8b99750d9f725d268e74479c3c76dfd48a2ed05f4f840efda11bb99ba09d643d

Analysis

max time kernel
206s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1965af77fcbd41cdd4825602df60f17d.exe
Size

363KB
MD5

1965af77fcbd41cdd4825602df60f17d
SHA1

f1d5f4e92b89edf3cbbbbd687aa3e80dad40ec73
SHA256

8b99750d9f725d268e74479c3c76dfd48a2ed05f4f840efda11bb99ba09d643d
SHA512

b8afa6ff837e1ccba7c6465c3e6f01175e6e6354beabbac1a7d12e1f70fa6393c8348eca30e204891f0f5b9bb19f3267178063a1f3a1e981281029027fa4be39
SSDEEP

6144:sPtwNOT5tTDUZNSN58VU5tT0dzL4n5tTDUZNSN58VU5tT:sz5t6NSN6G5tsLc5t6NSN6G5t

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnlng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdaedgdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacboi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oafald32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghanoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnkflo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bojhnjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljlagndl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdaedgdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mallojmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ellpgeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnblmnfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bojhnjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bekfkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldhbnhlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohnlcndb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcghm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Galonj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bekfkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnccmnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkncd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnhifonl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boldcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebnqofj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhgfaha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pokjnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebnqofj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iqkjkokh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oafald32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcgndf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hanlcjgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clgkmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mknjgajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokjnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpokm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mknjgajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boanniao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalchm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcghm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boldcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maefnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldhbnhlm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngnnbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnlng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfodpbpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnccmnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maefnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1965af77fcbd41cdd4825602df60f17d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clgkmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oklhpjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnhamc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpokm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfhgfaha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngnnbq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgdklb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnhifonl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Galonj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdbofo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aedfdjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obgoaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikpc32.exe

Executes dropped EXE 49 IoCs

pid	Process
3020	Fcnlng32.exe
4792	Gmfpgmil.exe
752	Gfodpbpl.exe
2128	Gnhifonl.exe
4536	Ghanoeel.exe
3960	Gnkflo32.exe
3520	Gcgndf32.exe
3692	Galonj32.exe
2804	Hfhgfaha.exe
1020	Hanlcjgh.exe
396	Hnblmnfa.exe
1364	Bojhnjgf.exe
844	Boldcj32.exe
1700	Bidefbcg.exe
456	Boanniao.exe
1488	Bekfkc32.exe
4968	Cemcqcgi.exe
388	Clgkmm32.exe
4796	Cipebqij.exe
4404	Ldhbnhlm.exe
1664	Lalchm32.exe
4452	Lgikpc32.exe
3888	Lnccmnak.exe
2588	Lijdbofo.exe
2828	Ldohogfe.exe
1072	Ljlagndl.exe
4528	Mdaedgdb.exe
1864	Maefnk32.exe
2732	Mknjgajl.exe
2752	Mgdklb32.exe
932	Mjcghm32.exe
3732	Majoikof.exe
1060	Mallojmd.exe
3684	Ngnnbq32.exe
4896	Nacboi32.exe
4440	Aedfdjdl.exe
4880	Pokjnd32.exe
1012	Pjpokm32.exe
924	Cbkncd32.exe
392	Iebnqofj.exe
3192	Obgoaq32.exe
844	Ellpgeag.exe
1448	Iqkjkokh.exe
2432	Onhhfe32.exe
1428	Ohnlcndb.exe
876	Oklhpjcf.exe
4636	Oafald32.exe
4560	Pdpmdn32.exe
4112	Pnhamc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Obgoaq32.exe	Iebnqofj.exe
File created	C:\Windows\SysWOW64\Gnkflo32.exe	Ghanoeel.exe
File opened for modification	C:\Windows\SysWOW64\Hanlcjgh.exe	Hfhgfaha.exe
File opened for modification	C:\Windows\SysWOW64\Lgikpc32.exe	Lalchm32.exe
File created	C:\Windows\SysWOW64\Ldohogfe.exe	Lijdbofo.exe
File opened for modification	C:\Windows\SysWOW64\Mdaedgdb.exe	Ljlagndl.exe
File created	C:\Windows\SysWOW64\Nacboi32.exe	Ngnnbq32.exe
File created	C:\Windows\SysWOW64\Mknjgajl.exe	Maefnk32.exe
File created	C:\Windows\SysWOW64\Gnhifonl.exe	Gfodpbpl.exe
File created	C:\Windows\SysWOW64\Gcgndf32.exe	Gnkflo32.exe
File created	C:\Windows\SysWOW64\Lijdbofo.exe	Lnccmnak.exe
File opened for modification	C:\Windows\SysWOW64\Cbkncd32.exe	Pjpokm32.exe
File created	C:\Windows\SysWOW64\Hoencb32.dll	Ellpgeag.exe
File opened for modification	C:\Windows\SysWOW64\Galonj32.exe	Gcgndf32.exe
File opened for modification	C:\Windows\SysWOW64\Hnblmnfa.exe	Hanlcjgh.exe
File created	C:\Windows\SysWOW64\Igdmbh32.dll	Ljlagndl.exe
File opened for modification	C:\Windows\SysWOW64\Majoikof.exe	Mjcghm32.exe
File opened for modification	C:\Windows\SysWOW64\Gmfpgmil.exe	Fcnlng32.exe
File created	C:\Windows\SysWOW64\Ffhjdnih.dll	Iqkjkokh.exe
File created	C:\Windows\SysWOW64\Eocpmlgp.dll	Fcnlng32.exe
File created	C:\Windows\SysWOW64\Bidefbcg.exe	Boldcj32.exe
File created	C:\Windows\SysWOW64\Mallojmd.exe	Majoikof.exe
File created	C:\Windows\SysWOW64\Kainifch.dll	Aedfdjdl.exe
File opened for modification	C:\Windows\SysWOW64\Oafald32.exe	Oklhpjcf.exe
File created	C:\Windows\SysWOW64\Gkedihfb.dll	Oklhpjcf.exe
File created	C:\Windows\SysWOW64\Icpeok32.dll	Obgoaq32.exe
File created	C:\Windows\SysWOW64\Hanlcjgh.exe	Hfhgfaha.exe
File created	C:\Windows\SysWOW64\Dbpmfe32.dll	Bidefbcg.exe
File created	C:\Windows\SysWOW64\Ldhbnhlm.exe	Cipebqij.exe
File created	C:\Windows\SysWOW64\Gffnkjcl.dll	Lalchm32.exe
File created	C:\Windows\SysWOW64\Jiepaa32.dll	Mknjgajl.exe
File created	C:\Windows\SysWOW64\Ngnnbq32.exe	Mallojmd.exe
File created	C:\Windows\SysWOW64\Ghanoeel.exe	Gnhifonl.exe
File created	C:\Windows\SysWOW64\Cemcqcgi.exe	Bekfkc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnccmnak.exe	Lgikpc32.exe
File created	C:\Windows\SysWOW64\Pjdhck32.dll	Iebnqofj.exe
File created	C:\Windows\SysWOW64\Oafald32.exe	Oklhpjcf.exe
File created	C:\Windows\SysWOW64\Cbkncd32.exe	Pjpokm32.exe
File created	C:\Windows\SysWOW64\Iqkjkokh.exe	Ellpgeag.exe
File opened for modification	C:\Windows\SysWOW64\Gfodpbpl.exe	Gmfpgmil.exe
File created	C:\Windows\SysWOW64\Iddoag32.dll	Gnkflo32.exe
File opened for modification	C:\Windows\SysWOW64\Bekfkc32.exe	Boanniao.exe
File created	C:\Windows\SysWOW64\Lnccmnak.exe	Lgikpc32.exe
File opened for modification	C:\Windows\SysWOW64\Mgdklb32.exe	Mknjgajl.exe
File opened for modification	C:\Windows\SysWOW64\Mallojmd.exe	Majoikof.exe
File created	C:\Windows\SysWOW64\Gmfpgmil.exe	Fcnlng32.exe
File created	C:\Windows\SysWOW64\Ljlagndl.exe	Ldohogfe.exe
File created	C:\Windows\SysWOW64\Mdaedgdb.exe	Ljlagndl.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmdn32.exe	Oafald32.exe
File created	C:\Windows\SysWOW64\Ohbmih32.dll	Galonj32.exe
File opened for modification	C:\Windows\SysWOW64\Lijdbofo.exe	Lnccmnak.exe
File created	C:\Windows\SysWOW64\Gfodpbpl.exe	Gmfpgmil.exe
File opened for modification	C:\Windows\SysWOW64\Hfhgfaha.exe	Galonj32.exe
File created	C:\Windows\SysWOW64\Majoikof.exe	Mjcghm32.exe
File created	C:\Windows\SysWOW64\Nmgjmi32.dll	Onhhfe32.exe
File created	C:\Windows\SysWOW64\Jheopffn.dll	Pdpmdn32.exe
File created	C:\Windows\SysWOW64\Fcnlng32.exe	1965af77fcbd41cdd4825602df60f17d.exe
File created	C:\Windows\SysWOW64\Nqkiog32.dll	Hanlcjgh.exe
File opened for modification	C:\Windows\SysWOW64\Maefnk32.exe	Mdaedgdb.exe
File created	C:\Windows\SysWOW64\Galonj32.exe	Gcgndf32.exe
File opened for modification	C:\Windows\SysWOW64\Bojhnjgf.exe	Hnblmnfa.exe
File opened for modification	C:\Windows\SysWOW64\Cipebqij.exe	Clgkmm32.exe
File opened for modification	C:\Windows\SysWOW64\Pokjnd32.exe	Aedfdjdl.exe
File created	C:\Windows\SysWOW64\Dccpdooi.dll	Pjpokm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmfpgmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjcaodp.dll"	Gfodpbpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldhbnhlm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdaedgdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Galonj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfhgfaha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mallojmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iqkjkokh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mknjgajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflhqe32.dll"	Gcgndf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnblmnfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foaoho32.dll"	Bekfkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bidefbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbpmfe32.dll"	Bidefbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ellpgeag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hanlcjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bidefbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pokjnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obgoaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pienan32.dll"	Mjcghm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfhgfaha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bojhnjgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bekfkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqjibapd.dll"	Pokjnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Johfep32.dll"	Lnccmnak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majoikof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aedfdjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1965af77fcbd41cdd4825602df60f17d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcjogeh.dll"	Ghanoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boldcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clgkmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dogcjkih.dll"	Lgikpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngnnbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnhamc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalchm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdaedgdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfodpbpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgjef32.dll"	Hfhgfaha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnblmnfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obgoaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oklhpjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnhifonl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgdklb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpokm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccpdooi.dll"	Pjpokm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1965af77fcbd41cdd4825602df60f17d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhinj32.dll"	Lijdbofo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacboi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkncd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oklhpjcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjpokm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnhamc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcinlep.dll"	Bojhnjgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bekfkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kainifch.dll"	Aedfdjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aedfdjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohogfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipniemf.dll"	Majoikof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3020	2220	1965af77fcbd41cdd4825602df60f17d.exe	92
PID 2220 wrote to memory of 3020	2220	1965af77fcbd41cdd4825602df60f17d.exe	92
PID 2220 wrote to memory of 3020	2220	1965af77fcbd41cdd4825602df60f17d.exe	92
PID 3020 wrote to memory of 4792	3020	Fcnlng32.exe	93
PID 3020 wrote to memory of 4792	3020	Fcnlng32.exe	93
PID 3020 wrote to memory of 4792	3020	Fcnlng32.exe	93
PID 4792 wrote to memory of 752	4792	Gmfpgmil.exe	94
PID 4792 wrote to memory of 752	4792	Gmfpgmil.exe	94
PID 4792 wrote to memory of 752	4792	Gmfpgmil.exe	94
PID 752 wrote to memory of 2128	752	Gfodpbpl.exe	95
PID 752 wrote to memory of 2128	752	Gfodpbpl.exe	95
PID 752 wrote to memory of 2128	752	Gfodpbpl.exe	95
PID 2128 wrote to memory of 4536	2128	Gnhifonl.exe	96
PID 2128 wrote to memory of 4536	2128	Gnhifonl.exe	96
PID 2128 wrote to memory of 4536	2128	Gnhifonl.exe	96
PID 4536 wrote to memory of 3960	4536	Ghanoeel.exe	100
PID 4536 wrote to memory of 3960	4536	Ghanoeel.exe	100
PID 4536 wrote to memory of 3960	4536	Ghanoeel.exe	100
PID 3960 wrote to memory of 3520	3960	Gnkflo32.exe	97
PID 3960 wrote to memory of 3520	3960	Gnkflo32.exe	97
PID 3960 wrote to memory of 3520	3960	Gnkflo32.exe	97
PID 3520 wrote to memory of 3692	3520	Gcgndf32.exe	98
PID 3520 wrote to memory of 3692	3520	Gcgndf32.exe	98
PID 3520 wrote to memory of 3692	3520	Gcgndf32.exe	98
PID 3692 wrote to memory of 2804	3692	Galonj32.exe	99
PID 3692 wrote to memory of 2804	3692	Galonj32.exe	99
PID 3692 wrote to memory of 2804	3692	Galonj32.exe	99
PID 2804 wrote to memory of 1020	2804	Hfhgfaha.exe	101
PID 2804 wrote to memory of 1020	2804	Hfhgfaha.exe	101
PID 2804 wrote to memory of 1020	2804	Hfhgfaha.exe	101
PID 1020 wrote to memory of 396	1020	Hanlcjgh.exe	102
PID 1020 wrote to memory of 396	1020	Hanlcjgh.exe	102
PID 1020 wrote to memory of 396	1020	Hanlcjgh.exe	102
PID 396 wrote to memory of 1364	396	Hnblmnfa.exe	103
PID 396 wrote to memory of 1364	396	Hnblmnfa.exe	103
PID 396 wrote to memory of 1364	396	Hnblmnfa.exe	103
PID 1364 wrote to memory of 844	1364	Bojhnjgf.exe	104
PID 1364 wrote to memory of 844	1364	Bojhnjgf.exe	104
PID 1364 wrote to memory of 844	1364	Bojhnjgf.exe	104
PID 844 wrote to memory of 1700	844	Boldcj32.exe	105
PID 844 wrote to memory of 1700	844	Boldcj32.exe	105
PID 844 wrote to memory of 1700	844	Boldcj32.exe	105
PID 1700 wrote to memory of 456	1700	Bidefbcg.exe	107
PID 1700 wrote to memory of 456	1700	Bidefbcg.exe	107
PID 1700 wrote to memory of 456	1700	Bidefbcg.exe	107
PID 456 wrote to memory of 1488	456	Boanniao.exe	108
PID 456 wrote to memory of 1488	456	Boanniao.exe	108
PID 456 wrote to memory of 1488	456	Boanniao.exe	108
PID 1488 wrote to memory of 4968	1488	Bekfkc32.exe	109
PID 1488 wrote to memory of 4968	1488	Bekfkc32.exe	109
PID 1488 wrote to memory of 4968	1488	Bekfkc32.exe	109
PID 4968 wrote to memory of 388	4968	Cemcqcgi.exe	110
PID 4968 wrote to memory of 388	4968	Cemcqcgi.exe	110
PID 4968 wrote to memory of 388	4968	Cemcqcgi.exe	110
PID 388 wrote to memory of 4796	388	Clgkmm32.exe	111
PID 388 wrote to memory of 4796	388	Clgkmm32.exe	111
PID 388 wrote to memory of 4796	388	Clgkmm32.exe	111
PID 4796 wrote to memory of 4404	4796	Cipebqij.exe	113
PID 4796 wrote to memory of 4404	4796	Cipebqij.exe	113
PID 4796 wrote to memory of 4404	4796	Cipebqij.exe	113
PID 4404 wrote to memory of 1664	4404	Ldhbnhlm.exe	117
PID 4404 wrote to memory of 1664	4404	Ldhbnhlm.exe	117
PID 4404 wrote to memory of 1664	4404	Ldhbnhlm.exe	117
PID 1664 wrote to memory of 4452	1664	Lalchm32.exe	116

C:\Users\Admin\AppData\Local\Temp\1965af77fcbd41cdd4825602df60f17d.exe
"C:\Users\Admin\AppData\Local\Temp\1965af77fcbd41cdd4825602df60f17d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\Fcnlng32.exe
  C:\Windows\system32\Fcnlng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Gmfpgmil.exe
    C:\Windows\system32\Gmfpgmil.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\Gfodpbpl.exe
      C:\Windows\system32\Gfodpbpl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Windows\SysWOW64\Gnhifonl.exe
        
        C:\Windows\system32\Gnhifonl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\SysWOW64\Ghanoeel.exe
        
        C:\Windows\system32\Ghanoeel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Gnkflo32.exe
        
        C:\Windows\system32\Gnkflo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3960

C:\Windows\SysWOW64\Gcgndf32.exe
C:\Windows\system32\Gcgndf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\Galonj32.exe
  C:\Windows\system32\Galonj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\Hfhgfaha.exe
    C:\Windows\system32\Hfhgfaha.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\Hanlcjgh.exe
      C:\Windows\system32\Hanlcjgh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\Hnblmnfa.exe
        
        C:\Windows\system32\Hnblmnfa.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\SysWOW64\Bojhnjgf.exe
        
        C:\Windows\system32\Bojhnjgf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Boldcj32.exe
        
        C:\Windows\system32\Boldcj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Bidefbcg.exe
        
        C:\Windows\system32\Bidefbcg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Boanniao.exe
        
        C:\Windows\system32\Boanniao.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Bekfkc32.exe
        
        C:\Windows\system32\Bekfkc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Cemcqcgi.exe
        
        C:\Windows\system32\Cemcqcgi.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Clgkmm32.exe
        
        C:\Windows\system32\Clgkmm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Cipebqij.exe
        
        C:\Windows\system32\Cipebqij.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ldhbnhlm.exe
        
        C:\Windows\system32\Ldhbnhlm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Lalchm32.exe
        
        C:\Windows\system32\Lalchm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664

C:\Windows\SysWOW64\Lijdbofo.exe
C:\Windows\system32\Lijdbofo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2588
- C:\Windows\SysWOW64\Ldohogfe.exe
  C:\Windows\system32\Ldohogfe.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2828

C:\Windows\SysWOW64\Lnccmnak.exe
C:\Windows\system32\Lnccmnak.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3888

C:\Windows\SysWOW64\Lgikpc32.exe
C:\Windows\system32\Lgikpc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4452

C:\Windows\SysWOW64\Ljlagndl.exe
C:\Windows\system32\Ljlagndl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1072
- C:\Windows\SysWOW64\Mdaedgdb.exe
  C:\Windows\system32\Mdaedgdb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4528

C:\Windows\SysWOW64\Mgdklb32.exe
C:\Windows\system32\Mgdklb32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2752
- C:\Windows\SysWOW64\Mjcghm32.exe
  C:\Windows\system32\Mjcghm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:932

C:\Windows\SysWOW64\Majoikof.exe
C:\Windows\system32\Majoikof.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3732
- C:\Windows\SysWOW64\Mallojmd.exe
  C:\Windows\system32\Mallojmd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1060
- - C:\Windows\SysWOW64\Ngnnbq32.exe
    C:\Windows\system32\Ngnnbq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:3684
  - - C:\Windows\SysWOW64\Nacboi32.exe
      C:\Windows\system32\Nacboi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:4896
    - - C:\Windows\SysWOW64\Aedfdjdl.exe
        
        C:\Windows\system32\Aedfdjdl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
      - C:\Windows\SysWOW64\Pokjnd32.exe
        
        C:\Windows\system32\Pokjnd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Pjpokm32.exe
        
        C:\Windows\system32\Pjpokm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Cbkncd32.exe
        
        C:\Windows\system32\Cbkncd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Iebnqofj.exe
        
        C:\Windows\system32\Iebnqofj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Obgoaq32.exe
        
        C:\Windows\system32\Obgoaq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ellpgeag.exe
        
        C:\Windows\system32\Ellpgeag.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Iqkjkokh.exe
        
        C:\Windows\system32\Iqkjkokh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Onhhfe32.exe
        
        C:\Windows\system32\Onhhfe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ohnlcndb.exe
        
        C:\Windows\system32\Ohnlcndb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Oklhpjcf.exe
        
        C:\Windows\system32\Oklhpjcf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Oafald32.exe
        
        C:\Windows\system32\Oafald32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Pdpmdn32.exe
        
        C:\Windows\system32\Pdpmdn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Pnhamc32.exe
        
        C:\Windows\system32\Pnhamc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4112

C:\Windows\SysWOW64\Mknjgajl.exe
C:\Windows\system32\Mknjgajl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2732

C:\Windows\SysWOW64\Maefnk32.exe
C:\Windows\system32\Maefnk32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bekfkc32.exe

Filesize
363KB

MD5
ecf9ee727a43fc46a1abc5f6dd947e8f

SHA1
56a52f69bd7d53a77697b82cd994bd53fcf75769

SHA256
3b3627ffd519151650583aa135c6f95ae6df4fae53309456f560a2f28f43878e

SHA512
dbc8c0ffa169b26560f65910f260c7134f4a2aa5d478a0708811f8fd418ae31a46184e8b03156bad239ef2f6e1370887fc58935cfc2481399b126e4cd0b835df

Download Submit
C:\Windows\SysWOW64\Bidefbcg.exe

Filesize
363KB

MD5
5f5ecd870939993fe2d4dc53970e3107

SHA1
270531a1f777fd7a61ff73f437973e0bdac9a570

SHA256
52c0f28fbe4e5829a720df47ca4848901ecd5be4bb2742d2c76f97db58b5d77b

SHA512
a70efa26a543200886fc955a2dcd3dd657c3883b686b29d211b43d3238ae1f6b32250f07840018e80d9dc8082fd2a68175e183fd74558b8130becca2ae7579a6

Download Submit
C:\Windows\SysWOW64\Boanniao.exe

Filesize
363KB

MD5
23cb2a23e6ef8ed1c7d35425650de1e9

SHA1
b4ee6e22b6c9e5bc7acb3a78e02753d23f99da05

SHA256
e486009a823b0ddab46e7d9b178198f3ce383d58ed583067a55473fca4d128c8

SHA512
cf0a34f57116a85a88eecdaa129cbd8719fcf639ffa1fe93d440d06539d2e5c7c9e957bbfecd090260a319796c3fdc1bd8440ae33b3e4757d2d79cc828f4cad8

Download Submit
C:\Windows\SysWOW64\Bojhnjgf.exe

Filesize
363KB

MD5
07364b830bd7ef85b0f9098640e2a606

SHA1
fad87de86fb90865fd073a2c0cf6295bdb88e8df

SHA256
a07a6a024d94b88242f8b2ed0410da147ac2bda934a0a3629bc42f29a87fc8ee

SHA512
ac621d973b6b9558e8a3ddec5a47bb53e89ba6461c0a95ecee0adb472acf6e91b8e0e13f6216789ec3b2c68ebf75f584091008196d76bcf983bd2ae9f4c04d14

Download Submit
C:\Windows\SysWOW64\Boldcj32.exe

Filesize
363KB

MD5
f6f899b32929861eb4b59fe016e37999

SHA1
921785634e0352bfa31d5d5d2ed89e16ef40dddc

SHA256
868876cff261b505601d92b78a510d24456f9bc421c06de26f21fc7345706986

SHA512
2276b40d81e15f379e7dc02580f79fd94b27400cbfb0b7d37a6a5f23d46d018b48146aef7e460a3fa9189b1caac79f963ce8508f232208f44c9f33cdc03d5a4a

Download Submit
C:\Windows\SysWOW64\Cemcqcgi.exe

Filesize
363KB

MD5
0383c29a256c96ddbb9fc55be4ccaa99

SHA1
7c55d55b5eb7bc546ced42d378f279be8f63cd88

SHA256
298052f8f27d5173dcea5593edb6be3516b1b46e0b5129967a9fd8e39df64118

SHA512
5d7ce5b6a9b22e1e50145793ea56edb9919feac8fb3035b36a7dc1ddde829c1ea9b3f95e719b90b357d3ebae12ac6042ac3162d2bb867c63ffaf62bec4ba2699

Download Submit
C:\Windows\SysWOW64\Cipebqij.exe

Filesize
363KB

MD5
c7377381de02d0d59f5edf559dbfc81a

SHA1
e73860a46852b2635cecb8793b87bda250d657c8

SHA256
f283c7e4dd3d103c4757600d54cbb6e37820865485d08a0d803d8581b3fc9776

SHA512
747db2edf7b74fcac96c0798df8210ea361f5313ec409ca5b0dbd1cc9d0ffb836debb2a540ced31385ac9aeda27cfcf5aef3e879f56e47be5240cd99a0ba7252

Download Submit
C:\Windows\SysWOW64\Clgkmm32.exe

Filesize
363KB

MD5
3935c99dc499d2de6d0cf6feb8f69518

SHA1
e9f95a359e1d513d019aa7f757991e4ef36c2b25

SHA256
76d391c910611fc9449108af05c308f30da8d314526eeee4f476c5944e1a318c

SHA512
4b635c8b1e5cc0f72eb674965d379f5ac8f249f3c729b965041a5ef98c5305ffc503bc1288365eff3eba060f30c45495b0eeebf4fd34324e20390c0566410ecc

Download Submit
C:\Windows\SysWOW64\Fcnlng32.exe

Filesize
363KB

MD5
3266b80d5eb97f3642af2ebb179995e8

SHA1
4222bb01e0ff77e736faf2603d9822beb14985ec

SHA256
7abd55782502c627af88b70eaf2ab4e4d57c6cbb26f052c9831ccef4cf5b26b2

SHA512
d81a530fa830772b46e76a5311844f6476bc29738fe2762de4ee603f8a55ba63026d37dfd66aad5e241f2f9c57047efe29ff9ec628dbf6c2ee5eb5c98c290d1b

Download Submit
C:\Windows\SysWOW64\Galonj32.exe

Filesize
145KB

MD5
fdbe525676a71017cb4182368a4b57b5

SHA1
8ad6e8f84cf7b2d46c549be7ec891369b8d134f5

SHA256
cb3b40e0e880f89d602db8a4da6432cb1461477f4b2dc7db355ceebf4f762cdc

SHA512
0f988ffc486c475db8cf0dcd6f38c360eb7a0dcf92979935f3cd182e4f5aab55d6cc238cbb40aa6db813b238426c0d18bb508117bf2a373b06edefbb79bb03fc

Download Submit
C:\Windows\SysWOW64\Galonj32.exe

Filesize
274KB

MD5
2efd17c2dcc5e75b3eddbe573953734e

SHA1
fe19e38954284b550369fc2778bdcfddc90b1c76

SHA256
06dfcbc292e277b8bb4a1787d528e68363849d49050df3fb20f75117466bb5cd

SHA512
0b81fb524f502ce84539edfc6a7c7d775f2c38eac6043aa7df08f09ed70fb2d39e6f7ce8cf133c14ea62ffdcf55ab1cb5b6b8860f4fee4e98accec93da05301f

Download Submit
C:\Windows\SysWOW64\Gcgndf32.exe

Filesize
363KB

MD5
9f89a17c22719da2ff99d064e68ba67a

SHA1
59fd4f72a52242e9e0204101c1879688651a2ea3

SHA256
fcd2fb8b12d8d60e4c2357d693e4143eef4d031878aa65966292ae1eba162aa8

SHA512
0bc54ba2d7d7804afe5e12ba5fa7e5facc2d55069c5476335e4f7814b404022baf9f87402d2ec667f18c0bc6036d6c1a61f883a19f6dd21c236dc52a192a2a49

Download Submit
C:\Windows\SysWOW64\Gcgndf32.exe

Filesize
130KB

MD5
c2f361232b80b67df07b78a04ad97b8f

SHA1
debba75f70dbbc4e8ed38dd69dde27a75fb5933d

SHA256
5e5b6021f8166e1ef5886460473ff18def36c6fc9c2f0a3a427377481e70ee4c

SHA512
77245722241a99475c1621712fb0bbd20a8518bdf990dcb73b1e44e5a484dc216a07ebafd6ce9c4aa68b6fb3ae682293901efae74c00eb5cae6f9dd07df83d52

Download Submit
C:\Windows\SysWOW64\Gfodpbpl.exe

Filesize
363KB

MD5
f0b22b9abbac01b122607270e7df3a02

SHA1
d1ca9a623fc3dba73a165b65a366f5b7b3749e65

SHA256
4f31030d5f4986c6e3a9870fe7de7def453d63ac5201d80b5743c175c8e4b0bf

SHA512
6fb304d7d9b578217e6f55b2599fd36bd54558e3c3441f1034d488b2312d412de49e588aa68c0b219f21eab35fa53a596b3b0c6b005516082ea17979a08d60c9

Download Submit
C:\Windows\SysWOW64\Ghanoeel.exe

Filesize
282KB

MD5
e8009191c10fdec60dcc0047a3a0aebb

SHA1
1a40063b14160eb9025db1047b35de9bf788bd61

SHA256
f4df514386ea0920043517585034295d2c6152138450e2b842bd0e148deba41e

SHA512
115366eea69405614a7ec0b97d6d2370533fb1babb806862c637112a5d8543541154a90e6378f1caa61d892e35314ec3a43ba28496bbd533f39b16427ea21005

Download Submit
C:\Windows\SysWOW64\Ghanoeel.exe

Filesize
267KB

MD5
24b853928ce3341cc4c56de04e81ceff

SHA1
a607f6ff0c36582f4b5d73dd37e1fea1a5528f01

SHA256
3bd0abea204d372debc5354a77c992833c5791f3b739eaa33814362ebde13897

SHA512
9740823f11f6a9fc5a071dee3b641b36e9e232e86a8536f16411e4f4801629eace7dc06b5d3f7b78a7b9f9879d51c7340e9e9b43bb6e8f6ef331df68d7305f63

Download Submit
C:\Windows\SysWOW64\Gmfpgmil.exe

Filesize
363KB

MD5
7939f84a0b67ca683b3d04cb1e0e7ee0

SHA1
1e1cbbccf1cd995c3475e916add5228881e73cd8

SHA256
c0b6abb88fbc0ede74ad412edfab19c19afe2e14799dc59b76669396bfaf40e0

SHA512
14e610c4acecd21fe26490a024536889a5c66a536ea18268484bb0e5cac9d364a217d446876e0acb9ea862ff02870a785575088b8392867cb5d1d95519546cf5

Download Submit
C:\Windows\SysWOW64\Gnhifonl.exe

Filesize
323KB

MD5
2b3e0f8bd05d8348bc9430df8f6ca715

SHA1
da749caacac7135724b7db84b0bb52fc164dbd85

SHA256
a595d067558ff9439aa9416eeafc28360e46a6a1588b2b5f47b587c64ad7aab8

SHA512
92f2609d5ffe649a4fa2121f376b9f1162a1dd1f23321a017d0b052729d7ece9b404b4591c676eb3802a177c73d5019baf5f56b10762e92b588852671a08d9af

Download Submit
C:\Windows\SysWOW64\Gnhifonl.exe

Filesize
308KB

MD5
8514258e2b7e2c590a4c5af987f4401b

SHA1
b55734afd15e52ba73549f23bad25096673b8092

SHA256
c97bf92b998dd17badcfcc099c4b757cbddff6924982581ec8ac36f13c633d33

SHA512
8a954c6e5f52dbfdd3b56419ce776be4750a5f4bc4412b6c9d348d398883ea4f9aadba67a820857e36d0c73ec62f68c7452388d7bef383d32977396668823204

Download Submit
C:\Windows\SysWOW64\Gnhifonl.exe

Filesize
363KB

MD5
d5f91c032e9f1ece2d20f8cb3e994912

SHA1
13874f2560c3a5191c9bb97b6fa2f5aee79c0cfe

SHA256
ab00b0c87ecfb55c7dc738885594402649c79c5291b5bf87a86966045ec44625

SHA512
e8d4e02491991b2252ae8d237faac37443717b34e81b017f0551208da23e51316be9319bb6376871fbcb35d0ce55f094cf6a7f240be47d341356bf76d4ed63fc

Download Submit
C:\Windows\SysWOW64\Gnkflo32.exe

Filesize
196KB

MD5
0045ea19970fb70d7e5e909b0a06d946

SHA1
1cf41f8e219a94205006f8b07ada09ec8e0f1193

SHA256
e09f0cd6e4c63cea34adf766940c71b0145c2d78ce8dad8b1a5f98b9f9d24061

SHA512
c3601705f94fb386c30e25ce67285c443187366abb134f2417f402506450cf816f23e0fc0fef41d96378e8375e8575b6c9df6a7b7d024812af7ac5270aa5958a

Download Submit
C:\Windows\SysWOW64\Gnkflo32.exe

Filesize
283KB

MD5
1f743b3a571ebd097bc6e0eb5e7e6e03

SHA1
48b3852c9c58714a893ef226828eac272f916e03

SHA256
db504f524ab0c93834184b1db22b39dcaaa31009c135ce026e71d88fa1da2970

SHA512
6fd83ddffd7d3e6d11177b9480e88146368053e3da2b4afefa339a84bc61d0aafa89b9c6f0b17a71d14e8ffebfbdc0a20df771975aac44eed8aa65c7bd7e208f

Download Submit
C:\Windows\SysWOW64\Hanlcjgh.exe

Filesize
258KB

MD5
4f69295e1bd905ce5d291ecc4c1556b6

SHA1
c60f965c937fd242a50122774fa024a9ab573d62

SHA256
57285e2d03d00fa32f3564220830eb52cd3ac713de78583a0c81cea1c7d3ebb8

SHA512
046909d0520e9493fe606bac298c2a8117c041aacc50cb167ea31d80590edd50b384a6e0c40b305466778d15b48e932222bd0d0d53f849e464f72bae59fa78e4

Download Submit
C:\Windows\SysWOW64\Hanlcjgh.exe

Filesize
111KB

MD5
c30fcd334fb7732c6ee862b5efdf33e2

SHA1
85316df410b7272e0f098a5ef751313b167f6f48

SHA256
07b5ee89df51f587091352182570836e6a375c6fd399e8c53cc2a39c05d5106d

SHA512
8203ab383fe58afbb3e787e24996c6bdcd70bc2b640b4d5d6acf5f0ceec331e3879429a9871c71232d6f4e25c33a2b3e4463f2dcf77939d0ad70485ae9fb1a70

Download Submit
C:\Windows\SysWOW64\Hfhgfaha.exe

Filesize
160KB

MD5
72762ff7d179dcff99911cff3b8150fa

SHA1
861da1273ecad2262765b4e508ae9cc6824caa0f

SHA256
515335b7e0571196d0acce7de02e5d80192b2e53403c868068439149ad6be2cf

SHA512
340068ca92e0264c23861c10a239f85692bb4c735aaa19f62931a226e5903e46909953b6e75b205f54c33663b04c1a11243202a19c504db81c039fe43efbeae8

Download Submit
C:\Windows\SysWOW64\Hfhgfaha.exe

Filesize
218KB

MD5
7768b7861dcef05a2e46d1bc81d5d9fc

SHA1
339c4ad9a24db88d5a7a362ea80ffcfaa06b682f

SHA256
20ff96be285541a27749b28d264036d880c0a742c9cedc3b8616e157d46df82c

SHA512
dd73fc2510156d43f1a009947dbeb477e319ed9f42e6c769cb5ebd1d44e964d8807fa5504253af28627565645d041edb0fcdfe24d5096f90348b653b524aa787

Download Submit
C:\Windows\SysWOW64\Hnblmnfa.exe

Filesize
182KB

MD5
9adb8d8d482e8e524e8e6ef8af0c0d5d

SHA1
ab560eb393d0143520ca8562b1908c937002bbf3

SHA256
bf0e25ec05ae6cac80676c8b1313b537372875455514afc6c88bafb863b5c5e4

SHA512
bb9233de438f266e8130bc21cb0a3c176cdc03bfc2c5478b854aa922d70d42b08c5d4a04f4df04d233cf2c6768ff3ef63130c88dce4c42b085eebfcd9884dfc0

Download Submit
C:\Windows\SysWOW64\Hnblmnfa.exe

Filesize
363KB

MD5
eb81fad2bdc4d30d5233c01db8c8c493

SHA1
2a033efa9943b893515475e03a635b4ef7bfe551

SHA256
4461e33ac00b734cc93869989994870478c3fc361badfe2f82e76a744fda7bca

SHA512
8d6ee22e6cd1753080c2f14cb008d7558353178841e3ed76f435e538eca9f3fa42b3d5aca0119c8c0da592b3488041ebbce50961f7332ad8156f0f506ea3e327

Download Submit
C:\Windows\SysWOW64\Iebnqofj.exe

Filesize
64KB

MD5
202e9f42c72522f9f37454c6c4df825f

SHA1
52a1bf2d5bdee698b93debc5e8273d8e07ff9d62

SHA256
b4ed5922e023b20d3dd020c7ae6af9283702c4dbd744aa7984f448ff25b04a23

SHA512
c76de2c1571ab9833efa36a4d6c177a9b62a1ff8e965dcff26d427fd97d15964fcf0bdea621db285a9e10f50a693817f7a4d85b93cfe1a0fbe8373d9eb90999e

Download Submit
C:\Windows\SysWOW64\Lalchm32.exe

Filesize
363KB

MD5
fa64f1ad24d9ce78bbc040578a0f2372

SHA1
1933f0038542bcd1bdb008c53f4159ca879fbe4d

SHA256
cb5947e80bfc64187b26666b44b2ffe89b47cfa7bc161b815c957c1fbd0ecc13

SHA512
1f4ffd185a58b309d283e2668dde8f2c880964a7b5148fea34aeb1fa887b8eb5fa149b4efd68de8391a934785e52fe0a93641f062215b2cbc3cbb76dab3867a3

Download Submit
C:\Windows\SysWOW64\Ldhbnhlm.exe

Filesize
363KB

MD5
799d4e04379875b6cc0062cf2634e1b0

SHA1
880776e47920f4371fe68bc55b25296bf101a0bf

SHA256
56767fb197b5b809580f7ae969edf7409829fbd7b842714e0e6ea8ee5ecd8b01

SHA512
5ab53b960c9b8e72a5419f71cf6f8fd7283ebaa0945a478b1e93f1b151ce7737c0e838dcae727ff2c94a89555d5f6b64937186631735100ad3d1409f89fbdf93

Download Submit
C:\Windows\SysWOW64\Ldohogfe.exe

Filesize
363KB

MD5
49d5cbda8e5ab3787c42f2f9c60adac1

SHA1
0ffd13dd627473a99f37f0e9ecc56226137499a1

SHA256
970783165b05366af04606929e2871f3c3659a87f5bcc158529ec5602f38f7f3

SHA512
6a3a98842b6f8ed355d2bc682360411c4b5ee13a93eb154456c669d5e9efb68d1607a9b50afbc64d5868cbd513c7fd2d84af6a70d4f031388b2be49552aa3784

Download Submit
C:\Windows\SysWOW64\Lgikpc32.exe

Filesize
363KB

MD5
5e3f66c0cf9028e742136c9efc51bd19

SHA1
dde31efec66ef66524770994ae993a4e7befb2be

SHA256
c0ba018501c7f4192516640b79f36d56de681000b1e387ef7c2e2681a3cda5b6

SHA512
67eda3949cb473eb61e64bc79d2d588bbaa897e86ca2d8d74703290359f201d023cc1971f99bb52acd9a0a53935e6a9e497e9a630a4e861c6562fa64e8642408

Download Submit
C:\Windows\SysWOW64\Lijdbofo.exe

Filesize
363KB

MD5
8d88a0aadfadd25fcc28ed9dc8be7a04

SHA1
4cd211692555854ccc7f39f5df9cd63a46f74449

SHA256
04b7a7b0da9ee05e2f65dc71c4012d94f17ab4d6e87790427b8038d1030d08a6

SHA512
8bbf85865c78e72eb6064ce1a8152e5023bd2f3aea88e927c5fe9b95a284d0a01c3d3ff6593d31fb1be669490b092e108574df90398d4cb628531bd3829e459f

Download Submit
C:\Windows\SysWOW64\Ljlagndl.exe

Filesize
363KB

MD5
8b68ad5e52696e8b56804fced0253a39

SHA1
bdc57389b76d6f6c602f8df1d8bdbb38445d027b

SHA256
b91e995bb397f38fe430f9bef49a95ba5e7f997ede662e902bf63dd71e167450

SHA512
0bf193416d149bb01588da6f3d719a19618d85e1a87459df8cc804c10158de4fc990ad4f8c9a84e298cf4b6569cf3c1b3bbb96b010015b4614b8db4f6bbe1a7a

Download Submit
C:\Windows\SysWOW64\Lnccmnak.exe

Filesize
363KB

MD5
c9d90b0e7722cc77919df446bde53900

SHA1
288ab2c502be2d53434bb58339aaf6913e573153

SHA256
0bfa89c9672ae7a87df49e1c654b92a9b51fe44af61329c1d4be6ada4c1a0bf0

SHA512
0b58dce77ef039d180c0506ad5c80d7989237686bbac380bb526d63987a430ca5515b9ea151f8340dd64ff9da609dc5555c7d2397bce574f20e47a153b2b1b3d

Download Submit
C:\Windows\SysWOW64\Maefnk32.exe

Filesize
363KB

MD5
4f4cbef04fc333019c007d3096b242d6

SHA1
570b23c0fa0d9adf97de767de662606a3ee1fcb1

SHA256
db756873ede6d3d3655d1ff9ceff236022bc4f070317149153a8423d59c9dfbb

SHA512
fb68c562fa39e8ff8c60acbd888b53b80a2656b2699cea7ab86fe8ac68d828c302e7ce3f9b66e3cbc34699552dd76886afb6865050e3febe65d8342f39a27b1d

Download Submit
C:\Windows\SysWOW64\Majoikof.exe

Filesize
363KB

MD5
b4ca15f47b5507b1871b5513b5b13d6b

SHA1
2f4adb065e3290d4df2cf163adc2bb59d0cfc4ed

SHA256
0c5741bb912d40f9e7f1f0109abba7c40353ee9f46041a3d466f71227dc9cdc5

SHA512
2ca0e48fb1babab8608ef6d8378f6f64c4dfbb2636bf9d2641ef7ae631826cba0c2b39ea23fb195f40959ffd68591b0f21414abe2cfd1670ce5b24fe54c214d4

Download Submit
C:\Windows\SysWOW64\Mdaedgdb.exe

Filesize
363KB

MD5
f8ced6a7a7a4ce6d65b964bbc6122556

SHA1
71a91d60a0f35d3ed014d8f5d494b1a59d5053a8

SHA256
5942e2c73b56ae9b7556947444cd79e969b1ee0d6e361680c636c705582b6054

SHA512
ad60406802318cffc643e860975b4ba709493720a5521f5627569b3142267b8d142a01bba793089813b34beca04b452f9d39d8b2e3056e3d39fd056d279bcebf

Download Submit
C:\Windows\SysWOW64\Mgdklb32.exe

Filesize
363KB

MD5
cfa7d3e69d4bab285c1e77bed44cd1e8

SHA1
c9a9701bb273c96c0756c2e23406de5ec0c0380b

SHA256
0129e597cdbccb12a35200fecb3b2d17670920903f1977f0da1494854eb371f5

SHA512
8b8f5670d836ce7a098b3f8676ed571ea8121fed6975c22a371f18e5be3421a9101f2f5efb6e4ead0aa5d36bcfd06bfa989de57c3db5ea6af0981b2e653c9635

Download Submit
C:\Windows\SysWOW64\Mjcghm32.exe

Filesize
363KB

MD5
cf3d7e69ff18b84e9138e022d28e4212

SHA1
37e6835404cc4496d3f5219e54cf197baca20d53

SHA256
7422d70c34818d37b3432d598a5a0e13151a9233676736c5f438ea1d6a54b164

SHA512
8d960183bf6cab0f30eeb3621c978974b6f74db3dcdad6ad805ef193c78de120f5c4bdf6260bde326e6b3aa22a1d5f4fcfd276ed290040fe471f39ee2fec1319

Download Submit
C:\Windows\SysWOW64\Mknjgajl.exe

Filesize
363KB

MD5
bb42361e2b577ab367a996cb55738163

SHA1
c40b813f9840aa1da7f77e601f25b3f375a98284

SHA256
b3ad7a10d4efa438d7ff9b6783257adf4e353b6c98890824763e12276dfaa924

SHA512
088f33aef6a41dd7e186523fe31baef7828f05a35f566d5e1c4b12f508ef92735b744748306d2cf3fc64a67f078fdffafdf942515476c0ccd862d13853508648

Download Submit
C:\Windows\SysWOW64\Nacboi32.exe

Filesize
320KB

MD5
436d93bffa7b25c6fb48c9a483df3609

SHA1
61dbfa131836d17ffab4000394852713d7ab9ced

SHA256
524468ca81ea9c2c158cbc387960e2c1dd3841f9ff36345d1ecdbb2c61e5d7ad

SHA512
7226cd19f412969d42512f8bba5366e5257b4b62ea56e7494717af32c76d09c9262bad12ef75ad0bbdedebe47cac5fcf3fef95522e85698f99e440679ff2998e

Download Submit
memory/388-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/388-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/392-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/752-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/844-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/844-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/844-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/844-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/924-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1060-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1060-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-434-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3192-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3888-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3960-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4112-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4452-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4536-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4560-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4896-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads