16f59b7b904ab25355402eb328fefc716b4cd3d666109b651eb3df2c84a8a5ed

Analysis

max time kernel
99s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3804bb5b3377dbcb1e80e130058d4750N.exe
Size

96KB
MD5

3804bb5b3377dbcb1e80e130058d4750
SHA1

f02a76f983214f5cbcdcbea6f24e93961219d7a3
SHA256

16f59b7b904ab25355402eb328fefc716b4cd3d666109b651eb3df2c84a8a5ed
SHA512

5c4395c404e42cca28b236e3f1a3bb3c3b7883a807f29139de6bcc777251615791e2dfcabd17ac7d2599f33c20d1c64185a2824c0da3b69c0ad607019ddcd50b
SSDEEP

1536:bKIJQhFsIp1UJK1POp0nyQEgLfBYUKh+tkRraMUJN1AerDtZar3vhD:Pl6UJK1kcLfBYUOGkRGMM1AerDtsr3vV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inbkgejf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdkgdfm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majlgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obfdifli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgeigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjjoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjjoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impagbef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpogjkfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Konciabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idapdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmlacq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgpegdgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3804bb5b3377dbcb1e80e130058d4750N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnoejgjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmckijg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgihncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnffgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfeqcjll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpfmkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgihncoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbkdbgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idlgiljp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmlacq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jonjbcph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jopghc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalpelai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjojh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhfejpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmaneph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noebqnnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpekmold.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnelp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifkcegjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkpale32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfokifi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmediocn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpcbngc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcgdgomh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnjhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnamlkjn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnabpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcmeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idlgiljp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkidbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhddcdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipqkim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnkeff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnncndi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpacpkdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgiada32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngjjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oglgan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hndoeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjojh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaeiemga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamhlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhemjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joknmcbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmgaoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmpipd32.exe

Executes dropped EXE 64 IoCs

pid	Process
4456	Ggpcbngc.exe
3168	Gjopoifg.exe
3048	Gmmlke32.exe
732	Gcgdgomh.exe
2120	Gfeqcjll.exe
5064	Gmpipd32.exe
6120	Gpnelp32.exe
1408	Gfhmijji.exe
1988	Gnoejgjk.exe
4664	Gamafc32.exe
3148	Gclnbn32.exe
3452	Hfjjoj32.exe
3680	Hnabpg32.exe
664	Hapnlb32.exe
4880	Hcnjhn32.exe
5784	Hfmgdi32.exe
5636	Hndoeg32.exe
2648	Hpekmold.exe
6076	Hhlcnl32.exe
5428	Hjjojh32.exe
2412	Hadggbcg.exe
5564	Hfapoian.exe
2688	Hmkhlc32.exe
2936	Hdeqimqh.exe
5760	Hfcmeh32.exe
692	Hnkeff32.exe
4572	Hplannfl.exe
5556	Iffijh32.exe
5052	Impagbef.exe
1700	Ipnncndi.exe
4636	Ihefdk32.exe
2860	Ijdbqf32.exe
1876	Ipqkim32.exe
4552	Idlgiljp.exe
5036	Ifkcegjc.exe
5104	Inbkgejf.exe
5140	Iapgcpii.exe
2008	Idocolhm.exe
3404	Imghhaon.exe
3832	Iabdhp32.exe
3748	Idapdk32.exe
516	Ifolqg32.exe
4416	Iofdad32.exe
1780	Iaeqnp32.exe
5112	Jhoikjma.exe
5224	Jfaiff32.exe
5520	Jmlacq32.exe
2788	Jpjnol32.exe
2460	Jhaepi32.exe
3288	Jkpale32.exe
448	Joknmcbk.exe
3016	Jaijioao.exe
4836	Jdhfejpb.exe
2792	Jgfbafof.exe
4816	Jonjbcph.exe
3472	Jmpknpgc.exe
5496	Jpogjkfg.exe
3544	Jhfokifi.exe
2408	Jkdkgdfm.exe
4556	Jopghc32.exe
1064	Jpacpkdd.exe
1624	Jhhlahdf.exe
2264	Jkfhmdcj.exe
5624	Jmediocn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mkpcjp32.exe	Mgehiaec.exe
File opened for modification	C:\Windows\SysWOW64\Ifolqg32.exe	Idapdk32.exe
File created	C:\Windows\SysWOW64\Kpcpek32.exe	Jmediocn.exe
File created	C:\Windows\SysWOW64\Lalpelai.exe	Konciabf.exe
File created	C:\Windows\SysWOW64\Logfppjk.exe	Lgihncoa.exe
File created	C:\Windows\SysWOW64\Dlcbdmho.dll	Onmengbn.exe
File created	C:\Windows\SysWOW64\Pgeigm32.exe	Oegmka32.exe
File opened for modification	C:\Windows\SysWOW64\Gnoejgjk.exe	Gfhmijji.exe
File created	C:\Windows\SysWOW64\Aeiamppq.dll	Jmlacq32.exe
File created	C:\Windows\SysWOW64\Hhlcnl32.exe	Hpekmold.exe
File created	C:\Windows\SysWOW64\Oglgan32.exe	Oiifeajn.exe
File created	C:\Windows\SysWOW64\Oojecj32.exe	Ogcmamka.exe
File opened for modification	C:\Windows\SysWOW64\Oalajbaa.exe	Onmengbn.exe
File created	C:\Windows\SysWOW64\Cododlpi.dll	Pgeigm32.exe
File created	C:\Windows\SysWOW64\Jmcagdha.dll	Jkfhmdcj.exe
File opened for modification	C:\Windows\SysWOW64\Ooabml32.exe	Ngjjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hhlcnl32.exe	Hpekmold.exe
File created	C:\Windows\SysWOW64\Ccijncff.dll	Joknmcbk.exe
File created	C:\Windows\SysWOW64\Maligfmc.dll	Iapgcpii.exe
File created	C:\Windows\SysWOW64\Cqniga32.dll	Jpacpkdd.exe
File opened for modification	C:\Windows\SysWOW64\Kpmckijg.exe	Kolgca32.exe
File created	C:\Windows\SysWOW64\Nohofm32.exe	Nhngjcdl.exe
File created	C:\Windows\SysWOW64\Jaijioao.exe	Joknmcbk.exe
File created	C:\Windows\SysWOW64\Lgbkdbgf.exe	Lddohfhb.exe
File created	C:\Windows\SysWOW64\Jpjnol32.exe	Jmlacq32.exe
File opened for modification	C:\Windows\SysWOW64\Jpogjkfg.exe	Jmpknpgc.exe
File created	C:\Windows\SysWOW64\Pncnea32.dll	Ipnncndi.exe
File opened for modification	C:\Windows\SysWOW64\Idocolhm.exe	Iapgcpii.exe
File opened for modification	C:\Windows\SysWOW64\Kgdobd32.exe	Kpjffjli.exe
File opened for modification	C:\Windows\SysWOW64\Mnffgk32.exe	Mhinod32.exe
File created	C:\Windows\SysWOW64\Fbdpibaj.dll	Jmpknpgc.exe
File created	C:\Windows\SysWOW64\Gjopoifg.exe	Ggpcbngc.exe
File created	C:\Windows\SysWOW64\Jpogjkfg.exe	Jmpknpgc.exe
File created	C:\Windows\SysWOW64\Iapgcpii.exe	Inbkgejf.exe
File opened for modification	C:\Windows\SysWOW64\Ogcmamka.exe	Oeeqeakm.exe
File created	C:\Windows\SysWOW64\Ndbagfkd.dll	Konciabf.exe
File created	C:\Windows\SysWOW64\Dkgbng32.dll	Ngeqpoga.exe
File opened for modification	C:\Windows\SysWOW64\Pnpbdgpk.exe	Pomahj32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcmeh32.exe	Hdeqimqh.exe
File created	C:\Windows\SysWOW64\Mhkjdc32.exe	Mbabgioa.exe
File opened for modification	C:\Windows\SysWOW64\Oglgan32.exe	Oiifeajn.exe
File opened for modification	C:\Windows\SysWOW64\Gcgdgomh.exe	Gmmlke32.exe
File created	C:\Windows\SysWOW64\Jonjbcph.exe	Jgfbafof.exe
File created	C:\Windows\SysWOW64\Hhqelf32.dll	Mkbpppkj.exe
File opened for modification	C:\Windows\SysWOW64\Nhemjb32.exe	Nnoimi32.exe
File created	C:\Windows\SysWOW64\Nnjobjbc.exe	Nohofm32.exe
File created	C:\Windows\SysWOW64\Omnqaeag.dll	Ldklahpm.exe
File opened for modification	C:\Windows\SysWOW64\Logfppjk.exe	Lgihncoa.exe
File opened for modification	C:\Windows\SysWOW64\Mbabgioa.exe	Mnffgk32.exe
File created	C:\Windows\SysWOW64\Bgflbdic.dll	Ndbkid32.exe
File opened for modification	C:\Windows\SysWOW64\Hfmgdi32.exe	Hcnjhn32.exe
File opened for modification	C:\Windows\SysWOW64\Hpekmold.exe	Hndoeg32.exe
File opened for modification	C:\Windows\SysWOW64\Jhaepi32.exe	Jpjnol32.exe
File created	C:\Windows\SysWOW64\Nnoimi32.exe	Ngeqpoga.exe
File opened for modification	C:\Windows\SysWOW64\Nnjobjbc.exe	Nohofm32.exe
File created	C:\Windows\SysWOW64\Hmkhlc32.exe	Hfapoian.exe
File created	C:\Windows\SysWOW64\Kmgaoo32.exe	Kkidbc32.exe
File created	C:\Windows\SysWOW64\Jjonhn32.dll	Lalpelai.exe
File created	C:\Windows\SysWOW64\Hplannfl.exe	Hnkeff32.exe
File created	C:\Windows\SysWOW64\Dhhccg32.dll	Kmgaoo32.exe
File opened for modification	C:\Windows\SysWOW64\Jmediocn.exe	Jkfhmdcj.exe
File created	C:\Windows\SysWOW64\Mhddcdlf.exe	Majlgj32.exe
File created	C:\Windows\SysWOW64\Eopcpj32.dll	Jpogjkfg.exe
File opened for modification	C:\Windows\SysWOW64\Inbkgejf.exe	Ifkcegjc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5688	2248	WerFault.exe	221

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmlacq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anologeb.dll"	Logfppjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oebdpbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfmgdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iffijh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipnncndi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdeqimqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgpegdgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaebqn.dll"	Lgihncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oklcdf32.dll"	Mamhlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oegmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijdbqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpnbed32.dll"	Mpkomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnamlkjn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oeeqeakm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oojecj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcgdgomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macohqgj.dll"	Jpjnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnpjhhg.dll"	Majlgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iofdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldklahpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpogjkfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfeqcjll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmcalai.dll"	Jhoikjma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcpfee32.dll"	Jgfbafof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cemjag32.dll"	Kpfmkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgiada32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oeeqeakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldgjo32.dll"	Pomahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbifeoee.dll"	Hpekmold.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfaiff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhaepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jopghc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khkhfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coieap32.dll"	3804bb5b3377dbcb1e80e130058d4750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipnncndi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkehe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhkjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noebqnnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pomahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcgdgomh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhlcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaijioao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkidbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mamhlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jopghc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndbagfkd.dll"	Konciabf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbhmp32.dll"	Gfhmijji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjobjbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnaebi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqid32.dll"	Hmkhlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmgaoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnoimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbabgioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnficf32.dll"	Hadggbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifolqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhccg32.dll"	Kmgaoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkjfpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgeigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmpknpgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Logfppjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmaneph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmpipd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6132 wrote to memory of 4456	6132	3804bb5b3377dbcb1e80e130058d4750N.exe	87
PID 6132 wrote to memory of 4456	6132	3804bb5b3377dbcb1e80e130058d4750N.exe	87
PID 6132 wrote to memory of 4456	6132	3804bb5b3377dbcb1e80e130058d4750N.exe	87
PID 4456 wrote to memory of 3168	4456	Ggpcbngc.exe	88
PID 4456 wrote to memory of 3168	4456	Ggpcbngc.exe	88
PID 4456 wrote to memory of 3168	4456	Ggpcbngc.exe	88
PID 3168 wrote to memory of 3048	3168	Gjopoifg.exe	89
PID 3168 wrote to memory of 3048	3168	Gjopoifg.exe	89
PID 3168 wrote to memory of 3048	3168	Gjopoifg.exe	89
PID 3048 wrote to memory of 732	3048	Gmmlke32.exe	90
PID 3048 wrote to memory of 732	3048	Gmmlke32.exe	90
PID 3048 wrote to memory of 732	3048	Gmmlke32.exe	90
PID 732 wrote to memory of 2120	732	Gcgdgomh.exe	91
PID 732 wrote to memory of 2120	732	Gcgdgomh.exe	91
PID 732 wrote to memory of 2120	732	Gcgdgomh.exe	91
PID 2120 wrote to memory of 5064	2120	Gfeqcjll.exe	92
PID 2120 wrote to memory of 5064	2120	Gfeqcjll.exe	92
PID 2120 wrote to memory of 5064	2120	Gfeqcjll.exe	92
PID 5064 wrote to memory of 6120	5064	Gmpipd32.exe	93
PID 5064 wrote to memory of 6120	5064	Gmpipd32.exe	93
PID 5064 wrote to memory of 6120	5064	Gmpipd32.exe	93
PID 6120 wrote to memory of 1408	6120	Gpnelp32.exe	94
PID 6120 wrote to memory of 1408	6120	Gpnelp32.exe	94
PID 6120 wrote to memory of 1408	6120	Gpnelp32.exe	94
PID 1408 wrote to memory of 1988	1408	Gfhmijji.exe	95
PID 1408 wrote to memory of 1988	1408	Gfhmijji.exe	95
PID 1408 wrote to memory of 1988	1408	Gfhmijji.exe	95
PID 1988 wrote to memory of 4664	1988	Gnoejgjk.exe	96
PID 1988 wrote to memory of 4664	1988	Gnoejgjk.exe	96
PID 1988 wrote to memory of 4664	1988	Gnoejgjk.exe	96
PID 4664 wrote to memory of 3148	4664	Gamafc32.exe	97
PID 4664 wrote to memory of 3148	4664	Gamafc32.exe	97
PID 4664 wrote to memory of 3148	4664	Gamafc32.exe	97
PID 3148 wrote to memory of 3452	3148	Gclnbn32.exe	98
PID 3148 wrote to memory of 3452	3148	Gclnbn32.exe	98
PID 3148 wrote to memory of 3452	3148	Gclnbn32.exe	98
PID 3452 wrote to memory of 3680	3452	Hfjjoj32.exe	99
PID 3452 wrote to memory of 3680	3452	Hfjjoj32.exe	99
PID 3452 wrote to memory of 3680	3452	Hfjjoj32.exe	99
PID 3680 wrote to memory of 664	3680	Hnabpg32.exe	100
PID 3680 wrote to memory of 664	3680	Hnabpg32.exe	100
PID 3680 wrote to memory of 664	3680	Hnabpg32.exe	100
PID 664 wrote to memory of 4880	664	Hapnlb32.exe	101
PID 664 wrote to memory of 4880	664	Hapnlb32.exe	101
PID 664 wrote to memory of 4880	664	Hapnlb32.exe	101
PID 4880 wrote to memory of 5784	4880	Hcnjhn32.exe	102
PID 4880 wrote to memory of 5784	4880	Hcnjhn32.exe	102
PID 4880 wrote to memory of 5784	4880	Hcnjhn32.exe	102
PID 5784 wrote to memory of 5636	5784	Hfmgdi32.exe	103
PID 5784 wrote to memory of 5636	5784	Hfmgdi32.exe	103
PID 5784 wrote to memory of 5636	5784	Hfmgdi32.exe	103
PID 5636 wrote to memory of 2648	5636	Hndoeg32.exe	104
PID 5636 wrote to memory of 2648	5636	Hndoeg32.exe	104
PID 5636 wrote to memory of 2648	5636	Hndoeg32.exe	104
PID 2648 wrote to memory of 6076	2648	Hpekmold.exe	105
PID 2648 wrote to memory of 6076	2648	Hpekmold.exe	105
PID 2648 wrote to memory of 6076	2648	Hpekmold.exe	105
PID 6076 wrote to memory of 5428	6076	Hhlcnl32.exe	107
PID 6076 wrote to memory of 5428	6076	Hhlcnl32.exe	107
PID 6076 wrote to memory of 5428	6076	Hhlcnl32.exe	107
PID 5428 wrote to memory of 2412	5428	Hjjojh32.exe	108
PID 5428 wrote to memory of 2412	5428	Hjjojh32.exe	108
PID 5428 wrote to memory of 2412	5428	Hjjojh32.exe	108
PID 2412 wrote to memory of 5564	2412	Hadggbcg.exe	109

C:\Users\Admin\AppData\Local\Temp\3804bb5b3377dbcb1e80e130058d4750N.exe
"C:\Users\Admin\AppData\Local\Temp\3804bb5b3377dbcb1e80e130058d4750N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6132
- C:\Windows\SysWOW64\Ggpcbngc.exe
  C:\Windows\system32\Ggpcbngc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\Gjopoifg.exe
    C:\Windows\system32\Gjopoifg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\Gmmlke32.exe
      C:\Windows\system32\Gmmlke32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\Gcgdgomh.exe
        
        C:\Windows\system32\Gcgdgomh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
      - C:\Windows\SysWOW64\Gfeqcjll.exe
        
        C:\Windows\system32\Gfeqcjll.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Gmpipd32.exe
        
        C:\Windows\system32\Gmpipd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Gpnelp32.exe
        
        C:\Windows\system32\Gpnelp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6120
        
        C:\Windows\SysWOW64\Gfhmijji.exe
        
        C:\Windows\system32\Gfhmijji.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Gnoejgjk.exe
        
        C:\Windows\system32\Gnoejgjk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Gamafc32.exe
        
        C:\Windows\system32\Gamafc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Gclnbn32.exe
        
        C:\Windows\system32\Gclnbn32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Hfjjoj32.exe
        
        C:\Windows\system32\Hfjjoj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Hnabpg32.exe
        
        C:\Windows\system32\Hnabpg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Hapnlb32.exe
        
        C:\Windows\system32\Hapnlb32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Hcnjhn32.exe
        
        C:\Windows\system32\Hcnjhn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Hfmgdi32.exe
        
        C:\Windows\system32\Hfmgdi32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5784
        
        C:\Windows\SysWOW64\Hndoeg32.exe
        
        C:\Windows\system32\Hndoeg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5636
        
        C:\Windows\SysWOW64\Hpekmold.exe
        
        C:\Windows\system32\Hpekmold.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Hhlcnl32.exe
        
        C:\Windows\system32\Hhlcnl32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6076
        
        C:\Windows\SysWOW64\Hjjojh32.exe
        
        C:\Windows\system32\Hjjojh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5428
        
        C:\Windows\SysWOW64\Hadggbcg.exe
        
        C:\Windows\system32\Hadggbcg.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Hfapoian.exe
        
        C:\Windows\system32\Hfapoian.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Hmkhlc32.exe
        
        C:\Windows\system32\Hmkhlc32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Hdeqimqh.exe
        
        C:\Windows\system32\Hdeqimqh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Hfcmeh32.exe
        
        C:\Windows\system32\Hfcmeh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5760
        
        C:\Windows\SysWOW64\Hnkeff32.exe
        
        C:\Windows\system32\Hnkeff32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:692
        
        C:\Windows\SysWOW64\Hplannfl.exe
        
        C:\Windows\system32\Hplannfl.exe
        28⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Iffijh32.exe
        
        C:\Windows\system32\Iffijh32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Impagbef.exe
        
        C:\Windows\system32\Impagbef.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Ipnncndi.exe
        
        C:\Windows\system32\Ipnncndi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Ihefdk32.exe
        
        C:\Windows\system32\Ihefdk32.exe
        32⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Ijdbqf32.exe
        
        C:\Windows\system32\Ijdbqf32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Ipqkim32.exe
        
        C:\Windows\system32\Ipqkim32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Idlgiljp.exe
        
        C:\Windows\system32\Idlgiljp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Ifkcegjc.exe
        
        C:\Windows\system32\Ifkcegjc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\Inbkgejf.exe
        
        C:\Windows\system32\Inbkgejf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Iapgcpii.exe
        
        C:\Windows\system32\Iapgcpii.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Idocolhm.exe
        
        C:\Windows\system32\Idocolhm.exe
        39⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Imghhaon.exe
        
        C:\Windows\system32\Imghhaon.exe
        40⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\SysWOW64\Iabdhp32.exe
        
        C:\Windows\system32\Iabdhp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Idapdk32.exe
        
        C:\Windows\system32\Idapdk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ifolqg32.exe
        
        C:\Windows\system32\Ifolqg32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Iofdad32.exe
        
        C:\Windows\system32\Iofdad32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Iaeqnp32.exe
        
        C:\Windows\system32\Iaeqnp32.exe
        45⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Jhoikjma.exe
        
        C:\Windows\system32\Jhoikjma.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Jfaiff32.exe
        
        C:\Windows\system32\Jfaiff32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Jmlacq32.exe
        
        C:\Windows\system32\Jmlacq32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Jpjnol32.exe
        
        C:\Windows\system32\Jpjnol32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Jhaepi32.exe
        
        C:\Windows\system32\Jhaepi32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Jkpale32.exe
        
        C:\Windows\system32\Jkpale32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Joknmcbk.exe
        
        C:\Windows\system32\Joknmcbk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Jaijioao.exe
        
        C:\Windows\system32\Jaijioao.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Jdhfejpb.exe
        
        C:\Windows\system32\Jdhfejpb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\Jgfbafof.exe
        
        C:\Windows\system32\Jgfbafof.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Jonjbcph.exe
        
        C:\Windows\system32\Jonjbcph.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Jmpknpgc.exe
        
        C:\Windows\system32\Jmpknpgc.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Jpogjkfg.exe
        
        C:\Windows\system32\Jpogjkfg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Jhfokifi.exe
        
        C:\Windows\system32\Jhfokifi.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Jkdkgdfm.exe
        
        C:\Windows\system32\Jkdkgdfm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Jopghc32.exe
        
        C:\Windows\system32\Jopghc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Jpacpkdd.exe
        
        C:\Windows\system32\Jpacpkdd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Jhhlahdf.exe
        
        C:\Windows\system32\Jhhlahdf.exe
        63⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Jkfhmdcj.exe
        
        C:\Windows\system32\Jkfhmdcj.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Jmediocn.exe
        
        C:\Windows\system32\Jmediocn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Kpcpek32.exe
        
        C:\Windows\system32\Kpcpek32.exe
        66⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Khkhfh32.exe
        
        C:\Windows\system32\Khkhfh32.exe
        67⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Kkidbc32.exe
        
        C:\Windows\system32\Kkidbc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Kmgaoo32.exe
        
        C:\Windows\system32\Kmgaoo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Kpfmkj32.exe
        
        C:\Windows\system32\Kpfmkj32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Kgpegdgl.exe
        
        C:\Windows\system32\Kgpegdgl.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Kaeiemga.exe
        
        C:\Windows\system32\Kaeiemga.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3592
        
        C:\Windows\SysWOW64\Kdcfai32.exe
        
        C:\Windows\system32\Kdcfai32.exe
        73⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Kpjffjli.exe
        
        C:\Windows\system32\Kpjffjli.exe
        74⤵
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Kgdobd32.exe
        
        C:\Windows\system32\Kgdobd32.exe
        75⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Kolgca32.exe
        
        C:\Windows\system32\Kolgca32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Kpmckijg.exe
        
        C:\Windows\system32\Kpmckijg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1304
        
        C:\Windows\SysWOW64\Konciabf.exe
        
        C:\Windows\system32\Konciabf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Lalpelai.exe
        
        C:\Windows\system32\Lalpelai.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Ldklahpm.exe
        
        C:\Windows\system32\Ldklahpm.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Lgihncoa.exe
        
        C:\Windows\system32\Lgihncoa.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Logfppjk.exe
        
        C:\Windows\system32\Logfppjk.exe
        82⤵
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Lddohfhb.exe
        
        C:\Windows\system32\Lddohfhb.exe
        83⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Lgbkdbgf.exe
        
        C:\Windows\system32\Lgbkdbgf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Mpkomg32.exe
        
        C:\Windows\system32\Mpkomg32.exe
        85⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Mgehiaec.exe
        
        C:\Windows\system32\Mgehiaec.exe
        86⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\Mkpcjp32.exe
        
        C:\Windows\system32\Mkpcjp32.exe
        87⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Majlgj32.exe
        
        C:\Windows\system32\Majlgj32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Mhddcdlf.exe
        
        C:\Windows\system32\Mhddcdlf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4436
        
        C:\Windows\SysWOW64\Mkbpppkj.exe
        
        C:\Windows\system32\Mkbpppkj.exe
        90⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Mnamlkjn.exe
        
        C:\Windows\system32\Mnamlkjn.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Mamhlj32.exe
        
        C:\Windows\system32\Mamhlj32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Mdkehe32.exe
        
        C:\Windows\system32\Mdkehe32.exe
        93⤵
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Mgiada32.exe
        
        C:\Windows\system32\Mgiada32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Moqifn32.exe
        
        C:\Windows\system32\Moqifn32.exe
        95⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\Mdmaneph.exe
        
        C:\Windows\system32\Mdmaneph.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Mhinod32.exe
        
        C:\Windows\system32\Mhinod32.exe
        97⤵
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Mnffgk32.exe
        
        C:\Windows\system32\Mnffgk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Mbabgioa.exe
        
        C:\Windows\system32\Mbabgioa.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Mhkjdc32.exe
        
        C:\Windows\system32\Mhkjdc32.exe
        100⤵
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Mkjfpo32.exe
        
        C:\Windows\system32\Mkjfpo32.exe
        101⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Noebqnnk.exe
        
        C:\Windows\system32\Noebqnnk.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Nbdomi32.exe
        
        C:\Windows\system32\Nbdomi32.exe
        103⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Ndbkid32.exe
        
        C:\Windows\system32\Ndbkid32.exe
        104⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Nhngjcdl.exe
        
        C:\Windows\system32\Nhngjcdl.exe
        105⤵
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Nohofm32.exe
        
        C:\Windows\system32\Nohofm32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Nnjobjbc.exe
        
        C:\Windows\system32\Nnjobjbc.exe
        107⤵
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Nojllm32.exe
        
        C:\Windows\system32\Nojllm32.exe
        108⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Ngeqpoga.exe
        
        C:\Windows\system32\Ngeqpoga.exe
        109⤵
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Nnoimi32.exe
        
        C:\Windows\system32\Nnoimi32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Nhemjb32.exe
        
        C:\Windows\system32\Nhemjb32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4812
        
        C:\Windows\SysWOW64\Nnaebi32.exe
        
        C:\Windows\system32\Nnaebi32.exe
        112⤵
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ngjjko32.exe
        
        C:\Windows\system32\Ngjjko32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Ooabml32.exe
        
        C:\Windows\system32\Ooabml32.exe
        114⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Oiifeajn.exe
        
        C:\Windows\system32\Oiifeajn.exe
        115⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Oglgan32.exe
        
        C:\Windows\system32\Oglgan32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Onfonhhf.exe
        
        C:\Windows\system32\Onfonhhf.exe
        117⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Oilcka32.exe
        
        C:\Windows\system32\Oilcka32.exe
        118⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Onhlch32.exe
        
        C:\Windows\system32\Onhlch32.exe
        119⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Oebdpbnp.exe
        
        C:\Windows\system32\Oebdpbnp.exe
        120⤵
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Okllml32.exe
        
        C:\Windows\system32\Okllml32.exe
        121⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Obfdifli.exe
        
        C:\Windows\system32\Obfdifli.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4452
        
        C:\Windows\SysWOW64\Oeeqeakm.exe
        
        C:\Windows\system32\Oeeqeakm.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Ogcmamka.exe
        
        C:\Windows\system32\Ogcmamka.exe
        124⤵
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\Oojecj32.exe
        
        C:\Windows\system32\Oojecj32.exe
        125⤵
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Onmengbn.exe
        
        C:\Windows\system32\Onmengbn.exe
        126⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Oalajbaa.exe
        
        C:\Windows\system32\Oalajbaa.exe
        127⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Oegmka32.exe
        
        C:\Windows\system32\Oegmka32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Pgeigm32.exe
        
        C:\Windows\system32\Pgeigm32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Pomahj32.exe
        
        C:\Windows\system32\Pomahj32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Pnpbdgpk.exe
        
        C:\Windows\system32\Pnpbdgpk.exe
        131⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 412
        132⤵
        Program crash
        
        PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fdbmgh32.dll

Filesize
7KB

MD5
6c4f8b39c3810ab60fb3f166a7ac097e

SHA1
ee62178869727015829083041e53c143c832f8e8

SHA256
df14f8e8a63d02ec0ea3f9671536493797d273e21e575b5c89c39e032f924555

SHA512
11db6bed374755d9e1d0030cc99e3da9f458504170ea2bb7033d86497b657a2ef282a3b485ddc2c6f5e08d573265b7cb38e56b9ec50cd4d3560c550607b3147f

Download Submit
C:\Windows\SysWOW64\Gamafc32.exe

Filesize
96KB

MD5
833bef959f4112cf96550f30f26fb84c

SHA1
46dc44ad25b4d9589886a4f2f29050d4312b90b6

SHA256
6caf81c564be7676bde3e5a6e2e6df8de5b9c2a2b16fe9750b06c03735d07fcd

SHA512
da4947eaae4855dfb84e0f62eac084a3db093fc34bf0dd29bd7010ed13ec4b097614fdbdacf82713347e9a4dd17ea667358d1058c98fc4bde59ee156ce4c3092

Download Submit
C:\Windows\SysWOW64\Gcgdgomh.exe

Filesize
96KB

MD5
9a94a26d9304ba983bc275d3ca429e61

SHA1
443ba3cfa81c65b79059cdc1b29d0727a57c1878

SHA256
9909297e81e32e0636e1035769d5b9fc1949faec6def8b508d95fb3bbac451ab

SHA512
5a58d1abf094d06a8ddc67d88545711aa066fe9a65456b79c4f31d6afc6b71b000be719a909a542cfade9823f7ef77377366f64881905a53d360d10d273d9700

Download Submit
C:\Windows\SysWOW64\Gcgdgomh.exe

Filesize
96KB

MD5
a864b562edfefb7c58c9fe7ba79f0e0c

SHA1
b648b8c03b7e1dd4722a17d5aa83de169d8b415d

SHA256
d31ea0b7b3061a1bc3d9021c4a8362120325fce2782800f508d86cd95b74d536

SHA512
ca32c2de0c2650f308d961abdb7bfbd5f3b64f6eaf0a1a0cecba94da013bac21c3b6327940a2f2e327fbb664cdfdc0378f5929a23f1992fdda2700ce6418c662

Download Submit
C:\Windows\SysWOW64\Gclnbn32.exe

Filesize
96KB

MD5
e3f5bf36633f5e779b50b4e60497cbb9

SHA1
0ffc6a6709926d036a8139ce53f35198ebbb59ed

SHA256
bec298fa95ef23208fa670104aca0dd05855e423cc3bba09067c518f38f1d12e

SHA512
f5f5ea358976de9c0e0ace9a484784a02428b4bdd8980b1e6c4f8d3fdda426bedc5663b4c1a6e660e2d9292e5b7c78d209f9e47b2a0c651f22090dd12826a738

Download Submit
C:\Windows\SysWOW64\Gfeqcjll.exe

Filesize
96KB

MD5
83c155c73f26af4900b4619f1d17baa6

SHA1
f46b206fd349f6003c7e376d931beeb1282476fc

SHA256
e39e2774b3206c95bbb22f9ad96ff782b2e4af9503e50daaeb8480690bf9a33f

SHA512
ec2b6b15656891fd1ec6e2cf84458f4dc45c7a622adab92c4433366b73686a181eba5ab753cdd02dbc5dfb8992c75ce1d93ec01b879726e4888f23281803cb0a

Download Submit
C:\Windows\SysWOW64\Gfhmijji.exe

Filesize
96KB

MD5
c271449e6683435f7c14bc6e27866244

SHA1
259a34a91a879c95f8cc871c79c10da662f9b8d7

SHA256
d19609e252b335606db84728c3b53f0ae18a27824008eb9656ae233dcfa5ec8b

SHA512
30772adc3ab5102b0cb9ba144b75ef145517e22cfb05ab65c169ca4ea345ba7e9700c7e115fe4aa8f0a5bdae1bc365206237b341efad980353229eafd5656cb3

Download Submit
C:\Windows\SysWOW64\Ggpcbngc.exe

Filesize
96KB

MD5
cc971538574341e1f6b7f07fc8113c45

SHA1
c094489c38b25c85a60e5f643ffeaad7a8599f7c

SHA256
2d79fbdb57c26c943a36aa0fbc6cf8ddd7fb59245a86844120bef9f6099be690

SHA512
300d6fa74572ceed4876894eebef2ee7d49b91cc13969149115bbefbd64fb39b38addad8f72e79f79de0d514c71e4a33da921296f5a36d2996d76ea441d97dc0

Download Submit
C:\Windows\SysWOW64\Gjopoifg.exe

Filesize
96KB

MD5
5515bfc224abb23c7fb3d72825524062

SHA1
e202fe3fc94d54bc0e488372ba9b8cf7c3ffe527

SHA256
42b4f496b8dac2751f9a17a01829dbd3e54188a8aeb924ac5c3275513d195126

SHA512
93135dd6d0bd710c5d8b09ab2c23d5a6af11a7f5080f028a504a7db8b93000d2ce46408028791dfba6aae6104387e5f6ac2e4e60c2f30874e865527e9516c763

Download Submit
C:\Windows\SysWOW64\Gmmlke32.exe

Filesize
96KB

MD5
f8492edf6cc8b0ac85fc227ffba64c8f

SHA1
fabb04df6572846087c614b2c2207a733d63bdc3

SHA256
85aea902533a30b3b6887d7311687c206821f073aa1c3d91cc33834555e0a48e

SHA512
e4b4d8773dafc9c2db41c1be3d0e16d70ace5c314211f302fba0169f9e495dc897cbe3ba235f257bda168b319b8bded635639a04a0b72ef58beca5bde5719678

Download Submit
C:\Windows\SysWOW64\Gmpipd32.exe

Filesize
96KB

MD5
14bfb6a5b3a664d6ce2f55637ee777e9

SHA1
001686137a04c02edf6c2edecad3ee4b7d8e04c6

SHA256
305a4fc6c0577e2ad8c3ad329c03e3ea1cb58d1134db8aa44f3c61aa929d3367

SHA512
7698f3d572a6eb99111b250bad0883549304f3c1899f56b81674589173c8841ae001550eab7ab561d3019537a21592a720794ff71de89ad414d9b80dd8e42f92

Download Submit
C:\Windows\SysWOW64\Gnoejgjk.exe

Filesize
96KB

MD5
662e5e6b1eababb9c783f65ddfe3add3

SHA1
4a5d502794ae419aac7206cd62a48f0356d23f4f

SHA256
8c8f6d6ed2440d850931446eae7cf1b8c5d1ad7206ff32ad51891c75dc955c05

SHA512
d5798911ef17403183c56c2b2f1c1218b99bc778439843fb2ba55a4c239df14442e578d532b139363689f15501448554dd9f0aeb1ac7d536f065f4fb95fb9308

Download Submit
C:\Windows\SysWOW64\Gpnelp32.exe

Filesize
96KB

MD5
056753782d76141d883c4383b0fc7462

SHA1
394aef7966093ab81dba94f29ac82cd627fcaf54

SHA256
8c0146615e037a24c2191501b29dfd9d2088909249297e1a3b480ee144e6b14f

SHA512
71cc4d2a0b2c28967df562bd90a22f40084869699f716af78b3d18b5c70fe5492cf2c0f77878bb2a55a587d90e9b46dd21e776b851616dd73edf90a1a568a327

Download Submit
C:\Windows\SysWOW64\Hadggbcg.exe

Filesize
96KB

MD5
80d7828873d1f8cb16872f27b228e490

SHA1
6a4d514a03a79ce7d79f6032332f0aa61389d5fb

SHA256
e05527a6a278d05a214d8410e32bddd278f0634a011c473bcd9918f1ab6b78f0

SHA512
dc5627be370a9ead884131f97933594b12509b03d89c516999f1f284e36110d251299537ff8ce3b42e6d318c2e0fcd5f11b794b72b8db644a038b7e61ac3a00a

Download Submit
C:\Windows\SysWOW64\Hapnlb32.exe

Filesize
96KB

MD5
2268da49d9eb315f453299f752401239

SHA1
5287af6c3cab19226e66fa39eae2043718ced766

SHA256
89c151fd58d5e5a3ee418da9497066e4f69b747b82a2e61e920c51dadd68e93b

SHA512
b7e184824af824d9f26f45c576d25801d998668345335849dea65b4d4c04070a3fe3bb7dd354a1b225710e37b1655a956b4dfd31dc1bdcda0608c7ed2ffb8ba4

Download Submit
C:\Windows\SysWOW64\Hcnjhn32.exe

Filesize
96KB

MD5
9132332735aae0decb983d63dd5d7b7f

SHA1
4c5a5a0e8a0251a9027af5662e683f59e9285a61

SHA256
bc2faa9a373b143cb1f5ce98e8716acb36ec61e27a3f8c0cac1e49093b04afcc

SHA512
b98dca71112fb5c9648cd0e79886edcf8fb6be9fb771bb0df127acf85f737cda6b867b619ee422b0702ee83c650636d1f44d48d547f142c56359916afb8f64cc

Download Submit
C:\Windows\SysWOW64\Hdeqimqh.exe

Filesize
96KB

MD5
6eadae31b4f34221a09a458608dc54e7

SHA1
aebb14418628f90925d707d53498878dc5defd90

SHA256
b4fc85cba9c3388d4f2a82eeb89230c7b0ff7f67a8bbd2d7e39cc1a7f94bcb24

SHA512
73578175f25ec761db0e8bc28386261fe8299578f951b2ae9ab67d8ce1cfa21a1a036bc3289c8054335d4eeb6353e0e1d3e7c9496d1ec7cd3ea0de3a6ac87593

Download Submit
C:\Windows\SysWOW64\Hfapoian.exe

Filesize
96KB

MD5
cbabe09955992816f983ab301d0b1287

SHA1
be2e3fe8e9d30b718ee295b1d332115c48cb7334

SHA256
5bc9c7b24025337830488b95a43da16b1b9374cfc3df29554f6a3d0374ecde50

SHA512
b53875bbc86af116ab459bbb5743d5d72d5b58a8e579c269f73a734254aeed7ede5c36d370f2505e74e605545c5db6f6c69e4c8bfae4ee953336060cfdb4e20f

Download Submit
C:\Windows\SysWOW64\Hfcmeh32.exe

Filesize
96KB

MD5
33dd8820e9160b182ddc0b87a330578c

SHA1
a6233e0de9d9a4786d40e83c631db3e4e423fdd4

SHA256
f448a620c154a566eed83aa5f5d71384bafae55b0329034f47ae12cde9b2db39

SHA512
fd5c0f4f4e777ee9c886d388b160b4ff498b0e77387e64d9a07956cff2ce0b0b7bfe842dddb2570f3694e03519f3203c264176ac7776f50fef7b5907207ddd6c

Download Submit
C:\Windows\SysWOW64\Hfjjoj32.exe

Filesize
96KB

MD5
4f0aa3fafb83d95a4cbadfe47f394712

SHA1
956c7fe39b134dc06fd1bdfd2f42209a89d15bd4

SHA256
7868f1102f81eeff41ebeb5c511380969f406d2dd98a4600bff1597fb91c2b90

SHA512
a666148663e19a5d953dbffd00acbd97499e1dadf35e4539cb2c2b3bd3bebd044297001b8fc8d2b2c4589d0ddea12346b306bb96d105527d1a67a79cdb1eed50

Download Submit
C:\Windows\SysWOW64\Hfmgdi32.exe

Filesize
96KB

MD5
f5b9120e0e495e3ea2dcbfcce1142b25

SHA1
0015b3a4dcf1566dcd2c7592915a8a17e5c4dbb8

SHA256
8d986240a9e2d3e6d63be5a9cd59bf6a18dbce3d975e6189477740e7f347ef26

SHA512
def54ba3c872087a20ad8357917a9eaee9bb3d498e8d5ba7dc6a3676ef635aa00a4a56f3cebd95fda3c8cf2b20ab0938e60ae7dc15e2777a77a8b72af8e0c98c

Download Submit
C:\Windows\SysWOW64\Hhlcnl32.exe

Filesize
96KB

MD5
815249a2c00a5ad34c2d69e384262a29

SHA1
5d3cc32c7f42720934d01dc72423dbc6b886dfe1

SHA256
eb02b55ad0e6f22a51aa776d319403650b3833db4cf2aa12aef818e20ec9e976

SHA512
88f623b4773fa8d6f2b54856ba6091da2c100fade48579883e607cb0e0e9c2828dd841a61398861485e672a08fe5e1b1bffc048ae2c81d57f817a326506de831

Download Submit
C:\Windows\SysWOW64\Hjjojh32.exe

Filesize
96KB

MD5
42d3d6d6cf79efd2900d5cd5fea77c27

SHA1
d55d2bfeb9491b61799267a3ebb01dac23bb610f

SHA256
a729708842c120503eb72440bd7ff26c1f3295ab49e7949ff6994e78c028e788

SHA512
252bf45967dec06a7dbef05361e9cd22228e2f3ca2c47378198b60cc26601d5c742afb305791a8d2c227b37cd431a79242ab85dccd8f3ce97f95d002840a0b3f

Download Submit
C:\Windows\SysWOW64\Hmkhlc32.exe

Filesize
96KB

MD5
c7b488a960307856731e0a8ca40e1679

SHA1
24c70656fae9d0833a4f20084d89362549b8b457

SHA256
5dcf8d70f57cd0b7fd47f652a0f622000aeddec9b4dd81f33faaf3d17affa9b6

SHA512
9354227883c2cb921daf7e0733cc22b79fc570a532d28340cd673f8d2323786b262089f35497b862fdeecc8c58a38c8b79b966563600a6bb4d50ec3cedd449da

Download Submit
C:\Windows\SysWOW64\Hnabpg32.exe

Filesize
96KB

MD5
75a8c3a4a08d02137cf3625dd8a2215a

SHA1
1b9729d3bf616295e98204a262f3c1f98160abb8

SHA256
3e7530aabca350fd417b123cd10b42fe160a82d235dfd3fde5429248d06ac9d7

SHA512
3ed9857d05fa775b34b3f801e99431e1e74c2137c65395a73f6b621cc2a09256327d71198e3f28018f1c806444c64041c7180c6c12b904932b4a7953a71ee273

Download Submit
C:\Windows\SysWOW64\Hndoeg32.exe

Filesize
96KB

MD5
bbf30ce5670a518127903090ea060bf4

SHA1
3153d09c70472c3b060eae2346465dd72af71a3d

SHA256
8e2efd30ef55705b29b1371c8f49e8658279850411a8ab6ffbf89d18f4a74497

SHA512
7057bf03b0db2dbc86dde8ace8b7e725f69a4b389a70ee18d94ffc5508ea2f28ac86db0ee4874247be20e3a4c9456b8dc535b65379adaf4d6542160b2ef21abb

Download Submit
C:\Windows\SysWOW64\Hnkeff32.exe

Filesize
96KB

MD5
2acbf9cd38432a94e60eeb8a59294142

SHA1
1ffae0f003c25ab9065c1316602704c407ba3e19

SHA256
fd5521668edfc7244c9398a8c271a12ecbb6a3b14e2ea9e1458560696ade5be8

SHA512
f7a6bd5a1c27f54cc0c494b7bcad88739778ab495812d3b83c6d0ee1d27718e375b808b54c50f37f40d8be025c15a0b472e38a314f729987cf962d5ac2c57857

Download Submit
C:\Windows\SysWOW64\Hpekmold.exe

Filesize
96KB

MD5
60cd868d14aa2d94866cca0dd813a131

SHA1
33efbbef56492ac483a55a79b5fda1a9b3ed3259

SHA256
6e4101ba6eafd32ae03688b95231b38ffdbec63541f811a42defcea4447b6d62

SHA512
28b24d91f41043b28b05e7448bc546efe0f0fda7bffdc634947ef54b5ca6d74a2cc74a585fbeb29cfcde181870dbf3fe5f1f825de2425eb7740fde83b7252478

Download Submit
C:\Windows\SysWOW64\Hplannfl.exe

Filesize
96KB

MD5
1b8a0f846cb93e155ea53612f3b73589

SHA1
3808890c87e26fd7787040e7bd58ffbaf58e65b4

SHA256
bc457310049c2ccce4c5fb5ab93c248801ece6c60acb42bccca981a8275f5102

SHA512
6bcc6549269f5623f8bf46b603a8a6b630868c427006b7fbab08d0087359cc4dd07b2d2a1439f8442f3b411275473854745cd59ec63e13083a103c5a8d8d5c3a

Download Submit
C:\Windows\SysWOW64\Iaeqnp32.exe

Filesize
96KB

MD5
2f49a599b55f6bd8a1c6bb29f367c9a3

SHA1
782dcc50550a56e9bf15184d586a7156f3311d21

SHA256
8ca011f1badeefb1966fe386958eab0342a4371d899160ee1f694a5571bb06fc

SHA512
d3b54e04e2c34c5389945c72ed5a3f7b61680f7887293abea1152ca99eb6165395328e68cc3c52afe864ba5cb8bc245cdaf33ebbde5501dfa16ad9910fc62e2c

Download Submit
C:\Windows\SysWOW64\Iffijh32.exe

Filesize
96KB

MD5
cd05b2b4dd532f751d6094263d2c165d

SHA1
2c44c87e02003b5a14274a102fd5c4ba9a007838

SHA256
020b1d98a9d4778a94b8f5eefd62347b084b539149328d1918f8cbad414d66ed

SHA512
89ca6fc62045c043103675a21bfca5f14817c333e286d75fb1e01ff183da6371766d21f8d8dba746d7b00fb132036cb4cf9c2f6249cb5e6e90efbc046893e34e

Download Submit
C:\Windows\SysWOW64\Ihefdk32.exe

Filesize
96KB

MD5
07a763d7be1afb9f8bdb881e4725f77c

SHA1
037c6c70dc801279bfb171a2d746830e128cbef3

SHA256
002c6f62ec7cc0dfc9f1f9ff42b6e5b1d3573ede0853efe92a6ee3c2cad7cae2

SHA512
c07a183fb451efb841149b1d8a623be53092f7fc8c0a65da9bc62fa7360de4089d4691247568da4965a1938b4b0b758e58512481a9a90d91ae298a4481f3c5ee

Download Submit
C:\Windows\SysWOW64\Ijdbqf32.exe

Filesize
96KB

MD5
bead711aeb66da75f98a43603ae7291d

SHA1
f885c31146e43258f4bdee02e37f48ce3197e56a

SHA256
76ba719c4152210b3cdfcd77cbf92be45b9efccd0584b3816a205de48847cf19

SHA512
cab91dd7ef4f573152470bdfc712c2bcbabb569b1d77b9829d1566946b2a6ab0eef398f6e0541b9d7a453c9705da7295308adfa2bace9cc7fdab85f4b0dcdd88

Download Submit
C:\Windows\SysWOW64\Impagbef.exe

Filesize
96KB

MD5
30bab6aa4ff1e90a433ae4b084265fc8

SHA1
2be05e3618b70fbf8717c75bd3c67070d8d6f485

SHA256
17ad9f634f955be5072889a86fe989799d4264ddb748b172e585adedf50de7b3

SHA512
28c2a07b37549b31994b495576d82409768c3de33314cd9b992c534cc0b49ebe0a312d7e686bf561707ef53ab5e60cbb7bab61c5576a0ccf68af7718e61900de

Download Submit
C:\Windows\SysWOW64\Ipnncndi.exe

Filesize
96KB

MD5
c4d40c77c398ebda4b4fb1226ff568c7

SHA1
549f7de8847b56fc47e8d13c72a4f9783a1389aa

SHA256
9915fb8760fe50aeebc10d4b35f8beec7968ba035162787b6a10cf494f8a3144

SHA512
af6c279e103943949cc2d82cc756551cdb5e1868e0d90edf3b66bc8fa0273182df1847de4e5f75e04db3328e6f0c881d0dd4e6ce2301712572557708daec4fe4

Download Submit
C:\Windows\SysWOW64\Kpfmkj32.exe

Filesize
96KB

MD5
3479c5855842c08d25067c9c8ddf69a3

SHA1
b6a81df12cf9333693f067720ecc6d53cd05da89

SHA256
243c60f403378ab66987119cbf9244e590f13783ff2513cd343eba2d3a2c8b38

SHA512
fbfe55c3e191aa5eb81f70149e9451f0592fe265532e5feaebec0968bfc0c55db2adba602cbee0fdb1ec036ffcf6cc35529543f1429ff077959cb39418278162

Download Submit
C:\Windows\SysWOW64\Kpjffjli.exe

Filesize
96KB

MD5
a6f96576f4d370b5a0c1e3777d3f4959

SHA1
59947657de5432c43fd943ddd9339e5e0c078e71

SHA256
6d6c206de004e97b85eedaea65b4a8ff1e147140c7501841d1d129f8f557f5d0

SHA512
40b37eb45089c6f5754e755ec18fe78d4981e51012852c8b093c288f1770b611eabad35919cd33d17cfabf9cffab1301a296cb39387c8d9856850e3b15abc1b5

Download Submit
C:\Windows\SysWOW64\Kpmckijg.exe

Filesize
96KB

MD5
f61a687869b48387d9cc53bb873c3615

SHA1
231a75d458f4942c776d3612968799e7e84169a6

SHA256
dca0d7cd01b9aac95f4713ce6a718b8f83d42a78737b345a38301796178a69a5

SHA512
66794d3ed59ec7f871f88900a782428247e073a4933ab55766a3b5e185ee61c2e27b0ec2e4d77b267a9fefcd9c534495381e33197fe17d831f5a4c8ec4aa8f44

Download Submit
C:\Windows\SysWOW64\Lgihncoa.exe

Filesize
96KB

MD5
9fb8f399e2a787754530b4f360afca6d

SHA1
7ed5e379b81edc9438c1f3c429710590bc624c42

SHA256
78f7739effda8610a38c55508e0618a616ed577ab4fbef7044b0a9e468776812

SHA512
5f6dd7eab8789bf3815bc1f0711e2fd8a7dd3167f0cef3aca72ad21ece19573c7f155579a6ddbb5caeba14d5afc35ce2e2f64d8a375210f16a8707ad62f6bda9

Download Submit
C:\Windows\SysWOW64\Majlgj32.exe

Filesize
96KB

MD5
5322061f4bf4e96d647106d4fe2d9968

SHA1
f583a51ff9d65f79ad82176ed21ed3ed099dccd9

SHA256
b613321d3e412fee83bbf4c419788f698bfcffa550a3fcad9fe9b53fbef5b733

SHA512
965e5149aac6a877538a90c6e40aba7db5274ce9253a73d6f1c31b1ced8a4a11f58687ba4c36cc7e3eab36a2442cf8cdb7f57189a8e619bca3c3c02ec4850725

Download Submit
C:\Windows\SysWOW64\Mamhlj32.exe

Filesize
96KB

MD5
aea06c7b0e8990d7929ecac53fc79275

SHA1
7c2586280fd2e0ea710b9cbb1bc3fc181310293c

SHA256
d738947522f4641ce7c4654ed77c42285468a390107367016a67b29c2cb324ca

SHA512
10d764d9fe09c2ebb9d7c3a42b7155302d2d85a76ba8608d6f3a714e3ed96631fd770c4f5f4fb97ec5aab369d5df4cd9d74d658d23430d261f7bf7d75c876c6b

Download Submit
C:\Windows\SysWOW64\Mkjfpo32.exe

Filesize
96KB

MD5
f92af7a281d9a4477dde6924fb4d4ad9

SHA1
43ef1225e2c3bf934c5d935b658822d13458caa6

SHA256
6a288b67e3b983062e8e0ad229af82795c79cbc0bd655d18f8085ad1586c55d4

SHA512
ecc66cdf972afef3753de9e246b0736e37e9052992b81c74d679b93f9a8abb40d074d976ff23c3874f7f92350ad2acfd0a64e4430db55fb67ce1bc991d18d6c7

Download Submit
C:\Windows\SysWOW64\Mnffgk32.exe

Filesize
96KB

MD5
c9c56ebd19dee47e30212e02cfaa4fef

SHA1
d5c86eeaeecf40007b4b5d3f024b719a86e3107f

SHA256
f2b5dedf56d9dd3a6af266858787a7b9042d4628401f876dcdbef3730393bff4

SHA512
9c9cc6bf98844a2ce4957407f5837072da41dfbd0318b67861c93ce0f1d9d644c41bc0a66b7dd7c459e4e50e6a9fe8897e3fb9fd1413cfebff75f36c54320274

Download Submit
C:\Windows\SysWOW64\Nhemjb32.exe

Filesize
96KB

MD5
608c542d1ee3b6b4f720cf4423c5ea6c

SHA1
cbf82e0948712542ddd635a9b95fa3a4fa40270d

SHA256
fe26341c66e6fd422360cc912c71a4edeae4b60f89444a6d964c5d0b8582c52e

SHA512
c767830616f2baea55b0d6919429599cce460f694f8fad931582696ada8dc3f0753c6d7fee1ca4aaeaf83953c67bd311be123871627cd5e845c3a326cf149698

Download Submit
C:\Windows\SysWOW64\Nnjobjbc.exe

Filesize
96KB

MD5
8061b24b9da68c837e0f4f06cc4d8fc4

SHA1
25a8842e53e94a8c6af038326986e579136f753d

SHA256
0f9495c33f6540b1b97c9f7ebeb916642e7d6538711699048356c51874bd11a7

SHA512
0e60edfaa01679c4aa841915333d13a79a2bfac6fec92538d2ffbb3fab40fb8dc0095fa522f71278ed4a91dd5cf2712bcd56121117212cb0eaf625d6c0a3b2a5

Download Submit
C:\Windows\SysWOW64\Nojllm32.exe

Filesize
96KB

MD5
cc3430e49da74ef158b3ea0178197bb3

SHA1
61974d3656527a8641da66f32fa2657edbbaaf97

SHA256
cbc0f4ff57e602399f4a37a54346eee88dedd50db8493bbf86117f4665997fea

SHA512
eb686c19ad2afc24dabecf706871aeb3924d910e2c1f56f3191f13e0e9a0b88a228f0e66b0beecbfe7f4b3428ee43c5727d6926982fce49280d8b422ff4f2d81

Download Submit
C:\Windows\SysWOW64\Obfdifli.exe

Filesize
96KB

MD5
48be5cb855a4c85f576b5e10ba991f94

SHA1
2a807cdd3370e00c2a3c7c84de520bb0c9868d73

SHA256
fd1c1024612f45089e2e5c51bde288b11e81204d2cfa9424d3d12921188b0ba7

SHA512
e3826c521157d473fc5aa0737e2f558f1b9893947768149e222f5ac392712c4e44e526b09fa12353436f0e521e73ad0bf3914d5dafc0698dba6e7f41b6e78ca1

Download Submit
C:\Windows\SysWOW64\Oglgan32.exe

Filesize
96KB

MD5
a660e20253a6493a2b7ef587e0a49eb7

SHA1
6f4032c9b8af0c2d3c3723a5058f6c8986034006

SHA256
2518ec78db8fb844e5da7678e23999e8aea289d4d4c7f3f04f0b9d585f982182

SHA512
51ed53269db935b692bd7814cb418e33d4008a02fb072c4c9e6d6814d23b67ce6ba4070354873a50f896e0b12aff77398c9168f02e53b0e44bc9c10bd3db3ff7

Download Submit
C:\Windows\SysWOW64\Oilcka32.exe

Filesize
96KB

MD5
6a8fbb47a75c07a74904609f5aad0a14

SHA1
e677e88de0f75be21ad41525f621b09d1ee49596

SHA256
e1c5f415afd3a7c9465419ea1f35a680846fe2a37ca57dcbc0d65e7b92130484

SHA512
53e638c53d3d2c32f3036c01f8d663be1d1d58bdb530ac5197001a09b1ac2065c84ac3ad4cee4a818491ae2af10e6b880164024a03cfa24804e5b3e039827408

Download Submit
memory/448-374-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1304-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1408-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1876-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2460-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2648-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2788-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4636-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5140-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5188-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5224-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5232-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5296-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5424-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5428-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5496-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5520-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5556-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5564-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5624-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5636-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5752-459-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5760-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5768-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5784-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6000-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6068-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6076-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6080-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6120-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6120-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6124-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6132-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6132-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads