64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8

Analysis

max time kernel
139s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8.exe
Size

305KB
MD5

6d1a5c0d02a1181a2e33c4c2ca2d3681
SHA1

be5b902be420e9e61003348d42bc78d7005a860e
SHA256

64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8
SHA512

725cdf560fc6f25b1fcbbec3bcee33212acce7b9212d43b435515152e727be00de6992d4133ce3abfe7c736f3ddde3218d66f02c1b672e2f2ea22260c6945e4e
SSDEEP

6144:DIP9PcFCA4UxNxunXe8yhrtMsQBvli+RQFdq:DAcFn4IvAO8qRMsrOQF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecdbdl32.exe

Executes dropped EXE 64 IoCs

pid	Process
532	Dephckaf.exe
4424	Dljqpd32.exe
2532	Dhqaefng.exe
3488	Dokjbp32.exe
5116	Dfdbojmq.exe
4504	Domfgpca.exe
468	Dakbckbe.exe
1480	Ebnoikqb.exe
1852	Elccfc32.exe
3816	Eoapbo32.exe
3516	Eflhoigi.exe
4580	Ebbidj32.exe
3244	Ehlaaddj.exe
2540	Eofinnkf.exe
3340	Ehonfc32.exe
212	Ecdbdl32.exe
2480	Fjnjqfij.exe
2348	Fmmfmbhn.exe
3768	Ffekegon.exe
1280	Fomonm32.exe
3000	Ffggkgmk.exe
1812	Fifdgblo.exe
872	Fckhdk32.exe
2888	Ffjdqg32.exe
3324	Fbqefhpm.exe
2384	Fflaff32.exe
2968	Fijmbb32.exe
4076	Fmficqpc.exe
2304	Fqaeco32.exe
2972	Fodeolof.exe
4064	Gbcakg32.exe
64	Gfnnlffc.exe
3948	Gjjjle32.exe
4376	Gimjhafg.exe
3168	Gqdbiofi.exe
3724	Gogbdl32.exe
5080	Gbenqg32.exe
3232	Gfqjafdq.exe
4968	Gjlfbd32.exe
1300	Gmkbnp32.exe
4684	Goiojk32.exe
4992	Gcekkjcj.exe
4972	Gbgkfg32.exe
4380	Gfcgge32.exe
4448	Gjocgdkg.exe
2544	Gmmocpjk.exe
4904	Gqikdn32.exe
4396	Gpklpkio.exe
8	Gpnhekgl.exe
2756	Gcidfi32.exe
3584	Gfhqbe32.exe
3688	Gjclbc32.exe
3004	Gmaioo32.exe
908	Gameonno.exe
1400	Hclakimb.exe
2060	Hboagf32.exe
2436	Hfjmgdlf.exe
4728	Hjfihc32.exe
5084	Hmdedo32.exe
1816	Hapaemll.exe
4344	Hpbaqj32.exe
1032	Hbanme32.exe
1932	Hfljmdjc.exe
2104	Hikfip32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Dfdbojmq.exe	Dokjbp32.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Bbopfj32.dll	Dljqpd32.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Leqcod32.dll	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Dljqpd32.exe	Dephckaf.exe
File opened for modification	C:\Windows\SysWOW64\Ebbidj32.exe	Eflhoigi.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kmegbjgn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6792	6648	WerFault.exe	262

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqijj32.dll"	64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphbondi.dll"	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dakbckbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dljqpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gpnhekgl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 532	2688	64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8.exe	83
PID 2688 wrote to memory of 532	2688	64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8.exe	83
PID 2688 wrote to memory of 532	2688	64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8.exe	83
PID 532 wrote to memory of 4424	532	Dephckaf.exe	84
PID 532 wrote to memory of 4424	532	Dephckaf.exe	84
PID 532 wrote to memory of 4424	532	Dephckaf.exe	84
PID 4424 wrote to memory of 2532	4424	Dljqpd32.exe	85
PID 4424 wrote to memory of 2532	4424	Dljqpd32.exe	85
PID 4424 wrote to memory of 2532	4424	Dljqpd32.exe	85
PID 2532 wrote to memory of 3488	2532	Dhqaefng.exe	86
PID 2532 wrote to memory of 3488	2532	Dhqaefng.exe	86
PID 2532 wrote to memory of 3488	2532	Dhqaefng.exe	86
PID 3488 wrote to memory of 5116	3488	Dokjbp32.exe	87
PID 3488 wrote to memory of 5116	3488	Dokjbp32.exe	87
PID 3488 wrote to memory of 5116	3488	Dokjbp32.exe	87
PID 5116 wrote to memory of 4504	5116	Dfdbojmq.exe	88
PID 5116 wrote to memory of 4504	5116	Dfdbojmq.exe	88
PID 5116 wrote to memory of 4504	5116	Dfdbojmq.exe	88
PID 4504 wrote to memory of 468	4504	Domfgpca.exe	89
PID 4504 wrote to memory of 468	4504	Domfgpca.exe	89
PID 4504 wrote to memory of 468	4504	Domfgpca.exe	89
PID 468 wrote to memory of 1480	468	Dakbckbe.exe	91
PID 468 wrote to memory of 1480	468	Dakbckbe.exe	91
PID 468 wrote to memory of 1480	468	Dakbckbe.exe	91
PID 1480 wrote to memory of 1852	1480	Ebnoikqb.exe	92
PID 1480 wrote to memory of 1852	1480	Ebnoikqb.exe	92
PID 1480 wrote to memory of 1852	1480	Ebnoikqb.exe	92
PID 1852 wrote to memory of 3816	1852	Elccfc32.exe	94
PID 1852 wrote to memory of 3816	1852	Elccfc32.exe	94
PID 1852 wrote to memory of 3816	1852	Elccfc32.exe	94
PID 3816 wrote to memory of 3516	3816	Eoapbo32.exe	95
PID 3816 wrote to memory of 3516	3816	Eoapbo32.exe	95
PID 3816 wrote to memory of 3516	3816	Eoapbo32.exe	95
PID 3516 wrote to memory of 4580	3516	Eflhoigi.exe	96
PID 3516 wrote to memory of 4580	3516	Eflhoigi.exe	96
PID 3516 wrote to memory of 4580	3516	Eflhoigi.exe	96
PID 4580 wrote to memory of 3244	4580	Ebbidj32.exe	97
PID 4580 wrote to memory of 3244	4580	Ebbidj32.exe	97
PID 4580 wrote to memory of 3244	4580	Ebbidj32.exe	97
PID 3244 wrote to memory of 2540	3244	Ehlaaddj.exe	98
PID 3244 wrote to memory of 2540	3244	Ehlaaddj.exe	98
PID 3244 wrote to memory of 2540	3244	Ehlaaddj.exe	98
PID 2540 wrote to memory of 3340	2540	Eofinnkf.exe	99
PID 2540 wrote to memory of 3340	2540	Eofinnkf.exe	99
PID 2540 wrote to memory of 3340	2540	Eofinnkf.exe	99
PID 3340 wrote to memory of 212	3340	Ehonfc32.exe	101
PID 3340 wrote to memory of 212	3340	Ehonfc32.exe	101
PID 3340 wrote to memory of 212	3340	Ehonfc32.exe	101
PID 212 wrote to memory of 2480	212	Ecdbdl32.exe	102
PID 212 wrote to memory of 2480	212	Ecdbdl32.exe	102
PID 212 wrote to memory of 2480	212	Ecdbdl32.exe	102
PID 2480 wrote to memory of 2348	2480	Fjnjqfij.exe	103
PID 2480 wrote to memory of 2348	2480	Fjnjqfij.exe	103
PID 2480 wrote to memory of 2348	2480	Fjnjqfij.exe	103
PID 2348 wrote to memory of 3768	2348	Fmmfmbhn.exe	104
PID 2348 wrote to memory of 3768	2348	Fmmfmbhn.exe	104
PID 2348 wrote to memory of 3768	2348	Fmmfmbhn.exe	104
PID 3768 wrote to memory of 1280	3768	Ffekegon.exe	105
PID 3768 wrote to memory of 1280	3768	Ffekegon.exe	105
PID 3768 wrote to memory of 1280	3768	Ffekegon.exe	105
PID 1280 wrote to memory of 3000	1280	Fomonm32.exe	106
PID 1280 wrote to memory of 3000	1280	Fomonm32.exe	106
PID 1280 wrote to memory of 3000	1280	Fomonm32.exe	106
PID 3000 wrote to memory of 1812	3000	Ffggkgmk.exe	107

C:\Users\Admin\AppData\Local\Temp\64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8.exe
"C:\Users\Admin\AppData\Local\Temp\64c875661977e0973dadff15805c2725d9b2d93ea700a42cd8e65eb7178b31e8.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Dephckaf.exe
  C:\Windows\system32\Dephckaf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\Dljqpd32.exe
    C:\Windows\system32\Dljqpd32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\SysWOW64\Dhqaefng.exe
      C:\Windows\system32\Dhqaefng.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        26⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        28⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        31⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        37⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        39⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        43⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        46⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        51⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        63⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:640
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        67⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4324
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        70⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4804
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        73⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        74⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        75⤵
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        76⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2916
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:972
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        79⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2024
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        81⤵
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        82⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        84⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        86⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3868
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        88⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4220
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        93⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        95⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        98⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        101⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        103⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        104⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        108⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        112⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        116⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        119⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        121⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        123⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        125⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        126⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        127⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        128⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        129⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        131⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        133⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        136⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        138⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        140⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        141⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        142⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        144⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        145⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        146⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        149⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6436
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        151⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6524
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        153⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        154⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        155⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        156⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        157⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        158⤵
        Drops file in System32 directory
        
        PID:6784
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        159⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7100
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7144
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        171⤵
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        173⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        174⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 412
        175⤵
        Program crash
        
        PID:6792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6648 -ip 6648
1⤵
PID:6752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
305KB

MD5
c302f851d1a3014cd483dbd7ca85d1d0

SHA1
e5a9e24fd2a0017147e7820fd8b91bf5381e266f

SHA256
26dc925aad586f293470379344355bd47585869eff5210bf0882d4142c4d8835

SHA512
e4830d97c9be856cdd5e0cf3fc53c6c797a8cea0b3ebe69215d357f5a59f7bec5eb8c56c590065d958f2534524a288fa535567c2bf805ed28036384edf8c63f4

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
305KB

MD5
f7c4acf8ff46924b24640185f471b26f

SHA1
d7495862f73333b82fbf978ef82d12ccf9025413

SHA256
ec0f8b0a9a0aac27a2caa37dfca283e97e14e39436b78393981a561565293bc3

SHA512
1c51a6529ae30b1c0dba57093ff2c0ca29c3a3e0a23dbb5625bf9d129478721503fca0657c33065bf073269c0072bc6b2b5ce840879cbf1c64b41ed630d7adb8

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
305KB

MD5
279afaa5f3ef0c9198d15ca684b4edf9

SHA1
067a03c7aa4c22fac3842b889c54bd9ddd536d48

SHA256
4140b8e0f3e9a0991a4e010f28ff75b0eec797624a29ce87b01c6b9de47f0899

SHA512
f086eee3b751e9edb112ff8fad15ad3a6757dc85e52707e6ee0c25e38d0ef5409124d572681a1fb61c3dbe0a5cb818eef9ef2375fa8d6c8f7692846f74a58388

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
305KB

MD5
a51e7183ea68aa6dce346de337f65560

SHA1
f90a211159c5acd4cf589bb0ff6893289c68b884

SHA256
43176f2268019e71619c789393a1d5a1391bf23846fcd04bfbb645c01cda7e17

SHA512
11eb91183f5343155ca89d6a0f743fd6085340fa5363f7fb2b162cfe3f2b24a660ab438b817cdbbaf403dfc5805f4d181f6a07fcdce296641ca5bcfa13a63be5

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
305KB

MD5
a4e762f16c4dda918b12e34c1b63bb75

SHA1
829dba76003d80e11d5697a9cc4eb3a8f607caa2

SHA256
098408b934c65bc67caf8b4cca4f2b6e6e63933c4457f82ecc09e4eb84d8d2a1

SHA512
5e1657075751249e3b04d918b5cba771793eb9f845e35f8627d522cafaba15cf2f4ca148a8af2617dc269f912c58476621068cb53c70300cb3e4305422dcdef5

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
305KB

MD5
18e515d1bd0009bf7b1a36ecc3beed06

SHA1
1c6f75078792126b882f040c4c331c51a022af16

SHA256
5c6a2fb861bc446f5a404cb4808933ec3863c53d81557d2a0794710424110235

SHA512
fcf1c5becfac9c4d156f03d6ca15e679c8a95b33be29a6b4c3ffbdddfc6c88a2aa43af118fd5bb76c9178e93a103eb4444c24b615311b71f2aea95872a41ff44

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
305KB

MD5
e6837a2f33b92ccad8d51f3de102a35a

SHA1
9d3b67d2542f043ede8c428345b48e53abca1d6c

SHA256
8e5e5ec50eba3b7eefad002acdc883c99f62bc47149b85e4d3a40a3909f00923

SHA512
2fc20c2f5e52f679e5c1f45b25ecb5734a139f6ffaa9b4a90b7896929b9209015a628faac6cabe643c61a6ca66bd157b135574e52030838fc03baff402840505

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
305KB

MD5
2ac57a9fffee71e576fbd2d3f22efc00

SHA1
35c6c1a30ce7062833e84105b047eff427edf22c

SHA256
f350c7f68bf74c704957bb926f1bf4e6c386ca6f326134009cd1bd0858b91fed

SHA512
0b3d340661919cba344a821c2f42e9eb960bc32d5cc1bdbcafd72e66c11277747ee55faa0ec9b31298d8b4069eaf3aca00df781e78c740e67b13d815dfff51ba

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
305KB

MD5
2583b5038b420e2bf408a97ea5cebf45

SHA1
db022b446ce502f85e92931d158b542bb6ee456c

SHA256
40c77a3733524c69d635203d70cfd7d57670ed2896099f06551aafc72e3c522d

SHA512
f0f39000fd688d39c144b93e40035fd447491096450310e164c3888f7e03574db7efbb62f0049e6ff18e54a25b6c2e671cf07311c531389b85009789e73f2fbc

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
305KB

MD5
901edee1cf16c3f1c11d7eb8d5bd60e4

SHA1
fe914b679f31476e92719d7b269f03756d6ab242

SHA256
69592ab5cec67298d48115ad62930269b0f5fc29ade536a3e19958e0f2a5943a

SHA512
8cf34ee587667e8c794f02bbf971d4bce8c8cf5b7aadaace820169072ca4c385a66020748489148bb25b5bc46aecb97c39182e7cea53ce66bba42d2293f404c6

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
305KB

MD5
584bcdf93ddb86892478475cb875943a

SHA1
0630af9675295a951a533500b383d95883b74546

SHA256
6190d0ab617513d736c90c395b00d7fda91af8fc3cc13162155680dcd96cd878

SHA512
e94cbdfafc8679c9247bb71586548d406d45859988f21d3ee75b64068060034643fa202949ff8812b4eecdcebe7a9bcdbc2e110887bb116567d4561815d9e46e

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
305KB

MD5
e5a99847555f4c3861f6a83e80f7ac05

SHA1
e7d61457545c45f1d57f4eb7592a435d6d5a3a98

SHA256
7c754f613a3e664eb64f598e189e736ff723becf1605d2b8e780cfc0eb31e2f6

SHA512
17ea556e89fbfb4702c93b7e8cdfb33956f6767ac0cf1dcfe43c1701bc7b385046a3fbcaa8535eb7151bd80d5ac09e9d592f9b38339d48ad1453191c88cb89e4

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
305KB

MD5
1eb185a3b2d265b66a5b527fa1b626e3

SHA1
0d369310c91416c8161af3f0d5ac64011b54e0be

SHA256
0ce8d770baf7aa75f2c7f58e34af9f1d74f80f3c4eb14a0cc832d152e2d3f65e

SHA512
f97d955dcd22a7ffb26beb766ae37552b26a155d368ede81ae073e063afcda65bb1f9e317dbe761a62ec39993b6d183737a34912a031bdacc82aa075efbc22c5

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
305KB

MD5
0af7c505fc71c66a760125cb6c1c1329

SHA1
59a32c01d7d5fda19515db785869ddf3b17135f5

SHA256
2fa969fdd11516995f8bd403978dcc9b8ec2b6d84a6b6121b1e0d7d32878a5b6

SHA512
fd8c6484ab4de5c3b9278b0263608bbc2be197020784eb82ad25d4b21ed35c939413b2861988424e55bac961e802f35e8bea9b980cecbb79f3bd2a400ab60400

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
305KB

MD5
9661d1cbd8b5388c3671ce8eac14f1e5

SHA1
5315765a21f77a163360abf88849261808553a0c

SHA256
c97298a3ed47713e061cec0515df5bb854b17684f8f35b9cd94d57bb5cdc4b36

SHA512
0ac18706f1b684e76ab391f798e8087389909162e2537fa1a813f7f0f4ff4f4a7bb7b6f1309095f29f37052c42cc98eba5645622f9ef2116e72be7d997a69902

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
305KB

MD5
6298254b9f82b6913028707147dafea2

SHA1
32eac78d1f60f949603a054eec83ad2fc4fa177d

SHA256
3c48f78446512f724a30e7a80f3be878e207951abb89b948fd8cab621a812004

SHA512
95444dfb8b322143e120b05c2db9bd73d0703e944daa0f99dfdac8c817f59a16980730394b174d1196db5fa3f0df93a5c373367161585f213bcf369152164efe

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
305KB

MD5
90263282913eefb2535aff8d31e5f309

SHA1
a84783f98d35ca4072b03f92dea5c50076dafa4d

SHA256
9c12fedac165ba97e62cc55b08089f03dd189389a688b59debd7eb4b94346dd0

SHA512
516c600fb7f79fab719ab527c0065ce737affb679c3aaf874887048605f45d2969d536886d5bff8933cc087702303c1048e84247410769bad83ece95a06b59f8

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
305KB

MD5
b5839b0e987b71ca350d552bda7f037a

SHA1
8a2daedc16072ed7222753afb30c1ce4ebca6600

SHA256
4bf93040b2add105a50c34a7b57bb457d00fbf912a311ddd8b1f8b915538552a

SHA512
d145a0dfa4b7e859e14f0aad4b97861cb244d605bc14ebeb5cff248a378f1131c31d2a4ba1aeedfa73e93bddbf16bade175d682479caf6bbe60560e920c0102d

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
305KB

MD5
e0ee21609b50899fd5a86ae6e75c2105

SHA1
028bb737a82d0ee0fa585673bc803a8a1ee5d743

SHA256
22fe8bb3a1052d3b0fcfccd75a13c0e75ec01f592c5ce6c8430a56d2b2e791a8

SHA512
7974476781d89b399dfe01933cde4f731afb450140fc4aa0d20804e856c6ed28011c5ca469f1a02bf685e2b6d210669cfe59eb3519ea19f439826ebe1264e6bd

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
305KB

MD5
e8df55cecc4b94125357f1630270a51a

SHA1
9952a23733262d35d3e1fb6c76f4014384cf04fd

SHA256
798ea92a04ebb2e50436306ecab5255c141fb8795fc6395cfe1e775616e456de

SHA512
b319ac0956a389d33f491aa69de1d8137ee349e60375d22e69e2a4c76edcc02a00ce0a50e6f154f7702f92012614229f3650f7e7cc34dcf7c15556a3cce84e8f

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
305KB

MD5
b83979e7d31c0f91a41624ab6a759cae

SHA1
80611d3e0d7eda25117162f9b154a19737e358ce

SHA256
377ebebaf1e72b0a7a9611ab9f56d35d2f51a4a8821ec77322f6cdaf33681606

SHA512
e08f670fc5cb177ace4063a8f3b941415368af4ffff07078c233163ee096d21fa05f5b23835f1f1181dfbc17fe167d33b325f1e90a317fca7eb24099f77939f3

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
305KB

MD5
34dd0a62fb2fdf5d19a467b2d43db143

SHA1
74c6b1fe9680bd26e7fa20e5fc27caafadbb2878

SHA256
a48d06e32ec07c1db3892ac26e79b23b6738c201732144be303943428583d3e3

SHA512
344d61ac0dceaf2d6ae3fe6051e8239923dde8e4d41d941a7f2739ab72811b084f86d3dbf316eb8384229f7ba7f2940febe682ab0bc88e6a85549305a0b9f6f9

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
305KB

MD5
1757b9ec4bb34397f84fa5ad5f9f814c

SHA1
ab9bb7b9ca82520081679a30195b29a330e32189

SHA256
fc274b978efaab66cdb540c219aed27300f27e419a0c442973c861c4c1311703

SHA512
901bb26612a970d7f1398bd32e06b2546d2b8b56634e25d2448b5e04f3d6ea460680aad53f414962bc6d53e0fe80c8b99985e4e9952026beb42d653d9b9b7175

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
305KB

MD5
51a70fda3cefd6e372c657494650c7d4

SHA1
da61f0befbf02b6169d38376f089fac7e3a8de4e

SHA256
52c968412d911460b053e15a960df4c40503fdef68883f3a610a77ae8c0a555c

SHA512
26b0f7fc0c0310f8ef06e6f502aee67222bdb882e37760b900f68b5f31bcf660a520cf94c2ab08b959e31e65843446c5e08becc12302dea3ce4f6b73eea245d2

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
305KB

MD5
e199656756e396285587b29b7b9a5b9f

SHA1
e6eff0502b18b85c6e2571764c6319f6ed1f74ba

SHA256
4ce60745272f05d065f5bcf6b7aca663c822f60cf7e6bd5e78abc3830c45c71b

SHA512
1181a5cdc9a6dd9c69282f3dcaa0187eb0540db7fbe93a523e75c16b4720f76bb938b96b4a091418fe3494e9b2136c0feaf26e017eec5df9b49a771c9fd2ba0c

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
305KB

MD5
89413c3d69cc9f8d7fef33e4f738ae26

SHA1
2435be231e68c9ee75d0243d043f0fb47316cd54

SHA256
325847aa606302544d64df00544db35249b41fc7e04c17d2488f05d5cd32a6fc

SHA512
132bcc664184843f3209f72ecd3a3f0d35a19d48c489bc1531525c561ebee6087f4cb9f9258494e67ca2a08c48958ef04fdae5dd1edbaf109dbb2949a3bd9f2e

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
305KB

MD5
9d8044b50036d18c79f129b3bef313cc

SHA1
740f8b3b124bf54c559d8bbaf8bada6c99ba2950

SHA256
bd6245c8e3c19c937b064ca0dc2b333d9d76e98d67399d6a7d93650e6ca6fd1c

SHA512
a719e340460ed7e7cdca0815eedeaa7145e0f4235d206c6f5101a6726620c26dedbcd2ccb19161dda91864eb6934e2a645a98c801c9359785eaa4b2b9ad49d28

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
305KB

MD5
7d405168b8646dad70d86a89cb06e63b

SHA1
dfa9650ad26886b89369987728a5ff3be1fcf1f0

SHA256
c36299a579d4949d2c2feea1327a8369a86a0f03ef69a0a9b031ac661f44cdce

SHA512
39d8cc545e63b0ddb9477187cdb9311419c194377c5f182dcb8877810862a30b17780c8532bf0a804eb37d39fc21632276d283797c70889504fc8bcde81694e0

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
305KB

MD5
041c359cf3e8b55aad8025ef3d2083a3

SHA1
1c014c5058b119feaf167a91607d0505d9dc28e2

SHA256
aaab2cf02756b6b814391983d239b9f438d54db55fef8ab28418cb6b72e55aa2

SHA512
e5239466eb516f7af199bebc04f7345a6fcdfda70122b26bf3f2aa192db9c246c79f91b0f25d6e96daba15368fae04b6739e5e2ecd4f479123771a2f9b605265

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
305KB

MD5
7d241996334f69b953926ddfffc3605c

SHA1
a3f1be686619e30684433e79cea6476e6a0c8e6c

SHA256
02db5dcb182af787f115b5645ba169bdb6b35e160e137704ee5eb625b9b2b7d5

SHA512
8b65080392a34d9273db7d1acb94c628778ebc3fb7175a1e29fc671ff25d21b7b071f30f02c9523fce9966d74a00ab46f28bbfea3c779af094651ca77de49ccc

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
305KB

MD5
daf2a0bce8e248c313850b74d9908fb4

SHA1
50546e4aa4d3e91dcd64afa2d353fae01d9284d8

SHA256
27c4f545d308348a46ad9f7ff42f30008a40aad02659837c2865d3cb5fd430d6

SHA512
13e7bad65d90fdd3990374e740c3cbcca4b01d40e1b0c431bbfd07b1b6fa28327c7044de45a5f90d38e3312d9a8955d05fdc547a97e0e11be89fc8c1a21a30cf

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
305KB

MD5
c82dea29dc2e1655ecac6272b2023900

SHA1
f9656a459c39363e5b257a7ba59649d6cb65ba20

SHA256
52c8d37699e20ba87ff3cf8409f04fa475dba177b213aa63a350a3afc6faad8f

SHA512
d5a88f2e427a7a7865dde0d7f82231ac23c702d65b23e83ed179fbe0f632e128c4fa34b93d8e907850076cf92db6ccedf53006b723d518457558e01b28a6e6a8

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
305KB

MD5
864026968e942e075cada38917b3759e

SHA1
a1e012660828ed04cb045cc83385b3acf1548e45

SHA256
f0d86b15e060bc0d2a6205ef431ce3b7ebf1a2c490eccd24f39c5e70daa9d0f1

SHA512
2b78b915f9f82efe23fc189e5112c4c69e060b35d122c490c3564b29d2e220b4ed861193a184e25e8e2a77804a554400449b180582aead979cfe66f77b65670a

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
305KB

MD5
a19290cf970d1ab2b9c146bed6b508c8

SHA1
05f6851ab11b55c41256f49031b1705abb22c96b

SHA256
1e58a81d9c41745464291aed30bcf3a1db78f7dad9d37b91d52eb26e27b54c3b

SHA512
83efc307e973bbb867d755c46469a006ca423a62769a7212de0d63672d481c4445f4dc2590a3b89dbfb0ce42442c54834e337ba4ac285aebd823bdea2784af0b

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
305KB

MD5
12d620c8d6fdda26a5a6f087b3e582f8

SHA1
a5ec18301fd00f176d76a93ad60ae1623ad3bf5a

SHA256
7331955665399697d0c8469458346a31a8faee47ed53dca67507c36ce49a5aaa

SHA512
5e80d947590e32b25a4fec440414f0158d22056ea53fa1e00fcf30661f5175dbece3912c56e1f270e8ba2d0e19006a523b74ee14b76af3c863ad78dde6f2a0e0

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
305KB

MD5
9f250e4f249576aa5af311517dd1b763

SHA1
152b6ac4ea75862818956362c879c7437662758e

SHA256
b1c8244c0822dc3a82ea10b9705b016823df1176b6ce7f07d02bf40495cdcce8

SHA512
dd2109ccba4dff2d1a3367be489a85dc7366eeead40a9c08021bacbda8e825150ab10ccba776ca79830b945b6ee8da21c2cb7f725ed35a0fb57e80c6b1fa0c60

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
305KB

MD5
bdc7a948e208fc3f8f5115f420e2f8f7

SHA1
72509dc34d7cca1fbc0a12d0c940b83c3b126ed9

SHA256
0722594baa3fdaa72a780220cd9c7808c5e476c4b4d54c5cde0c417dbd8faa3d

SHA512
800bd7c81e1bf58c6bcd33aa482f2911e06eb5838763ebceb9df43132e216dbd0d8633ab8da2c0d82ddba2ac0bc7ba60277382398e1fa66b63fa59d8a3fb6a2b

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
256KB

MD5
cf7a0b456ad92fe4343916b03eca18f5

SHA1
8da7e2be72d7ac6c158ea1aacd06778cf1079988

SHA256
2a872d97f79c5e02e01d40ea60a29b48a7184d073164e528ec44ab7fba58fc96

SHA512
1d116fd75430c417d1730bae1a17f66809c7649441efbdae42e2b097e86ef6c2bef2c0120310df4f8d42232ee15eb0de5506d478e1526bbd54d30b959aad6786

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
305KB

MD5
8136516319ef7560a4977f0019cd94f2

SHA1
7f830adbde6eac6194ffea271e242b147e70a4e7

SHA256
7ee97f15d6508aaec83ca13c11b838e9bc2e1c1d263cf4b9fbf606399b269df3

SHA512
8fed2624961ca33a079c620e448f426b4241b0b0128b3fc3004a9cac10e72d16bce0af4f2d7735a4598a46f4a1a3e3b92496bf41ecba54ffe54f076fe9ae0c08

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
305KB

MD5
6127cb2177090a17a129eda9271008e1

SHA1
b6e59e2996c18f9bda1889fe2d6b7cb51ec44b10

SHA256
dde9456c6636207b845c36052d1fa38810740e1bbb2e3ae62dbd91b702302f2d

SHA512
1bb151911da9b3a1f4618715d292dad565eea1921a22d8690664b43f36867285ff75bea08915d2c9f723d7779deda8b392013f51678358530dbb9222a0bf2a80

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
305KB

MD5
d428ebafaad59fb99a8042d5f3fd678b

SHA1
94a2c5955df92eda73bdbc0f3b39b045c734324e

SHA256
951b1f472d9590aca03f68bcd89b49f40f235720da5d34d290583ebd88654131

SHA512
a548f2d8a5f8d38c7fd7a43d5f9ddd7b7ddd75516a3d40cc6d3648f7040166848cc02ca967587128234ccd1a709e6e7a4dad8582790edd8be95cac5ba03d7049

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
305KB

MD5
3b4ede52f3109afed1131a8e3d6173c6

SHA1
147de3f5d43e6e91432ab46d87f7bf5707b4b1b7

SHA256
1a088314719b519336afce11a452c8e8d4a893a57f7d502f461a5596b54038a1

SHA512
bb0ddb2c73a48f78371d054e91209b87f0903db4aa456dfc814ec2c688c9eb3c1f497c331f8a1dd88f0813f7ffb3fd7ae97c2538d7b23cbd916d3057e2e8c449

Download Submit
C:\Windows\SysWOW64\Kpmkpqcp.dll

Filesize
7KB

MD5
9356e7211c69ffffce77867fb802233f

SHA1
ba2b9ea5007733d78bb85f11936a8b98ed3d66ce

SHA256
4d942e9765b4e8bbda2b42fcfb5aa8481af0746e9e7370c51a73ee0efe77ce99

SHA512
8c70d9a318a56ce68a4d2d866a06d38670c6173c4719f6de2538691546b4a5102927b30e1dff3db4bee80118f3fb81a041f5ed497abc825c856ff4cf796344ee

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
305KB

MD5
c475b995de85428bee1364fbdd04b501

SHA1
989d1a62563f2cc27d63056242d4bb4b3f6a23c8

SHA256
89e5640b9b988eacc06f2bb9cb65ae7bcf4977ec957bd002b089390c6bb20769

SHA512
0e27241956fc1b8aa21a3ad78c831c66d0a3ea0fbef3044bc0628dc0d0b61c1a3dcaec150f4abaa7fb07d9af041b9af1ef4a37b15259933fa09fc82a410fc901

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
305KB

MD5
9722f35f78808517b436d01c186c8a5c

SHA1
4f68f3df3c6a3b971f0f75728cf4332dbecc77b8

SHA256
6128ed720adc7d19bf1e15a960cfcf9f3071720547e8587666a28b0c2b9f92ea

SHA512
dffad20027771a4301b4516f57251707140342e7e8c9acf16e814446a54b32408485704e1b10241d6c753fe759607691b3877a3951b89124b2f1a123f87dd6d9

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
305KB

MD5
289eadaf55a9e9b70c3c7ce288ef7827

SHA1
4e2bf1ca8b2c0f887c6a2e94203521820a52f444

SHA256
b1b790a8fb46f57f1cc378c14d8db6dc4fd935a31e15a2c082b075b77b5beb89

SHA512
3bfea6adfa66247db0919d49ed4b4f98803142f7f2e8f318dda8ee99da3ef34b7f7fb661240858cca7a05066c2a96d2fa029f9eebf0c10519c27bdbac06070dd

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
305KB

MD5
dfe1943271a4de47e999819914214be9

SHA1
1295d951a46f8a1365ba407708fff55ec28404fb

SHA256
1d887bdd07c9cbe966119a96b719d58766aa7fadfa948b0ff20ca36b3c5a6518

SHA512
f6684cfadf29141c1678d2d3dec410202a8146df6c898a8253b377782d51c648899410c146e9957090ef2d168dac133b751fe9e38905138284cdb7281bcc4ab7

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
305KB

MD5
d8cc0ca4092b754526dde1773d950c32

SHA1
1311d8f57cce42f935062bd25770ed63bc04e07b

SHA256
ff4710caaa42a9d4b30e49dc96ca1d31bd6e7f8f0f09c76588aa8d3034cdfd7f

SHA512
64992aa668fbd9bb31dda8c7c65aae6ac0907b3cf55a5b16d2453de253591b41193298a14feb650b086ac464c38e3060c359c7a77f1b05f2c902582e0f1b5df1

Download Submit
memory/8-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/64-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/116-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/212-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/388-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/468-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/532-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-458-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/872-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/908-433-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/972-530-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/988-610-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1032-445-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1036-574-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1280-163-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1300-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1396-603-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1400-434-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1480-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1812-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1852-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1932-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1960-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2024-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2060-435-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2104-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2232-550-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2304-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2336-619-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2384-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2396-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2480-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2532-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2588-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2688-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-429-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2848-536-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2888-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2916-520-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2968-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2972-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3000-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3004-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3144-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3168-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3232-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3244-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3324-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3340-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3516-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3548-588-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3584-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3688-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3724-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3768-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3816-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3948-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4076-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4220-608-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4324-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4396-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4424-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-465-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4684-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4728-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4804-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4968-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4972-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4992-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5084-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5116-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5136-622-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5176-628-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5224-639-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads