f1de77b6b21a7f0a577d670fbca0e5de31791bcce7a791c45c003f98755cdfe4

Analysis

max time kernel
2s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7f72a5dd1386a146d6635f93dc600a4.exe
Size

440KB
MD5

b7f72a5dd1386a146d6635f93dc600a4
SHA1

4dedfa665558bba7c2dca98184a5d7f28032508c
SHA256

f1de77b6b21a7f0a577d670fbca0e5de31791bcce7a791c45c003f98755cdfe4
SHA512

e3fb6fb92593fe977263ebebf7f1dee98d541cbc51c88fd66fb960d70312ce77c1fbfebc3b3ff9415c2fdbe75c1da87d7d7e01b054bcc378a31fcb82b6d1c81d
SSDEEP

6144:1MgdmJXhOXWXJb/lO40yjstmzsXhOXWXJb/XuNocjdQLWXhOXWXJb/lO40yjstmg:1M8WZ5WTZRQZ5WTZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b7f72a5dd1386a146d6635f93dc600a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe

Executes dropped EXE 64 IoCs

pid	Process
1184	Gqfooodg.exe
2268	Gfcgge32.exe
4056	Gpklpkio.exe
540	Gcggpj32.exe
3616	Gfedle32.exe
4340	Gidphq32.exe
1236	Gqkhjn32.exe
3580	Gpnhekgl.exe
656	Gbldaffp.exe
4508	Gfhqbe32.exe
1168	Gifmnpnl.exe
3784	Gmaioo32.exe
4348	Gppekj32.exe
3216	Hclakimb.exe
3432	Hboagf32.exe
2476	Hjfihc32.exe
4148	Hmdedo32.exe
4184	Hpbaqj32.exe
2480	Hcnnaikp.exe
1708	Hbanme32.exe
1664	Hfljmdjc.exe
1988	Hjhfnccl.exe
3980	Hikfip32.exe
3400	Hmfbjnbp.exe
3160	Hpenfjad.exe
3572	Hcqjfh32.exe
3556	Hbckbepg.exe
4232	Hfofbd32.exe
724	Hjjbcbqj.exe
1188	Himcoo32.exe
4688	Hmioonpn.exe
3584	Hadkpm32.exe
3412	Hpgkkioa.exe
4992	Hbeghene.exe
4144	Hfachc32.exe
2128	Hjmoibog.exe
4292	Hippdo32.exe
2992	Hmklen32.exe
1380	Haggelfd.exe
1476	Hpihai32.exe
1764	Hcedaheh.exe
3764	Hfcpncdk.exe
3208	Hjolnb32.exe
2044	Hibljoco.exe
2940	Hmmhjm32.exe
4580	Haidklda.exe
2456	Ipldfi32.exe
2136	Icgqggce.exe
2008	Ibjqcd32.exe
3444	Ijaida32.exe
2716	Iidipnal.exe
3780	Impepm32.exe
3996	Iakaql32.exe
3820	Ipnalhii.exe
4216	Icjmmg32.exe
1876	Ibmmhdhm.exe
4488	Ifhiib32.exe
2060	Iiffen32.exe
2840	Imbaemhc.exe
3752	Iannfk32.exe
3588	Ipqnahgf.exe
4696	Icljbg32.exe
3900	Ibojncfj.exe
2260	Ifjfnb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	b7f72a5dd1386a146d6635f93dc600a4.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gppekj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6768	6668	WerFault.exe	252

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1184	2324	b7f72a5dd1386a146d6635f93dc600a4.exe	89
PID 2324 wrote to memory of 1184	2324	b7f72a5dd1386a146d6635f93dc600a4.exe	89
PID 2324 wrote to memory of 1184	2324	b7f72a5dd1386a146d6635f93dc600a4.exe	89
PID 1184 wrote to memory of 2268	1184	Gqfooodg.exe	90
PID 1184 wrote to memory of 2268	1184	Gqfooodg.exe	90
PID 1184 wrote to memory of 2268	1184	Gqfooodg.exe	90
PID 2268 wrote to memory of 4056	2268	Gfcgge32.exe	91
PID 2268 wrote to memory of 4056	2268	Gfcgge32.exe	91
PID 2268 wrote to memory of 4056	2268	Gfcgge32.exe	91
PID 4056 wrote to memory of 540	4056	Gpklpkio.exe	92
PID 4056 wrote to memory of 540	4056	Gpklpkio.exe	92
PID 4056 wrote to memory of 540	4056	Gpklpkio.exe	92
PID 540 wrote to memory of 3616	540	Gcggpj32.exe	93
PID 540 wrote to memory of 3616	540	Gcggpj32.exe	93
PID 540 wrote to memory of 3616	540	Gcggpj32.exe	93
PID 3616 wrote to memory of 4340	3616	Gfedle32.exe	94
PID 3616 wrote to memory of 4340	3616	Gfedle32.exe	94
PID 3616 wrote to memory of 4340	3616	Gfedle32.exe	94
PID 4340 wrote to memory of 1236	4340	Gidphq32.exe	95
PID 4340 wrote to memory of 1236	4340	Gidphq32.exe	95
PID 4340 wrote to memory of 1236	4340	Gidphq32.exe	95
PID 1236 wrote to memory of 3580	1236	Gqkhjn32.exe	96
PID 1236 wrote to memory of 3580	1236	Gqkhjn32.exe	96
PID 1236 wrote to memory of 3580	1236	Gqkhjn32.exe	96
PID 3580 wrote to memory of 656	3580	Gpnhekgl.exe	97
PID 3580 wrote to memory of 656	3580	Gpnhekgl.exe	97
PID 3580 wrote to memory of 656	3580	Gpnhekgl.exe	97
PID 656 wrote to memory of 4508	656	Gbldaffp.exe	98
PID 656 wrote to memory of 4508	656	Gbldaffp.exe	98
PID 656 wrote to memory of 4508	656	Gbldaffp.exe	98
PID 4508 wrote to memory of 1168	4508	Gfhqbe32.exe	99
PID 4508 wrote to memory of 1168	4508	Gfhqbe32.exe	99
PID 4508 wrote to memory of 1168	4508	Gfhqbe32.exe	99
PID 1168 wrote to memory of 3784	1168	Gifmnpnl.exe	100
PID 1168 wrote to memory of 3784	1168	Gifmnpnl.exe	100
PID 1168 wrote to memory of 3784	1168	Gifmnpnl.exe	100
PID 3784 wrote to memory of 4348	3784	Gmaioo32.exe	101
PID 3784 wrote to memory of 4348	3784	Gmaioo32.exe	101
PID 3784 wrote to memory of 4348	3784	Gmaioo32.exe	101
PID 4348 wrote to memory of 3216	4348	Gppekj32.exe	102
PID 4348 wrote to memory of 3216	4348	Gppekj32.exe	102
PID 4348 wrote to memory of 3216	4348	Gppekj32.exe	102
PID 3216 wrote to memory of 3432	3216	Hclakimb.exe	103
PID 3216 wrote to memory of 3432	3216	Hclakimb.exe	103
PID 3216 wrote to memory of 3432	3216	Hclakimb.exe	103
PID 3432 wrote to memory of 2476	3432	Hboagf32.exe	104
PID 3432 wrote to memory of 2476	3432	Hboagf32.exe	104
PID 3432 wrote to memory of 2476	3432	Hboagf32.exe	104
PID 2476 wrote to memory of 4148	2476	Hjfihc32.exe	105
PID 2476 wrote to memory of 4148	2476	Hjfihc32.exe	105
PID 2476 wrote to memory of 4148	2476	Hjfihc32.exe	105
PID 4148 wrote to memory of 4184	4148	Hmdedo32.exe	106
PID 4148 wrote to memory of 4184	4148	Hmdedo32.exe	106
PID 4148 wrote to memory of 4184	4148	Hmdedo32.exe	106
PID 4184 wrote to memory of 2480	4184	Hpbaqj32.exe	107
PID 4184 wrote to memory of 2480	4184	Hpbaqj32.exe	107
PID 4184 wrote to memory of 2480	4184	Hpbaqj32.exe	107
PID 2480 wrote to memory of 1708	2480	Hcnnaikp.exe	108
PID 2480 wrote to memory of 1708	2480	Hcnnaikp.exe	108
PID 2480 wrote to memory of 1708	2480	Hcnnaikp.exe	108
PID 1708 wrote to memory of 1664	1708	Hbanme32.exe	109
PID 1708 wrote to memory of 1664	1708	Hbanme32.exe	109
PID 1708 wrote to memory of 1664	1708	Hbanme32.exe	109
PID 1664 wrote to memory of 1988	1664	Hfljmdjc.exe	110

C:\Users\Admin\AppData\Local\Temp\b7f72a5dd1386a146d6635f93dc600a4.exe
"C:\Users\Admin\AppData\Local\Temp\b7f72a5dd1386a146d6635f93dc600a4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\Gqfooodg.exe
  C:\Windows\system32\Gqfooodg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\Gfcgge32.exe
    C:\Windows\system32\Gfcgge32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\Gpklpkio.exe
      C:\Windows\system32\Gpklpkio.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        28⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:724
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        49⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3780
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        56⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        63⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        64⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        67⤵
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        69⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        75⤵
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        76⤵
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:800
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        80⤵
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        81⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        82⤵
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2056
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        85⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        92⤵
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        93⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        94⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        95⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        96⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        97⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        98⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        99⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        100⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        101⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        102⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        103⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        104⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        105⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        106⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        107⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        108⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        109⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        110⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        111⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        112⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        113⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        114⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        115⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        116⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        117⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        118⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        119⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        120⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        121⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        122⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        123⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        124⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        125⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        126⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        127⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        128⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        129⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        130⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        131⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        132⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        133⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        134⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        135⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        136⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        137⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        138⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        139⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        140⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        141⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        142⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        143⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        144⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        145⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        146⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        147⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        148⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        149⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        150⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        151⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        152⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        153⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        154⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        155⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        156⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        157⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        158⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        159⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        160⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        161⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        162⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6668 -s 408
        163⤵
        Program crash
        
        PID:6768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6668 -ip 6668
1⤵
PID:6744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
440KB

MD5
e487c9610022e19f91db45c980c16d10

SHA1
c4107861fea3069905daa4a8e448c6b802ed8e28

SHA256
8cf02fc687c91b239f69da4797dfc711781ec4ccef56bd25b61155a77455606b

SHA512
b41f5fafd898cc945e4e50dfceed134cb4adfb5b4846c021412555ef6e3bbe328e02e00a10d1783b09514686d29157c06493b256174e2707e1038c7d4f86fa37

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
440KB

MD5
2865ddf37dee4adee45977a5d122c99a

SHA1
d5b600e31002b360e87103e8ef3e66f8201b9bf6

SHA256
49cf37936f69b066ee69ea84b31ec1a87caee0039c1a554ef8cb619434c3e3ff

SHA512
e8750b7d859da512f3455823c11f0d0245d2635b2bc29f99e9ae068d87b81af1d44b1dba4eed2026a64f52d4f8f4a62678162dee90e0f5e9c0ca67204ba593aa

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
440KB

MD5
7853b1cfa17fe3cce4ee0d27c1ec8912

SHA1
897a29036af237e6f32ffcc73b1e60421c11370c

SHA256
79d80de1170ee04550d5c9f2457340d2f9bb22072aaf4f9e5748ff4646c918ff

SHA512
a875123184cb1cd2b436dca62487f455068431a77f3da36e016e4ae26b86b000dc6f81227df8583c121673bdc99ebe8541650bb60434b0c33618575fdeed233c

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
440KB

MD5
37ddc978bc5c5f2ef3b37712dbc9997b

SHA1
b6708be252a07f4c001ab186aba1b96621eb4b92

SHA256
8724914c7abb4942c20851c6861edde1351838ffe1baff73d5a54f9007853525

SHA512
459331756536506f94ea985b0a312de2b2444affd6f14fa5fc8beb3d910c55b29f4dfb9bf45cce8c49a1f9bd95dfa84598662af2f09df001c3b3af54b327691f

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
440KB

MD5
fa8e3e7c30d094a11af0cfae0d884fc0

SHA1
b2f973e1c7c5dc96c73b546a7a14a5f41bd69eb4

SHA256
ad0b64b9e727fcee4b8d992ebf54f57c7cbbcb57816672af818a57f543c97741

SHA512
39e09f8c91587f01df25fbd930be7ce7f8bd9d2694b16b1505365b672dafbc4222a81f701cc0c0b2dc1d6e8b2c6401c891cc60ef23c3eaad7a2ed49aec60217a

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
440KB

MD5
766aba303a64c40eb8bce04ef7d26c59

SHA1
6513a0cdd68a125d8bfae85f862ce962ee188793

SHA256
b9b2616cdaea141cee2b180dda8b84561d5edfaf5a568becdef3cf379b54e39f

SHA512
4d04d52c6d8df266748912474b5a90ca2f294930846a1d26ebd95ccd128fed68997092b4ca0c54a46f83004e4c6e521906c1556c1045792b301de6fd0e53ce60

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
440KB

MD5
376d4d8e19c294ded5fb8e7c29f53859

SHA1
b905f29b889f94883cabcdc7e11d7c374cb93c15

SHA256
a2382e666c53f3c66e93387133e9d3836c9895fa3bd5ee335db1aeb76860d620

SHA512
f98179a67533de2e792fce31930515bb6c5325a6b8fa0a5d5969d81938afb8a136ae8578bac74ba38ce0953cf68d0b39f0e38922947639a7d4d31afb7b487077

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
440KB

MD5
d0da9d974e021e3baaf5bc9f7f9eccf4

SHA1
3363dd0ad010dda3076cb6bf18f1cfa3909be283

SHA256
9ec3125e5750ea6bdbb31b169d187ab57ed785bcedccae8c5faef631e36eb0f0

SHA512
830574e6e0686149da30f5bd56c45faf0e6d6726842b6ed619b562dec76a14159f44a904f21dc614bf8bfd443d4e3fa677abd50c3946ba240653059c47fe81a7

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
440KB

MD5
89e1a7cee18138da997f248fd43d81fb

SHA1
b4aa1ac0c343b1cf6c09a1f5cf3778a37515513f

SHA256
cbadfd2d4f73cbd5e9c859efc0cbc95af8985d14c3c3dc33a1ebabed782b72ed

SHA512
c528f4e9fc1ca50aa18f33c23c5efe07bb752cc3f7f547592df95250eea31040c55de6ce550171141e827d1bb3e7e16690e9939d66ba258fafbeb15ee7d7f6a6

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
440KB

MD5
75efe3d2e4b94c54b3b0a9cbbd57df13

SHA1
72feab6cbf518b1f1f7fa9e8af28e5bf5afb8fe6

SHA256
fe93c854f3c4a2599829d24b07d9a67afd7eac0a2ed1dbea8de553477705f743

SHA512
1ce468bfef02d8f553a5083ab8ff849dbbe8c6398bcb4f7f3acfffff6a5c2c2e620825d0cc80b712739d0ddca1aabe9079045f11426a9f3651f15681e03c1d7e

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
440KB

MD5
ffbeaa974995f3655361e7ddd82f11b9

SHA1
d440d1a0870937b5bfac3f318ea40e54496530f8

SHA256
5242b2382c5734f2e0324c686a5b1e8b61e12f2b6ba29ddfd2977b1da1ddf444

SHA512
e872bea2a88732ffea104b23fd83238c563907e3f0f4ffe3301616c7d86defc4798de256e8c903a02168e2e48155097ce55bd8af838ad87a0347fe75fd29ede8

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
440KB

MD5
5f0e33761af661587827c7bd48b5578d

SHA1
dae008298e3ec7530961c5713592a3dff829f132

SHA256
41fb711a6912d042d85752ecbd9dcde7d0c460498f45044fc05384ef6abe6afa

SHA512
909e22e90343cf217b43e13a1a7b4c4a5032d797be1ca8a749739ba65cbee4b8ae368bd65fd125c085d69b783b37bdc625317b4a1a1a6e2b52982d9a86b7ca8c

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
440KB

MD5
1d130370e80854ad506853899e465ac1

SHA1
aa22c64792024c308525ea9e4c8ba78e45b9f994

SHA256
3d33397ce9c2fdbfb1a6235f27d0a722148e884936ac765065d693e48910df3f

SHA512
55c7f474ba5b6f9e3538d6b204b32b7e8a182e8f96c9a6cceb9bdc7019855789637335079b76b4bb1352c79c6b79b35981e621740a97348d11eef551f24a2c74

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
440KB

MD5
5963c69407b36e8c83f1dccd23903ae9

SHA1
8359d8ce8cd98d94e7bfe9889a78a0380b1dd2c3

SHA256
47c551ca1ee95265ea659cf8c4459c8ff4850785e7352e6651950ca0c3884b7f

SHA512
fdf62021192aa29a3c3f47c42988ba3ffb5a5dc843c04c2ec2ed72d705782f7bebaa7546d9f29f4aadffe3f7aab1dab23073ef925cb57f9c19620cbe66de7756

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
440KB

MD5
661e7ff036868f2780bb815426b696bb

SHA1
03bef0a0f53387e526a5cf334329122da1bb0707

SHA256
79617061bb6ae8cd81e71e732df15901c2b177727560c10cf2feccb75a389eca

SHA512
9a4579786e575b2e822d0801adc2ad0500a2cb676016209da4d7cfe3d8fb97cfc429d88dd67c57425fb41eaf33592dc8fb6a830cbe2c777c1e4083bccc47b5ae

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
440KB

MD5
18162a71748bd405f36565ef4ab76de0

SHA1
862a82500f5a0ba87fb2989ffe16dd7b54d17e68

SHA256
2510577d606fff967ac68d34239d72006dd972352dae72d5330e9dc6f7995511

SHA512
87a2264e80d747c6914310d83e91104d5e1553127cd23aa04defc0d5540804de1dff17b71922eb74f3650ad3da35bbad42b1c143e9343dc2f781fa77f1f1895f

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
64KB

MD5
caeff314b80587bcd450382921139c18

SHA1
d1043784721650b105bb89be119035bfa186bbbb

SHA256
da60fa921c332f9418b832a96599adfd5bbacfc65509b13399c6f4f8746eba8c

SHA512
9b68160d36d7aba5d42779b00bfdca194e1e963e99cd2e8f9498192788d92370f7b558396e1312a78c115a5329df700b34860c18cbee86b1980615046348fffb

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
440KB

MD5
da6004d456b5e7ad6341d431f3344fdc

SHA1
e0f572c020ee87ec92fa10693a0fe94cd3261598

SHA256
d175e88fdaad6e22556bd41927970e72804b0d3c9bb1af8b950dbb315f6be58c

SHA512
94363d2714976062a1f0cfa5fadf410f1c5ab440b91301e1efe6cfcb558dcb1b25714e8a72cb79831e6a41d52a647f28afb6936b2052138d65947103af291558

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
440KB

MD5
5fbaf2c2ab1a56790eef2171323f3f5f

SHA1
4f516b829d42bb5aa7e57ab790d8df5d2e663ec5

SHA256
c51fe5319019b64689cbef8686598a0644837d2e1fbd2e35c740729005c99e65

SHA512
0679aaebf8dc89945dfcb7590680503a16aea1801d36712886931de3de9287af3cc7c3825e5a1efc0295219d95624670f61df667c670af9c7887b706587c52c7

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
440KB

MD5
ddfb1731bc1f58cd2494cc68c84a77de

SHA1
a9b062be3056ca70d4f85b82f355f8943e23353c

SHA256
7094c939b080d0fd6f1502d0c651e1604c4eb414784d7d30b118831ec10222fe

SHA512
d8e0cc39019d28cbae2a8246dc5f27c0a2d7a47487c1a6e083c2dfc8b3d4ac1274353f1119baa8adb11fd36e511495e048a445f6ca7330670fcecf8524f6112d

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
440KB

MD5
1094a5e2aba81d540ba65486a3417aa6

SHA1
5a42a12c5d5af21433c7295ba70bf25b86f58cbf

SHA256
b5d347d8f762de2c049a3b6205a6fee07abed8b9f3a7e88982f61603e90fc170

SHA512
e90e1236ee736da976b71765acce6972a38f9ee8a8f20f7e3bfda461ffc79d0d5f4b3cd0b1b047e167eea4fa587c9b10244282586722b7742e85e1ba3d47806a

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
440KB

MD5
d03d126549e3ae6f8e61fcf6eb9f8b91

SHA1
59fed4f2e90c24b2fb122a3d56afa9ba4cecd13f

SHA256
599b05c6e14056cacbd89f68f027bde6d79bafac91a064273c5c55031ba3e097

SHA512
6501eb67fdae8614ea183415bacf9c0f164fa4629b5097a9da972dee4d4fa36b9072bb6725c5f6df8a4deca8129a6457121df67c4e9ff6d58f3dfedf59b3b4bb

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
440KB

MD5
43058bd565f7c6d0188ed7834cabd880

SHA1
6571641718fe4ab97bb9c665628a48509a748bca

SHA256
74fd65aa009dfa02f072ebae99dc2316d4dd9d0f3ead8ae88f9b4a159b4eb319

SHA512
02c79bbac3d9a450c63abce6828d47e7259019a7b37526c1d58433fe783cdbf437ef26207c4f2096cf771dde5ef683f28e54f8ae55c8430faa1334d10e73ca24

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
440KB

MD5
a97f227d0ea78c65483b6890b10fd460

SHA1
56c8a24fed7f5955f0b610566c60b78937c2a745

SHA256
8627c3ac0519fd828980689593167326151190d2f82bbc1659eeef8a3bb791ae

SHA512
26d5d9497f30ad7d8c90d849f88f6145d5a44c07a112f8ade79e561ba27f90b720269ee060b2c66543aca4c129425c57e4232520d9e5f734d4caa52aee29824e

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
440KB

MD5
49199ec8949d7597c23a1b1aa4537005

SHA1
c5941648461a6403de0e97679883b9ad91e8e305

SHA256
5443d09a2bd5cec6fb2b71fb88e28a0bb266d7d8c4048a89ef6ae5742754da97

SHA512
9d45174a9ffd85b9f5572c49de4cf2b56b66c225a8b43cd51d7d6e05b6e38168c41a8bd5347321f8633e10a69b2c7201e59371a0e693eed2205c9937d42abb50

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
440KB

MD5
506036e82dc19397a3140390f8f12e97

SHA1
4f3b51e8f8b8a356e149c8c68dce07ca946019b6

SHA256
9cb3d17f47e714908d8ca6bf5b5a56b09a59148191c285d15382b5cdcb2e7296

SHA512
eae11736929c5fbabc57af29039057b6ef7ba3327fdb8be85a56906aae8164b2930b0293d72c874bd8be0dfc5d30534ed931ef43bb59d1abf084ba4ff0ea1aaf

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
440KB

MD5
804514402927e89221fb1b9e8fee3608

SHA1
b38c58d7b26c2fe54ef287c21cd26f3a79d316c7

SHA256
7f3c644621b2d6d8c1260caf1823cc5ba07d61788ec81c99d0c379d90b2d7e86

SHA512
07f523aeeb746140609173f4029f9d8a2fcb9fcd56846b691043ddebfe31d4bb495111a7674cdb815ef5c3d98ae76f2f5bc66158bbcb592be46d99001a55c2b0

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
440KB

MD5
7915d80c3820c0662e2d87488ec6c53d

SHA1
c73adef4c96cbafb13e73a5f36ecaa67fb4fd70b

SHA256
9547be1a48eb9a8eb0436d38ec718ada5721f6b4913e83aa1c4d5fa524191ecd

SHA512
63efdd5d3d996f64e37396755b5baa2c83b5f481ccfd9f1e3fae034cb4503708e613e3755c2301654d738960d00493cf95c185c48c1419c1f59491d67fb14c7e

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
440KB

MD5
c0da51268d827cabf00ee88fbf31447c

SHA1
c3652a2cf4b40901acd62b51aa21a6da3b39041c

SHA256
25baa1bba98c3a131b756e9b0732a017105422def23c1df26ecd56f8727fc8d4

SHA512
7349bb5ba4454e5ea458588611d4d88ae1d61679039e90ef5347561b6caaf2e02fda25f6b5cb755d7c094c3c491b1d458283a744c0c1ba53b59c4281771a57f5

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
440KB

MD5
f47a6df6d1c8ab3804e6ca620a4b2040

SHA1
1ea5096f1498ecfc6dd1838fb9041ff88c324395

SHA256
ddf8f073d366f6f83b290b72cb02a0c007166c2556de8a07b06c421ef5f2c888

SHA512
f171d09758b4d4154ef647683e164291b41a81cf390edfd05392a8fac117cc6f408dad07a68f9011ed9ca00f3ca41f39f0c850432ba1ae6f8403f8a4d9e6e1ac

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
440KB

MD5
d8e95f3593c9c2784c68f5258eba0d57

SHA1
b97a99f9142df71d967f898916426d05f0cc6958

SHA256
55f5ec8915382673afe8db792b7632a38886f720061fcd9ea149f437c704e943

SHA512
dba45d6f69d3282faaf4d60630d423d37619ab85425c615fdf8e5ebe6c5deca4f6e64f93a88a25a643ee210467d00d938ac4239f646b238b7b21f38f2297dfd4

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
42KB

MD5
e99425580319378f285638fe22fc8da2

SHA1
4b350c24b1358a45770ecdb45016f840e6c74602

SHA256
021bacdbd38173a0921bc3b519ff76d9388821d14f0f4b6cac9de65585e588ca

SHA512
09a701c7810c790032b9ecc7d86c6a49ab09cc2d309cc7bff028f567ffb0386049d51ac0560adf31290b7ce69ddfc47eab9b7659c00faf6c7152a0bcc658f205

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
440KB

MD5
3612fb7fc1b3c73e19a57b82b084084d

SHA1
4880b3db9a72d10dc22f2647983c0b7639984839

SHA256
fe5a0ecc9b63bdcaae8c13a3c7ed5652103585231b763f1f3f125b752399c661

SHA512
193628d513e9bc5b391ddb02bc4e57965d993279a472c61cfb83625a6494e60fb90324b4160cffba2b3d0f95158f5677c336213e284f4a4ca40617464670f971

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
440KB

MD5
6972c26def33e4aa2f3248049aab588e

SHA1
21a52ade4c070f90c814f9ac1c61d38b900bd232

SHA256
7f601f5854ca0d6ca6834a0cb9c6a12cb4ce2f053e57854188faf97ca1a4e103

SHA512
a23980d743e9de5f7f794dd30afb0e18c893b097fa1bb13f541244b81ddd3d2617babbb27115b068904bb142b163190283f020a016c58de9021ce65d3045be55

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
384KB

MD5
70e39e33e224c130be4987a15bcc8a1d

SHA1
c9b393f1dc5cfd865abcc0ac802b4c41cc9cf54d

SHA256
cc3d805214f6049002055fbf63c5e78195b7a2177f54a5c57ee935864578b964

SHA512
2d5bfd481e612e704bb3d89805397c14d9c09b6d9f7b14657fb73d1d9adc626087dc7d733ab8fef6c5943516566b993d4c2e5c9e08df140d987328cef261951a

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
421KB

MD5
975d9592de1f47887554bc7643909bb9

SHA1
6694c7d66bf9e58651c9cb1f28d98bdb86808647

SHA256
fc648ab9f87517bd70645a2d27af60320ee2bc152955e736cb200617461ccff7

SHA512
314fae8164732e15c97bfc1ae067abd11d7e046d17b271cc7ed937d09044fd5f99c7ac908a5c33472bf071adb9a159c10da66f2dfc897651aa98ea3f97036d0a

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
440KB

MD5
c3c42b8db7a8dc9d38a2d059a7e8e0ab

SHA1
f12420c214f724cb1d8bd3bcdf0751779f476152

SHA256
f23b60d000714dedb40b7b4435ba5e28b43873b3c18d123952a9905b7f6533e9

SHA512
d8f3da744014f4fd3a88caadbd57ce324bf5731b681e4683c411d9e11941bef5b26671df06395b7322bd53a28a59e2a0b5fd6473ed98f0e58390e74b475c47b6

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
440KB

MD5
57a20f1870262140a83eba5d09a4f81b

SHA1
c8e899855ba4f54ed96fa431fc9a66b0a1189dd0

SHA256
7b8f4498280224137a389eb9f7dd76b86ced802bd9386aa6e9dffd8361fb09f9

SHA512
943b6d6622d707a60510534848a3c52fb2518ae53ea0a5b4f90e8b05148f5a192d5acf55ef5cd4b1e20c7c0e5a36769ffa6b76f5519f396e7416bcf16a2195a7

Download Submit
memory/540-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-565-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5132-1064-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-1078-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5336-1063-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5340-1075-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-1051-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5476-1073-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5544-1061-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5556-1072-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5648-1071-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5692-1070-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5792-1069-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5808-1053-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5840-1068-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5908-1067-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-1084-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5964-1046-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5968-1083-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6016-1082-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6036-1057-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6044-1047-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6056-1081-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6092-1080-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6176-1044-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6260-1042-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6424-1038-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6624-1033-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads