c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc.exe
Size

96KB
MD5

56bceda04249d4409f5d7e2b3dd3abfd
SHA1

9d31e936b96c8aa27dbd0f1f8e9b718d2cbf4a72
SHA256

c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc
SHA512

609f4e6829379eea654029d43f9ad756425eba4d3d292908605f01ba5b75b55f97ec6dd718601f4e04855ff5b556fc6cc6e931333d5bdce8cc27d5d61c3098f8
SSDEEP

1536:tQ9Xp4Af9Ppj1JpKjk6zBze9MbinV39+ChnSdFFn7Elz45zFV3zMetM:KXpbJpKjkwzAMbqV39ThSdn7Elz45P34

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe

Executes dropped EXE 64 IoCs

pid	Process
5092	Gbgkfg32.exe
1952	Giacca32.exe
4852	Gmmocpjk.exe
3660	Gqikdn32.exe
2608	Gjapmdid.exe
4200	Gmoliohh.exe
4912	Gpnhekgl.exe
4836	Gfhqbe32.exe
4904	Gifmnpnl.exe
1640	Gameonno.exe
1776	Hclakimb.exe
2776	Hfjmgdlf.exe
2312	Hmdedo32.exe
4068	Hpbaqj32.exe
1964	Hfljmdjc.exe
3412	Hikfip32.exe
2328	Hcqjfh32.exe
944	Hfofbd32.exe
2592	Hmioonpn.exe
5028	Hccglh32.exe
3840	Hfachc32.exe
1608	Hpihai32.exe
1008	Hbhdmd32.exe
1996	Hjolnb32.exe
968	Ipldfi32.exe
1856	Ibjqcd32.exe
4064	Iidipnal.exe
3912	Impepm32.exe
4480	Icjmmg32.exe
1488	Ifhiib32.exe
2968	Iiffen32.exe
3628	Ipqnahgf.exe
2612	Icljbg32.exe
5112	Ifjfnb32.exe
3564	Imdnklfp.exe
3016	Idofhfmm.exe
3924	Ifmcdblq.exe
1536	Imgkql32.exe
4160	Ipegmg32.exe
3116	Ibccic32.exe
5084	Ifopiajn.exe
4988	Imihfl32.exe
1804	Jbfpobpb.exe
3324	Jjmhppqd.exe
1080	Jmkdlkph.exe
3448	Jdemhe32.exe
2828	Jjpeepnb.exe
3224	Jplmmfmi.exe
1160	Jbkjjblm.exe
1736	Jfffjqdf.exe
2644	Jmpngk32.exe
4584	Jdjfcecp.exe
1936	Jigollag.exe
1436	Jpaghf32.exe
3452	Jbocea32.exe
5052	Jiikak32.exe
3872	Kpccnefa.exe
4860	Kgmlkp32.exe
4812	Kkihknfg.exe
4420	Kacphh32.exe
3620	Kdaldd32.exe
3432	Kkkdan32.exe
4596	Kaemnhla.exe
4440	Kdcijcke.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5468	6064	WerFault.exe	221

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 5092	1948	c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc.exe	83
PID 1948 wrote to memory of 5092	1948	c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc.exe	83
PID 1948 wrote to memory of 5092	1948	c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc.exe	83
PID 5092 wrote to memory of 1952	5092	Gbgkfg32.exe	84
PID 5092 wrote to memory of 1952	5092	Gbgkfg32.exe	84
PID 5092 wrote to memory of 1952	5092	Gbgkfg32.exe	84
PID 1952 wrote to memory of 4852	1952	Giacca32.exe	85
PID 1952 wrote to memory of 4852	1952	Giacca32.exe	85
PID 1952 wrote to memory of 4852	1952	Giacca32.exe	85
PID 4852 wrote to memory of 3660	4852	Gmmocpjk.exe	86
PID 4852 wrote to memory of 3660	4852	Gmmocpjk.exe	86
PID 4852 wrote to memory of 3660	4852	Gmmocpjk.exe	86
PID 3660 wrote to memory of 2608	3660	Gqikdn32.exe	87
PID 3660 wrote to memory of 2608	3660	Gqikdn32.exe	87
PID 3660 wrote to memory of 2608	3660	Gqikdn32.exe	87
PID 2608 wrote to memory of 4200	2608	Gjapmdid.exe	88
PID 2608 wrote to memory of 4200	2608	Gjapmdid.exe	88
PID 2608 wrote to memory of 4200	2608	Gjapmdid.exe	88
PID 4200 wrote to memory of 4912	4200	Gmoliohh.exe	89
PID 4200 wrote to memory of 4912	4200	Gmoliohh.exe	89
PID 4200 wrote to memory of 4912	4200	Gmoliohh.exe	89
PID 4912 wrote to memory of 4836	4912	Gpnhekgl.exe	90
PID 4912 wrote to memory of 4836	4912	Gpnhekgl.exe	90
PID 4912 wrote to memory of 4836	4912	Gpnhekgl.exe	90
PID 4836 wrote to memory of 4904	4836	Gfhqbe32.exe	91
PID 4836 wrote to memory of 4904	4836	Gfhqbe32.exe	91
PID 4836 wrote to memory of 4904	4836	Gfhqbe32.exe	91
PID 4904 wrote to memory of 1640	4904	Gifmnpnl.exe	92
PID 4904 wrote to memory of 1640	4904	Gifmnpnl.exe	92
PID 4904 wrote to memory of 1640	4904	Gifmnpnl.exe	92
PID 1640 wrote to memory of 1776	1640	Gameonno.exe	93
PID 1640 wrote to memory of 1776	1640	Gameonno.exe	93
PID 1640 wrote to memory of 1776	1640	Gameonno.exe	93
PID 1776 wrote to memory of 2776	1776	Hclakimb.exe	94
PID 1776 wrote to memory of 2776	1776	Hclakimb.exe	94
PID 1776 wrote to memory of 2776	1776	Hclakimb.exe	94
PID 2776 wrote to memory of 2312	2776	Hfjmgdlf.exe	95
PID 2776 wrote to memory of 2312	2776	Hfjmgdlf.exe	95
PID 2776 wrote to memory of 2312	2776	Hfjmgdlf.exe	95
PID 2312 wrote to memory of 4068	2312	Hmdedo32.exe	96
PID 2312 wrote to memory of 4068	2312	Hmdedo32.exe	96
PID 2312 wrote to memory of 4068	2312	Hmdedo32.exe	96
PID 4068 wrote to memory of 1964	4068	Hpbaqj32.exe	97
PID 4068 wrote to memory of 1964	4068	Hpbaqj32.exe	97
PID 4068 wrote to memory of 1964	4068	Hpbaqj32.exe	97
PID 1964 wrote to memory of 3412	1964	Hfljmdjc.exe	98
PID 1964 wrote to memory of 3412	1964	Hfljmdjc.exe	98
PID 1964 wrote to memory of 3412	1964	Hfljmdjc.exe	98
PID 3412 wrote to memory of 2328	3412	Hikfip32.exe	100
PID 3412 wrote to memory of 2328	3412	Hikfip32.exe	100
PID 3412 wrote to memory of 2328	3412	Hikfip32.exe	100
PID 2328 wrote to memory of 944	2328	Hcqjfh32.exe	101
PID 2328 wrote to memory of 944	2328	Hcqjfh32.exe	101
PID 2328 wrote to memory of 944	2328	Hcqjfh32.exe	101
PID 944 wrote to memory of 2592	944	Hfofbd32.exe	102
PID 944 wrote to memory of 2592	944	Hfofbd32.exe	102
PID 944 wrote to memory of 2592	944	Hfofbd32.exe	102
PID 2592 wrote to memory of 5028	2592	Hmioonpn.exe	103
PID 2592 wrote to memory of 5028	2592	Hmioonpn.exe	103
PID 2592 wrote to memory of 5028	2592	Hmioonpn.exe	103
PID 5028 wrote to memory of 3840	5028	Hccglh32.exe	104
PID 5028 wrote to memory of 3840	5028	Hccglh32.exe	104
PID 5028 wrote to memory of 3840	5028	Hccglh32.exe	104
PID 3840 wrote to memory of 1608	3840	Hfachc32.exe	106

C:\Users\Admin\AppData\Local\Temp\c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc.exe
"C:\Users\Admin\AppData\Local\Temp\c297606076192a65a741bd361d259b4e86e8e6a1ed7d0b18a9863368af7517cc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\Gbgkfg32.exe
  C:\Windows\system32\Gbgkfg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SysWOW64\Giacca32.exe
    C:\Windows\system32\Giacca32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\Gmmocpjk.exe
      C:\Windows\system32\Gmmocpjk.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        25⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        41⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        51⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        52⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        57⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        64⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1632
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        68⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        70⤵
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        71⤵
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        72⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        73⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        74⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        75⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3076
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        79⤵
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4256
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        83⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        86⤵
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        87⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        89⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        90⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        91⤵
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        92⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5172
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        97⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        98⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        105⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        107⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        108⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        109⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        113⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        115⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        122⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5816
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        124⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        126⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        127⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        128⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        129⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        130⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        132⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        133⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 404
        134⤵
        Program crash
        
        PID:5468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6064 -ip 6064
1⤵
PID:5284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
96KB

MD5
8267d56ea77ff16dcdc78ef37533159e

SHA1
8aa7949aabc31f481badd49562df53c242728cc9

SHA256
bd179e13deee195e655be37fa14c62c6b4e8f402270108133e7da56e5460701e

SHA512
475cbad981780fcef01b1a058b4dbf0741ed60054286f2597666a228cfeec5546dc8951cd3854a17a34e197debe171f95eb4b677ad34f9b005b54041ead2c539

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
96KB

MD5
f0647e69f7ad143e61fa5f7cb4fbf5de

SHA1
ee1af21d0c85735f6365e700de4285d9470f4759

SHA256
d0c3bcf0a34ef09f55d29139d2e81560777d6acae6057886532f2c92084088e0

SHA512
8c6e7da7eff3af5323bbfc33fb12678db34c45e4a183505772e3eaa59899ec45f260bba2520a801620f040d6306b4e7e4c725447ad034b88b3bd71e7279abf98

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
96KB

MD5
b02793f9e08841e333bc8cbf66af172e

SHA1
18d6e8cd4af85983848c5c42c214b358fe6f5030

SHA256
6235a19a553ff6b49f1e12979febc345454624efedfeeff92c95aa9106db0e9a

SHA512
d8811f2cf17263a7a4874703e0b759450602d1082ce49e22e5efb43c91d27ec44a0ee4dbec4abed4870208bbbfcd204af33dbedcf168916d3acdd222f1215eab

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
96KB

MD5
a79c37d991d0fec641063b4ea99def77

SHA1
2ed5a24593ab3086262f0a4212cc723412432ef9

SHA256
b0804e21393ebb51bf172d29c9a60a5e14450ac321b90797f0e32b2482be59f1

SHA512
ec71610b452502291f14dbc1a23752b5f7c5f9a0f92813053cb1c8704687e6fd96c9a1298d5ea99ec4112379843c7acc44a519c176b2573279062afc38750dca

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
96KB

MD5
214b994dfb028776588097b1f6582b1a

SHA1
6e20ec0876e5deae3625a24781e9f132ced243b9

SHA256
476783bfc583c648b8ad5679125aae3c70ad29459de3e77a6193e3e7bd354ca1

SHA512
cfcb7d63895586330d6e0be1be5bff154ca0c2b321dfb17f295a08a93bd1302ba8e321f0e7857a495a93cf4e7d8f0d054163deda123d3890be10163c8d8c5236

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
96KB

MD5
16d8ce0cf0183745857b44095f7ee9e7

SHA1
1da52074e5f1eecc5b421d39287c6be8235e8c8d

SHA256
d8b3045bfa62d3f77b2233f37e7c726afcf83ac8465bd17ef080e69cab29c201

SHA512
e5dd7756abafe2251342d8d79d8acf06ca7e392894318e9323b8e7a4d1579e5a05fdb34f5f20a0f2067df526684f891a15e642ab3646f476729c2cbd7344e6c4

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
96KB

MD5
6682d45949154bec33a978fc30514c4a

SHA1
06e345c009b57cea5cd4d24bdd1f0e107160fdd8

SHA256
e36a105eaa3a5fc4fc1e15a2e470ad253e894a5f1a7de90dc348713bf188671c

SHA512
6f5532fed3636e9aab3a58df08827bc074966fed083696886a376cbb4fd241af8275ddb8358a95b48c8c7522f8262409d9164cda985b1dacaf80642685e11d68

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
96KB

MD5
7901923c2a802b7f2f2698b3a9bdfc0d

SHA1
2b32c9a412872de6b8e8d5db8ac43abb8a437537

SHA256
a488a7dc1f163faaec7fe3afb0887c1445ffe6e506b468f753932c2f855d4cea

SHA512
71de037421fa2f6e66a6c41980f17da2b958586cab115b3307a6ebd1591b12534840e8d8dd47eb21231bef44961742f5b76f2fc02b95f95e8cb1435664e39b60

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
96KB

MD5
47f89cf5214dacaf98170d4c2b47232f

SHA1
35572df7b7456c9a7bab7eae363dfa93284b0252

SHA256
c64bc4b5921157a4034e8c36b7055c00376249a0201b243d02b13227c7225d70

SHA512
607c82ad25201507e0d5e116ebbd24daf818f925fa57f0cc5edc0f6071dbbeef4e8c5e7494035a36f0d499f38f37b7b2cf4d579327bfe823e426b5dc333a610a

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
96KB

MD5
b53633038dadae5043595c54698cbd21

SHA1
788d4d6e93c62e6875a00119d24a38d8d0becc32

SHA256
a82106da243faf6736f7b39b22d10229d586c15a3efcd8ee5218a64a9ef407fc

SHA512
f7be23d4dde02d4fc559ad75841fccf4b32733fcd6f0b8b49f54ae0649816465ed06ea638df063cd6985fec464efc7659fc8e030e07c4e7cd924e165212d0c57

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
96KB

MD5
1bd505a3552181af60213653a86a5d0a

SHA1
62a02c6e6ea6fb47750df68d30c712b4724d6992

SHA256
724d1ea25fe4d32815b94bbf90e9e49868dadf5bdda654b5f445642557edbedb

SHA512
b84c35163a22ee1997c670f8f083f7b627e943f7ad13ccb4df16093e2929b34e18f2ad008a16526bd49800d70790946bc56a8b79a925dd6e4575e20703d48c84

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
96KB

MD5
3e990f3c1761589c4a04fbae59d8ca1f

SHA1
5678efb148259767461e96dc050c442d81accd13

SHA256
7840c9f256917901762a1a99779111fab404ba00df2b48616e6ebde6ef82b821

SHA512
ebd93897f161390de7bcd3fa18b0e3177c94f8d857679d04e64e20baa4d391ee84298c2b1939dcbdc1bf47676ef5f0e4a932572dca9a2df0694e95501f1e037c

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
96KB

MD5
2180ae64da8815663b6f80c6feca6034

SHA1
784858db01d79cfbb51c9917030b2c32332c53a8

SHA256
4740d1ac978209e0a32a5b2ab991a32c8a6ad9abff0a46312f82e2c22852279a

SHA512
a86552a2d4cd8d9c1de66380781d60f7850871fcfc06b8c035994cb7805a1c61c627bd961922ff3c0303905c734eba7f2d4e32c902069540415336de7d16ce6a

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
96KB

MD5
bbd5283cbd1953d8b63e8a743e738395

SHA1
b16673c180a298801ab1b4875dcabff57b24eaa2

SHA256
8ba0cb8cbf10aa35831a76d4eac585e5f5347b695105b6a9898c982d2529d2f1

SHA512
061c387bcbe8ed8fa0ee12835beb97518ecde7c8be354ddceb1281e3138dc7ddb83bc669a269271f72b6043cdb384a09c478e9f8a2d4ae59c8c2b743483a924d

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
96KB

MD5
abd30dcce131d670672fc1554c85f236

SHA1
dd7ea203dbac918755e6db4836ef4516401bcf44

SHA256
e5c0c3a850c531c8b26dd05ed743d5805d86d1b85118112bb11a9acf45a963e2

SHA512
3d90a6ef533e2744fb41e04306ca064a6eaca60ee58e535ba96c718235bcef56f79377fe2f42751cc6b1864b67222d734b3ec5420717f52094d7c5568b27f277

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
96KB

MD5
61f081a79ae65ee51d5fe65130f16f75

SHA1
ef3bc6557ec6c94bb4f192e8beb7d8f48b281039

SHA256
791511b3ef1b893139817a208b664d15c3eaf4446a36fef5dbf41cd6b3a5ff65

SHA512
531a0c80db9f9e21ede9db53cd4ce1ec051a67529dc01fb213e8ff86817eaa839f324d843928462631f7dbd02509465f1d5addddafbd023297d8c7d65643144b

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
96KB

MD5
ef90ea80202b0d245d6805e9163bdbe1

SHA1
ade84d55c2cd2b64f0cf4e13fafd9b5d7759bbb5

SHA256
2f64e0a48a3c627b65e3287eedd239cb3729600d683348146eaf9cd0dc1b4068

SHA512
704ad79352548e95206db129e25ea715f1d22c8095aceb263ab6b7aa48caa068a44ba1b8287f0009b32477be0e924839db6cfaebccb5c7d7786c478adbfd116a

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
96KB

MD5
b3ac99ad69bb45ef36d93f0acd1ff679

SHA1
82967d0e38003d4708008ff7b1c4ad723f519d5d

SHA256
54e764fd38dd13f5a6cbc615b9cc45be75275da2046bc083508c55d9029599da

SHA512
a801dcd024f5d56d4be989caa4d1604dee1cf8469411df677e75c0b1a3e7bedd1d8dc078433e3320d2cf81e85d93c7a42139354b31148c6979bdccc18e1bb05f

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
96KB

MD5
24abf993bbbd425ec4252341bb626182

SHA1
8d62509f4e7216fcc923077afa154b827537f43b

SHA256
fb5975fb3b452cd6d566967e6f0cfadaa9d5d3e17d067a85319058f211ab7693

SHA512
6e1ff96f284a66c1ca1a03c4a27aa2b0bb3085ec60ada3afc38c88ce8f8742123edffba4723ca72cf2cf3e3333a7f45d0ba53d40a2f9e49f9eeff28b906ba8b0

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
96KB

MD5
54b4c85500679df9b4b10a02b76470b1

SHA1
b52567140608de8a8763b6e99d054ced4ae86e58

SHA256
d47726f73efefaed21aecddf4ba339310826b72689d1b202b365784ba33aaf88

SHA512
72c1eb274df1fb6c70f129b4d21b013a79c76b6f1b1e06ca4d4d6490eef3e13d662d4d59dafe023471d892a3d1b596550f024a0ead3c17094df74fe3d423694e

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
96KB

MD5
5fa37580285d5c9def9de3cfa4a92a81

SHA1
74a6834fa95481549a9dbaccf89281b10048aa7f

SHA256
096e9249649d61e504494ac74ab4cff8448b0e5dd0239df2f2b939a1d23a01dd

SHA512
f6ef020deee6d1dd2772779e0d47c154a829855b8f585636cc70661f3ab9b1845bd3ec7fd2cf42800cb5013c5df2ccb60a3bdb73cc120355d7809e6e61ee98de

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
96KB

MD5
19e9c0fff278a3cd835e586f74a18b3d

SHA1
688b72f86463b39687563a43d000f611a79abbb7

SHA256
13a05a62f7e79aa3ae1b2e8272a8915319a8ba1976cb94a64bbc55aea2ade80c

SHA512
11a85169372929576c6df870381730488ee7105c1ac4589a9931230649035942130986cfe5a783385a6affe897276345358683c5a1db4e597af6291032b131e8

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
96KB

MD5
ba373cf13a2d862472280942c0f3c7b7

SHA1
f44b6c1760e7dd70fa192d47f5dad8874aced247

SHA256
d779ed6a0166312dd385983abd47cdcf74a9d3b440266c933090a49f4a0d330f

SHA512
fde6f7fd55343231cd0854beb5c2dcb741c38a676e0e0e4b9cd43693cc12265099ff2ebfbadcdd686edbfb5f466dbce4b647fe4b434ead24212471c3ee74377f

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
96KB

MD5
f80fc2fae59b3c9f3920ecbcdf35e148

SHA1
61aae8a021a67442434eb66c53e5a3fb8c37634e

SHA256
dc1a895722d309db44862d93ea733aede26d784cfa21a31d5e341d2ad3057eb0

SHA512
48ae9b96b5b1c5550be2a53599c18708120600ab806775f3d2aa84b6a3f04767a3272e5db520fb28a08b26521b91dcb1fc2c930e888148f20247f24b256a3ab8

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
96KB

MD5
3008c81f31fd92d4171d120714c05b35

SHA1
e1da86b993eaf2741bc2f99b312f2eb44ef5a5d7

SHA256
672ce84f10a38f0e3ea79c95444caa0cdf8b702558fe07c3ca2a705732e26952

SHA512
e4b4e405745cd637eef8eabb87e67977d9922d263677262c2037906126f45305748c0145405ce69f21dd6aad011313b01bef548f6035c88bf7fd484e81ebf3d7

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
96KB

MD5
0580f99b98a8901a8ef7547dff56e02e

SHA1
48723e4c7807d0094639f5b5f6c663d1caafb5ef

SHA256
efc6c902002113cd6a8658b8bd5214a1423ac27b28de164c9a6d8b18a1ada54d

SHA512
bcc4240120f21750c46f0c98bcc5e154d0c2485ff17739a1a6aeb45d991a66899b16f6a531a89baebf7717856c350b9cdb2d6d77f5b0e4d9eb5f102e4c792c2f

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
96KB

MD5
2d0fb69f9e05f7d0a6a6359fa38a23ca

SHA1
9b5b281007b519ed2d614f7c7ba51ddebaa7f1ce

SHA256
5a2a2662135d79984cad1505151d5fbd70f712a04381b3b36c1f8f87d0ea1443

SHA512
eeb2075d55c9705d32cfb6dd9a077777e7ecbea7b9c4b4a2cb35d278efc32b77af71053d438b62249e71514045c7e12a0e08333883540abc5db521911903c26f

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
96KB

MD5
a5564d669411b82bcdb03b9d8fe32f80

SHA1
7f2b6180eb6f685f1b72e37cc3ecd2097c21f9f6

SHA256
b792f31ef02a23e0b5fad5b6c9da2f504d8ebf17823d1923f0185f0ff0920385

SHA512
7ac34c922cfe44d0ffb87f7a56f49d47434517d4c7ed6e075290b4d3c301fd1f2b6ac1064793efacc29683516165cbe935f33fa4bf3e71d4b0b671d670096c6a

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
96KB

MD5
3222e8d973d191619476be3d4700eda2

SHA1
f805d0613372b5d501c467d1d592995ee5c55251

SHA256
ffb6b218a11456d4371b070cc06aca35bfede1889a05436bc61569a962faf59d

SHA512
e5912f3b18d176fedad5974fbc02b06ffc2e0207e3d5f9d1abca48e43c4aef1f737e55cacc391d15f5e51e540cd6f8e5ef8a361c00280f994d15d7fd0f034784

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
96KB

MD5
395912ff94917e3faf7b9ce2f2b1aa5f

SHA1
533dd0bb853a39c2951a6e8556ba212913b57c90

SHA256
e35192ca31770309b071659465f3996c6521c4d437000ef21bfea66e1245528a

SHA512
2a37b6e37e7fa73f9b27284251698abad4d168028acc8195c758e26ea6075456ff223e4365ffce2eef88f929cce6f0a3d324605263fb8faf4c907416be97a0d6

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
96KB

MD5
e2756cb469758752dc1e4deb5125aab9

SHA1
7efc844b77820eb340e888703d02c1fafcbdd301

SHA256
562597550aa2b45df76856a748eddb593f0cf09e1b38023e0ffb7f6f8362a101

SHA512
2b45d4735f7fc62751a538427987545990974008a02942569eda561e7fc979bdeac0e1b7bb16abf85042bdd8efd104929bcc15624299ee05717d5141f6f6cc8f

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
96KB

MD5
83467626b4a4ecc3ea226f968aaef946

SHA1
7bb4da6b28917cb6fcd11d0a3cf210c1136fd1a9

SHA256
c09aadab7360b11db743b4bd431737c1d089a3aacbadefa7af74e9e2c1ded94b

SHA512
a5cbd108f435d6496772086a6581ff93e89950cc1ba330f381e773f4dd29b560b7f343fb74ae7d29d481e9cd7d576dcdc6f896cf9c6746438401f5cad2eb0076

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
96KB

MD5
03f1af18ad60159a13bdf4dd09df12ce

SHA1
12082cf39b64bc6ba99254727c8e83cff75dcc4e

SHA256
00f8c02ddc5d989979b2c9afd205807a017ffd13ef55d72f607d60676554d6a4

SHA512
cf8505fb67aa4d7d1985c9cc1438cb8dbc762d6feb80db5d58e0e93f7381f56d314b435592b472e288afd0c96610702cbc82592bcc5013be59f91a043f45c8a9

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
96KB

MD5
5b6c5e82a1ed387921348ed6a9a9f67c

SHA1
589c3175cc9e60c0adb953fe097f7e953522a6a9

SHA256
67e6313d2cea7440f524a8f6a17336b0425816f016efef851948db4758f07577

SHA512
bb5444ade6bb89100e5df019c7f9d508d14a25cd2ccda751065e34a1bfe53641a14e2e61e9fe740b1ea577cbc90ed442e20fb4c2a4e30d96066f96bc2ead818b

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
96KB

MD5
eff49c07acc0ceadff88b2289be95b88

SHA1
0c89b6a4b8394709b1ccaa5918d8061858018a11

SHA256
613ee8630a35fb2b5d3ad9c9741a00f3e5fa33d3403a8129cb7627c93b39e691

SHA512
9f6e60e56765f520f9e48a8890dd18154d7b9749be61428b74b1ab05d81730eb50b8cb45708554c193d613f8907df149cdc9764b476efede29c345a56aa6a616

Download Submit
C:\Windows\SysWOW64\Jigollag.exe

Filesize
96KB

MD5
2312c1aeb06f9932cb9e5604f0b86c92

SHA1
31043e5bc00e1ff410acb81ca6ad0987931cf958

SHA256
2903cd6a963fffe3f085d4af88844cab6d2227524e5f3f688b33aaeb45058add

SHA512
d8126069faabdb724bb35e633988334009824f13b16e53b9b67916bed288fb63e406b1337ae3118dbdf3748581b00d75613306b1708564f28740cf614382b6e9

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
96KB

MD5
22d1a280ca8ad233b94ad81ccdb23ffa

SHA1
89dccc1ddd556899dc9395d453de06562df07c67

SHA256
692e479933b3ab44a3e53f54b23a2afd1993703af895b4af094748fe9a655015

SHA512
a125d35a68f9392c8552537892711f2ab058ba1b1de08a39db319fa8297f4730fd5259bcc99ae02f8dff03daa7e9d5c1d4251485a02abe35ac871e7cc20958e8

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
96KB

MD5
93f5e706a007cc3b82ef85f20255b34d

SHA1
fa885f9ce0894ac88edb04276ae87b05bab10d8f

SHA256
758ac2f803afb79df429c36c122812ebde72f6f1a7f84b6907fd47c69a05444d

SHA512
845876589253fdf085c8ea62424444febc9dfdf912922426f9fcfbae088f7f0eeda52d0f56ed1a2e45dcd3f30ef7dc8044dd840053b75ba28f061aa75aac86de

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
96KB

MD5
d0fcf41d53f20f0ec1d092152ffa10ce

SHA1
eb76093cfe60e1871cc7d1cdec824ce2ecfcb143

SHA256
d30038ec6a335b159eccc24e506ac5ee0ffffc4b8fc458f0a9f215170082ed65

SHA512
5ef387c081c3def49519fb87b644c87b7b40b1e8c5dd48800c0e0f340305033a9d62d22ce46d544e0f3c9b0cf2ed3559d71749c51801912e10f46f746106b216

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
96KB

MD5
8e75cfe2b960ed3813df13333e0cd7e9

SHA1
04b05a3e96a7db4455cd03835263a0b4777c49c7

SHA256
ca675cefab3911c2e3e79085382fb01b0f8e2a406cabf5e8082b06853c3ab858

SHA512
bb2751e5cc97bfcdce38bcb21f7181e07df3f63e2417db922282bdc241e5f8acfc4d3549478277b26f8c5b3c3873c81e9636271986100df8ef4e0920eadfcbe2

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
96KB

MD5
c69bedfb4c46fb2f295bdcc94ab02287

SHA1
afccb41121ca6d288f9c0529cc24a66d07877a93

SHA256
bf6ddb7d145d56d571ec118c0f8ca4389bcb03ad0f5bc2c520333dec821190d6

SHA512
94a4e8d927495c9a8195ebde731298796e5bdd84fb773b917ef8721aa0c863451a2bc406fcaae77fe16871060fad5d661103adae757cfc84552429c4117a601a

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
96KB

MD5
df89e686576c710acbe6e7989e6cb0eb

SHA1
2700c46de8977358cbe02263d72d2a6371ac2957

SHA256
a04e94c02e8f2cfd9154447fc1c1076f8c04b6604ca4f433e504c575e01b7899

SHA512
11d9dde4275e132c1af1a4982eb260a8e977aaa70cef610da04dd676d711c0e611654bb0ff8eb2af7278cb2b3b0bbaad1f636c8dc461f9b3a13f70f215825d2f

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
96KB

MD5
fc961f41085008a85ef96a1cbdca7ef1

SHA1
eac696df9bef5bb251b8af18374d552481e6807f

SHA256
7b8d1ecc5a28750e4a5c443b4d549617a188687dbc2dbd8ac6bd65b8b7a0a8c9

SHA512
2f3100e0cad8b0a34193646b7861cd64ff451de4fe959fa3427cc60235e0d55d59986ab1ab6f8eee1a33254b3a90425452a4a4cf092d628a97c80c8365f404f7

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
96KB

MD5
540f6fabf606457e0eaed182be7f92f2

SHA1
ae56b7016c0c44e09284770103fcbbe85dc52521

SHA256
67d240a42cfbf2b680c4bf16f1004d16d2c24f71549129fcfcf33525bc325347

SHA512
d64160dc1c85a3c0a1cabd2c208e97de72d39fabf461fc6099dac022324e5f52284a5b8be78275db12604de832023b714a717663b7f7e8abd62d7311cb59c003

Download Submit
memory/216-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/968-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1436-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3660-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4200-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4596-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads