dd5257e4ef79dc184005efb9aa7d82dd64c1ec84a59235557299a78b987388b5

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fb2ef13761bc2203f5ee1541ccbb3b0.exe
Size

192KB
MD5

3fb2ef13761bc2203f5ee1541ccbb3b0
SHA1

b9371f1315f169d5be34138016a3a3609eaca52b
SHA256

dd5257e4ef79dc184005efb9aa7d82dd64c1ec84a59235557299a78b987388b5
SHA512

91f6605200906a2c6b17f1af46f32a6f0ba13a6324c4081417eab907823301c2a3a1cd87b9b4879e4c46f080ffae6827589a2c325e3cd908c62928cbed1c96de
SSDEEP

3072:SptrMbR+cxnfLMCL3FQo7fnEBctcp/+wreVism:S/ERrfxL3FF7fPtcsw6U1

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeocna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcclncbh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onocomdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckcgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hebcao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bldgoeog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmfkhmdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkfcqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abhqefpg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdpnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fecadghc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kadpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhenai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eomffaag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3fb2ef13761bc2203f5ee1541ccbb3b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnpaec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmnpfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggfglb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcibca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdpnda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aagdnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egegjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnojho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acppddig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3fb2ef13761bc2203f5ee1541ccbb3b0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbihjifh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhfpbpdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keifdpif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbepme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajmmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe

Executes dropped EXE 64 IoCs

pid	Process
1364	Mmfkhmdi.exe
3964	Nnojho32.exe
3560	Nflkbanj.exe
4452	Ogcnmc32.exe
4196	Onocomdo.exe
3604	Ogjdmbil.exe
1224	Ppjbmc32.exe
4368	Palklf32.exe
396	Pdmdnadc.exe
3656	Akkffkhk.exe
2272	Agdcpkll.exe
1864	Ahfmpnql.exe
1540	Bgnffj32.exe
3012	Bogkmgba.exe
4444	Bahdob32.exe
2564	Cgifbhid.exe
1780	Dpiplm32.exe
3152	Dgeenfog.exe
3752	Ebaplnie.exe
3952	Ebdlangb.exe
4284	Ebifmm32.exe
988	Eomffaag.exe
4680	Fkfcqb32.exe
4400	Fecadghc.exe
4872	Ggfglb32.exe
1100	Hpfbcn32.exe
4656	Hbihjifh.exe
4720	Hhfpbpdo.exe
4576	Hldiinke.exe
5084	Hemmac32.exe
1112	Ieojgc32.exe
3792	Ilkoim32.exe
4068	Ipihpkkd.exe
4952	Iajdgcab.exe
2676	Ibjqaf32.exe
1952	Jppnpjel.exe
1972	Jpbjfjci.exe
4736	Jeocna32.exe
3688	Jbepme32.exe
4988	Khbiello.exe
1256	Keifdpif.exe
1440	Kekbjo32.exe
2716	Kcoccc32.exe
4028	Kadpdp32.exe
1004	Lcclncbh.exe
4592	Lhqefjpo.exe
2404	Laiipofp.exe
4384	Lhenai32.exe
1836	Lckboblp.exe
2064	Lcmodajm.exe
4976	Mablfnne.exe
3376	Mfpell32.exe
2984	Mjnnbk32.exe
2012	Mhckcgpj.exe
3552	Nblolm32.exe
3728	Nfihbk32.exe
64	Nfnamjhk.exe
4748	Nofefp32.exe
3352	Ofckhj32.exe
3172	Oqhoeb32.exe
3204	Oiccje32.exe
4428	Ojhiogdd.exe
4896	Pjjfdfbb.exe
744	Ppgomnai.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofckhj32.exe	Nofefp32.exe
File created	C:\Windows\SysWOW64\Oedlic32.dll	Hkmlnimb.exe
File created	C:\Windows\SysWOW64\Aahgec32.dll	Bfjllnnm.exe
File created	C:\Windows\SysWOW64\Kjiqkhgo.dll	Ilkoim32.exe
File created	C:\Windows\SysWOW64\Heffebak.dll	Ipihpkkd.exe
File created	C:\Windows\SysWOW64\Cbccbiml.dll	Ddcogo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnojho32.exe	Mmfkhmdi.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Nbjnhape.dll	Hhfpbpdo.exe
File created	C:\Windows\SysWOW64\Dapijd32.dll	Poidhg32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dmnpfd32.exe
File created	C:\Windows\SysWOW64\Nhoped32.dll	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Nblolm32.exe	Mhckcgpj.exe
File created	C:\Windows\SysWOW64\Ajdbac32.exe	Aidehpea.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Fdpnda32.exe	Fkgillpj.exe
File created	C:\Windows\SysWOW64\Ladlqj32.dll	Cekhihig.exe
File created	C:\Windows\SysWOW64\Jpbjfjci.exe	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Kahinkaf.exe	Jhoeef32.exe
File opened for modification	C:\Windows\SysWOW64\Memalfcb.exe	Mociol32.exe
File opened for modification	C:\Windows\SysWOW64\Apngjd32.exe	Apimodmh.exe
File opened for modification	C:\Windows\SysWOW64\Amikgpcc.exe	Aabkbono.exe
File created	C:\Windows\SysWOW64\Fegbnohh.dll	Lckboblp.exe
File created	C:\Windows\SysWOW64\Icifhjkc.dll	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Kkegbpca.exe	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Bhalpn32.dll	Mhiabbdi.exe
File opened for modification	C:\Windows\SysWOW64\Poidhg32.exe	Odjmdocp.exe
File created	C:\Windows\SysWOW64\Fkfcqb32.exe	Eomffaag.exe
File created	C:\Windows\SysWOW64\Bgnffj32.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Anjcohke.dll	Jbepme32.exe
File opened for modification	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bfaigclq.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Lmgglf32.dll	Ibpgqa32.exe
File created	C:\Windows\SysWOW64\Alkeifga.exe	Aealll32.exe
File created	C:\Windows\SysWOW64\Ibnoch32.dll	Bbcignbo.exe
File created	C:\Windows\SysWOW64\Jencdebl.dll	3fb2ef13761bc2203f5ee1541ccbb3b0.exe
File opened for modification	C:\Windows\SysWOW64\Apimodmh.exe	Alkeifga.exe
File opened for modification	C:\Windows\SysWOW64\Jppnpjel.exe	Ibjqaf32.exe
File created	C:\Windows\SysWOW64\Mhckcgpj.exe	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Ppkjigdd.dll	Fggdpnkf.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Fjinnekj.dll	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Gnfooe32.exe	Gnohnffc.exe
File created	C:\Windows\SysWOW64\Aeopfl32.exe	Pkabbgol.exe
File opened for modification	C:\Windows\SysWOW64\Lcmodajm.exe	Lckboblp.exe
File created	C:\Windows\SysWOW64\Fbbojb32.dll	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Pkoemhao.exe	Poidhg32.exe
File created	C:\Windows\SysWOW64\Mdphmfph.dll	Bldgoeog.exe
File created	C:\Windows\SysWOW64\Gpngef32.dll	Ddqbbo32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhoeb32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Fefmmcgh.dll	Oqhoeb32.exe
File created	C:\Windows\SysWOW64\Ciddcagg.dll	Hbiapb32.exe
File opened for modification	C:\Windows\SysWOW64\Khdoqefq.exe	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Jpbjfjci.exe	Jppnpjel.exe
File created	C:\Windows\SysWOW64\Inmalg32.dll	Pjaleemj.exe
File created	C:\Windows\SysWOW64\Cdghfg32.dll	Mociol32.exe
File created	C:\Windows\SysWOW64\Bbcignbo.exe	Bliajd32.exe
File created	C:\Windows\SysWOW64\Fcokoohi.dll	Nnojho32.exe
File opened for modification	C:\Windows\SysWOW64\Cpnpqakp.exe	Cidgdg32.exe
File created	C:\Windows\SysWOW64\Ddmhhd32.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Dnngpj32.exe
File created	C:\Windows\SysWOW64\Fpiedd32.dll	Fdpnda32.exe
File created	C:\Windows\SysWOW64\Klmnkdal.exe	Kahinkaf.exe
File opened for modification	C:\Windows\SysWOW64\Bbcignbo.exe	Bliajd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6228	6988	WerFault.exe	248

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fecadghc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll"	Ddmhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Binhnomg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pehjfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdogqi32.dll"	Apimodmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleqaiga.dll"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcaaeme.dll"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggfglb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbjnhape.dll"	Hhfpbpdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdnelpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hemmac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieojgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfaml32.dll"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebdlangb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kadpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbngnmk.dll"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3fb2ef13761bc2203f5ee1541ccbb3b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hldiinke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipgkfab.dll"	Mablfnne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cekhihig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmmpa32.dll"	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcibca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahgec32.dll"	Bfjllnnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiipk32.dll"	Ciiaogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhkmbmp.dll"	Nflkbanj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkfcqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icifhjkc.dll"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mejcig32.dll"	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpnpqakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defgao32.dll"	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghiiea.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnjmilq.dll"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3fb2ef13761bc2203f5ee1541ccbb3b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iajmmm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 1364	4292	3fb2ef13761bc2203f5ee1541ccbb3b0.exe	90
PID 4292 wrote to memory of 1364	4292	3fb2ef13761bc2203f5ee1541ccbb3b0.exe	90
PID 4292 wrote to memory of 1364	4292	3fb2ef13761bc2203f5ee1541ccbb3b0.exe	90
PID 1364 wrote to memory of 3964	1364	Mmfkhmdi.exe	91
PID 1364 wrote to memory of 3964	1364	Mmfkhmdi.exe	91
PID 1364 wrote to memory of 3964	1364	Mmfkhmdi.exe	91
PID 3964 wrote to memory of 3560	3964	Nnojho32.exe	92
PID 3964 wrote to memory of 3560	3964	Nnojho32.exe	92
PID 3964 wrote to memory of 3560	3964	Nnojho32.exe	92
PID 3560 wrote to memory of 4452	3560	Nflkbanj.exe	93
PID 3560 wrote to memory of 4452	3560	Nflkbanj.exe	93
PID 3560 wrote to memory of 4452	3560	Nflkbanj.exe	93
PID 4452 wrote to memory of 4196	4452	Ogcnmc32.exe	94
PID 4452 wrote to memory of 4196	4452	Ogcnmc32.exe	94
PID 4452 wrote to memory of 4196	4452	Ogcnmc32.exe	94
PID 4196 wrote to memory of 3604	4196	Onocomdo.exe	95
PID 4196 wrote to memory of 3604	4196	Onocomdo.exe	95
PID 4196 wrote to memory of 3604	4196	Onocomdo.exe	95
PID 3604 wrote to memory of 1224	3604	Ogjdmbil.exe	96
PID 3604 wrote to memory of 1224	3604	Ogjdmbil.exe	96
PID 3604 wrote to memory of 1224	3604	Ogjdmbil.exe	96
PID 1224 wrote to memory of 4368	1224	Ppjbmc32.exe	97
PID 1224 wrote to memory of 4368	1224	Ppjbmc32.exe	97
PID 1224 wrote to memory of 4368	1224	Ppjbmc32.exe	97
PID 4368 wrote to memory of 396	4368	Palklf32.exe	98
PID 4368 wrote to memory of 396	4368	Palklf32.exe	98
PID 4368 wrote to memory of 396	4368	Palklf32.exe	98
PID 396 wrote to memory of 3656	396	Pdmdnadc.exe	99
PID 396 wrote to memory of 3656	396	Pdmdnadc.exe	99
PID 396 wrote to memory of 3656	396	Pdmdnadc.exe	99
PID 3656 wrote to memory of 2272	3656	Akkffkhk.exe	100
PID 3656 wrote to memory of 2272	3656	Akkffkhk.exe	100
PID 3656 wrote to memory of 2272	3656	Akkffkhk.exe	100
PID 2272 wrote to memory of 1864	2272	Agdcpkll.exe	101
PID 2272 wrote to memory of 1864	2272	Agdcpkll.exe	101
PID 2272 wrote to memory of 1864	2272	Agdcpkll.exe	101
PID 1864 wrote to memory of 1540	1864	Ahfmpnql.exe	102
PID 1864 wrote to memory of 1540	1864	Ahfmpnql.exe	102
PID 1864 wrote to memory of 1540	1864	Ahfmpnql.exe	102
PID 1540 wrote to memory of 3012	1540	Bgnffj32.exe	103
PID 1540 wrote to memory of 3012	1540	Bgnffj32.exe	103
PID 1540 wrote to memory of 3012	1540	Bgnffj32.exe	103
PID 3012 wrote to memory of 4444	3012	Bogkmgba.exe	104
PID 3012 wrote to memory of 4444	3012	Bogkmgba.exe	104
PID 3012 wrote to memory of 4444	3012	Bogkmgba.exe	104
PID 4444 wrote to memory of 2564	4444	Bahdob32.exe	105
PID 4444 wrote to memory of 2564	4444	Bahdob32.exe	105
PID 4444 wrote to memory of 2564	4444	Bahdob32.exe	105
PID 2564 wrote to memory of 1780	2564	Cgifbhid.exe	106
PID 2564 wrote to memory of 1780	2564	Cgifbhid.exe	106
PID 2564 wrote to memory of 1780	2564	Cgifbhid.exe	106
PID 1780 wrote to memory of 3152	1780	Dpiplm32.exe	107
PID 1780 wrote to memory of 3152	1780	Dpiplm32.exe	107
PID 1780 wrote to memory of 3152	1780	Dpiplm32.exe	107
PID 3152 wrote to memory of 3752	3152	Dgeenfog.exe	108
PID 3152 wrote to memory of 3752	3152	Dgeenfog.exe	108
PID 3152 wrote to memory of 3752	3152	Dgeenfog.exe	108
PID 3752 wrote to memory of 3952	3752	Ebaplnie.exe	109
PID 3752 wrote to memory of 3952	3752	Ebaplnie.exe	109
PID 3752 wrote to memory of 3952	3752	Ebaplnie.exe	109
PID 3952 wrote to memory of 4284	3952	Ebdlangb.exe	110
PID 3952 wrote to memory of 4284	3952	Ebdlangb.exe	110
PID 3952 wrote to memory of 4284	3952	Ebdlangb.exe	110
PID 4284 wrote to memory of 988	4284	Ebifmm32.exe	111

C:\Users\Admin\AppData\Local\Temp\3fb2ef13761bc2203f5ee1541ccbb3b0.exe
"C:\Users\Admin\AppData\Local\Temp\3fb2ef13761bc2203f5ee1541ccbb3b0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\SysWOW64\Mmfkhmdi.exe
  C:\Windows\system32\Mmfkhmdi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\Nnojho32.exe
    C:\Windows\system32\Nnojho32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\SysWOW64\Nflkbanj.exe
      C:\Windows\system32\Nflkbanj.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ggfglb32.exe
        
        C:\Windows\system32\Ggfglb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        27⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Hhfpbpdo.exe
        
        C:\Windows\system32\Hhfpbpdo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Hldiinke.exe
        
        C:\Windows\system32\Hldiinke.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Hemmac32.exe
        
        C:\Windows\system32\Hemmac32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        35⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Jeocna32.exe
        
        C:\Windows\system32\Jeocna32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        41⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        43⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        44⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Lhqefjpo.exe
        
        C:\Windows\system32\Lhqefjpo.exe
        47⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        48⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        51⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Mablfnne.exe
        
        C:\Windows\system32\Mablfnne.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        56⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        58⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Ofckhj32.exe
        
        C:\Windows\system32\Ofckhj32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        62⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        63⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        65⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        66⤵
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Aabkbono.exe
        
        C:\Windows\system32\Aabkbono.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2688
        
        C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4376
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1816
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2124
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        75⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        76⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        77⤵
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        79⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        80⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        81⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        82⤵
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        83⤵
        
        PID:460
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        84⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Dcibca32.exe
        
        C:\Windows\system32\Dcibca32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Dnngpj32.exe
        
        C:\Windows\system32\Dnngpj32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        87⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Ddmhhd32.exe
        
        C:\Windows\system32\Ddmhhd32.exe
        88⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Fggdpnkf.exe
        
        C:\Windows\system32\Fggdpnkf.exe
        90⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        91⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Fkgillpj.exe
        
        C:\Windows\system32\Fkgillpj.exe
        92⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Fdpnda32.exe
        
        C:\Windows\system32\Fdpnda32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Fbfkceca.exe
        
        C:\Windows\system32\Fbfkceca.exe
        94⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        95⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Gnfooe32.exe
        
        C:\Windows\system32\Gnfooe32.exe
        96⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Hebcao32.exe
        
        C:\Windows\system32\Hebcao32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Hkmlnimb.exe
        
        C:\Windows\system32\Hkmlnimb.exe
        98⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Hbiapb32.exe
        
        C:\Windows\system32\Hbiapb32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Hghfnioq.exe
        
        C:\Windows\system32\Hghfnioq.exe
        102⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        103⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Ibpgqa32.exe
        
        C:\Windows\system32\Ibpgqa32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Iagqgn32.exe
        
        C:\Windows\system32\Iagqgn32.exe
        105⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        106⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Iajmmm32.exe
        
        C:\Windows\system32\Iajmmm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        108⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        109⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        110⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        111⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        116⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        118⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        119⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        121⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        122⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        123⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Mociol32.exe
        
        C:\Windows\system32\Mociol32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        125⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        126⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        127⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ochamg32.exe
        
        C:\Windows\system32\Ochamg32.exe
        128⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Poidhg32.exe
        
        C:\Windows\system32\Poidhg32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Pehjfm32.exe
        
        C:\Windows\system32\Pehjfm32.exe
        132⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Pkabbgol.exe
        
        C:\Windows\system32\Pkabbgol.exe
        133⤵
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Aeopfl32.exe
        
        C:\Windows\system32\Aeopfl32.exe
        134⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Acppddig.exe
        
        C:\Windows\system32\Acppddig.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Aealll32.exe
        
        C:\Windows\system32\Aealll32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Alkeifga.exe
        
        C:\Windows\system32\Alkeifga.exe
        137⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Apimodmh.exe
        
        C:\Windows\system32\Apimodmh.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        139⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Bfjllnnm.exe
        
        C:\Windows\system32\Bfjllnnm.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        144⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Cplckbmc.exe
        
        C:\Windows\system32\Cplckbmc.exe
        145⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Cekhihig.exe
        
        C:\Windows\system32\Cekhihig.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        149⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        151⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Cmgjee32.exe
        
        C:\Windows\system32\Cmgjee32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        154⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6860
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6908
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        158⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 412
        159⤵
        Program crash
        
        PID:6228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6988 -ip 6988
1⤵
PID:7088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:6716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
192KB

MD5
312d55ae6fc5b628226fee7fafbedc78

SHA1
ec0ac5a60fb7101cfea59a4bebff429b5d01eb31

SHA256
25e7ce4549d25a2ab7e961c0ba1734617eeaadedff64ce66d21baeed26af93f2

SHA512
14b0ab4065559d1544918b719f08beee65a95ff74d2309e422551cb16761e640385c1c328b0c5984f4915bc3cdd31d25ff8d6ca1fdd4c9abe89a2b6dbd7eea2c

Download Submit
C:\Windows\SysWOW64\Ahfmpnql.exe

Filesize
192KB

MD5
0b9862003f417c4a955320651449cd65

SHA1
bae2db8f4d50f4ce606c41b84b7ef7ce300e8882

SHA256
a5578b284477e4e7d5a248f0d71bf0ca022ac58d5190baede83574819d805660

SHA512
bda9c4bf27773c671d822fbefd549062acefbfaa6abd1cb6704d72d983084b0553c029133998830e525f12db81266b4d3d891773cf5abef226ad6dbd4a511f41

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
192KB

MD5
8374a342adbf75857ec36ecf717b9607

SHA1
19a8e433eb4b704472151de2f36aaf43f2efe637

SHA256
f97e453adf39ec58e48a421516228d546f787d84b2308fbff576c406595f8eeb

SHA512
0107abe8c4ff886d436a4c437aebf42c4c0eae3d0626049f3a112db51ad425aa1b935fffa0a98c81c177b3baf34c45b716e520386ea1a456d55f5b246798f348

Download Submit
C:\Windows\SysWOW64\Bahdob32.exe

Filesize
192KB

MD5
c938b50c7ce7d37c5ea4f78498f35dbc

SHA1
ce7aba537d8ba887343c21f31d34fce9313a26e6

SHA256
0e33d4f9d1180ee78a0454355b0be0888f14627f28403238bdc9e4f99e37f020

SHA512
68dc33f6c3c8fa6df960a144b44e6822132caa1f0fd095f528280df1036abc4f62bc79b3d8e36ff4137b27f26cef408beeef3b344ba6aa5bee03cbfba2ab8b94

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
192KB

MD5
5ed3d1959ff2172395465f5c42357f4b

SHA1
a21b05ba586e6899fc69469eac4b56f924f0aa96

SHA256
0fd3878f645c5042f3ca9e496bdfb2f21a994b2e26fc954c0210f5527efaee86

SHA512
6374d52422704369ae8717cd94b77ed7b397be7f1d5b9fbdfbb28051ce185ba53d2fcc0252d5dde6ab751de0a83412b7d9f73f9de6d7e2f582b612b01e4c1b92

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
192KB

MD5
748ed675e229f07037295df678aeeee5

SHA1
9f0f9ee8a2b8b0a5d47266abfee0665b71a76bdf

SHA256
5ca9136b71b412196f79c8dcc62cae350740de4abf3baefdcc6da79f714fe918

SHA512
b0e67c7692c0b1c5cbfac9abc2be279b5a2becb946bedbeab7b8346c44940236e3255d0753eef7a86c165e09aebefa88271f7db9f56fd2e0664710a5393c910b

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
128KB

MD5
db3f6e3f3b846eb86cf05c14c2b3385a

SHA1
f2139e68af32c682d42771f0e4338f2fb0fa31df

SHA256
ddd6acb008667d8f8738eda759b202ec8a560e5e6349c5700c816b40fb26a6cb

SHA512
fea666669a817593627f637a301a5ae044e4b462e9789445152eb81fc5d7d39c6c0d035de14f02f7413b9cfc84743bf387f5c58770cfd1795df659f69fef7ff0

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe

Filesize
192KB

MD5
b9fc8c56f8fedd3bfe62751de91c8281

SHA1
1bd44c5edf277d4a854da3853846db4fd67b68aa

SHA256
6373c8b62061e35e639235d0ad55734c69ac52a53f67a32c2a7557b5a72f82a1

SHA512
b0d10a0f17e18faa86785c15e9f8127bf88976688f179c207ab6b9fd05720b8374fba5a6181fca742ed0fce37396a32b9ca438b9bdce296f628e374984d4caaf

Download Submit
C:\Windows\SysWOW64\Dcibca32.exe

Filesize
192KB

MD5
bce65c47fe6af4fe80d7fa4db4d5d34f

SHA1
95c876f646fe888c3b93d7fe2ad39767d638e54b

SHA256
ff02b8fdeac7df9f31fcda9a5eefbf85a04981b64e453a8fba06c127a4d62b68

SHA512
d920d71164ad44d5c8be3e70914fc0ba1d096c519a94feb0d4cf234ca6dedc983152943f6ab1200316713e6907b4757c00bc4ec1de8d88fe9aad8b179060cbb6

Download Submit
C:\Windows\SysWOW64\Dgeenfog.exe

Filesize
192KB

MD5
7e6e65ad9b4d4c243fe39b5464e4ee15

SHA1
aa7689bba59afbb41c7b1ebaae7af8240e1a4b9b

SHA256
12149cf63c64f458368d55b54bb30ee51168d3787168888f03f4a4a5b166e01e

SHA512
c4c751002f33354b5b7f4ce0fcbb2ffb420a2e8243097972cce82f465c05cdc28b8ba2563f5527c8562042a7de81a13d42ba6daff31bf3ac144a9dfdc9339b76

Download Submit
C:\Windows\SysWOW64\Dpiplm32.exe

Filesize
192KB

MD5
8a551499d2c283c2b00c27417509b84a

SHA1
a75215bd28fa98be0a5cd8bc5220533df4aa52bd

SHA256
742e64c53b285b51c6af29009259b7f8253264e0e66184080ae3b9623662d1f2

SHA512
40e1ebdd687221ea3d9305f2b921f2dd8f3ce28989952bbff5a9359d4f3a0b7595a9765e85319d5f0d4e5dce9d1c87f76b17a5f37a9c979a019b7a6e2f9555b8

Download Submit
C:\Windows\SysWOW64\Ebaplnie.exe

Filesize
192KB

MD5
7f65e3c6dc081bf9cea3d9a32379c4ee

SHA1
c4237533c1d7a61756575613490baec09a71237b

SHA256
2415d6624410c63890d8b5883691092005d5af6f4dcae7270d104b3815f3601f

SHA512
4c0e5f6b8ed1f31c4ea02e0010d9be3e4253861f58d6df10ced90037ca50e3ae86eecfb0c5fb12f5a9b43730f42337c966f5831541519dbab5ed7686047f3676

Download Submit
C:\Windows\SysWOW64\Ebdlangb.exe

Filesize
192KB

MD5
aaff388103afcdecf1bf5c097887723d

SHA1
df0e54696936717c3f1d34907a85ccee9ca4223a

SHA256
77326c33bfbef5554d69aa1f16029614958c6e28a7742021fbaecd5093e36fff

SHA512
93427e9085d3e194359a5296e7b91a7ad391ac340404cb9bbc4e2ed3d1c25dbc87b03be44e1f57306a2e486f472fb9283e85bc9cad9b85cbad0e5315c26c8c1c

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
192KB

MD5
3217a924a57afa9cafa830cab1ba02b7

SHA1
3b3bbb49dd2d4276d209f078d629f34763549eaa

SHA256
8a7df8a8ede8db6378b1ebae0e449e4576a7978baca2b1955ec84da92f56071a

SHA512
f02b06dec5a6d141eedb5b8fa5da0e6fb3c3fdeb514ccb110068fed514e556c1a764f36d109e58983c0e0604a338001603cde9bb103dc8484fd582da40b5a2c1

Download Submit
C:\Windows\SysWOW64\Eomffaag.exe

Filesize
192KB

MD5
17b86a6342d851af15fb589ba2678e87

SHA1
f164fadb7bc7de2a28db5c7ebe46142d516c86ae

SHA256
237f5b30d733ca63e74f7e406dcbd605bc4f97c883f8f6ec58e198124d5c8a38

SHA512
b13bf9f38252c09df8c9aba5eff42e544dc60f44fc1c8dbd7bce3a92ffc3dd961e83b69ae8314e1382a6dca4212685fb618534cdc7f775ce41354c8ec93791c9

Download Submit
C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
192KB

MD5
4e9394137750b274f0c70e2fc5c315b5

SHA1
e1a8324620b3d9f1126d1f47fa47624c884aa125

SHA256
427b032ddbaed808cc99fbb36b3b7575902bec9c9977b328597e149e120ee8b0

SHA512
ef8268ef2626b7fc24729198cd11cb184f4155c30daab2acfdf54bf86c2c85a18b3c7f31637010e7ab7070a075c9b7827a639cdd273476080efe8d6cad4492ac

Download Submit
C:\Windows\SysWOW64\Fecadghc.exe

Filesize
192KB

MD5
03a760aa7261db997d4003cd10895a5c

SHA1
52b7b526364ea50b8b9e185091829d574fef8bc3

SHA256
959d8c52c4aaf5933077677c613a0ab0670f6051e2c24911fa94615fd2588237

SHA512
861226cd6c72d2adb2f31a414cd5ff9b869f2416ba147f9f3892af508dde71e055800fcf8945aae198fd490125a029989e52726e267ef4e56d514a7bfcfe4360

Download Submit
C:\Windows\SysWOW64\Figmglee.dll

Filesize
7KB

MD5
3994308cb55a6d064806667f2c4f7f8a

SHA1
05f9946858acad146f92848c66d4cd74714cc522

SHA256
975c3135cd706bbda7cda4570463bc172dec1242ecfcb688cb94a94a45c7be12

SHA512
0fd2b8cf75eef6ab19da81826c844d40af2d6ea4d0d9d5d4ee9e07aabfab85518b2cc2f97a2caeb0d833c1f5da3eb130487631b37405f2883325fba4892a2e51

Download Submit
C:\Windows\SysWOW64\Fkfcqb32.exe

Filesize
192KB

MD5
c4e80967763a544c0563b958fa558163

SHA1
589663a459b3e0efaa1b6d94e4e8b8416b926db4

SHA256
58d3ae6fa0637d89622ca4d88ffb83a71cce0bd38ba8fd1bb073061a52e23813

SHA512
0a9e2ea92240b53d2fab8ab0ee40da9aee7d68a66c4069db77edce9d1505632043f161842a9a830de9e876fa5eb0f9a67ede8b09c33bddd211421bde2b89d4fc

Download Submit
C:\Windows\SysWOW64\Ggfglb32.exe

Filesize
192KB

MD5
d1db0a48235cb458076b4a6c5add4eb9

SHA1
c26b00126f905f3a4e7990ed53a01d4a7d99aa4d

SHA256
de4e40766eb53b79c28c4c443b765e368d80d2ab9833638d6143019523d98587

SHA512
b69c8388ff5ec10a36a8ed5db15f217ab0e749cb5a4ae8f2a9dd70135cf89b23a4cada02b2064815f4f087f32c633c46ab78f6e5f0785fc7100db08fe7d6c0a3

Download Submit
C:\Windows\SysWOW64\Hbihjifh.exe

Filesize
192KB

MD5
7245f7849826fc78e634ad00bef3e1de

SHA1
2b15903602f8b3757d4a8ff667accbb2d4fe6428

SHA256
d915a26a9dd926ae84dbe0b57e8ac4ed8c08832ba28f78a9a02bc6f93fda91e2

SHA512
d51ccf8bcc223042204c9770b93d382a7736860aeeaad9a0dceb91b596271f90e933c29a52c05377e258e74a3b1fc237d59c82764291802cfde8e2ff7253c3ac

Download Submit
C:\Windows\SysWOW64\Hemmac32.exe

Filesize
192KB

MD5
f0c9519520d59e7156669e1e1fc23664

SHA1
7194874444ee87cb91d69827b845c09779813650

SHA256
fb6d8fee8d4f8f58b6ce64e23bf57a729f99a25e4a2c19e2e276419763713e48

SHA512
bddb65e13f4f884dc6398c8967f24c86aa87ff18f5368164585acdc8b5a016a76f8c7275fec62d3092dbbfaddd631e5a76c147d1a253ddf25dba9ffa60df637e

Download Submit
C:\Windows\SysWOW64\Hhfpbpdo.exe

Filesize
192KB

MD5
377918db7daf5fbd5ae5ce57a91e158d

SHA1
a0c7f31ec2719f3524cf6bb7a888a5dd776a1acc

SHA256
5ad613e60e62f0668371e4b2971b1f70326b3a203d9503d39ede74270a8e6461

SHA512
9c4e85bfdf0884035776714fee21e1235efa70903770abb636671519a99146cd67f2a521b592a279a8bced4a77fb25a1381717043fd2c0d9d4127de43d2778c0

Download Submit
C:\Windows\SysWOW64\Hldiinke.exe

Filesize
192KB

MD5
9781794ce2bd1e4141086a9586ac2e97

SHA1
2c3995174f4fbfa8bc26b8a1c77f65d2e6ad9f68

SHA256
cf8bc41033678fda1cbf94e17d8dc2a412cb5c064e77547cc258f379ddf67bb2

SHA512
88d399186e055f24437229b8680c10fa92ef198738e76c3c0e0b8c8f7631de4dfc7b35fe823ddc97f704f6e029bae2d94b932ca989b63cce1d62543112f3d008

Download Submit
C:\Windows\SysWOW64\Hpfbcn32.exe

Filesize
192KB

MD5
f64f7a202df912efae7a71e6dc2ec624

SHA1
3396c54d01ddf999101df357a80c096d01b3998d

SHA256
2bf6cca63caa64dbd8a5cd660f6d2646f5f683cb096a5b524d69dce8514222f7

SHA512
98058e9d3cdef4e565315cd15f97ba563e1c47657bf528d8f8dc080e8c97cc5fadf9b8bf924486cd6c7fdb16992806d4c59f2eab77c715977f7549d55548bdf1

Download Submit
C:\Windows\SysWOW64\Ibjqaf32.exe

Filesize
192KB

MD5
fd926a13b9df000ccf124835b7b85a8f

SHA1
5d67a9288fbdde27f2c37781b91d633f86bac452

SHA256
a0b52d0f6bcda5613fa79eb0a6c209779599e542026ddc50571925c252eeea1a

SHA512
5668f6518464e36bb0da4a09f52916258385b63f66adacc0136065aa372a62a2e61cef84df1cdc83294fe2ac9ca0c4b6ac138dd42443cbb680bf846ba4d0e710

Download Submit
C:\Windows\SysWOW64\Icogcjde.exe

Filesize
192KB

MD5
31534e1ac0b926c2fdad38fe57a08345

SHA1
fb5de1485978b1c53a99a5ac648c5d5f898e8a66

SHA256
6e31e4fdce05d0dabd97c4624a34c7a45025a0f218f61d57ccf306c98753d2de

SHA512
495d777a74147ddb4d7b96e2eff069d2508de0ad24cb72619e08462138fbb69a7dca34dd1f359f78c80e66d1c27e0f1084cf37b1bdeb98f8e2a0742ea74b6a23

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
64KB

MD5
aff9017fc65560a98b40f8f8d6c0ceaa

SHA1
8935bacc7423c80e12e5830a2f7822d2f4d27446

SHA256
44d4d20eff3a5e08470af738b0c341f5dfe608798c311fedae2c60694f63e600

SHA512
2fa30becfafee479a0518be494bcd2078c2b3d4c5985cb1a56285edcb9a98f7f29f5a2563c9e344b793c57ac3c0ae0919359c67cad7c427702b69e232d73c8f2

Download Submit
C:\Windows\SysWOW64\Ieojgc32.exe

Filesize
192KB

MD5
5095851b5f6025a960a43822f95d1faf

SHA1
d6633ed86c789180c0a37f644cbb711d88d941c7

SHA256
cf33c1f4c165c1c0e7b79d85030f593f7eb6de323b1a2bd6046ffc7aa0e39fbd

SHA512
963c24d2633de8cfa1e516fab8de41bb457f38e906ddd4d4f410c9b7c3c36b1cb72e0f3d9c5f87a18c93e8182caa21ddbc5256c958cb629010ffe244b1a4d257

Download Submit
C:\Windows\SysWOW64\Ilkoim32.exe

Filesize
192KB

MD5
232c5673a5c982e9c1c411fb8bc1a78c

SHA1
0f85f748da9126773f1bcba8ff43dd09fd4eaf4d

SHA256
422ab784319ce43fe500691a2da3b721d7c9076532ac4668667ec1fc86ccc17e

SHA512
f3c5506273be0f48919024525d5e506606ed6de8849b93fb01f4dc32d7a29ba8131498512527048d39f0e9619e42df70482fa5a865347e83a5dd998bd92cbab5

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
192KB

MD5
fcd6b9f674c843fcee3c1952b2be0fd9

SHA1
5cc5a60afc2cce7fdf3d5fbfa83375c9468a6837

SHA256
115c1af568039e699576595d666a10db7325b9d81187ce49a91aac976bb12727

SHA512
96bcec20a33e7206d5a2accf262431bbdafba278b11205fee9e44585e1577e59bfd4bfc6b588e53d6dab12fbb362811f786febf7e7fb72d5af07edc8bda5036b

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
192KB

MD5
fef1d70c616a0e2cd9b37270c4b36b02

SHA1
75da65ebe4c6e17e6f731df0c8c39c292225a6fe

SHA256
4b48ffc0c1f63345f3da8b501f7e0df6d74db578b4bc0e9d36e7322d636651cd

SHA512
01c7307efa3ed0c8d2603626f1165e010a72a58af96ea63a19afbb6460d7adc640806feb1e260308e82a59f86a2ff8637e75be3f5f02875d82da222626016bd5

Download Submit
C:\Windows\SysWOW64\Kcoccc32.exe

Filesize
192KB

MD5
4be9cc1e525083c7b4b6cf0205a91864

SHA1
30ee114a474658b3aeb8bae32fd9d53f67b4254a

SHA256
320883db540f45a2dbd47fe40619c2baac92e397154012543e523f515fe11d00

SHA512
961e46bd7751335d6a72e8d5fe98130eb58096cb96a77fc88022840adab995ba0bafd145913b52d36ae96a35d7a1adea3d7dfba528b651c5193bc4cfd9a01019

Download Submit
C:\Windows\SysWOW64\Keifdpif.exe

Filesize
192KB

MD5
3af455fe6bd02eb778259fa8fea2369e

SHA1
edc2dc3f903a6c1418e7661d5fdea6e9213af264

SHA256
e8849b878a22ff41790433720c27798b4fb14932c97b5dec63d36e30419b8f0f

SHA512
9bbc56fe81d570a01bd07592cf21373846d211709be89c7e841ac94da95d1324ccb1a1ead512fa97fe0ff82253b8926425016380694c5b0d5b5ac694a01d48da

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe

Filesize
192KB

MD5
526d2f1b73707028fb82ccdc5a1e71bb

SHA1
60b463f7f619405b619d1946623ab78d7f04dadf

SHA256
f8427dfb81daf3930541399aca2886ae9b9dbabb4f8ade413b536bd1ad37e974

SHA512
085ceef574bb7934738bd53e48875682c9b274c2b03b4e1343123b47622741fda5b527b3a9f77729f886053917f7b6a9a5043d7cf86a3b426a0e38c6ab05380f

Download Submit
C:\Windows\SysWOW64\Lcmodajm.exe

Filesize
192KB

MD5
16107e58276920fe7a0b834edecb3b87

SHA1
e2b0d8ed3f500a66067cc10fc0e1b244f4d9b204

SHA256
bbdb90e4a3d155bd3248a30a0f580a96e3c60448e9fa88a60bef610eb3de7ab3

SHA512
e328e857cee19a89bd7fab7dad11dce1c4d07566413c8b86305ea4af4e3beb2734daed1fb016ed84f9356bed240213c2ddb59952775b591573178712c87f571f

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
192KB

MD5
e99f386a2e89a42af3965bef27c54109

SHA1
23e3af18598ff2716718908bb8502c5085706d53

SHA256
3cd26f36d8e2cc29e0cd224a62b81e422763f68f3e3a15d9c102272fde308cde

SHA512
4a04bab5eab5100df9ea7fe6b6033b32aa3715d5ae32f8b0028abb18e6be1fba6768655e6817a2a1bb676b7b69e14f054c39653646f9b728e56bf7d2ed94694e

Download Submit
C:\Windows\SysWOW64\Memalfcb.exe

Filesize
192KB

MD5
df2e51e839add01af5a88be1d7eccc73

SHA1
d4ea51ebd2076cee60ae2c71a1182066559fe561

SHA256
5519e99ed0a973746f98d5845700f3607ba19bcefbdde1b45549beb1fcfa1ba0

SHA512
49da81e994cfdc373a71f241e7f98827cba6bec94f302789d3c4d4ae9c2d0103224419feeeba0d2d9e5507afade2e42101b793436a6a93acddac8cded46afcaf

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
192KB

MD5
423db52d01786fc31ee28a6e764ebec1

SHA1
81643a480a6a6a0aff6a9f8c8592252357a1f914

SHA256
5e504f6485997c8ed899fadf09112194ce2cc6db12264f7e211f2b7075585940

SHA512
7e925b866ef95b43afea76157b47a37531a0aa8358cc0e10a47a4ff013f22e695d9e7ff0d05d82888c6e2e60cb92561c5c519569c74d0837533de7183622b469

Download Submit
C:\Windows\SysWOW64\Mmfkhmdi.exe

Filesize
192KB

MD5
2ad16499b5e31069a26eba78c03ddb81

SHA1
c6ed0ff9cdf26ed0cb12d7ce90a89185a0bc843a

SHA256
06135fbb3bdafbab0b9518959421d9c706058693997793cf3f43ece89dc25644

SHA512
34135d8e089e3e6f0eac15eb0b13831a4b71212b54aad919ef517d705bf263042664098cd655137cf7f47cffba9dd1ff712e95fb8c36344c6e405b8d97128abb

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
192KB

MD5
84edab6071ed4c7663605f14d90f8dda

SHA1
a725b60f1672ef80fa8478f51e7709313a7739a5

SHA256
a7f0d99d90ccaea7384848334a3edae40423a7fc0b2ef23ffb9be178e378e818

SHA512
33ba75ef7155f0ab2e33701db2e053f7435230f3acddbff900f2b6f013715b0b33903b77e5a02ba1cdb83ebe7db3a18986cf25b44a709f28bf53c83406431af4

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
192KB

MD5
4916b37afda3dab81be025b6cab37e71

SHA1
c2bdbf61b1d65be2baebce8237889f1ed7a6efef

SHA256
b5e3638bd0b39d21cffa43bb24f8cf6e5cd553d306c40e5174fb256a615b963c

SHA512
d488d37b8f41757fbf027e769f5d1fbdf18db3a61caed8fea376ae0c6f8b3515fc2d46f5e018de3e3d7fb0cea38bcc7949cf5f41b732ad31691c68c6702aa1e7

Download Submit
C:\Windows\SysWOW64\Nofefp32.exe

Filesize
192KB

MD5
d3a0c302a729ed489abb614541e70881

SHA1
d70f7cc937950704e645584c46067061d95d005c

SHA256
075295713f4676cae0207b8034020c4ba7c7065ca9b64b79ca2c52adeef6e62a

SHA512
66881fa96353896cfd94a10b7c5846320693d94cb692dbdd02c0d8e30af23ef504bb1b4952a1868fb8fd14dbed2351d821466e73442af3cfe3ae471a6897886f

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
192KB

MD5
9162c842ed5258c337358c1b53041ed9

SHA1
3211213ac61d325b45ddcaad15e7d96f07ee256e

SHA256
919e1c0d8a843de4ff1e6aed2af2c5a400c0470347d201f602c829afcc07a264

SHA512
873a90bd84bc7fe4ebad4c20bfdf8a2aef8e799dae7b2591980190ebda1421f198e97ff51782b5948562651b0eb1287a05b4faf3e7dc3b1b5006e7506e78cbe7

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
192KB

MD5
d45b9f3ffaaa875800133e40b1d5b607

SHA1
9b4840303c9b41468e5a17aaed631e5b0e3d19e6

SHA256
a29de0552690366235c78fed95e4ef536a2a85e4dd747ee6bebf807b36c301a0

SHA512
d3164c954d5ab97e9ec973d1b08aab0845da029c1f40256607a6404d512dfa3d125413cb260a919d60d8e5b7f7cfe60701dd8f88c03ecb44ad810bda0c0e137a

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
192KB

MD5
6c684729918cbb679feea31c1b50f3ea

SHA1
a48cd6c588401f30d1c309fb91cce8f799ce4842

SHA256
b7b40e8adf84a51af001df9d92e5bd93b02dd51fa746d60ef92cba5884a9e160

SHA512
860024ebfda92e76214cdf44f062a26ac1f1974dab3fd7037b4c689d21aadcb6c0a03bf09a83e847b6c86f1592454f1a244a45817fdabd5010853c36814d766a

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
192KB

MD5
10c8770d0b279372e58c0ebc6515b31e

SHA1
f61f4d8483865990e3c22a1c154b9283c3bf8a4d

SHA256
f20ba09087efd9516e64ecd8943ad8169c573a88ac277e44dda60dc3380286b0

SHA512
427e673599442c561b79a40afb624b8761b449d740dda9ec592834f0c9e68d9c6647ab3a6f3a76de0f9692c7c3006d973c922a20a931c4d1534c6383dab26a68

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe

Filesize
192KB

MD5
1b975c88b0d55121c558955a0ccb4a8d

SHA1
071f5dada6ca2119ffe71d962dd77460698693b5

SHA256
fd6555fb16fbb50c79a6db05f4604e4b99633c6da242c8475255d2085e3abeba

SHA512
8552837efda668f06caf81565aad8c4c0f18b650028fa6fdb5388cc46892cc6dc2d9194434a44a235f3cee89f1b0472a9e36668ab50f2a9a5744986ea77d19c3

Download Submit
C:\Windows\SysWOW64\Pkoemhao.exe

Filesize
192KB

MD5
7fb278c3359a66f7b0df6ab5d0b340fb

SHA1
345cee8e3017cadf9a9d8a00ed9075ad8250b370

SHA256
4ad77132d424e451e2c601582fb2c0b01301ffd54df10a43d91be904fd967994

SHA512
c317b6ed6e5437d29106fb152c67c7028af7227ac99751e4011664f59ff2bbbbdee2dade35cb2f8f4d26a00712c8ce1efa266b79ca42c8f1bc5a5a1fbd4c83f1

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
192KB

MD5
34ad3581989b866f11c254f4b0f95d20

SHA1
3d978bc7f3251a2720007b8cebab148460c80b40

SHA256
9dbb66e48840919eb6c57e30e852114e831bddcc4df0b3e03cd4a799f457e4fd

SHA512
457207dba06be2ed0e8f4809c169a19d22663133649a69ae0cb674ded66313ab6c59b376c309e2ab46780531e5b20c9af7d2ec2dc798574e7a10428aa3230b9b

Download Submit
memory/64-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/988-614-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/988-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-673-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-708-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1256-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1864-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2404-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-578-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2676-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3752-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-607-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4284-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-646-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4452-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-694-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-679-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-633-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-686-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-654-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-700-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads