b116ad7466bb7438899f61147e409479c8cc0c1af27019de153b3ab8ac2b448a

Analysis

max time kernel
143s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7e4a42793294245640404e97bdc2e8f.exe
Size

64KB
MD5

b7e4a42793294245640404e97bdc2e8f
SHA1

61d4b6b4ce47d936a252ee5dbef5ba8cdd0514aa
SHA256

b116ad7466bb7438899f61147e409479c8cc0c1af27019de153b3ab8ac2b448a
SHA512

963f1ecbc1f662b512e7083f9c2a33d9435e19e6bf4a7969a7412b54c0c27ba1289b1eff5d2f61ad3847479478e8a2a1e3d009d85eb02a94ea78ea3c2081194b
SSDEEP

1536:uocHYUx+ByXqrbenO0FjCSTj2L6sBMu/H1:E+Bjeb9Ct6aN

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b7e4a42793294245640404e97bdc2e8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b7e4a42793294245640404e97bdc2e8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe

Executes dropped EXE 64 IoCs

pid	Process
4496	Gfqjafdq.exe
1084	Goiojk32.exe
4692	Gfcgge32.exe
1928	Gmmocpjk.exe
3616	Gpklpkio.exe
4156	Gbjhlfhb.exe
3620	Gjapmdid.exe
4668	Gidphq32.exe
2952	Gqkhjn32.exe
3764	Gbldaffp.exe
2256	Gjclbc32.exe
2180	Gameonno.exe
4684	Hclakimb.exe
3372	Hboagf32.exe
2688	Hihicplj.exe
2216	Hapaemll.exe
1552	Hpbaqj32.exe
2696	Hbanme32.exe
3520	Hfljmdjc.exe
4480	Hikfip32.exe
1900	Habnjm32.exe
5116	Hcqjfh32.exe
3556	Hfofbd32.exe
3232	Himcoo32.exe
3892	Hadkpm32.exe
1736	Hbeghene.exe
3992	Hfachc32.exe
4416	Hippdo32.exe
2648	Haggelfd.exe
2368	Hcedaheh.exe
3148	Hfcpncdk.exe
1604	Hibljoco.exe
2468	Ipldfi32.exe
4976	Icgqggce.exe
1112	Iffmccbi.exe
616	Iakaql32.exe
3144	Ijdeiaio.exe
2540	Iiffen32.exe
2264	Iannfk32.exe
4436	Icljbg32.exe
3408	Ijfboafl.exe
4100	Imdnklfp.exe
3132	Ipckgh32.exe
3160	Idofhfmm.exe
3996	Ijhodq32.exe
1996	Iabgaklg.exe
4120	Ibccic32.exe
4128	Ijkljp32.exe
4520	Imihfl32.exe
2280	Jpgdbg32.exe
4308	Jbfpobpb.exe
2876	Jjmhppqd.exe
5112	Jmkdlkph.exe
2436	Jpjqhgol.exe
1340	Jbhmdbnp.exe
224	Jjpeepnb.exe
1512	Jplmmfmi.exe
5088	Jbkjjblm.exe
1792	Jjbako32.exe
2904	Jmpngk32.exe
4232	Jpojcf32.exe
4408	Jbmfoa32.exe
3972	Jkdnpo32.exe
2268	Jmbklj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gameonno.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	b7e4a42793294245640404e97bdc2e8f.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6816	6696	WerFault.exe	245

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4496	1388	b7e4a42793294245640404e97bdc2e8f.exe	89
PID 1388 wrote to memory of 4496	1388	b7e4a42793294245640404e97bdc2e8f.exe	89
PID 1388 wrote to memory of 4496	1388	b7e4a42793294245640404e97bdc2e8f.exe	89
PID 4496 wrote to memory of 1084	4496	Gfqjafdq.exe	90
PID 4496 wrote to memory of 1084	4496	Gfqjafdq.exe	90
PID 4496 wrote to memory of 1084	4496	Gfqjafdq.exe	90
PID 1084 wrote to memory of 4692	1084	Goiojk32.exe	91
PID 1084 wrote to memory of 4692	1084	Goiojk32.exe	91
PID 1084 wrote to memory of 4692	1084	Goiojk32.exe	91
PID 4692 wrote to memory of 1928	4692	Gfcgge32.exe	92
PID 4692 wrote to memory of 1928	4692	Gfcgge32.exe	92
PID 4692 wrote to memory of 1928	4692	Gfcgge32.exe	92
PID 1928 wrote to memory of 3616	1928	Gmmocpjk.exe	93
PID 1928 wrote to memory of 3616	1928	Gmmocpjk.exe	93
PID 1928 wrote to memory of 3616	1928	Gmmocpjk.exe	93
PID 3616 wrote to memory of 4156	3616	Gpklpkio.exe	94
PID 3616 wrote to memory of 4156	3616	Gpklpkio.exe	94
PID 3616 wrote to memory of 4156	3616	Gpklpkio.exe	94
PID 4156 wrote to memory of 3620	4156	Gbjhlfhb.exe	95
PID 4156 wrote to memory of 3620	4156	Gbjhlfhb.exe	95
PID 4156 wrote to memory of 3620	4156	Gbjhlfhb.exe	95
PID 3620 wrote to memory of 4668	3620	Gjapmdid.exe	96
PID 3620 wrote to memory of 4668	3620	Gjapmdid.exe	96
PID 3620 wrote to memory of 4668	3620	Gjapmdid.exe	96
PID 4668 wrote to memory of 2952	4668	Gidphq32.exe	97
PID 4668 wrote to memory of 2952	4668	Gidphq32.exe	97
PID 4668 wrote to memory of 2952	4668	Gidphq32.exe	97
PID 2952 wrote to memory of 3764	2952	Gqkhjn32.exe	98
PID 2952 wrote to memory of 3764	2952	Gqkhjn32.exe	98
PID 2952 wrote to memory of 3764	2952	Gqkhjn32.exe	98
PID 3764 wrote to memory of 2256	3764	Gbldaffp.exe	99
PID 3764 wrote to memory of 2256	3764	Gbldaffp.exe	99
PID 3764 wrote to memory of 2256	3764	Gbldaffp.exe	99
PID 2256 wrote to memory of 2180	2256	Gjclbc32.exe	100
PID 2256 wrote to memory of 2180	2256	Gjclbc32.exe	100
PID 2256 wrote to memory of 2180	2256	Gjclbc32.exe	100
PID 2180 wrote to memory of 4684	2180	Gameonno.exe	101
PID 2180 wrote to memory of 4684	2180	Gameonno.exe	101
PID 2180 wrote to memory of 4684	2180	Gameonno.exe	101
PID 4684 wrote to memory of 3372	4684	Hclakimb.exe	102
PID 4684 wrote to memory of 3372	4684	Hclakimb.exe	102
PID 4684 wrote to memory of 3372	4684	Hclakimb.exe	102
PID 3372 wrote to memory of 2688	3372	Hboagf32.exe	103
PID 3372 wrote to memory of 2688	3372	Hboagf32.exe	103
PID 3372 wrote to memory of 2688	3372	Hboagf32.exe	103
PID 2688 wrote to memory of 2216	2688	Hihicplj.exe	104
PID 2688 wrote to memory of 2216	2688	Hihicplj.exe	104
PID 2688 wrote to memory of 2216	2688	Hihicplj.exe	104
PID 2216 wrote to memory of 1552	2216	Hapaemll.exe	105
PID 2216 wrote to memory of 1552	2216	Hapaemll.exe	105
PID 2216 wrote to memory of 1552	2216	Hapaemll.exe	105
PID 1552 wrote to memory of 2696	1552	Hpbaqj32.exe	106
PID 1552 wrote to memory of 2696	1552	Hpbaqj32.exe	106
PID 1552 wrote to memory of 2696	1552	Hpbaqj32.exe	106
PID 2696 wrote to memory of 3520	2696	Hbanme32.exe	108
PID 2696 wrote to memory of 3520	2696	Hbanme32.exe	108
PID 2696 wrote to memory of 3520	2696	Hbanme32.exe	108
PID 3520 wrote to memory of 4480	3520	Hfljmdjc.exe	109
PID 3520 wrote to memory of 4480	3520	Hfljmdjc.exe	109
PID 3520 wrote to memory of 4480	3520	Hfljmdjc.exe	109
PID 4480 wrote to memory of 1900	4480	Hikfip32.exe	110
PID 4480 wrote to memory of 1900	4480	Hikfip32.exe	110
PID 4480 wrote to memory of 1900	4480	Hikfip32.exe	110
PID 1900 wrote to memory of 5116	1900	Habnjm32.exe	111

C:\Users\Admin\AppData\Local\Temp\b7e4a42793294245640404e97bdc2e8f.exe
"C:\Users\Admin\AppData\Local\Temp\b7e4a42793294245640404e97bdc2e8f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\Gfqjafdq.exe
  C:\Windows\system32\Gfqjafdq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\Goiojk32.exe
    C:\Windows\system32\Goiojk32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\Gfcgge32.exe
      C:\Windows\system32\Gfcgge32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        29⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        30⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        35⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:616
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        38⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        41⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        44⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        53⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        56⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        58⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        59⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        61⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        62⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        63⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        66⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        67⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        69⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        70⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        72⤵
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1056
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        78⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        80⤵
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        82⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        83⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        88⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        89⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        90⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        94⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        98⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        99⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        101⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        104⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        105⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        106⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        117⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        118⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        123⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        124⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        126⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        127⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        128⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        131⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        132⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        136⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        138⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        139⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        140⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        142⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        143⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        144⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        146⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        147⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        148⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        149⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        151⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 404
        152⤵
        Program crash
        
        PID:6816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 6696 -ip 6696
1⤵
PID:6776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
64KB

MD5
a1e80dc30d146b106ea4dc7e74cc4331

SHA1
3445278bd8892efe7b350a9dfc79963e71b0a7f1

SHA256
e9b9c456cb5f90a2b95da59729e7556c73a839189644de992de77edb75ec742a

SHA512
d79014cd7ee05e297c0e4c8f6ce058757400943bfc0d0d73772095b35b2eb2522db694416175ea9391a6827795b86848db5e5e81fd536e25aa0e741161468f5e

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
64KB

MD5
631ecfc23b9575cce98a928384c9a079

SHA1
36ae4d7f7e49c956c1f4c9c86ce54c4ebbca3c4f

SHA256
38d8c55f3b01b3300ab73046f5791858e8e0694ffc2d5e7dd06cd276fd849694

SHA512
ff1a6d9e8a733d0f97a0f6875f2ab6ef4c2a2a830e9f8328cbaa6f187f7301cb45380900736ebd9657b48c9a6cd2f4f1f882f418258e2ff1435b68c928f7f7cf

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
64KB

MD5
f33287cb3dee2ba309a6ba79c70f77b5

SHA1
bed616d67c06ae577dee8c1a9124f9b753bf782b

SHA256
1a073ab15072a8fb1e629ccd2b54dd08c9e95c45b12265e26335d6a8125a6f09

SHA512
5e873e526f5b29e92db43a0bb1edba7bca3b9bca41b3232adbfaf37d88bc38e2a25768ef9b44623f634acabff49490e6ca36e0dc1162fdee6fedcb92c46de9c1

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
64KB

MD5
3ef03144fb531b1f17ccd10258b21c8d

SHA1
1c26e0a8e78c72b9bfa4eac5a18321dd1d941f4e

SHA256
ac65455498dc788b16e76e9d4d2d24c6bf24f6d194089c9cb4b25616ad27da74

SHA512
9a013870396f5b660c4c4f37a0be63f680cf15e7abf9f8b0f29bf325058c4a9282d0e3aeeafd9b772b3a690931aed5d93511ebe806fe9903f6dbe1ba455a07e3

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
64KB

MD5
425e1a0fd4096a52218c3cea1863ce4b

SHA1
e82774dd6680380956183150bbf063baa9875cb5

SHA256
6ac7b9ccf9d43c262195f35f1573e1120a9b8dea273ca96f2eacd4f305375b3f

SHA512
c76433cce5c843725aa2c54029bdc7b9aa745a2dfdcc06f2e199523134ff546cc330dc238a5490f1e15224b9f2635cf43707ca5dc297e54333e0fc22c48e1a07

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
64KB

MD5
bf8c3bde47f07497a8b49497ca132fd0

SHA1
832ccc6101e1cda73a6be8c555bac2d89c8af8cb

SHA256
b9dbffa8bd223306c52f294b983735a169d759c726acb197a370239976c4e8aa

SHA512
8dfa2343ef54de153ba6676b6250eda52d50c5abf368c435d1f1ed689fb7f23e7c3906abbb57f6b2267ab83e4d4107a1563f54caaec951890e4781eae9de29d3

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
64KB

MD5
f263e6eb8fe65312a4120655619a6056

SHA1
c317d07b7d0072c8f2286e14e6d08cd7a30d6314

SHA256
78fd2b46f22b9bf23a94968ded5f3c44abca8a28816d55afe3be26228c610967

SHA512
3ad41b6c893c4cdca2fe5093d7b87aa3ec2c503bd0876394356a2b65998c7f09dc9cd9fe207094cea0bf7cf32ea7e38d628c8dd9f5f9db57b48151283c10c191

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
64KB

MD5
b85e9fed8bf3077892cdf375a6a980a8

SHA1
9bad7ce64e455f8681f9e8be04cd67802c85ddec

SHA256
46a1f3c4e4128cbec5e05231ba0d6035be9b4cb9a8ac36eb5ccbf029eaf69dc6

SHA512
be2d4c88982f7f502475a6f04b2361e3f7322d194e2fa23a99bbe0cb9159900a745ee9b1cf14a2b5e0aeb7419207e3621403da3dd544c53e7681c002390100db

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
64KB

MD5
a89a977a38da8db2a60ff50c37147f2a

SHA1
416c4e4600f2eba4ef4e7511da63dfce53cbe798

SHA256
47b3750887910af680c76dd4787d3cd26339e83e683af28cf43b865509d9dd2d

SHA512
8d587c410f2ca6294d9c6569c8438acdbdd9f82ae6f135be6b46c283ed0ec8ddb321587da57a777ac15129cb55d5c1cd252e63a29b5f2f80be127a5f0fde90f0

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
64KB

MD5
582043c8386265af3c583fa0c084b0c8

SHA1
021de17903b00a164cc8973b8d8d00fe4c3620da

SHA256
5118db3368595bc81ea03ef4cc7f0ffe410342bf4960bd455498d64d5627c2e5

SHA512
7043f965d84b8f03fb26b11427122abfcf0b0680da8fe1027cb1dc42cb547447d86c952493c94bcbd3a0b7d9b6bc136a30282124f36f47f85976eaca5f10abca

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
64KB

MD5
90bae6039c9ccd26fd0b2e9eab5804c2

SHA1
ad052a4647a0d1b1d638898994e61a9c3491d726

SHA256
fece424cb62e9d46a46307ea55b9eacc319b1b23bb77fc53b999ad06f1ecf551

SHA512
812691706d5152fee43d7b27cabe406f406ac486c1eb1cdd3b5f14150fc05eb08eb1c2827bb9328ada55c0879b09b0c51a0fa8f8f6483b203f06adf1fc1c08ba

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
64KB

MD5
51a67225cbb056f6eddcce64636d4540

SHA1
97cc9f5e2564e69c3ea6493b688a77f1356d780b

SHA256
072b937563de0cd74ce5b1b5e0a6f563c35b2ffae6e2c93a1aa36568b85ee782

SHA512
eb93be874a4af7c4729994381a4890c905264e0e3811e5eab19705e14269abca9f8108744fb771979f18196d415a687fcdd21668fc9390830aa21cb921242c17

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
64KB

MD5
214a884ddbfaa69694d282ce0320f804

SHA1
bf908c5d7ba67d342a467c43f19867a2dabf647d

SHA256
d3d38e5ba83d9ae91a444afa5bb44fa7df104bebf464a2cceddce6e3a8c292a1

SHA512
d642056c8753558934cdccd04379b2a1e071dfd67d45fe36ba8c8b60260ae48670af164189419e985458c00076ef18b44133692711049382e37f53aad163a82f

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
64KB

MD5
467aaa574a0f3c28e9c0f3a8aff9dc86

SHA1
e445f8bd2d982b978118387f786c9c01ea254ff4

SHA256
5ef1821a4d9e4577ac08630463ce0bd2af4c47ba4b77cc40b9367d7679a3bfba

SHA512
e25db7314da40e0123934bd5226bea18a4dcc99856cbe316a0822b8fa00e1a023cf0ef82e6980facd87bd64b227b6b43d58f7478e5815bd444961da26017cf90

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
64KB

MD5
08e69737162f8b03e8dfc8edec5b56a7

SHA1
fab3b096a7b831f4e4ae57e08b7fd1dc2e3a2276

SHA256
e3d5c700e4e8e43a693b76b4470e0440740f3a90db70a8d0a5aeb546ff56dba1

SHA512
28f573954bcc026266a61c743ab3a54b54447265b4636f89de98763e4d462d5b9479836b9ec5b339a8cb8e25983d0498e0dfcc76b54e8d8bdbddcf8e5c3fed0c

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
64KB

MD5
bb9f98d7d8df00ecce77fc6d65c14482

SHA1
98d896513629f07f3bce97cecbf44a50824c06bc

SHA256
eda66da99a6212acaa24a03102a17f6cd1a867d99af6a22c1c4949eb300be5ba

SHA512
53a937c36e0109bd23ee502bec4b19a4ebbc01a80c574c7933b4efa73a652b1e45f83984d78f84f11257159c3f4cb62586e3737cd7fc769c41cfac35ee7d7ba6

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
64KB

MD5
87ad175304eb6d80017339c0d6b24c1f

SHA1
6eaa6ca86ca2dd11f4e438ff8e4a6bd77b0c59a6

SHA256
401448fd9e1e9ff5ffbed7d65877516bc7dc1cd849cccfc6a738110803fa366a

SHA512
87a4f67683c6f6f25998c1c6ceeba646145e50cb7d65369e63f9cf5204f5379e2226783e59c8d3f0859306d2d23939ba3e93f76199f321c43ad9ef18790b5124

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
64KB

MD5
4a3f2eddd3fb9a10ae06583562c00c8a

SHA1
a6608394c7ab6140d0fdbe2dd48171e3111219f1

SHA256
c32e876eabdc998323e6df46e9315b1548fec0df0286f62d6f60b2e8a67b8f73

SHA512
7fa09e9019a51afada4e06714348c7628605b77154079016af39c98a69227b42eebb52637d76be83e3fee7c9f047ac93d98daf7d3039d5a538a3041823ac5f55

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
64KB

MD5
0202447eddd0a38d65a00f9e26bc90d6

SHA1
487ae82b5c8e1600420f8ce01a3a799238a389ce

SHA256
b37412afcefe3d87ad296e98b1e95598d7c92c15f585232e96bc5a4b6b57b5d5

SHA512
68cd29129f544dc11b4b1a80432d44d35958a3788f2279c009f574c952e533c314cf4e3be3bc2f0efc4a2d389db30fb1c4cc33a41d4d20f36bddac4cc13d8ea8

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
64KB

MD5
95c29fc6a583d28958afb3f610d63232

SHA1
8122dbf8f40e6df3ad12570ca2415c2b466bf8d1

SHA256
70ff71c2487ed50302572001efe37fc8515889b26864ce975753ab2a4a2a096d

SHA512
f58aa3baa35cfc3b2280d2544aa60690830ea536a67eadfa3446b5e8ac71422670ff76c237a7a8c76e43d8aae2d30293ab3937ec4edf327c3bd568a234652bc8

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
64KB

MD5
e13bc5530d23c2dd7e9831ec387a0ad7

SHA1
5dde00e15a8b09fc01fb361e0cdeaa7370161be6

SHA256
833db800d16ea7e8a80b3486fc2bd5cf793d65ddd2e16d5e6ad9ece74d9c49f4

SHA512
892168ee4644caa4b53334d407dff3f658aeda21508e6b6ccc5d2f821ea56ae400570c0861a2716b0a1f762588ddfbdd3e79c659dde08e6e2c8fbad0d118b929

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
64KB

MD5
8da1ecbbc281b42bd32d4e7424e685db

SHA1
68e7fa17218ffa2dd0010429a7b1a2a1aef044ce

SHA256
7465860e27cc8ef28ddaf03fa8d86134dd4b89c8fbffe033ba44016df2b06713

SHA512
b5b89c3b13efe0a1935d85330c5ef372aa76b61989e81792d03515a8188b0bb0a0aaf3123188670cd996da39be0c6ce38b60d96ccfab6e80489ea7b1aeabded5

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
64KB

MD5
aecd7e8e80cb8f21e1e69739d324068b

SHA1
0838953584fc7742bde8ab057b1e4a59c1f6bb36

SHA256
8452bb4376a988e2471b1064aa7f72ecc407ee276fe76b2b340729d2e0000f02

SHA512
20efd65efcd4c75961c5fd105f3389a924e3af55b38d00fd8dfefef79eef943b50a974378d1d4947047465e9588084367e69a3cc3bdb9722cf4870e4d2bf2aa9

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
64KB

MD5
88a54ddd7f4252e41b9017a2cf4e2c8b

SHA1
4221dd3cba326b0c2ecf73c70295cd3c02eabd7b

SHA256
ff837c29fdb3e4fb6a2ade97e1642b50d66b0f0521c0a80639f36deac32fef15

SHA512
44ef23e4ca86c86725cf0e6dfb4808ec763670701f25cc0bec856800ab5ca9a60aec0d5a5b03a49f0da97b4d534dd184cd7b0a2f878c31447d053cbe057bec82

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
64KB

MD5
c90dcbb80b2268d0da9703ca47934cef

SHA1
d744bd464b79b3ae9495e6c6fb9a506742f00653

SHA256
c2bde939960d539bf5e4e20c45ade0edea677de52890a674378a69b40cac020b

SHA512
1ac9c7d93af6d9c857abcb84ae291adc935149ab6ccdf359bbe5914051a9d26e66c1a5cc5019bfeb10d61c7df511750dcf3383a4e3610bde658ceb89c7d51056

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
64KB

MD5
549008b0c7a68d1dfae8a07689c47e3c

SHA1
e14dd44d1633b66c524804135cfe12cde3499529

SHA256
32cb914d36dc31f7715d48728bf5a3543a4bd1417b5bff8783827a723abcc8d0

SHA512
d5174dd008f2ff8cac3c72e42cd4185d3d275ee8aaf5ac16a3db3abe8ac3381e6ea049287c34328045fcb2604e35381d5f5c8629f7079992e239ea539bd06d0e

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
64KB

MD5
a525d4f84d71fc565a9739028e1e9cca

SHA1
ce226a91573fc149368233f2c7535f01f2bc392d

SHA256
35b6311634835927917aeaf00ac6470094b6d80eb4e81611331132591e468f12

SHA512
ef18593ba76a03daa266f24dabb655a3bd8d125559aebdf3e08eab8a3f390ca9bf0ec8ee3837d3fe17b32ac0c60e773ebe7b98959753cf1301ecd9e5a65a14f3

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
64KB

MD5
3f047470f316087cbabf14697eda3059

SHA1
ed4d64238f0a7015879830283d292c57b3427c68

SHA256
dd75588bd69484665433cd8f36eaa82b0cdd487640e3a123582c5a081489f83f

SHA512
17cfdf05f633e91ca6bf283ce2a7d94014def9776bc92bd9a203d052868f8b7fe451cc70c0c6d444bd74e31785bd8c15b86b0d48657cf0c05f955e83652acca2

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
64KB

MD5
9755da94179c8cfe05829e75cbd1a35f

SHA1
b2a48938b6bcceae7cc48f9f4894ebf46475fbb6

SHA256
e46017be5956b8bbe8fb088469a8ea3fbeca5b7ff86da6b6f2ab8597cce70aed

SHA512
345eadcddd521762b808da7ac486451c3741031bc69f549822bf799f61719b206ccd2ce0e32a1e69bb1c1d43caef5dabdd2de87cd8e57e5fa780f890b433786e

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
64KB

MD5
7ed60b7e548d795470f7e18295bf2f9f

SHA1
c901c8d0b31dddaa424f61e93ec321183e504ba0

SHA256
99d21d9bd8ce7cb3e6415d550d576e858e06e890b79a532f5f40d1b8ee63f888

SHA512
84e996907f3559c9ace0e96394a50a3cbafd1577f72f23a2bb7800916ed1582f6673a49efe78bcbe883e5adf8be71187c6364058b109b113004a7817ecfed95a

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
64KB

MD5
00f45e419bf8da136f39991de2f9a2ad

SHA1
b97bddce5f23949b89c43b3f189cb2a6a228064b

SHA256
03314a080680f2fc65b280db3a616c24c2df7a7ba92672c43b8aae10ed38d128

SHA512
bbe265cee8b05d9b6336bb4378dabaa01d155307b367f8ae9946d2e96ee0cf904d729f61ec720c2b3266a9ec3b459a4355080f6556fb17070155c6f45358004a

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
64KB

MD5
1cfeddefcd94b8275b95eadf12655d47

SHA1
2389c3d40c69dfdd7024eae91442794d4b45e781

SHA256
e36b2a9a36f41a2a3a75297ddcd5873c220a2a2adf29dfcf2bdcc119ab29c045

SHA512
62db08274501154d0b4526b0ca70baa3c20c573f1339fe0d145b15d4cc2da37b619305145532d2e39cb76aa1f4d0d35f55b857669b80a30ae6b89a92df0f4e4c

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
64KB

MD5
5628596f8a3b926d3bd4a0e73244d583

SHA1
874c511fc41366d2a0b06dc22a473f4bc287e46d

SHA256
c0eed5afa59a02543ca5d3cfe885ef0edb43312897f8c57114a70b7dd44eb1a3

SHA512
8f602d888d8f1845f6a986663210cfe76af3fffdb0a8e0887cfc65b0614c3122997777348e065165c021c9de4e60b719ef1485eb81c60bfa7297afd440d7c000

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
64KB

MD5
49fefcd384e18e0faea9bf3910bebe2f

SHA1
c49c8fc99ce10fe66847fa2c7d8859d413cadb37

SHA256
e14daa6216d74f68faf9b059c878f3ebf8ac47ffbaadf86d8e3819f7193b5c02

SHA512
85b6b732609cffbb62c6a6bed29e52746ddabc511e32f15d52920f7511b5fac6de3908efc2ce41b016df8c6b37351d44c9a3f2787e27828d06a923ea8a2ebdf0

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
64KB

MD5
2f93d6a2c1db20017c221cee8098aaf6

SHA1
1fe6ca4eca606ee1bfc3a3455837d2f2a145afaa

SHA256
ce3420d67fd86cfc2478b2dd6f996df66595a4359de93f18b8b82ee2a01ea85c

SHA512
bc7922ff4aa8433cb6bbfef765a840d637994a281d42487c03d98557aca80687e696c7f74c2a2a34fe99def242fd419d8dde407587653c7d77e8fd9f816c1f26

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
64KB

MD5
921587e3d32396ef5e104ff49437bac5

SHA1
11dce7aacded8d00dc569f828a21320119958b11

SHA256
653af65079c12006d9779326aa32ca332683cd4f81736956b604d397f7187964

SHA512
d0b3c8b5d6a7f334d5b014d120dfa8d4b871184c78f94399fd7a8365dbe6c43bd54631f3d48ef0dfd676963b9967212ffed80eba9a7bd370c8de28b0f7fb1fb4

Download Submit
memory/224-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/616-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1388-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1928-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3148-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-1041-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5296-1049-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5360-1082-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5400-1081-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5444-1080-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5536-1059-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5544-1047-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5660-1075-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5684-1057-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5704-1074-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5804-1038-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5824-1055-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5836-1071-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5944-1034-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6048-1032-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6052-1067-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6132-1051-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6260-1029-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6300-1028-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6696-1020-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads