172a39bfca16a02a800478684038896ae802aee7a32a9f783a315b632d56f7ec

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

172a39bfca16a02a800478684038896ae802aee7a32a9f783a315b632d56f7ec.exe
Size

245KB
MD5

2733c4da48c2e78992edeab0b483bb5b
SHA1

27ce0ff0a97f5f50ea98b5a9684f43fe2c377f14
SHA256

172a39bfca16a02a800478684038896ae802aee7a32a9f783a315b632d56f7ec
SHA512

e21e4a2c4bf1308443ffe49376882fc4fc1494e0edc882a46f244eae7b93f8fd58d329e852001b393154370c963d2da68b8dbddbc002fbacc694c0bc6c5bc876
SSDEEP

1536:EktLloCVZHrqJIJuUKx/OqjeFF2222LEP/4cXeXvubKrFEwMEwKhbArEwKhQL4co:Vh8UKx/OqYF2222gPwago+bAr+Qka

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe

Executes dropped EXE 64 IoCs

pid	Process
932	Gcpapkgp.exe
1380	Gjjjle32.exe
4224	Gimjhafg.exe
4860	Gqdbiofi.exe
1748	Gcbnejem.exe
1180	Gjlfbd32.exe
1092	Gbgkfg32.exe
4300	Gmmocpjk.exe
3928	Gqikdn32.exe
4880	Gcggpj32.exe
4788	Gfedle32.exe
3936	Gjapmdid.exe
1248	Gmoliohh.exe
2212	Gqkhjn32.exe
5036	Gbldaffp.exe
1344	Gjclbc32.exe
3408	Gifmnpnl.exe
4724	Gmaioo32.exe
1532	Gameonno.exe
3036	Hclakimb.exe
3432	Hboagf32.exe
3916	Hfjmgdlf.exe
3460	Hjfihc32.exe
3800	Hmdedo32.exe
2672	Hpbaqj32.exe
3396	Hcnnaikp.exe
4196	Hbanme32.exe
4472	Hfljmdjc.exe
4352	Hikfip32.exe
4344	Hmfbjnbp.exe
2400	Hbckbepg.exe
4572	Hjjbcbqj.exe
1636	Hmioonpn.exe
4220	Hccglh32.exe
3972	Hbeghene.exe
4988	Hippdo32.exe
1812	Haggelfd.exe
720	Hcedaheh.exe
4088	Hibljoco.exe
4840	Ipldfi32.exe
4708	Ibjqcd32.exe
1280	Iidipnal.exe
1020	Ibmmhdhm.exe
3368	Ifhiib32.exe
4804	Iiffen32.exe
3380	Imbaemhc.exe
2388	Ipqnahgf.exe
4508	Ibojncfj.exe
2300	Ijfboafl.exe
4292	Imdnklfp.exe
3064	Ipckgh32.exe
3000	Idofhfmm.exe
1320	Ifmcdblq.exe
2328	Ijhodq32.exe
1524	Iikopmkd.exe
3200	Ipegmg32.exe
1220	Ibccic32.exe
3760	Ijkljp32.exe
3016	Jpgdbg32.exe
1400	Jdcpcf32.exe
4940	Jfaloa32.exe
3360	Jiphkm32.exe
3616	Jagqlj32.exe
3032	Jdemhe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	172a39bfca16a02a800478684038896ae802aee7a32a9f783a315b632d56f7ec.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Iebapp32.dll	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iidipnal.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6760	6648	WerFault.exe	248

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kinemkko.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 932	1784	172a39bfca16a02a800478684038896ae802aee7a32a9f783a315b632d56f7ec.exe	88
PID 1784 wrote to memory of 932	1784	172a39bfca16a02a800478684038896ae802aee7a32a9f783a315b632d56f7ec.exe	88
PID 1784 wrote to memory of 932	1784	172a39bfca16a02a800478684038896ae802aee7a32a9f783a315b632d56f7ec.exe	88
PID 932 wrote to memory of 1380	932	Gcpapkgp.exe	89
PID 932 wrote to memory of 1380	932	Gcpapkgp.exe	89
PID 932 wrote to memory of 1380	932	Gcpapkgp.exe	89
PID 1380 wrote to memory of 4224	1380	Gjjjle32.exe	90
PID 1380 wrote to memory of 4224	1380	Gjjjle32.exe	90
PID 1380 wrote to memory of 4224	1380	Gjjjle32.exe	90
PID 4224 wrote to memory of 4860	4224	Gimjhafg.exe	91
PID 4224 wrote to memory of 4860	4224	Gimjhafg.exe	91
PID 4224 wrote to memory of 4860	4224	Gimjhafg.exe	91
PID 4860 wrote to memory of 1748	4860	Gqdbiofi.exe	92
PID 4860 wrote to memory of 1748	4860	Gqdbiofi.exe	92
PID 4860 wrote to memory of 1748	4860	Gqdbiofi.exe	92
PID 1748 wrote to memory of 1180	1748	Gcbnejem.exe	93
PID 1748 wrote to memory of 1180	1748	Gcbnejem.exe	93
PID 1748 wrote to memory of 1180	1748	Gcbnejem.exe	93
PID 1180 wrote to memory of 1092	1180	Gjlfbd32.exe	94
PID 1180 wrote to memory of 1092	1180	Gjlfbd32.exe	94
PID 1180 wrote to memory of 1092	1180	Gjlfbd32.exe	94
PID 1092 wrote to memory of 4300	1092	Gbgkfg32.exe	95
PID 1092 wrote to memory of 4300	1092	Gbgkfg32.exe	95
PID 1092 wrote to memory of 4300	1092	Gbgkfg32.exe	95
PID 4300 wrote to memory of 3928	4300	Gmmocpjk.exe	96
PID 4300 wrote to memory of 3928	4300	Gmmocpjk.exe	96
PID 4300 wrote to memory of 3928	4300	Gmmocpjk.exe	96
PID 3928 wrote to memory of 4880	3928	Gqikdn32.exe	97
PID 3928 wrote to memory of 4880	3928	Gqikdn32.exe	97
PID 3928 wrote to memory of 4880	3928	Gqikdn32.exe	97
PID 4880 wrote to memory of 4788	4880	Gcggpj32.exe	98
PID 4880 wrote to memory of 4788	4880	Gcggpj32.exe	98
PID 4880 wrote to memory of 4788	4880	Gcggpj32.exe	98
PID 4788 wrote to memory of 3936	4788	Gfedle32.exe	99
PID 4788 wrote to memory of 3936	4788	Gfedle32.exe	99
PID 4788 wrote to memory of 3936	4788	Gfedle32.exe	99
PID 3936 wrote to memory of 1248	3936	Gjapmdid.exe	100
PID 3936 wrote to memory of 1248	3936	Gjapmdid.exe	100
PID 3936 wrote to memory of 1248	3936	Gjapmdid.exe	100
PID 1248 wrote to memory of 2212	1248	Gmoliohh.exe	101
PID 1248 wrote to memory of 2212	1248	Gmoliohh.exe	101
PID 1248 wrote to memory of 2212	1248	Gmoliohh.exe	101
PID 2212 wrote to memory of 5036	2212	Gqkhjn32.exe	102
PID 2212 wrote to memory of 5036	2212	Gqkhjn32.exe	102
PID 2212 wrote to memory of 5036	2212	Gqkhjn32.exe	102
PID 5036 wrote to memory of 1344	5036	Gbldaffp.exe	103
PID 5036 wrote to memory of 1344	5036	Gbldaffp.exe	103
PID 5036 wrote to memory of 1344	5036	Gbldaffp.exe	103
PID 1344 wrote to memory of 3408	1344	Gjclbc32.exe	104
PID 1344 wrote to memory of 3408	1344	Gjclbc32.exe	104
PID 1344 wrote to memory of 3408	1344	Gjclbc32.exe	104
PID 3408 wrote to memory of 4724	3408	Gifmnpnl.exe	105
PID 3408 wrote to memory of 4724	3408	Gifmnpnl.exe	105
PID 3408 wrote to memory of 4724	3408	Gifmnpnl.exe	105
PID 4724 wrote to memory of 1532	4724	Gmaioo32.exe	106
PID 4724 wrote to memory of 1532	4724	Gmaioo32.exe	106
PID 4724 wrote to memory of 1532	4724	Gmaioo32.exe	106
PID 1532 wrote to memory of 3036	1532	Gameonno.exe	107
PID 1532 wrote to memory of 3036	1532	Gameonno.exe	107
PID 1532 wrote to memory of 3036	1532	Gameonno.exe	107
PID 3036 wrote to memory of 3432	3036	Hclakimb.exe	108
PID 3036 wrote to memory of 3432	3036	Hclakimb.exe	108
PID 3036 wrote to memory of 3432	3036	Hclakimb.exe	108
PID 3432 wrote to memory of 3916	3432	Hboagf32.exe	109

C:\Users\Admin\AppData\Local\Temp\172a39bfca16a02a800478684038896ae802aee7a32a9f783a315b632d56f7ec.exe
"C:\Users\Admin\AppData\Local\Temp\172a39bfca16a02a800478684038896ae802aee7a32a9f783a315b632d56f7ec.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\Gcpapkgp.exe
  C:\Windows\system32\Gcpapkgp.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\Gjjjle32.exe
    C:\Windows\system32\Gjjjle32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\SysWOW64\Gimjhafg.exe
      C:\Windows\system32\Gimjhafg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
      - C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        23⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        24⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        26⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        32⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        36⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        37⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:720
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        40⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        41⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        48⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        58⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        60⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1620
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        67⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4484
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        72⤵
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        73⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        75⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2916
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        77⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        78⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        79⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        80⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        81⤵
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:628
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        84⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        85⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        92⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        93⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        94⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        96⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        97⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        98⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        99⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        100⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        103⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        105⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        106⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        107⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        108⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        109⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        110⤵
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        115⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        116⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        118⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        119⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        120⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        123⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        125⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        129⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        131⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        132⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        133⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        134⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        136⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        137⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6124
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        143⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1928
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        147⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        148⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        152⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        153⤵
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6492
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        157⤵
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        158⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        159⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 408
        160⤵
        Program crash
        
        PID:6760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6648 -ip 6648
1⤵
PID:6724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
245KB

MD5
e79795091fc1934588ae69407029abe6

SHA1
75b90f62c2fbee33f3fb3b97ef5a16b153f7b7d4

SHA256
2c29a42e3e4e8a8616bcf92ba4338b76439abe0e12291e882f274efca31224ba

SHA512
5210a49eaccfd22629bd84c3e46f61e62141a4db86df626f7cae9a7db93f53052c16e3a5c2e9fabd1a5ec8ae07625be19dfa95e928dafc121e7082e14680c0f5

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
49KB

MD5
e8590568917e0e9be1ee8c06f5c0dadf

SHA1
adb702bbe5af9b3886d7b06f76d420039fcca299

SHA256
3cee0c004ddd48288755ae7bf5563426385ab5d3cc3d559b5751107777048a66

SHA512
5afbfc7dfb1cb282c1274536a25f9b667f60d3aec51f4ffc26696ed4ac21688d7b3ccb93a740b4f78cc524ac115805aca38e1bf6f9e8a3a2e1bd9833901b654b

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
127KB

MD5
f901d938cbe88c47696166453ddd2471

SHA1
49bd980ff076368e76f0d0c48c17e214a4525ef3

SHA256
c1622b929eb1a818cdf78d5e21a7865953a0f487b64cfab648c4a0c510bec28e

SHA512
dc0b66af0851a8740dbfaea09856bdbc25034711650d19c0cfdb98e51489b8bb3567c481cd5b4eb2977a4df58a65be38539dbdb46452c9cbad162fa33163586f

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
98KB

MD5
8b2f72d2ece05237c0cccb5db432ea47

SHA1
64a3651ba7bf271f4163571c9ec5fe26e5336d70

SHA256
011095fd2c73c4e014fb45dbef1a97da166a67f5c3313241c72569ae9d8c408c

SHA512
acc4b9b5030e457a6b70712c5ab1f36d6986db4f9457b1f3a783e478a47b960fe258ca25936cbeefe4a6f8a44838894e5d9d8a4771a0440df6d529c14d55c343

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
245KB

MD5
fda8912b2ed906bcaa1001c11bfd0a35

SHA1
bba57310400f930727aee9ffe6c1fc28b271d0df

SHA256
8980c3e1f639c28435c626109d1540c717790836fdeb9ccd93bbaac5f1af2aa4

SHA512
1e109c7bfae09a1087346247f2f2d35441b0ac3868f9538d5f8c40d37d32258201f687466302131d678fb587b9d74e07c3b3c77cc0d8eb3d41ae3b72f201d099

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
245KB

MD5
41d6e7be2e400ef169435b3c57c5bf04

SHA1
ba6dd92afb48f962be21d032a164d08349014227

SHA256
43a219c6fff81ccc255d807d2d8cbdda090c6b651ac5d5236e372c543cef805a

SHA512
a835b29890b3c1feb6b3cec63e6bdf7e9d5927bd85995da9afa3cd51fcc94977fc42d2db65a062d06cbcc8b8475e19890ebd1bd183ead75257dec90f6e9d434e

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
209KB

MD5
f09315bfb4e3894551543bc8b344da2b

SHA1
cff8f8dfa54d3332aae0fe230db81e4abd73484c

SHA256
d0c99d4ece888143e7b956936621217692663989ec37db819fa8ec8f9a3ef9ba

SHA512
1db56df1001a05f87df8c983f4038d417c56eb02c7db5f9447132f2b736ed6f794c8a9bb23556a67a67d8febf85fde1df0274f887bba92b68b5288061631fccb

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
245KB

MD5
f3cda6d35fec23d4ab9e223bca4fb8b5

SHA1
7e2bb26205f92ea8864ccfa12af6a5e5a958af6a

SHA256
fad1de69c00ea9cbcb9e7a52acf308588ebca8446140ea5a9072e4e83dd1836f

SHA512
6cb657840be259d9c85c7e4607c629bfee90382bc66e49c68dba4a66eee3e958bcca0d37a594a415def489ece6d50cbfd580669bbfe1df22f3f44058f9e3fc11

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
104KB

MD5
bc134ba5d3f35d35d132006e35651b3e

SHA1
be09fbeb40daea921432f2e01f9f2e416de83d96

SHA256
3873f4bd5d9257b18b83d81b9cf092969716c50b27a70f13b7122cc6f3feb756

SHA512
0f0e2bdd27bfe3336d732becc67588d17901c0e7cc6675e55bbddab48e225d46f6efb1c4e90779d9d275fe488e1c73057aefaa6f8dbf961904e57ffe582d5d6e

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
245KB

MD5
19aab1bfda86449407af1862a59915ad

SHA1
5f72be12afc1e12fd2e46921385b796df5e9723f

SHA256
9fb128e71e276aa217bcafbacbdb60f24f6a207c1ebee02e6711c3d33569b6ce

SHA512
1fc4bd7472e7572dcda412c2ef93e323d61de0181ba82894169db8e8b69f0de6c0b5fcf5f00bcce1cffada94ee0194903f0747c6ffa71ec18acc0803f259a035

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
116KB

MD5
c86142f9429484785be04547da7749de

SHA1
a2f2da3cc3e5583ac69d797738308b90a2ce61d8

SHA256
2c0d2996e82aae7dc2ad77a57ab802bff8915bcda72b6709b70a5927efebcdf7

SHA512
7090ac28290ae0f862b3f91c886c1db524a0ecc348f860a0f8b7bfb61f1c855953cd29234538877a2d51b9e8b8ada43c6ab6a386f5f638503010651617b90789

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
245KB

MD5
1cd8f630505bea87732d48819e8486d2

SHA1
b0b9f136fa9338419da2994b9468c73355db3bce

SHA256
4ee846be9c9f0d17b11013e7e3c0e2b3d9cfc553acc60fe1fa8280123bafaf8f

SHA512
249810ca2489273393d2aab12b7f067470d241a3031be0c347e2db9a42361a5ed458009cf9347e69ebb6e7bf4daaa58a20c925dae51ff27760dc319d57056c32

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
245KB

MD5
c65a90e1788bbf2459ffe4f37c541f6a

SHA1
5a9a8b9e8ad03d455b3c11cb45a29fff64b841c7

SHA256
f2143e314a2291a8c1631071b7717614078a84592f2cda835428ee9f387dd97f

SHA512
039801e3512a74338dc6977e3cd9270bb590ae6a2c60eef786603e1cba4daf056379db9aaeff2e5657cec26371c242318603a1fb2980bd2d58d3b92e54b58f67

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
245KB

MD5
5b59cbc04e3147d8710ba82d1082739d

SHA1
3c6d0c80a795b7a08ae263903eebb25cf6f2bb40

SHA256
62312c8b1f073212c8427e8960de1b3d3457dbb4852893cb321ac60773d42e95

SHA512
6a788c474b06503329a6a685087e17752f8345084dd12c173c32890cf43e7a6331ab0f7608ed7fc41322c2641c3ed9aad7fd15a389d32df4930498deb5308578

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
245KB

MD5
b1ec07df16a5cd2fb91ba75e2a267fa2

SHA1
5573beb22ac01cbd7fbb3c600ddbad81c92b397f

SHA256
b06e2cf6c71ffd31d822caa78b5cda5cf5c897a104c172578ad0f46a524d305c

SHA512
c87734de7046939f081cc9bc13a630cc976a36d34bd3c5454dd6d55e2b1e769ac55d297252c6e32c0845da64af532d6e5ad63523e5c76e287cb5d56418c1aded

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
112KB

MD5
6456ca79a59a9d3e91d383da55b83afc

SHA1
aadf553547fe266e7bba521bf98f40ee313dc184

SHA256
d52e037a0278579a5fd58297519b025372a8ffcb1a730225ce1c51e17d49ca15

SHA512
9de296b3c5d816d3c598f09946facfdfb867e99fcef1a9d96d4de35efb5342f2b00a1d751900c67077a679cfc9d403156b3289aa9626d73d8494c8727cde5a1b

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
245KB

MD5
b8f343725e5d8dda19b45ede526cf917

SHA1
b97e757ddd805747f1adcd70a02ef4637ab2411f

SHA256
e2f18504e83e39c046b5bf317ca3d58779b96859f451fa393735aa58429fe331

SHA512
452b500bffc7b34aee8cf2ac557d3db270053805ff503a6f89d8c4e8dff047e46dd8b8c97787cd380f56d44c47c3d5221967b68e7a84479539f0d6802f1cccb2

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
245KB

MD5
8bf8d785180c01ace8cff68a15a3565d

SHA1
a4fc4f4a5a5e7fca45281a07c2dbac7d8994cf27

SHA256
f831085e79645ba6059bfd6fa140ae38bdacefe0e423306808d2cd2eb8ee540b

SHA512
133bee75c66b4f140964fefbcc32ae06b254318d06552f4cd1a6da3298f37321c343953eb4626ec4a8661596177273993dc139f02bbac22cd93d729e26c2bf36

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
245KB

MD5
4e8643e5300c4d8d4633fc4bf1b11b4d

SHA1
0317880cf585d21467da6e376150f15cf1ca54f0

SHA256
4590b73041b52137c336fb502fbad7c6622bb76a5ba8cf7e75b1288fb3fa4857

SHA512
3aebb486247f00147abd453996cb1c420862a55239e4c3eb959be448adaba665b131eb838b3a0d438b24739eeb842c1626ab94ad12e3b83ae76d60494634fbf7

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
245KB

MD5
00090763254844504eb8e458dc06c9eb

SHA1
673ca7ed99a7eec4a617955a6fdd287ba27468d6

SHA256
d772c631267f8ea882b98cf450463169182d33e6cd132b81eb1168b411e52018

SHA512
52139ed641b673c091e2a9d779ed12597bacb354df593610c38a6c62a1191dd7a31fbced7f9ac1cf54819db6287870653ea7ae3013815ae32885b8b5b7486d19

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
103KB

MD5
c14af06dba98d83b9d797a6265b10e5c

SHA1
adfaf885d0ed1084d4190c119ce95c7c30be9801

SHA256
361e1c432a77e7748b6c07847a5ee54c81feddd49b4a0810b9927d69c08bdc3d

SHA512
4180eb2942c7140d47225f2ff3cf7e0abbcd889161677fc36dcc33119f6fa6f0eee4aed10a0dc03d6534cc29fad1d404d1a998c2e3c5693aefaf77c04c298fc2

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
245KB

MD5
53f016bd7d39c27faf72a1b2c1f9931b

SHA1
8ac207bc5ea0d22b17543b7380473affc3c96b59

SHA256
94440862f3baa6aa4256ff975312b27a7963073ddb2f54c09f4a4b29fecf0984

SHA512
93c97c67abe7811ab41f7143a2fc514a2604d97a78a9cb7dcb397b9cc7ce337a81adfa1e15c1c2b5ceb86c500aac3b9d6b7aba54834ba7595ee7d4859bdbc0fd

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
100KB

MD5
31b546c4a99a4c0b5c2213e66ce207fa

SHA1
e7a64b0dfda0dae86d7a3eac59d4b28f5e6ced4f

SHA256
d1d5bbfb8b008fb5e001bd0bf61f6fa3f0df3972b5ba36a37c5904fd3ceea8a4

SHA512
9a69ada15c69e0da30575f86f5340ca57297ea09b27baa93404157556e459b128c1069134513894c79f047c821dc8c64a735c02dc0d1c3a9bd5185b1e0e9857d

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
233KB

MD5
a9ad35a171fbe775ea5939e52afe22de

SHA1
e51e29ec94fbc8bc162da84d0a3aa3b2796142b1

SHA256
6857195e378a3c9c32dbbb0a76c011edb72b437774dd42e59bc0856c13743ec2

SHA512
a2337e78611d436b55f9d96baca0d47d90c5dcb94e2ad540f4ad08051a0e1d28790f3ab92b488d65674ac34a6ffc7a2b1c8e8f5bb53876d5fe142bd8974ccaf1

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
245KB

MD5
630a2e55441674715ae3e379b276187a

SHA1
728cc9b74347d9a7dee02a9c5313afe5d48ccbab

SHA256
3eb6b52b7ad3fee0ef7e1a290f4a9e0820f3e45895e430e58752cca29f00cc82

SHA512
ce2ab62ed58eb0bffbab650731875d45876b5d117084153c9c67978612d6c7a3cff143b41a8959b9f0c9d0589c950b3b58a55e4480ece1ba95c4640e0e48a994

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
245KB

MD5
107c0020b475622f06e6337b37e4a73f

SHA1
18e0ab369ace20e85e863c0c18a7a41b3abd4749

SHA256
f1306cdc1c8f597769c8957865782714ad9b31d9cc482504a4cb3c4ff698147d

SHA512
64883c12b04075c37b726587e670db80cca891a652606fc8afe2f2afa7b0ec36103dd42fca7c965986db23d85000dd0e34920e78c85fe5f7e51e5dbf3c5a3f5d

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
91KB

MD5
dc30edacaf052cfbe5f01315607fd6f8

SHA1
8672c71048b1059ba45e56a0b0a773e15ab6fe61

SHA256
41f5661a65ca9edfbbd0f51a781d2192e4c84616e7e07323f84e94bf0d24f138

SHA512
f8b9fc32e5fa01530bb5de82f687ec830430750920c5dd9cde865b812b2e82d7f52be45f618af7a4a1b6d4e27fa5d1d54f85a2ac0381af3009aba67d8297a781

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
186KB

MD5
4b28cbcbdbcaf02a880a17e8b443539b

SHA1
915ad27e8774852d581f8cf99229c5905f272dc2

SHA256
cb37102a0a0a8a1834ccf7f2ad8d0b1916dfe297860c27fa5c7157d61274c46a

SHA512
9efb89d6d375480bae0eadd7ca25fb75387ebc31097dbd3906150017532728d26210fbeddcd8ef2e04b565d0ecdbb1d3b8e94dc62e6433f89081a3fe8c6d06ea

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
241KB

MD5
b29e758937bd3fd0a7984ed8b7325665

SHA1
5a6438b396ad5eeaa7557b763b80094feeed4c3a

SHA256
c17b435873036cac98aef034564fe22c34e4eb045b6af6fce2be062b85d99529

SHA512
83127ef6886e529a4ed31237ecd83b740f0e0aacfaa4f7e687f46a98039786a6968ba01d03428396a80ba3fcb4e8468fc38ed46475ff3f6bc53ebe65f131412d

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
162KB

MD5
49c7b0f1879fba663f48f462a4ceb93a

SHA1
f84f41a1c05290b4d263c3daf1923f0c4f446aae

SHA256
77e1b04bbb8884a553b3543074123ecb480eed3e45f537d0ac18e0ee142e58f8

SHA512
aaf7d39877412639dee103b34ae26169e9215b2c487fcc165162714ca602f50a85bfb4856fac31ddea42b276457d3bcfcefdba865267c454c295da7b6943a5fd

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
245KB

MD5
1d5f93c2f76fb9af585f656e73cdcc2f

SHA1
baf0ad93a73ae6009a9a845b2417b46be782ad1b

SHA256
60d6b962c7ddd94ea5640fed6750b7941ac0af19a2e13eb3942bebe6d3fca44b

SHA512
5ee7c15f9f00d141fc173ad1140f912bbaf9fe0da56ae779ef0c4eb7a66a8682b706c8bf516ba9c2f1b9bb556582532a899895a42fcee2dbc5c6d66f0735c20f

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
245KB

MD5
3ac6af664212b5cebfd1cb550e4777e2

SHA1
cb68a46a0c8b52970187aff014167fa26016b326

SHA256
ef4fed73d6b4ebf4165193c3fefd673d810f147374309b9cc045e9d169d655f7

SHA512
2b823377fa48400d35ca1cbbed7b4194803c4e0b892a4e2d96ee994bb6ed69ac1624f3fc8cf95f9d052a006e5838f9a1c7c9a56c7a229b34faa5b2e1cc754aa2

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
245KB

MD5
78f9f3b26bafe2c79c4df32f0f1f915f

SHA1
c9bb7339b845858885bb081301f76b91196d9c10

SHA256
bb76dc10f3d665ea66058c759f32b432761b0841c6411a92bc81761bf4c93e7d

SHA512
bb9f1b74d380a345c16ee5f898ff540c90249f47574af70fdcf4716e110445d9690decd178b490005f9b20d61cfc199a9457f3506d9797169365a85bf4fc742e

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
245KB

MD5
b8a1d9ff2b72452191650ce578b3f456

SHA1
ef5d55a56522d59ecce807f6113773c62748e982

SHA256
735441da02a0a5cfade9fddb5c05700bf4ef3325ebe5eba8174475636ff4f33b

SHA512
bf7c826a50a08a0a9ac862e6177f333a72a4d86f9331db06e8f0a284b91c0a4887784228bb51fb5588925e4219755b03e6e2ad8645b33e037ac7e2a2fedd9797

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
36KB

MD5
74f8b803e6d1eee87355246a2a05c193

SHA1
ec01fa8e45807253829b033302149580da795f5d

SHA256
ee66312202ad11e3ad944ef85d19a3fc489e12bde0f21066d00e34ca128b1516

SHA512
725305c24006eb0c1a01ff55d905db73710395d6cd101829125f9ecc9afbb93f0b82738af48ebf7aa74c4bf78553820c6cf7750d708c53c88d253e80aa37aade

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
245KB

MD5
6bf82aeffbe2d27167b435fc5524377a

SHA1
3c97a6b1f1cef84c62de2e764ad33017f54817f3

SHA256
77f80a03e1aa5633bd2b50a4fcdb0b1de8ed795850f69fce5741861f40609cc4

SHA512
62fef172d8f5a91a5847d99b93f2ed4c2889c9d27a2615d19e463308c221d87d08c330d1124bd1b6501faa2ad862753d1862381480366ac192391b1f45d0e9e6

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
65KB

MD5
70108ea7892e22595c0ca83912315b56

SHA1
581c0fd1fa6c9a2b8bab1d77cfb5c5cb8687cfe4

SHA256
c9722f70751733b371aff9547afd98bd1d2ee95ff7447200cf63ae5a87e09b53

SHA512
98994f3deeb13af452c1764561daf431af59c1f06e46a25711a4475a69d560da8a7aff2c21d064e0272fa86c278ee503f51409fc3ea0923659b06a0de351642c

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
59KB

MD5
c83f3c76853e58c8e838438772b28270

SHA1
4839896929986e6184e7377b8848cca164ce0b22

SHA256
019f6369d89e833f8593e7ff40a3e320a40ec84393081e26537be3c68491e34d

SHA512
4363e93a739011dd491bf73b69595910c78e94354b27e4d55591d008386762fd46a79ce024ba49be7155347641c1eabb7b816c0bbc65c27a0f55e479105fb436

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
245KB

MD5
8bcc08adf0f858e2a5c9b584ebbd44d9

SHA1
70712f539d93e471c5ce90134e5920741489d7bf

SHA256
9a10605af43c87b0f3dfda12c36f5feadaee0a5e81bb282b0f59068392de8edf

SHA512
9abf1ab146b605c8bce98e97e76dac0c2dde27a326f92cd5bdeb45429b59954cc0dd793cfa18b1c836bdb93373ef5cb21fa45afba3da0760a603f154b1518de1

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
245KB

MD5
56fef9e12bc1b268b5a641d2aebe92f6

SHA1
33d5249ed279019989520e0317525a847449450e

SHA256
a4bd28c487fb072eb9d06df7f7a8d58f6bb998176d95df70219d0393dc78730d

SHA512
5c82bdbe6b4f5fd5e191515402bda5568e6a3c3738f268b0c571db14db4a3f2fcc632a5f3d7268c43247f0d28abd2eac687672fdaf358650310ef6e3b19f8d84

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
1KB

MD5
e51f32b7225929eacd0d2668a8852c4f

SHA1
94fdbd89f5a3df742cc056b4697bd2fee45c141f

SHA256
5ff329fd05d0c49e6f9a2ab82885d0c3c82fbe2611cb363a468b56f4a82835a2

SHA512
342572f33e4c246077d5acfeb7b33e313d1bd95df1e02e07f50225ea9ed62100794dcff94444bf8d275926c655e94b88b50200eb841e6de0b73c2d16cb60c088

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
245KB

MD5
48c64279610d8468075d6a1ec824df01

SHA1
76eaacd621a4ff5ee361d68d006f38b5fd257522

SHA256
299db1f32a337d7459ca98f7c720c7d005ed5d5ece6245a131f5a3fbc5d3a1d8

SHA512
84f2cc515a81b9237c749b2b1e554a2e34f6e9d72707dd8a633dfff872c07c1e019fdc69bed8b38555ec525443ff9c2c77193a9918c7414a3531625479b7e6f0

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
64KB

MD5
ef91a1d71b87b46900d5977b60664bbf

SHA1
a8e14d007745d44f98c45441acd714c86e39ecb0

SHA256
34deba3feb7bdebcbcdfc8b92ea0ae9b3b2abb919349763a9cd35c69e4a6ebf7

SHA512
2b29856ee212b26153cf078339170a1e77d99158fdd5486426192b417c422c3ba1d765c3710e211ef4986e39f61ba7416747a17843cf01a6797049660c983ed7

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
245KB

MD5
b051d200815a651ab4ea24d760b5e7f0

SHA1
c9fdb7004cbd915274663017719e748b764345a6

SHA256
ce1756543904329bc95795d3d270a5720b51594d63464234b2de8833b043722e

SHA512
544f150fddaa40ee6438208d8e65c427fe8f020679bb3b484c17374f2e0b02751fd3c16019c91cfaab59cb43cf2d7d50743c036d8014ecced663bf88d3bf7237

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
245KB

MD5
0a0c7fa774248f4a3b828d50cba8937b

SHA1
4e2f5d55376ea1d0494dfe76da97dd6b3b3f75dd

SHA256
05f70cea986015d60ebdfb0a6c58f359c8156145a28099dbac44a443da23c5b6

SHA512
d104325bd624e59729592d153ed7ccce565b2f0231f22e0ecabe8f2cb799d1575353c9e7e1f4caed1f13f281abb455ff322a7803adaed420149ae6ecf42e9f78

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
245KB

MD5
9bcf5e7621a43a08d226ede55e575786

SHA1
50cd7ed1da88eebfd6a8587fb3a56f12dfada7a5

SHA256
5b6c23a7ee3eff117bd8d2711e7d9f95ccb8d85ff2069d3d7de26ace70415666

SHA512
27072647c304900e34d47302206f35bb94f3723f9bcbcdfa0be76a3576b374075b7a18a3406764724598d62030fa5df92b4dea3829f4a7dcab192a62e3831913

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
13KB

MD5
dde2da4d110c787686d570c6c65679de

SHA1
83c57d8fe6b79099b8421674146f367a9fe8a6e4

SHA256
b2d14cda805877b933290e85ae5d43bb0d214c2beed74847ce15ab30e7e43f63

SHA512
ab934575450729e280427d6237d3c7e35774f6f9bad4c7a0f48a29fcbcb0bbdd1d316fed767d0c058515c108a073bbfa99f99954b099b68b6bedc2386a9c710d

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
245KB

MD5
fc727f94441b6d5adcfaf070a3567a31

SHA1
a09ddb2dc73d40ee7ad49c5bc1e43155bacdb8a5

SHA256
cffec31c8434fcd24027c0fbbc3cb4e9510d09f62688a1ef23d202dc15554817

SHA512
3884eba48619432adcb2c45133fce92b5aecb4f593a387a889318291964f836b8656b165db7e95b330098d4b377b9a2308a204e8ca637947181bfbdfb895c46d

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
245KB

MD5
76b8f8bdf13ef7cf2519b1619bdf6b48

SHA1
bc027477a7e84f127b3e5324f59a4e3dd9d2e110

SHA256
428169b271fc5bebc64bc7e3089da396dd54d7bae53be17d9b8eed42356d311e

SHA512
c9a7b554a6cb89d1eeb1218f9ec5c3f637d99df1810c8a6ca339fd4697317cb4523d1bfb8d553b6b3edf4ff84e1118e4b5b2696f4f0a1b9f16b6e82678a26a4f

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
245KB

MD5
b070745be8544ddb37ff44c055c5aa97

SHA1
766355f03c40e816d13f3f84b282dfa55462d42a

SHA256
ae262b89c55f87e3b833169ab646e8432b47ada993708ee904e5e38176746785

SHA512
30796e60dc10f221a136496220af9eb5e26ccefee0bb66abd242f81d7ef6521591b549963a6bda84156cbb2dd0599ccd9ae0d9c3ec923d4418fdcac822579ce1

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
245KB

MD5
71346016ac9d4be69ed3850d4ef8e9b3

SHA1
402c46c171370345de7ffd238298280ba5fa066d

SHA256
8db1957e4cb0a9fe8760b5ade9f64033b26406beb2d35705de0ad43d6b385c37

SHA512
b01549dbcdaadf5453f2e17f15020d882728f44de1758893cbf1aa6dedc68cded194987c9483ca1971e5d84baf6291218e212ba270b9b3ad7112d2ff37a76411

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
245KB

MD5
f0ed886c89b34d84b0e131fe49aa5966

SHA1
e81b515c4c36db6a6c22b1063982b67055d8cca3

SHA256
279d47716f7cc683494c7c9a0b1314865579c2693e77026314b01f86c10fb607

SHA512
94a9df26948194b306b849042a9dff08ddf1bdd2fc2302d2bbf2e8662da83fa9236366eefb6892dc3e38ac209199cf320e4556d4c096eda2ec1069c4b3282942

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
245KB

MD5
bd78c068e8553146776ec3451fe31ee7

SHA1
0cd1c4031d919d815919a2a1e7bdcf789071b624

SHA256
a2dca07bec0ec36f4539d38715985811b7932fc7002ef8f736e622171c34ea25

SHA512
5dd98a189d97102e7126f338b7a098986b87554aa3bad1cab6f9179651a67c0888908b950a575aad043f09b4083b99ceca74e7c0c6d2e549c5964d2d1fb5d81c

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
245KB

MD5
42ceb82e5f0c65992c9bf7d09fc850db

SHA1
e2d89fd7c54eafd2a309ddd242f4d82f745c8303

SHA256
e2e598aadad913018a5712b63e1bf66dad1e167117e8478b5037a6e2f98df911

SHA512
550a3db8a2383e2227c15c10990cf3432ee4ea3847ddefcfae1d68d94a6038f39ce309511e1759922f2b86c628fb413d7805acef79eeb30e54d30a7b78013ef4

Download Submit
memory/436-500-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/720-294-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/932-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1020-320-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1092-57-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1180-53-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1248-110-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1280-314-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1312-507-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1344-225-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1380-17-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1400-417-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1524-393-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1532-235-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1620-450-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1636-287-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1748-41-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1784-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1784-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1784-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2212-113-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2300-356-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2388-346-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2400-281-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2916-501-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3016-415-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3032-440-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3036-243-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3064-367-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3168-457-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3200-399-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3360-433-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3368-326-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3380-338-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3396-265-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3408-226-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3432-251-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3460-253-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3712-472-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3760-405-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3800-259-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3916-252-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3928-72-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3936-98-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4088-296-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4196-266-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4220-288-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4224-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4300-71-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4344-275-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4352-272-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4472-271-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4484-478-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4508-354-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4572-282-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4708-308-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4724-229-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4788-90-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4804-337-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4840-302-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4860-33-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4880-82-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4940-423-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/5036-274-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads