8b7c8b25e50af9807beee9a19b3ce5f2ef

SHA512
efa07cf72c0652cbeb1bef3f5623fff881e951b4b6968623ea797d4445a62e1d762468c1cfe26756cd329eb8873695b4ffe6af5bb6fd2f84ab5e4eacac9ea43a

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
380KB

MD5
a522fcee726b484cb54fc78be4bcf556

SHA1
73556e59b5561d59f4626b83180fdec0ed815492

SHA256
1fd815df6a34211891554a7313f4701d542c1cfccedd0181a3819c824c45e003

SHA512
c7a73d11d16a6961e910d024005d5994623b863780f602a3e11bd8c22bd29cb05570e51bf42ba5422a1e53217ff9e2ba7787b6425bacf4bb6b224f407b0861e5

Download Submit
memory/8-495-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/668-532-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/804-722-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/912-540-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/916-715-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/936-548-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1084-520-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1088-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1152-541-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1204-523-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1272-510-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1276-505-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1304-501-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1352-506-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1384-526-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1392-719-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1448-714-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-493-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1484-551-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1596-518-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-490-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1624-539-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1632-721-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-494-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1816-509-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1824-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1904-549-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1916-488-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-514-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1936-723-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2196-504-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2304-726-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2348-491-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2384-713-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2492-498-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-522-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-502-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2684-515-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2788-512-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2796-711-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2800-489-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-35-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-712-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3000-718-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3108-521-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3136-537-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-516-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3204-536-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3264-725-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3300-513-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3372-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3620-553-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3628-542-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3724-550-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3764-500-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3840-720-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3964-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3972-716-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3992-534-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4088-508-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4100-524-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-724-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4224-492-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4336-728-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4364-497-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4400-36-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-511-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-727-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4560-554-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4572-517-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-496-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4640-525-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-533-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-717-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4688-507-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4724-535-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4776-552-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4792-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4796-519-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4956-729-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-529-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-499-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5112-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5116-503-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5144-730-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5176-731-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5220-732-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5256-733-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5288-734-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5332-735-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5372-736-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5404-737-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5444-738-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5476-739-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5516-740-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads