26b5c58e5b55036db2cae469f585dcbd4dc38c01ba4396fd0ca1d8f517dc655f

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 18:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0079001f4d8e5010ec7c7065e10e9326.exe
Size

111KB
MD5

0079001f4d8e5010ec7c7065e10e9326
SHA1

09ac202c84b7ae2e23d0189aee189b37895082af
SHA256

26b5c58e5b55036db2cae469f585dcbd4dc38c01ba4396fd0ca1d8f517dc655f
SHA512

27fe008fb9e62fd3182be84e523df1cfda4dc3498c9ce372fc569300b8dcce12e3f19cc2d00d78682ecd3bcbd892fa8a490560c4f7ddf04617f95b64363ca346
SSDEEP

1536:i0HM5CijMMI0oOxQyLBb8xJhffHghNdTTybC/3dfe4m8+9yMT:i0HPiwM9oLrNHg/f/NN3+9TT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iipgcaob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ichllgfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfmemc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdildlie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmbpmapf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gedbdlbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fagjnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igonafba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapicp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habfipdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffhpbacb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiknhbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfjhgdck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedocp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghcoqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fepiimfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpejeihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giieco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhckpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glgaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0079001f4d8e5010ec7c7065e10e9326.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkcdafqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgmalg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikfmfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpejeihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haiccald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcfadgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapebchh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfmemc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhomd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpqdkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoamgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igonafba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhljdm32.exe

Executes dropped EXE 64 IoCs

pid	Process
2868	Dbfabp32.exe
2844	Dfdjhndl.exe
2696	Dolnad32.exe
2776	Ddigjkid.exe
2756	Dookgcij.exe
2628	Ebmgcohn.exe
3044	Ehgppi32.exe
2864	Ejhlgaeh.exe
380	Ecqqpgli.exe
2508	Eccmffjf.exe
1808	Enhacojl.exe
660	Ecejkf32.exe
640	Ejobhppq.exe
1084	Eplkpgnh.exe
1276	Fidoim32.exe
2316	Fpngfgle.exe
2132	Ffhpbacb.exe
1716	Fmbhok32.exe
1720	Fpqdkf32.exe
1056	Fbopgb32.exe
992	Fglipi32.exe
940	Fnfamcoj.exe
292	Fbamma32.exe
880	Fepiimfg.exe
2996	Fljafg32.exe
1600	Fagjnn32.exe
2808	Fjongcbl.exe
2680	Gedbdlbb.exe
2572	Ghcoqh32.exe
3040	Gdjpeifj.exe
2284	Gifhnpea.exe
2000	Gpqpjj32.exe
2144	Gfjhgdck.exe
796	Giieco32.exe
2612	Glgaok32.exe
2976	Gfmemc32.exe
2420	Gpejeihi.exe
1704	Gbcfadgl.exe
1124	Hpgfki32.exe
900	Haiccald.exe
2856	Hedocp32.exe
2804	Hhckpk32.exe
2608	Hkaglf32.exe
3032	Hbhomd32.exe
528	Hdildlie.exe
1540	Hkcdafqb.exe
576	Hmbpmapf.exe
2384	Hhgdkjol.exe
2340	Hoamgd32.exe
1768	Hapicp32.exe
2256	Hgmalg32.exe
3000	Hiknhbcg.exe
2064	Habfipdj.exe
2100	Igonafba.exe
1904	Iimjmbae.exe
1936	Ipgbjl32.exe
1396	Icfofg32.exe
2240	Iedkbc32.exe
2388	Iipgcaob.exe
2584	Ichllgfb.exe
2940	Igchlf32.exe
2960	Ijbdha32.exe
2556	Ipllekdl.exe
2524	Iamimc32.exe

Loads dropped DLL 64 IoCs

pid	Process
2476	0079001f4d8e5010ec7c7065e10e9326.exe
2476	0079001f4d8e5010ec7c7065e10e9326.exe
2868	Dbfabp32.exe
2868	Dbfabp32.exe
2844	Dfdjhndl.exe
2844	Dfdjhndl.exe
2696	Dolnad32.exe
2696	Dolnad32.exe
2776	Ddigjkid.exe
2776	Ddigjkid.exe
2756	Dookgcij.exe
2756	Dookgcij.exe
2628	Ebmgcohn.exe
2628	Ebmgcohn.exe
3044	Ehgppi32.exe
3044	Ehgppi32.exe
2864	Ejhlgaeh.exe
2864	Ejhlgaeh.exe
380	Ecqqpgli.exe
380	Ecqqpgli.exe
2508	Eccmffjf.exe
2508	Eccmffjf.exe
1808	Enhacojl.exe
1808	Enhacojl.exe
660	Ecejkf32.exe
660	Ecejkf32.exe
640	Ejobhppq.exe
640	Ejobhppq.exe
1084	Eplkpgnh.exe
1084	Eplkpgnh.exe
1276	Fidoim32.exe
1276	Fidoim32.exe
2316	Fpngfgle.exe
2316	Fpngfgle.exe
2132	Ffhpbacb.exe
2132	Ffhpbacb.exe
1716	Fmbhok32.exe
1716	Fmbhok32.exe
1720	Fpqdkf32.exe
1720	Fpqdkf32.exe
1056	Fbopgb32.exe
1056	Fbopgb32.exe
992	Fglipi32.exe
992	Fglipi32.exe
940	Fnfamcoj.exe
940	Fnfamcoj.exe
292	Fbamma32.exe
292	Fbamma32.exe
880	Fepiimfg.exe
880	Fepiimfg.exe
2996	Fljafg32.exe
2996	Fljafg32.exe
1600	Fagjnn32.exe
1600	Fagjnn32.exe
2808	Fjongcbl.exe
2808	Fjongcbl.exe
2680	Gedbdlbb.exe
2680	Gedbdlbb.exe
2572	Ghcoqh32.exe
2572	Ghcoqh32.exe
3040	Gdjpeifj.exe
3040	Gdjpeifj.exe
2284	Gifhnpea.exe
2284	Gifhnpea.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Noomnjpj.dll	Mmldme32.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Naimccpo.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Jijdkh32.dll	Fidoim32.exe
File created	C:\Windows\SysWOW64\Opnelabi.dll	Hedocp32.exe
File created	C:\Windows\SysWOW64\Mjapln32.dll	Hmbpmapf.exe
File created	C:\Windows\SysWOW64\Afcklihm.dll	Ichllgfb.exe
File opened for modification	C:\Windows\SysWOW64\Nhllob32.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Ecejkf32.exe
File created	C:\Windows\SysWOW64\Hhgdkjol.exe	Hmbpmapf.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nhllob32.exe
File opened for modification	C:\Windows\SysWOW64\Dbfabp32.exe	0079001f4d8e5010ec7c7065e10e9326.exe
File created	C:\Windows\SysWOW64\Dinhacjp.dll	Ejhlgaeh.exe
File created	C:\Windows\SysWOW64\Ikfmfi32.exe	Ihgainbg.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Hdildlie.exe	Hbhomd32.exe
File opened for modification	C:\Windows\SysWOW64\Jocflgga.exe	Idnaoohk.exe
File created	C:\Windows\SysWOW64\Dolnad32.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Mledlaqd.dll	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Enhacojl.exe	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Fbopgb32.exe	Fpqdkf32.exe
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	Laegiq32.exe
File created	C:\Windows\SysWOW64\Meijhc32.exe	Mbkmlh32.exe
File opened for modification	C:\Windows\SysWOW64\Fglipi32.exe	Fbopgb32.exe
File created	C:\Windows\SysWOW64\Hcodhoaf.dll	Hhckpk32.exe
File opened for modification	C:\Windows\SysWOW64\Hiknhbcg.exe	Hgmalg32.exe
File opened for modification	C:\Windows\SysWOW64\Iamimc32.exe	Ipllekdl.exe
File created	C:\Windows\SysWOW64\Ggfblnnh.dll	Meijhc32.exe
File created	C:\Windows\SysWOW64\Ebmgcohn.exe	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Ejhlgaeh.exe	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Hhgdkjol.exe	Hmbpmapf.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Lpekon32.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Eccmffjf.exe	Ecqqpgli.exe
File created	C:\Windows\SysWOW64\Lijigk32.dll	Hapicp32.exe
File created	C:\Windows\SysWOW64\Jabbhcfe.exe	Jocflgga.exe
File created	C:\Windows\SysWOW64\Lbgafalg.dll	Jocflgga.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Khknah32.dll	Eplkpgnh.exe
File opened for modification	C:\Windows\SysWOW64\Ijbdha32.exe	Igchlf32.exe
File created	C:\Windows\SysWOW64\Lfdmggnm.exe	Liplnc32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Dhhlgc32.dll	Ehgppi32.exe
File opened for modification	C:\Windows\SysWOW64\Fagjnn32.exe	Fljafg32.exe
File created	C:\Windows\SysWOW64\Ieidmbcc.exe	Iamimc32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Iapebchh.exe	Ikfmfi32.exe
File created	C:\Windows\SysWOW64\Kmfoak32.dll	Kilfcpqm.exe
File created	C:\Windows\SysWOW64\Mkhofjoj.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Ikhbnkpn.dll	Fljafg32.exe
File created	C:\Windows\SysWOW64\Ichllgfb.exe	Iipgcaob.exe
File created	C:\Windows\SysWOW64\Bpebiecm.dll	Iipgcaob.exe
File created	C:\Windows\SysWOW64\Daiohhgh.dll	Iamimc32.exe
File created	C:\Windows\SysWOW64\Imehcohk.dll	Ecqqpgli.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Ncmfqkdj.exe
File opened for modification	C:\Windows\SysWOW64\Liplnc32.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mkmhaj32.exe
File opened for modification	C:\Windows\SysWOW64\Dolnad32.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Eccmffjf.exe

Program crash 1 IoCs

pid	pid_target	Process
3984	3944	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haiccald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igonafba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0079001f4d8e5010ec7c7065e10e9326.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oagcgibo.dll"	Giieco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhpbmi32.dll"	Hiknhbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll"	Moanaiie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fglipi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkcdafqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecejkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbgnedh.dll"	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijdkh32.dll"	Fidoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbamma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpekon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll"	Dbfabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpqdkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnpjo.dll"	Gpqpjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoamgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiknhbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ichllgfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecqqpgli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fepiimfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipgbjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allepo32.dll"	Kohkfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmjolo32.dll"	Fbopgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhffdaei.dll"	Fbamma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgmpikn.dll"	Hkaglf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieidmbcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhbnkpn.dll"	Fljafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghcoqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnelabi.dll"	Hedocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecqqpgli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmbhok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefgcifd.dll"	Gedbdlbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdjlion.dll"	Gpejeihi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijbdha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laegiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll"	Mbkmlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll"	0079001f4d8e5010ec7c7065e10e9326.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhgdkjol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2868	2476	0079001f4d8e5010ec7c7065e10e9326.exe	28
PID 2476 wrote to memory of 2868	2476	0079001f4d8e5010ec7c7065e10e9326.exe	28
PID 2476 wrote to memory of 2868	2476	0079001f4d8e5010ec7c7065e10e9326.exe	28
PID 2476 wrote to memory of 2868	2476	0079001f4d8e5010ec7c7065e10e9326.exe	28
PID 2868 wrote to memory of 2844	2868	Dbfabp32.exe	29
PID 2868 wrote to memory of 2844	2868	Dbfabp32.exe	29
PID 2868 wrote to memory of 2844	2868	Dbfabp32.exe	29
PID 2868 wrote to memory of 2844	2868	Dbfabp32.exe	29
PID 2844 wrote to memory of 2696	2844	Dfdjhndl.exe	141
PID 2844 wrote to memory of 2696	2844	Dfdjhndl.exe	141
PID 2844 wrote to memory of 2696	2844	Dfdjhndl.exe	141
PID 2844 wrote to memory of 2696	2844	Dfdjhndl.exe	141
PID 2696 wrote to memory of 2776	2696	Dolnad32.exe	140
PID 2696 wrote to memory of 2776	2696	Dolnad32.exe	140
PID 2696 wrote to memory of 2776	2696	Dolnad32.exe	140
PID 2696 wrote to memory of 2776	2696	Dolnad32.exe	140
PID 2776 wrote to memory of 2756	2776	Ddigjkid.exe	139
PID 2776 wrote to memory of 2756	2776	Ddigjkid.exe	139
PID 2776 wrote to memory of 2756	2776	Ddigjkid.exe	139
PID 2776 wrote to memory of 2756	2776	Ddigjkid.exe	139
PID 2756 wrote to memory of 2628	2756	Dookgcij.exe	138
PID 2756 wrote to memory of 2628	2756	Dookgcij.exe	138
PID 2756 wrote to memory of 2628	2756	Dookgcij.exe	138
PID 2756 wrote to memory of 2628	2756	Dookgcij.exe	138
PID 2628 wrote to memory of 3044	2628	Ebmgcohn.exe	137
PID 2628 wrote to memory of 3044	2628	Ebmgcohn.exe	137
PID 2628 wrote to memory of 3044	2628	Ebmgcohn.exe	137
PID 2628 wrote to memory of 3044	2628	Ebmgcohn.exe	137
PID 3044 wrote to memory of 2864	3044	Ehgppi32.exe	136
PID 3044 wrote to memory of 2864	3044	Ehgppi32.exe	136
PID 3044 wrote to memory of 2864	3044	Ehgppi32.exe	136
PID 3044 wrote to memory of 2864	3044	Ehgppi32.exe	136
PID 2864 wrote to memory of 380	2864	Ejhlgaeh.exe	135
PID 2864 wrote to memory of 380	2864	Ejhlgaeh.exe	135
PID 2864 wrote to memory of 380	2864	Ejhlgaeh.exe	135
PID 2864 wrote to memory of 380	2864	Ejhlgaeh.exe	135
PID 380 wrote to memory of 2508	380	Ecqqpgli.exe	134
PID 380 wrote to memory of 2508	380	Ecqqpgli.exe	134
PID 380 wrote to memory of 2508	380	Ecqqpgli.exe	134
PID 380 wrote to memory of 2508	380	Ecqqpgli.exe	134
PID 2508 wrote to memory of 1808	2508	Eccmffjf.exe	133
PID 2508 wrote to memory of 1808	2508	Eccmffjf.exe	133
PID 2508 wrote to memory of 1808	2508	Eccmffjf.exe	133
PID 2508 wrote to memory of 1808	2508	Eccmffjf.exe	133
PID 1808 wrote to memory of 660	1808	Enhacojl.exe	132
PID 1808 wrote to memory of 660	1808	Enhacojl.exe	132
PID 1808 wrote to memory of 660	1808	Enhacojl.exe	132
PID 1808 wrote to memory of 660	1808	Enhacojl.exe	132
PID 660 wrote to memory of 640	660	Ecejkf32.exe	131
PID 660 wrote to memory of 640	660	Ecejkf32.exe	131
PID 660 wrote to memory of 640	660	Ecejkf32.exe	131
PID 660 wrote to memory of 640	660	Ecejkf32.exe	131
PID 640 wrote to memory of 1084	640	Ejobhppq.exe	130
PID 640 wrote to memory of 1084	640	Ejobhppq.exe	130
PID 640 wrote to memory of 1084	640	Ejobhppq.exe	130
PID 640 wrote to memory of 1084	640	Ejobhppq.exe	130
PID 1084 wrote to memory of 1276	1084	Eplkpgnh.exe	129
PID 1084 wrote to memory of 1276	1084	Eplkpgnh.exe	129
PID 1084 wrote to memory of 1276	1084	Eplkpgnh.exe	129
PID 1084 wrote to memory of 1276	1084	Eplkpgnh.exe	129
PID 1276 wrote to memory of 2316	1276	Fidoim32.exe	128
PID 1276 wrote to memory of 2316	1276	Fidoim32.exe	128
PID 1276 wrote to memory of 2316	1276	Fidoim32.exe	128
PID 1276 wrote to memory of 2316	1276	Fidoim32.exe	128

C:\Users\Admin\AppData\Local\Temp\0079001f4d8e5010ec7c7065e10e9326.exe
"C:\Users\Admin\AppData\Local\Temp\0079001f4d8e5010ec7c7065e10e9326.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\Dbfabp32.exe
  C:\Windows\system32\Dbfabp32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\Dfdjhndl.exe
    C:\Windows\system32\Dfdjhndl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\Dolnad32.exe
      C:\Windows\system32\Dolnad32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2696

C:\Windows\SysWOW64\Fglipi32.exe
C:\Windows\system32\Fglipi32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:992
- C:\Windows\SysWOW64\Fnfamcoj.exe
  C:\Windows\system32\Fnfamcoj.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:940

C:\Windows\SysWOW64\Fepiimfg.exe
C:\Windows\system32\Fepiimfg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:880
- C:\Windows\SysWOW64\Fljafg32.exe
  C:\Windows\system32\Fljafg32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  PID:2996

C:\Windows\SysWOW64\Gdjpeifj.exe
C:\Windows\system32\Gdjpeifj.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040
- C:\Windows\SysWOW64\Gifhnpea.exe
  C:\Windows\system32\Gifhnpea.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2284

C:\Windows\SysWOW64\Giieco32.exe
C:\Windows\system32\Giieco32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:796
- C:\Windows\SysWOW64\Glgaok32.exe
  C:\Windows\system32\Glgaok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:2612
- - C:\Windows\SysWOW64\Gfmemc32.exe
    C:\Windows\system32\Gfmemc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    PID:2976
  - - C:\Windows\SysWOW64\Gpejeihi.exe
      C:\Windows\system32\Gpejeihi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      PID:2420

C:\Windows\SysWOW64\Gbcfadgl.exe
C:\Windows\system32\Gbcfadgl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1704
- C:\Windows\SysWOW64\Hpgfki32.exe
  C:\Windows\system32\Hpgfki32.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- - C:\Windows\SysWOW64\Haiccald.exe
    C:\Windows\system32\Haiccald.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:900

C:\Windows\SysWOW64\Hedocp32.exe
C:\Windows\system32\Hedocp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2856
- C:\Windows\SysWOW64\Hhckpk32.exe
  C:\Windows\system32\Hhckpk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2804

C:\Windows\SysWOW64\Hbhomd32.exe
C:\Windows\system32\Hbhomd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3032
- C:\Windows\SysWOW64\Hdildlie.exe
  C:\Windows\system32\Hdildlie.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:528
- - C:\Windows\SysWOW64\Hkcdafqb.exe
    C:\Windows\system32\Hkcdafqb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:1540

C:\Windows\SysWOW64\Hmbpmapf.exe
C:\Windows\system32\Hmbpmapf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:576
- C:\Windows\SysWOW64\Hhgdkjol.exe
  C:\Windows\system32\Hhgdkjol.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:2384
- - C:\Windows\SysWOW64\Hoamgd32.exe
    C:\Windows\system32\Hoamgd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:2340
  - - C:\Windows\SysWOW64\Hapicp32.exe
      C:\Windows\system32\Hapicp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      PID:1768

C:\Windows\SysWOW64\Hiknhbcg.exe
C:\Windows\system32\Hiknhbcg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3000
- C:\Windows\SysWOW64\Habfipdj.exe
  C:\Windows\system32\Habfipdj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:2064

C:\Windows\SysWOW64\Iipgcaob.exe
C:\Windows\system32\Iipgcaob.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2388
- C:\Windows\SysWOW64\Ichllgfb.exe
  C:\Windows\system32\Ichllgfb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2584
- - C:\Windows\SysWOW64\Igchlf32.exe
    C:\Windows\system32\Igchlf32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2940

C:\Windows\SysWOW64\Iamimc32.exe
C:\Windows\system32\Iamimc32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2524
- C:\Windows\SysWOW64\Ieidmbcc.exe
  C:\Windows\system32\Ieidmbcc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:2332

C:\Windows\SysWOW64\Ihgainbg.exe
C:\Windows\system32\Ihgainbg.exe
1⤵
- Drops file in System32 directory
PID:2168
- C:\Windows\SysWOW64\Ikfmfi32.exe
  C:\Windows\system32\Ikfmfi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:1556

C:\Windows\SysWOW64\Jocflgga.exe
C:\Windows\system32\Jocflgga.exe
1⤵
- Drops file in System32 directory
PID:2724
- C:\Windows\SysWOW64\Jabbhcfe.exe
  C:\Windows\system32\Jabbhcfe.exe
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\Jhljdm32.exe
    C:\Windows\system32\Jhljdm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    PID:1312
  - - C:\Windows\SysWOW64\Kilfcpqm.exe
      C:\Windows\system32\Kilfcpqm.exe
      4⤵
      Drops file in System32 directory
      PID:1376
    - - C:\Windows\SysWOW64\Kohkfj32.exe
        
        C:\Windows\system32\Kohkfj32.exe
        5⤵
        Modifies registry class
        
        PID:2712
      - C:\Windows\SysWOW64\Kgemplap.exe
        
        C:\Windows\system32\Kgemplap.exe
        6⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Lpekon32.exe
        
        C:\Windows\system32\Lpekon32.exe
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Laegiq32.exe
        
        C:\Windows\system32\Laegiq32.exe
        8⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        10⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016

C:\Windows\SysWOW64\Idnaoohk.exe
C:\Windows\system32\Idnaoohk.exe
1⤵
- Drops file in System32 directory
PID:2772

C:\Windows\SysWOW64\Iapebchh.exe
C:\Windows\system32\Iapebchh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:716

C:\Windows\SysWOW64\Ipllekdl.exe
C:\Windows\system32\Ipllekdl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2556

C:\Windows\SysWOW64\Ijbdha32.exe
C:\Windows\system32\Ijbdha32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2960

C:\Windows\SysWOW64\Iedkbc32.exe
C:\Windows\system32\Iedkbc32.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\SysWOW64\Icfofg32.exe
C:\Windows\system32\Icfofg32.exe
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\SysWOW64\Ipgbjl32.exe
C:\Windows\system32\Ipgbjl32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1936

C:\Windows\SysWOW64\Iimjmbae.exe
C:\Windows\system32\Iimjmbae.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWOW64\Igonafba.exe
C:\Windows\system32\Igonafba.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2100

C:\Windows\SysWOW64\Hgmalg32.exe
C:\Windows\system32\Hgmalg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2256

C:\Windows\SysWOW64\Mlaeonld.exe
C:\Windows\system32\Mlaeonld.exe
1⤵
- Modifies registry class
PID:540
- C:\Windows\SysWOW64\Mbkmlh32.exe
  C:\Windows\system32\Mbkmlh32.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:2260

C:\Windows\SysWOW64\Meijhc32.exe
C:\Windows\system32\Meijhc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1676
- C:\Windows\SysWOW64\Mhhfdo32.exe
  C:\Windows\system32\Mhhfdo32.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:2748

C:\Windows\SysWOW64\Mapjmehi.exe
C:\Windows\system32\Mapjmehi.exe
1⤵
- Modifies registry class
PID:2288
- C:\Windows\SysWOW64\Migbnb32.exe
  C:\Windows\system32\Migbnb32.exe
  2⤵
  - Drops file in System32 directory
  PID:2140
- - C:\Windows\SysWOW64\Mkhofjoj.exe
    C:\Windows\system32\Mkhofjoj.exe
    3⤵
    PID:2636

C:\Windows\SysWOW64\Mholen32.exe
C:\Windows\system32\Mholen32.exe
1⤵
PID:1080
- C:\Windows\SysWOW64\Mkmhaj32.exe
  C:\Windows\system32\Mkmhaj32.exe
  2⤵
  - Drops file in System32 directory
  PID:3048

C:\Windows\SysWOW64\Mmldme32.exe
C:\Windows\system32\Mmldme32.exe
1⤵
- Drops file in System32 directory
PID:2604
- C:\Windows\SysWOW64\Ndemjoae.exe
  C:\Windows\system32\Ndemjoae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:3128

C:\Windows\SysWOW64\Ndhipoob.exe
C:\Windows\system32\Ndhipoob.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3348
- C:\Windows\SysWOW64\Ngfflj32.exe
  C:\Windows\system32\Ngfflj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:3396

C:\Windows\SysWOW64\Nlcnda32.exe
C:\Windows\system32\Nlcnda32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3492
- C:\Windows\SysWOW64\Ncmfqkdj.exe
  C:\Windows\system32\Ncmfqkdj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:3548

C:\Windows\SysWOW64\Npagjpcd.exe
C:\Windows\system32\Npagjpcd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3752
- C:\Windows\SysWOW64\Ngkogj32.exe
  C:\Windows\system32\Ngkogj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:3800
- - C:\Windows\SysWOW64\Nenobfak.exe
    C:\Windows\system32\Nenobfak.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 140
1⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\Nlhgoqhh.exe
C:\Windows\system32\Nlhgoqhh.exe
1⤵
PID:3944

C:\Windows\SysWOW64\Nhllob32.exe
C:\Windows\system32\Nhllob32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:3896

C:\Windows\SysWOW64\Nlekia32.exe
C:\Windows\system32\Nlekia32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3692

C:\Windows\SysWOW64\Nmbknddp.exe
C:\Windows\system32\Nmbknddp.exe
1⤵
PID:3644

C:\Windows\SysWOW64\Ngibaj32.exe
C:\Windows\system32\Ngibaj32.exe
1⤵
- Drops file in System32 directory
PID:3596

C:\Windows\SysWOW64\Nmpnhdfc.exe
C:\Windows\system32\Nmpnhdfc.exe
1⤵
- Modifies registry class
PID:3448

C:\Windows\SysWOW64\Naimccpo.exe
C:\Windows\system32\Naimccpo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3288

C:\Windows\SysWOW64\Nmnace32.exe
C:\Windows\system32\Nmnace32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3240

C:\Windows\SysWOW64\Nkpegi32.exe
C:\Windows\system32\Nkpegi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3192

C:\Windows\SysWOW64\Maedhd32.exe
C:\Windows\system32\Maedhd32.exe
1⤵
- Modifies registry class
PID:2800

C:\Windows\SysWOW64\Mofglh32.exe
C:\Windows\system32\Mofglh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1476

C:\Windows\SysWOW64\Mlhkpm32.exe
C:\Windows\system32\Mlhkpm32.exe
1⤵
PID:2900

C:\Windows\SysWOW64\Mhloponc.exe
C:\Windows\system32\Mhloponc.exe
1⤵
PID:1444

C:\Windows\SysWOW64\Modkfi32.exe
C:\Windows\system32\Modkfi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1520

C:\Windows\SysWOW64\Moanaiie.exe
C:\Windows\system32\Moanaiie.exe
1⤵
- Modifies registry class
PID:2576

C:\Windows\SysWOW64\Lfdmggnm.exe
C:\Windows\system32\Lfdmggnm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:532

C:\Windows\SysWOW64\Hkaglf32.exe
C:\Windows\system32\Hkaglf32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2608

C:\Windows\SysWOW64\Gfjhgdck.exe
C:\Windows\system32\Gfjhgdck.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2144

C:\Windows\SysWOW64\Gpqpjj32.exe
C:\Windows\system32\Gpqpjj32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2000

C:\Windows\SysWOW64\Ghcoqh32.exe
C:\Windows\system32\Ghcoqh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2572

C:\Windows\SysWOW64\Gedbdlbb.exe
C:\Windows\system32\Gedbdlbb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2680

C:\Windows\SysWOW64\Fjongcbl.exe
C:\Windows\system32\Fjongcbl.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808

C:\Windows\SysWOW64\Fagjnn32.exe
C:\Windows\system32\Fagjnn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1600

C:\Windows\SysWOW64\Fbamma32.exe
C:\Windows\system32\Fbamma32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:292

C:\Windows\SysWOW64\Fbopgb32.exe
C:\Windows\system32\Fbopgb32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1056

C:\Windows\SysWOW64\Fpqdkf32.exe
C:\Windows\system32\Fpqdkf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1720

C:\Windows\SysWOW64\Fmbhok32.exe
C:\Windows\system32\Fmbhok32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1716

C:\Windows\SysWOW64\Ffhpbacb.exe
C:\Windows\system32\Ffhpbacb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132

C:\Windows\SysWOW64\Fpngfgle.exe
C:\Windows\system32\Fpngfgle.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316

C:\Windows\SysWOW64\Fidoim32.exe
C:\Windows\system32\Fidoim32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\Eplkpgnh.exe
C:\Windows\system32\Eplkpgnh.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\Ejobhppq.exe
C:\Windows\system32\Ejobhppq.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\Ecejkf32.exe
C:\Windows\system32\Ecejkf32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\Enhacojl.exe
C:\Windows\system32\Enhacojl.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\Eccmffjf.exe
C:\Windows\system32\Eccmffjf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\Ecqqpgli.exe
C:\Windows\system32\Ecqqpgli.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\Ejhlgaeh.exe
C:\Windows\system32\Ejhlgaeh.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\Ehgppi32.exe
C:\Windows\system32\Ehgppi32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\Ebmgcohn.exe
C:\Windows\system32\Ebmgcohn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\Dookgcij.exe
C:\Windows\system32\Dookgcij.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\Ddigjkid.exe
C:\Windows\system32\Ddigjkid.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddigjkid.exe

Filesize
111KB

MD5
fc6ae2e4e3ab1b8c2b88529210dd6b7e

SHA1
f795833bcc9e6514d3c8a587550676f058665518

SHA256
2d1d680efa2417f351f30660e7d9307b7e203404839f5cca53f7f3191940852c

SHA512
9b6d43cd488aa9175b98aa3684814a46ad16d734b5a8158a8081d905f256f05b9307e4bdfe02f236a0c76a38dca04fc7937503d3fbd7aafd78e7c0f6468b578a

Download Submit
C:\Windows\SysWOW64\Dolnad32.exe

Filesize
111KB

MD5
59fa4c7c33fa27cf08527e9b73635107

SHA1
4c9d7212f446ff7ce49b07c14eee236959d05dce

SHA256
ae12401c2a9e51a8e8e957583d9cf02f140c915e0f063f9a70e40d1920d1ebec

SHA512
0fd25f59ccffd41914eb9988a993e233b990dea7f7ccfc24226d19f9b7bb40798eb35ec9978f99ca5c3027e73a799ec248160e279924262602b9344732ea32db

Download Submit
C:\Windows\SysWOW64\Dookgcij.exe

Filesize
111KB

MD5
d5bc48d5b39e2b6b37649abb47a54457

SHA1
d669c5de7baffc526777e4221f329d335795c794

SHA256
9c830a5b575c939df0fff4cebe21dffe5bdbeb138ae109886e640d2ec7e5e79a

SHA512
766bc75589a6e5e392bfeec2b9cd15a9c23e8bc3411f4c010784d5892db9fdac23eed2424c7a457ddd8c7358bf735cde3998ea6ef78e29747f14a861fcf4fc5d

Download Submit
C:\Windows\SysWOW64\Ebmgcohn.exe

Filesize
111KB

MD5
6d840cc651f7666cefbadadbbd2550fb

SHA1
cb977be54263611aa6b738cba488552185dc52ae

SHA256
9d517117fb26aeaf6d4af22923ccc5ac7076c91886899e68b96b00f5a4203b8a

SHA512
8810f8b062361f0a9802b7885cfcc4b7d48cfb032d9bbf841463d723fea70cd4d2c49c46a103978aef884155c87f1882d25805a1c44b218836acf481e2dddf4f

Download Submit
C:\Windows\SysWOW64\Eccmffjf.exe

Filesize
111KB

MD5
1482c37f5465bb7ad6f802503b7861d6

SHA1
3749a9552fab151d1c60914d26d0fa3ec7f3b564

SHA256
7e61a15de8b917b0dbaf519c2f60be1ee994653f9722fe963dd2548b59b3124e

SHA512
938028fa38253d32c4d06d5b9bb6271787e15adf4f07291ef9aac46e723a32bbf683add001a977a2ea09c41d5eadec182e4782f87eb594fe2e4c6e6cbc77c7e8

Download Submit
C:\Windows\SysWOW64\Ecejkf32.exe

Filesize
111KB

MD5
9c952d30a95133aedd802e0cf7d0005f

SHA1
ea6e6935901683f75acbb750f0c24a3b684832e1

SHA256
10238802c9664edd7ac101ddc18c4eb655157373fed9d86efb100f4b4109a98b

SHA512
6773abe48751fa283ac7e18ccdd0b36515a309eb74eafa058be2f56a65ff582138947bb4549a08bf1965824f663deece98898fdc716cb9f7c8dfe00d531b1f5c

Download Submit
C:\Windows\SysWOW64\Ecqqpgli.exe

Filesize
111KB

MD5
ad8c290affacee2b23e029e783fdba9f

SHA1
5f1a9bfe9b46ef641740b51ada0ec54643b3f4e6

SHA256
f6211b55245784eed1beea50ba89e6043e8c57cd9a19a39eb792ffc5ef6e00d4

SHA512
b55d8fbc1570e529a30b8caa918452476c0cbd8b455d1c0f2b96abf314836271bd5baf5cf04d2176e02de5a2ccba066d467aff0354fd8a48d412f35d80189a32

Download Submit
C:\Windows\SysWOW64\Ehgppi32.exe

Filesize
111KB

MD5
2eb93f89b83ec618775f06995d641e55

SHA1
a45fe79e21af63f4ff6cff8dbaf776e7d3807150

SHA256
11ede026d4ffb5e96d8d197b7cc72161fee7395ba8b40c164233fef74c86c7a8

SHA512
509c465f6637a8c57716bc50e27d0684e2a3ec0ffc5c23c18b345294538eaf4903f9ecee5157d3d91c2319a46758f4c875ab5bb1dc903c9a2820e0e3cd2a70a4

Download Submit
C:\Windows\SysWOW64\Ejhlgaeh.exe

Filesize
111KB

MD5
8f2cbc1878a3e72c5a4c8255c937f69d

SHA1
5a467b70903b4547d5491a2a06dc45b21a7b379e

SHA256
e1278eac220b646319188dc08350c9d945c69c1d508c8a7358e6046a3e74fe79

SHA512
00d63645bf86ccabff60f04df7069e3d24cf9110fddbcf2eb45ccdc666e036b96a271fdc779990c886a02078401992d7eeb64d2a1b3ed02ea644a02928fae432

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
111KB

MD5
e4a94ec67cc3460023a59770e2a97ae3

SHA1
f911dcfa69bec713e030a5a79878bedb204276b1

SHA256
cc7613542bdf4af73580530e7291e02634192be21c0f7f799b0525a8f18bf674

SHA512
a2e9e4bbf89a371e55ef4320ef3d0380afd44235a29f44a203cfcae9ecaa99dfd4b4db45b8d4da726ee1800ca000f6cf23a62c6e0490cc07ec7824dbca2f3471

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
111KB

MD5
c75aec82f8a97ffde78e6094af5be465

SHA1
ca210f00161cf606db1a0195d4518ebbee52b5bf

SHA256
af7a237abc434a3f01561ce6d587c1faefc7885a3f1f745d73ce9c0749530e1e

SHA512
f4525e665a31f0fdf1cbedd43d48389d0fd54b77ffd273dc94a8dfae442a609468035d509a6bcdc7c8601df86ffe6c3a82fef7522199b7b3d17bf9a9c1b7d201

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
111KB

MD5
090f5047065d1630b6e7ca48eb224da1

SHA1
c40bdf64ab2865068c17dccdfad184642cf74358

SHA256
61367eb6bca5b2b4ad727c2957b27d0cc175907b42413d4aa1fc51663c6b0748

SHA512
50a808cbddc7a560d83dcbb4d46cc063b0d3498d7e89a1efb6ab410cf8e7ab2f4e054c13ec0d9c0151be9897e090cadbf9cb2e4a1bc186a43e96939da39fde07

Download Submit
C:\Windows\SysWOW64\Fidoim32.exe

Filesize
111KB

MD5
81dc7e11d555d210ebe4a318a4e947e9

SHA1
9b12057e20ffa3c58790693bf4704e57f612bea3

SHA256
b07189ae2e8b40428029d7020a431ac8ef347628a592cc0b34c6e92ebab7f249

SHA512
2200a0b0195048d4aac0115922e925199eb12dba3d74afed41796ffa84d55774b9581c0f42bf3a058d12f82cb2c0fe46b81a670c92b19fd97494720299d0b3ea

Download Submit
C:\Windows\SysWOW64\Fpngfgle.exe

Filesize
94KB

MD5
301f6881e6b205c5004005c0f9e69410

SHA1
048625615e95f4d598012d9e327dabca32877c68

SHA256
ebc990936a08b3b2fcce3717de0f0ef8e801df3e317858c2c6faa690947098ce

SHA512
efa73a7433e83ed9cda4358a23f2e74418342827584c18ad4a056e084a1700482be922b31689bf315ce05a194ffb9246664989b0ebd57d6212e682b73e4227a5

Download Submit
\Windows\SysWOW64\Dbfabp32.exe

Filesize
111KB

MD5
436d565d1a45a186756dfbd3793a1741

SHA1
db16dc13e3049ebdd5502cb76b91adaf46057130

SHA256
8cac29f349cdc51d1dae2820f2aade3f4b6ac7d9aeb60996691165a29de77001

SHA512
44863f27af12dac04322a28b8ffb335e56933d473bbc1061ef285234c0426caf02589bb730d7941bf3ed08585a1d07cc57a87e32ff64e56268cd36a6326d3445

Download Submit
\Windows\SysWOW64\Dfdjhndl.exe

Filesize
111KB

MD5
03edcbbc62136b3295e9c4b403614293

SHA1
7be26235a04a0880000f49b952ea2625ba16d010

SHA256
5650ee393512b3bd48b66491ca84ca66db241104f9c020582e4f737d82b51106

SHA512
fe3a2c10491a198d46acaa0e9e98311c11fad18a752b6529a7162908078b6bef75c5f38aac06b4ab75490186e2221640c265aa9846d71b31d70296f9ddb95264

Download Submit
\Windows\SysWOW64\Fpngfgle.exe

Filesize
111KB

MD5
38eb79bcd33bbdf3b35a1acf724bfee7

SHA1
61609824a5a5494a1bcc73c100acd661fdaac304

SHA256
4a4f7e09a069624307fa9c24b18c5e8d1bb14bf14ff39a2159197afadf75b3d1

SHA512
0691f1e956266ae6f05c1115cd6aa1e2e15fe6ce645103d53bc47db47369c48eff0c265510e1fafd6262ac88164f26ae7b165247b7617e8efc21341f3fc63355

Download Submit
memory/292-305-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/292-299-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/292-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-131-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/380-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-170-0x00000000001C0000-0x00000000001F3000-memory.dmp

Filesize
204KB

Download
memory/660-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-310-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/880-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-288-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/940-293-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/940-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-277-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/992-283-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/992-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-263-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1056-271-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1056-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-192-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1084-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-218-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1276-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-328-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1600-336-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1600-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-249-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1716-248-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1716-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-256-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/1720-255-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/1808-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-238-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/2132-233-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/2132-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-225-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2476-6-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2476-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-364-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2572-370-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2572-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-86-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2680-354-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2680-350-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2680-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-60-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2776-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-346-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2808-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-348-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2844-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-34-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2864-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-20-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2996-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-320-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2996-325-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3040-375-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3040-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads