aa45c20efb3601ab7637cf8975f0b3080268bb92fd75fc3466e346c4fba498f0

Analysis

max time kernel
131s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa45c20efb3601ab7637cf8975f0b3080268bb92fd75fc3466e346c4fba498f0.exe
Size

63KB
MD5

75069228501a245618482e2be2efcc9b
SHA1

84aba09ec4e95a4a6d3ff3f8da6c760ee46b4104
SHA256

aa45c20efb3601ab7637cf8975f0b3080268bb92fd75fc3466e346c4fba498f0
SHA512

f300a576f66a81888c7b22922eee96870e6b389bf88bf4ef830bbe9c82b6b1bd8be3b653f4c88cbedb42a1e88c5686c5b33842a4f4378e994c2089eaea232c7e
SSDEEP

1536:SmwIQz87FK1wskv9Wmamq11g2xI3kH1juIZo:DQGo94WmDRuI3kH1juIZo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe

Executes dropped EXE 64 IoCs

pid	Process
440	Gjlfbd32.exe
3792	Gmkbnp32.exe
2608	Gcekkjcj.exe
1704	Gjocgdkg.exe
4888	Gmmocpjk.exe
4060	Gcggpj32.exe
2892	Gfedle32.exe
4976	Gidphq32.exe
748	Gpnhekgl.exe
5020	Gbldaffp.exe
5040	Gifmnpnl.exe
5008	Gppekj32.exe
1668	Hboagf32.exe
3388	Hjfihc32.exe
1700	Hapaemll.exe
1628	Hcnnaikp.exe
3484	Hfljmdjc.exe
3408	Hikfip32.exe
1612	Habnjm32.exe
1976	Hbckbepg.exe
2348	Hjjbcbqj.exe
4800	Hadkpm32.exe
2396	Hccglh32.exe
4860	Hjmoibog.exe
1696	Haggelfd.exe
3364	Hbhdmd32.exe
2340	Hfcpncdk.exe
4012	Hmmhjm32.exe
404	Ipldfi32.exe
1148	Ibjqcd32.exe
4340	Ijaida32.exe
1900	Iakaql32.exe
624	Icjmmg32.exe
3104	Ifhiib32.exe
1184	Iiffen32.exe
1740	Iannfk32.exe
4588	Ipqnahgf.exe
4320	Ibojncfj.exe
3760	Ijfboafl.exe
5004	Imdnklfp.exe
3992	Ipckgh32.exe
1428	Idofhfmm.exe
1748	Ifmcdblq.exe
2856	Iikopmkd.exe
3912	Imgkql32.exe
4444	Idacmfkj.exe
3160	Ifopiajn.exe
1160	Iinlemia.exe
920	Jaedgjjd.exe
4960	Jdcpcf32.exe
1352	Jfaloa32.exe
2908	Jiphkm32.exe
3764	Jpjqhgol.exe
5048	Jbhmdbnp.exe
2192	Jjpeepnb.exe
1408	Jaimbj32.exe
4268	Jdhine32.exe
2964	Jfffjqdf.exe
720	Jidbflcj.exe
3676	Jaljgidl.exe
3492	Jdjfcecp.exe
1656	Jfhbppbc.exe
5052	Jigollag.exe
4432	Jangmibi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gfedle32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Lcnodhch.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5836	5600	WerFault.exe	217

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	aa45c20efb3601ab7637cf8975f0b3080268bb92fd75fc3466e346c4fba498f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceaklo32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 440	368	aa45c20efb3601ab7637cf8975f0b3080268bb92fd75fc3466e346c4fba498f0.exe	82
PID 368 wrote to memory of 440	368	aa45c20efb3601ab7637cf8975f0b3080268bb92fd75fc3466e346c4fba498f0.exe	82
PID 368 wrote to memory of 440	368	aa45c20efb3601ab7637cf8975f0b3080268bb92fd75fc3466e346c4fba498f0.exe	82
PID 440 wrote to memory of 3792	440	Gjlfbd32.exe	83
PID 440 wrote to memory of 3792	440	Gjlfbd32.exe	83
PID 440 wrote to memory of 3792	440	Gjlfbd32.exe	83
PID 3792 wrote to memory of 2608	3792	Gmkbnp32.exe	84
PID 3792 wrote to memory of 2608	3792	Gmkbnp32.exe	84
PID 3792 wrote to memory of 2608	3792	Gmkbnp32.exe	84
PID 2608 wrote to memory of 1704	2608	Gcekkjcj.exe	85
PID 2608 wrote to memory of 1704	2608	Gcekkjcj.exe	85
PID 2608 wrote to memory of 1704	2608	Gcekkjcj.exe	85
PID 1704 wrote to memory of 4888	1704	Gjocgdkg.exe	86
PID 1704 wrote to memory of 4888	1704	Gjocgdkg.exe	86
PID 1704 wrote to memory of 4888	1704	Gjocgdkg.exe	86
PID 4888 wrote to memory of 4060	4888	Gmmocpjk.exe	87
PID 4888 wrote to memory of 4060	4888	Gmmocpjk.exe	87
PID 4888 wrote to memory of 4060	4888	Gmmocpjk.exe	87
PID 4060 wrote to memory of 2892	4060	Gcggpj32.exe	88
PID 4060 wrote to memory of 2892	4060	Gcggpj32.exe	88
PID 4060 wrote to memory of 2892	4060	Gcggpj32.exe	88
PID 2892 wrote to memory of 4976	2892	Gfedle32.exe	89
PID 2892 wrote to memory of 4976	2892	Gfedle32.exe	89
PID 2892 wrote to memory of 4976	2892	Gfedle32.exe	89
PID 4976 wrote to memory of 748	4976	Gidphq32.exe	90
PID 4976 wrote to memory of 748	4976	Gidphq32.exe	90
PID 4976 wrote to memory of 748	4976	Gidphq32.exe	90
PID 748 wrote to memory of 5020	748	Gpnhekgl.exe	91
PID 748 wrote to memory of 5020	748	Gpnhekgl.exe	91
PID 748 wrote to memory of 5020	748	Gpnhekgl.exe	91
PID 5020 wrote to memory of 5040	5020	Gbldaffp.exe	92
PID 5020 wrote to memory of 5040	5020	Gbldaffp.exe	92
PID 5020 wrote to memory of 5040	5020	Gbldaffp.exe	92
PID 5040 wrote to memory of 5008	5040	Gifmnpnl.exe	93
PID 5040 wrote to memory of 5008	5040	Gifmnpnl.exe	93
PID 5040 wrote to memory of 5008	5040	Gifmnpnl.exe	93
PID 5008 wrote to memory of 1668	5008	Gppekj32.exe	94
PID 5008 wrote to memory of 1668	5008	Gppekj32.exe	94
PID 5008 wrote to memory of 1668	5008	Gppekj32.exe	94
PID 1668 wrote to memory of 3388	1668	Hboagf32.exe	95
PID 1668 wrote to memory of 3388	1668	Hboagf32.exe	95
PID 1668 wrote to memory of 3388	1668	Hboagf32.exe	95
PID 3388 wrote to memory of 1700	3388	Hjfihc32.exe	96
PID 3388 wrote to memory of 1700	3388	Hjfihc32.exe	96
PID 3388 wrote to memory of 1700	3388	Hjfihc32.exe	96
PID 1700 wrote to memory of 1628	1700	Hapaemll.exe	97
PID 1700 wrote to memory of 1628	1700	Hapaemll.exe	97
PID 1700 wrote to memory of 1628	1700	Hapaemll.exe	97
PID 1628 wrote to memory of 3484	1628	Hcnnaikp.exe	98
PID 1628 wrote to memory of 3484	1628	Hcnnaikp.exe	98
PID 1628 wrote to memory of 3484	1628	Hcnnaikp.exe	98
PID 3484 wrote to memory of 3408	3484	Hfljmdjc.exe	100
PID 3484 wrote to memory of 3408	3484	Hfljmdjc.exe	100
PID 3484 wrote to memory of 3408	3484	Hfljmdjc.exe	100
PID 3408 wrote to memory of 1612	3408	Hikfip32.exe	101
PID 3408 wrote to memory of 1612	3408	Hikfip32.exe	101
PID 3408 wrote to memory of 1612	3408	Hikfip32.exe	101
PID 1612 wrote to memory of 1976	1612	Habnjm32.exe	102
PID 1612 wrote to memory of 1976	1612	Habnjm32.exe	102
PID 1612 wrote to memory of 1976	1612	Habnjm32.exe	102
PID 1976 wrote to memory of 2348	1976	Hbckbepg.exe	103
PID 1976 wrote to memory of 2348	1976	Hbckbepg.exe	103
PID 1976 wrote to memory of 2348	1976	Hbckbepg.exe	103
PID 2348 wrote to memory of 4800	2348	Hjjbcbqj.exe	104

C:\Users\Admin\AppData\Local\Temp\aa45c20efb3601ab7637cf8975f0b3080268bb92fd75fc3466e346c4fba498f0.exe
"C:\Users\Admin\AppData\Local\Temp\aa45c20efb3601ab7637cf8975f0b3080268bb92fd75fc3466e346c4fba498f0.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\Gjlfbd32.exe
  C:\Windows\system32\Gjlfbd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\Gmkbnp32.exe
    C:\Windows\system32\Gmkbnp32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\SysWOW64\Gcekkjcj.exe
      C:\Windows\system32\Gcekkjcj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
      - C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        23⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        36⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        38⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        42⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        49⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        50⤵
        Executes dropped EXE
        
        PID:920
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        55⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        61⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        62⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        67⤵
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2852
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        73⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        74⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        75⤵
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        76⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        79⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        82⤵
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        83⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        85⤵
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        87⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2272
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        89⤵
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        90⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        91⤵
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        95⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        100⤵
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        101⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        103⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        105⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        108⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        110⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        114⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        119⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        120⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        125⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        126⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        127⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        128⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        131⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        132⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 432
        133⤵
        Program crash
        
        PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5600 -ip 5600
1⤵
PID:5760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
63KB

MD5
33050e504292a3eab8e65b23f9ab9f83

SHA1
59bca7770c98e07ea97625f10974c5e5cbb863b2

SHA256
9bb63f73672b83bb349d488240b30374f3900bc0522c148ce6b8d5b12b03d4e9

SHA512
b4eeb112906cf25f4d70eafd02cc8bd635254dbb6f48714ece5889ce1d3c30349833c61462251990de9325f378aaa190fc6163d770717e531eb1ed96a7bec302

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
63KB

MD5
0723fbbccb082ce615c075abfef4af7f

SHA1
4c9cee13daa0941a0c77ebf66b700a83b1428465

SHA256
5d4d6ecff3de014bf0251c097577a0684e3f866878f34c67db65b91de11be0a4

SHA512
ace228deb618539ed0cd1937740e77a8e22b6afe39d0def0dd7b50bc5dd50cc52d092732838fde2d27fe08567a86ba4ecdfde6ffe92f456ef13443264444dd8f

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
63KB

MD5
ecd058aabaa845080fed54d32ebb0d1f

SHA1
022e00f6f21e2c88a80f43129b140ef1c01e1e24

SHA256
25ac3557a67960983cb9f042d13fffeba795c16b787aa8fdf067543996a1cebc

SHA512
c21a08a056c39d55e8102c5bb904d377554afa608413b1fcedcaafe82989fb66de57a0a98272488f3fdf2e1f7c3d979d8d15ed50e6b007cc881b0eca969e1144

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
63KB

MD5
9ca9758f37c698dbc640c0b19616b947

SHA1
2b709bf05b002a699d28703444f3015392dfa8ac

SHA256
6d6550348405f7132c4f36ececbe8826f30662bf7f102cfad002c4eaad5a5f74

SHA512
adf78767f7838f44c3256eff84930749ecc4a43baf51d1f7fdb84498f688548dc635160c95f174857889784a98664c798bfd702b1917c407f246cc34619b7e83

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
63KB

MD5
833fa7548ef56a8bf6e0d692726e901f

SHA1
2440e706377ce7cd0f70c383bd2af28ec497f047

SHA256
fa63e1cd9fa85e6ef954329f866d2b99db9dd89960c3d91fcc1fe522913558e7

SHA512
aa7b812d95793ba099da428b5f038ff215591ecd668008f811a25a228a5a3cec19420247afebf59ff76ac86edd2b71ba2439e1e4ae3f413d81f213e8260f9c61

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
63KB

MD5
181996ff163fca5fc9a66a2c83d79336

SHA1
f1d5dcf6ff45078a8de07c4f7c30d3394b338562

SHA256
d9e5fff4aa96a61968bfab24a009f4ded034dbcb1f28bac3fb0b1389e526f137

SHA512
fdec3152386e6f92c3786b84c648eb9bc43ce769a8e0395f646e9374b13b5f52235cfa5f62fd71a1a6779fe14f32fabd980ede085ae4b570f90575a55793f9e5

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
63KB

MD5
348f30ed4018b0556fa219e6d2b17eb5

SHA1
7922835f1cd37463d0be2f8ff61ea97c57cfd335

SHA256
fa9c87c3c7a4444f54b439e4ada7d55d06348498fb8ea5983f0b39dcd5d5809b

SHA512
5dc54eb8550fd74e67399502818f9f77d62c9341fae62f5b0a97220ea326e702da3d4dd86f3081e85c431d410f31744b6cfa08c42619d552bddf49e0dc779ed8

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
63KB

MD5
ebe35eff6ff41c027d89dc59aed9c1f8

SHA1
58d8f86d0670eef406402f3782e7242fb68ab543

SHA256
74236d99f11667b5253dcb5c5304920dbf48bf45500eb89f7853d4be5d1a656d

SHA512
b332d9088cf4faff90ad92a6cc08c35bba0b76ddfc90a564cecd0da69b314eae7417a3e3f746999bd05d8adbca8e627cebcc90ba6c4709eb7e3903132137d831

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
63KB

MD5
35388d72f3af40cc9bc30fb5f56999d8

SHA1
f365721991fb3694285923685c0017c199b9646b

SHA256
fd249294267c9bb859845b26fcc76f1b6e44e83bb4c7bed1dfc87c4d07d60eeb

SHA512
0c52fd0e894c939615437e49a283471d7d53db1d7d103c14874b91ab3d75688a325d33bd5e7457b311dcf07a9d9e75c330d50fb05d59dec8dac45890d8f57806

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
63KB

MD5
2e23afacb413e7593f36f4dc5ccfac59

SHA1
261fe8d00c6fee11d889fcfb1745e77a96383321

SHA256
a6c7cb4c7145a040f53fbc9342337f26feb0d805e8c9ec99e719066a1ec4726c

SHA512
2cae92bf6825ac14e068302efc8df2101693cbfac26c522323f82dc1fb03810e0eaef412181e7586296d60c2f4d3af1b48670917a8e8a41b647c9cfe9af688c3

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
63KB

MD5
11420bfebb8aee156c77dd283974052f

SHA1
091ab38e4760984c5ac62d30fee63cb896d2a120

SHA256
c345437fbc57e5f0b1d7541811aaa00d4b47c2bc25c8e0200bff66385b785c80

SHA512
a3802d478a13aef5dac8b0ccdf675a17bc8f0558b04105a21643e6bd91fc7e77616c5353adfb4f30ae2268ddfed150f9d2dbc0bfbbf9ff34e85ffae1da421ee0

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
63KB

MD5
3941b982b5b65f3e8af3f2c2ff27c158

SHA1
f123fbe31c3955e375a9fdadeaf979becaedafb2

SHA256
9b451edda1f42dbfea6f57f2014b0af9afdb7c21a13ea7f77a22cd0d1fa67fa9

SHA512
e087aad803da48b28ed89695a969a1f61940435deff13d19a80e2f631ae7f2c8a1bf04ecf891b36fc80f5905fd05d7cafe5fb879468d4705730cc433df1b1706

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
63KB

MD5
4564a9737357e1a532c5c14da9c789fb

SHA1
5d0c76967369f5f9fe520e6e5b0e4c22c3603296

SHA256
c015f77f31a4ee07701009f1bc0b6cf7436f8cffc79035eb7e9276b72a377043

SHA512
0a2cd353f8fa4b2e227d185fa1e3085afd04ccbe354d715f5d7fa49a8b4ce70ddb786f498305b4e9d8c1ef68761f26980c785e501554c29e7835467d669ae5ab

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
63KB

MD5
5d6c4405ef8c6f70793ef0bdb062502b

SHA1
b8be1628043ce34c86e357755c65051b8164c57b

SHA256
7436328cb784934202bda47ee13572f15d979a86f3490d4547d2cd934cec01df

SHA512
cfb9c698cf654c1e29642d8131dba1293303d81027cd9d7f956996b641afd405b266341a183bca0fd95335c994565ea6affd7c67d05d49dd6e9c3d03993182f6

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
63KB

MD5
ee976866707f1b46955c146b3494a202

SHA1
bdbb5827ce252dfc8aec4377dbe9ed86c58f8f4f

SHA256
4d483cefb08bb253d2569958381a742e4f7332d7e77dc311fa548bf32d06551b

SHA512
1d2838841e5ab25b39ba8f821225319c573d70a439dee329aa5fd0d46e54846b6df3dee64eddde34134009880bba2ec4dd26994383c5b4c3bc45c40e194ed378

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
63KB

MD5
5caa05f7ca25531f9230d4902defc8c5

SHA1
532a0c3227b2089b60311fc13db7b4b96d6462b3

SHA256
130525edeca42e5ee2c23c2d9262cc5996315ed0833b491137d10c51a6cc91a7

SHA512
153acbd31613786640286c7b5507ff2bb8b8b01f1134262ed36180e700bbaf63d0f59a0035536eb66de64589d26003639668ceecdd30f10e66ab8ebc362b6baa

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
63KB

MD5
5b23e6eec3c19ad612a92036d3d61d22

SHA1
4e309f02212c260a05c1f3af72d77048b5d5a0ea

SHA256
c833e3532d07b07999aeb7a6a0b96ec02bb74c97b1725450652589a69ba8edf1

SHA512
6b1283336bc9b49c063f0a3affc15494c45afa4e8782a42cc08b00b6d8dd3c96839e8e6f4d9c64ee2f13f76fd629bc94122f438914f015b85b787763956ef438

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
63KB

MD5
1d005b73efd9fb344fca97677424f889

SHA1
f9c72bf9fbabaa5e1bd9230213d9b07ea396cd82

SHA256
a7d1dcc2f4f1cc5166a3c334b1611eebd306f69b6c064fb70e432ee56be33c00

SHA512
3d6a964a28947d6d9240af36b7ea5555b6f308b51d2cabbd3d2049efed9b813011725ff59537440eb9218e9450a249303152e9bfcf287907292f562a185719d2

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
63KB

MD5
db34ecbd1d91de9f3459f39f2d6e9ecf

SHA1
f282157199fe3fbf52e4b24ed5053619257b4401

SHA256
5020f86229f3994215e083a7e65267575546febb8db193d00ea46085387877a4

SHA512
8e2eb0d88e7db68bfc5f610405d763b8166d76a18d6764509c0a45504455a5a8311b55b0909ad372ebfe681af3899ba79f5f981161b2acb67cb99f7d3829f842

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
63KB

MD5
8a56ef2bf3c16ebe8689fa52aa7cdbdc

SHA1
a100b33cc87731e0d49f81bbdb4dcbc909cdc18b

SHA256
caf3645153002be43ecc64857c6e7de50f84aa3c74f7462cf1c0bb0f458202a7

SHA512
974caff07ef36048536ec9fd7bec3ab27e2593b079922a9a92551304bb7bdc0e2df48aae88d67401b92aecfd86b4f5ae47b7242b5186bcf094165c40b5ae2f10

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
63KB

MD5
72a8e5ed239f46fcf61930c1d931b57e

SHA1
c8abfa0ec67f459aebf795b653b5f63b0a9f170c

SHA256
4cb9db179bec13ef9a313390a5fe5a96e32674af3a4ebe42036556691774df74

SHA512
5ab99a421b96d164cd53365e24ca7aef1e5d38e3087337fd40e8f8fc3894dd7739ac44ae0d46fab2570a4ba961580dfec0888155b3a27d09ebd46df770e42229

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
63KB

MD5
2b08ef8b4793df63220b4481dec24c54

SHA1
fdffb0e8b7344374c529d7a86a4b14f4a732c1ef

SHA256
ec2787431aa742d1bfc0de449a4fd4275e7676de79c300dbe7361d957c4dda13

SHA512
636236a184ba9c57eee9d3b5fcd85f0f78964629a6b1295ca486e80c96e140c2b570ff239451584cb41d9aaa29bb08b7ba6d72af9b8f7fe3f72247b93bd5ce35

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
63KB

MD5
b80f02a0ff610b016ae49e83b8dc30c4

SHA1
dc50214f507a966dabeac0a4108b4a707e649791

SHA256
13f70b92505318b4c62b5b14762013658e9ae8513268ca33692ea8893438c45d

SHA512
9bcd5dc9cc2653ada2f499bea9fe2b6d0620d69c94cf8a8c28e68113527285d3f5f61e61c1126f1026bd1743c682210d139b8626ec7fa1bf1ffd8c23f32131f2

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
63KB

MD5
ba8b8ddd34c200287763bc5f4325b90a

SHA1
cd520247c2bd00b8070de6ef94bfd81fc1dc3f7a

SHA256
986f0c627e91decfe91eb1708009a2759ae567298d8823e49d467e773b8b241f

SHA512
8e58c536155f8c67fc92e01ca96edfed5845c865776f0d41d2025788b0ff7a1783a868343a84830cac5681864cd0a9a0a3c8041f9580e53c58060a148d3b9060

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
63KB

MD5
80dabbf7f2a43a136f7667b5a4211fdc

SHA1
1110587c73e0dbb7cc17f7fbeee1c8f6b55e92b4

SHA256
e6fe328eb23cc959431225d6a20925971072377a27e4c6fc7883ac6855180efe

SHA512
464f1a6d3ba86e8f83eb4ff9bacc6cc5005239ae9be00bef7ceb620dd622f5475411241450aa6550713e29ca8e68bdda1b2295e46ffddec7bcb01f65b5e466e4

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
63KB

MD5
228dc5d6b8b48224341dc253551c73c1

SHA1
f34e738e3d50e4e6527c9da8efa8117b6cffd3ad

SHA256
6b5e9f340975cf3e2a2e60ba05120a26105f19fa4578b6f63dfa8cdb1dd7d1ac

SHA512
3bdb7b540b069e669ae3e996cac60158fdd2b36c1ed99d93192cef1a0b9915afabc1bb3408cec3797e3f236b52f3e6a81c5fbcca67d9589c08fc0f1393b1046a

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
63KB

MD5
0513f88f5548f0ee83d9e6aa1aac9941

SHA1
27b8625ae182027404a80010a6e5f3c1b8e02fc0

SHA256
c3f72c895ab68df383fafd2086fe60fdb97e628246337224e08a6caa590e94e7

SHA512
30c13f212c4670d315e5983bcdc3d19c95ba2a272e781f37b73578ee829c933aea8554fa988e46dfbb07bef0dedb194251f23b0f9e7d3df69095d216643be59c

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
63KB

MD5
35ed2650f1c9e900f6585291a199f2dd

SHA1
11111f920ead25c7018770da8233e1daf4bd064e

SHA256
b3faafd0459f79d957f56f0b173d23997e73faab4c1366fc66b88873b3d4bdaa

SHA512
ca92498b6bf7266cd785e268cd6f5118d9c3455debbf60a38f7b7f107cac79ac4743af4f910ec80544135f6f56828c10bb77192dbb5bd861de65ee765183ffb1

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
63KB

MD5
6487d5d5a6d4a991c856010c018f1886

SHA1
4ec9f74f35da5edaaaef85cb0f5deed4ffd79a52

SHA256
57b2ff3a163f3cd7c86fd1969796d29d770849b3e19b81fa894582973274e6f5

SHA512
b0e79416421b784179f76bc1469e05d1b702ebb2a8664e3603641f2e294413d65617d70981a742971677b6c88bedf47cd9ba7afe90bd425e170afe3038ae6055

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
63KB

MD5
a01a321a8257ea18b4e7c4e2b7a4b1fc

SHA1
392b3063e5a97539c37615641fdebaf6fa13555f

SHA256
d644d7e3dede5ed5e3a04063fd278e9197df304e7cf00a0c3542c33d0f027fc7

SHA512
70b5586a6b01c78adc40aa3dece09ca1df176228ab0101fc38d61952d04226f8ce8fe0638bf6060337bf996832b76520918f00c6005dc7f704a8af3e858fa70a

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
63KB

MD5
b466893ae1f1911ad31d85f3a287e494

SHA1
fe6ca2fef5b7a534f59e18d5a8905144b936c6ea

SHA256
db4241c29add276294c99b878281a175a7a79b4022bb838b36f8715a9b7aa907

SHA512
bf94da1dd4d70378c7908ed4c8b9f950403b05379c867272830ebead9beb8341b266adb59f5a1f27c87b7f1ebdcf49bae623c8222c353d30de596578b532b0cb

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
63KB

MD5
dbe071ee4175cb9832e63cfa54bbad9a

SHA1
3c7bf1b6e7d62a301858cf15aab5b995a6d6ed94

SHA256
f84d6e1e6a7e6440cbcf8d79d249590378ac29533f3f8f6d0c5cfada0e87f988

SHA512
592a8729be40d620f91ecda0b735e6fca11eebf872a709d10674c756fa063af42f706f1dc9339ad900779b19767a78631b195334f81dfceb44bc049990c64f3e

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
63KB

MD5
391f2b2e05e6b3c9dba9ae55a77ed581

SHA1
312e54e60d9fdc2bd35825b08e07bc5d1a8a2061

SHA256
eb8c8c8c3a208cc82cc34f9c2164371cbf3d7056b955831085a81a2dfe3ff889

SHA512
6c2c653c7d7828d5fb874a353c37ad49b08c81ffecc790fa50b01a06822e8f59022cad0295d555fa8d3cb0d2ad65c8331c4d560baae3011fc67b08d6bc765eab

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
63KB

MD5
706ce8d12bc638a79e58b32974ef4838

SHA1
6481560d038639ad46b6706cdc327d7a54b33348

SHA256
83e73c65e16170eb8c4a4474a443e385726072f4845f7878e63fb8ac58051561

SHA512
f072c5797a3773efbee58f9e4ec6d27dab39e4fac3db5d40b91a26533d501787bf6be6b616c8017bfbd286a1797d4e57d5e33fc2246bd5b8b92bf527f4f00a92

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
63KB

MD5
fcca0ae2dc7953af1a0cbb635f4540f7

SHA1
314b98caac300ff9cd91af94650bc519e2c65ceb

SHA256
d305d599c2724caca20a64e26266d32c8eb7393e62dadaa06372b4880dd2545c

SHA512
357f4d293f58cb778305f2d58abda5fdbbbf392a328535108f2f42d216befd6a5570d9263fb4f2ae64f1f8223d9c1e59db60b1080cef0025251620c9c27a49c5

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
63KB

MD5
b0139c11f13993bd7f02bc8897dfe39c

SHA1
bd2543ee2f67d7528154376132551733f821e5c3

SHA256
a54c1e9d7a132d5ce96e70201299b681ae677d0c4579ed1c52f61448c5569bf1

SHA512
95d4020e2601a8abc5666b9024675621ef0ff7c658538a4e6a996e8323945076fe4ea384880640084dd79bafbbba6e8e557b8aa10098d3a138b566655dcd37e6

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
63KB

MD5
5a27a2e852352d43c2a018b1cd740ebe

SHA1
25e6c63fa4a8487ae2239828672503ddcbee7410

SHA256
d77ca6e7c810a6f869ea1636770817fc8c6ccee0195a2bd3d2547cbe32ded8ff

SHA512
5824ba80c54ab7fcf22c05868715e391a96ef6d7759882868a56e23b073f77652236c517f698604fb33b1a69cf81b2a98ff99e21f75c5bdf7d5b16c7c5292cad

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
63KB

MD5
b6e50e13a9f195d5adf7cc87b353f03b

SHA1
8af6b3dfeabe1049cb047cef891a37e910a3dfe4

SHA256
b64e3c0d7c89fceb3e8ecb49b3ca55d7c89df91d7a09a12232043ba5aecc8ca3

SHA512
00f6d2f3a530fe76531b1f46e8eb663ef4cd6e7e58fe497b7553b399337ca506ef89af0014a6064d74ade8e38547003890bcee999c341f55151ecf01d7fcf09b

Download Submit
memory/368-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/368-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/368-5-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/404-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-556-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1008-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1148-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1184-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-153-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-131-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1700-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1748-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-538-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1900-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2192-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2292-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-955-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2852-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2856-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2892-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2964-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3160-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3364-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3388-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3492-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3564-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3676-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3708-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3760-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-385-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3792-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3792-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3912-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3992-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4012-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4268-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4288-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4316-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4320-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4340-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4588-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4604-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4628-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4908-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4976-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5192-950-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5368-946-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5488-892-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads