c579a216ad357afb619582b992db63806163e28106b03b98a0acf3584c11b6d4

Analysis

max time kernel
94s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c579a216ad357afb619582b992db63806163e28106b03b98a0acf3584c11b6d4.exe
Size

368KB
MD5

2cc1a76b2ef8b2a7a3c8b4c6224bcec3
SHA1

1fb303a7c84ab9f8b628127ad20c12b022480846
SHA256

c579a216ad357afb619582b992db63806163e28106b03b98a0acf3584c11b6d4
SHA512

ec37c8aa6d578ed3a3e761e214c9b7a92aee60c99934ea287a25958fd7224187e8893feba85878bae4150f8ffa583877b6b0b6678af89e75f18f952b54a47812
SSDEEP

6144:GLfl0pnabtufE4f9FIUpOVw86CmOJfTo9FIUIhrcflDMxy9FIUpOVw86CmOJfToX:GLWpnmzaAD6RrI1+lDMEAD6Rr2NWL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dabpnlkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dadlclim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe

Executes dropped EXE 64 IoCs

pid	Process
3520	Dabpnlkp.exe
2380	Diihojkb.exe
4356	Dadlclim.exe
552	Dhnepfpj.exe
4128	Dpemacql.exe
3620	Debeijoc.exe
2760	Dhqaefng.exe
2080	Dokjbp32.exe
3016	Daifnk32.exe
1460	Dfdbojmq.exe
2940	Dhcnke32.exe
2112	Dlojkddn.exe
868	Dpjflb32.exe
1128	Dakbckbe.exe
348	Ejbkehcg.exe
3004	Elagacbk.exe
2564	Epmcab32.exe
2508	Eoocmoao.exe
1036	Eckonn32.exe
2396	Ebnoikqb.exe
4388	Efikji32.exe
1124	Ehhgfdho.exe
1432	Elccfc32.exe
1220	Epopgbia.exe
2748	Eoapbo32.exe
860	Ecmlcmhe.exe
2728	Eflhoigi.exe
3108	Ejgdpg32.exe
4916	Ehjdldfl.exe
4336	Eleplc32.exe
636	Eqalmafo.exe
4812	Eodlho32.exe
4512	Ebbidj32.exe
776	Ehlaaddj.exe
4340	Elhmablc.exe
4264	Eqciba32.exe
4012	Eofinnkf.exe
1604	Ecbenm32.exe
4832	Ebeejijj.exe
1340	Ejlmkgkl.exe
2932	Emjjgbjp.exe
2360	Eqfeha32.exe
5112	Ecdbdl32.exe
4428	Fbgbpihg.exe
3184	Fjnjqfij.exe
2096	Fhajlc32.exe
5088	Fmmfmbhn.exe
3164	Fokbim32.exe
804	Fcgoilpj.exe
1608	Ffekegon.exe
2424	Fjqgff32.exe
1360	Ficgacna.exe
4252	Fmocba32.exe
1180	Fqkocpod.exe
4648	Fomonm32.exe
4520	Fcikolnh.exe
4060	Fifdgblo.exe
4408	Fqmlhpla.exe
4056	Fckhdk32.exe
1632	Fihqmb32.exe
3536	Fobiilai.exe
2948	Fflaff32.exe
1044	Fmficqpc.exe
5012	Fodeolof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Gbjgbh32.dll	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fobiilai.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Diihojkb.exe	Dabpnlkp.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ehjdldfl.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjflb32.exe	Dlojkddn.exe
File created	C:\Windows\SysWOW64\Fcikolnh.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Debeijoc.exe	Dpemacql.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Eckonn32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Dhcnke32.exe	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Dadlclim.exe	Diihojkb.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ebnoikqb.exe	Eckonn32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Fokbim32.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Npgpaojg.dll	Dlojkddn.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Haggelfd.exe
File created	C:\Windows\SysWOW64\Ejgdpg32.exe	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Fbgbpihg.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Ejbkehcg.exe	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Elccfc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7128	7036	WerFault.exe	281

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll"	Ehjdldfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Elagacbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdmaid32.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Fomonm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 3520	2120	c579a216ad357afb619582b992db63806163e28106b03b98a0acf3584c11b6d4.exe	83
PID 2120 wrote to memory of 3520	2120	c579a216ad357afb619582b992db63806163e28106b03b98a0acf3584c11b6d4.exe	83
PID 2120 wrote to memory of 3520	2120	c579a216ad357afb619582b992db63806163e28106b03b98a0acf3584c11b6d4.exe	83
PID 3520 wrote to memory of 2380	3520	Dabpnlkp.exe	84
PID 3520 wrote to memory of 2380	3520	Dabpnlkp.exe	84
PID 3520 wrote to memory of 2380	3520	Dabpnlkp.exe	84
PID 2380 wrote to memory of 4356	2380	Diihojkb.exe	85
PID 2380 wrote to memory of 4356	2380	Diihojkb.exe	85
PID 2380 wrote to memory of 4356	2380	Diihojkb.exe	85
PID 4356 wrote to memory of 552	4356	Dadlclim.exe	86
PID 4356 wrote to memory of 552	4356	Dadlclim.exe	86
PID 4356 wrote to memory of 552	4356	Dadlclim.exe	86
PID 552 wrote to memory of 4128	552	Dhnepfpj.exe	87
PID 552 wrote to memory of 4128	552	Dhnepfpj.exe	87
PID 552 wrote to memory of 4128	552	Dhnepfpj.exe	87
PID 4128 wrote to memory of 3620	4128	Dpemacql.exe	88
PID 4128 wrote to memory of 3620	4128	Dpemacql.exe	88
PID 4128 wrote to memory of 3620	4128	Dpemacql.exe	88
PID 3620 wrote to memory of 2760	3620	Debeijoc.exe	89
PID 3620 wrote to memory of 2760	3620	Debeijoc.exe	89
PID 3620 wrote to memory of 2760	3620	Debeijoc.exe	89
PID 2760 wrote to memory of 2080	2760	Dhqaefng.exe	90
PID 2760 wrote to memory of 2080	2760	Dhqaefng.exe	90
PID 2760 wrote to memory of 2080	2760	Dhqaefng.exe	90
PID 2080 wrote to memory of 3016	2080	Dokjbp32.exe	91
PID 2080 wrote to memory of 3016	2080	Dokjbp32.exe	91
PID 2080 wrote to memory of 3016	2080	Dokjbp32.exe	91
PID 3016 wrote to memory of 1460	3016	Daifnk32.exe	92
PID 3016 wrote to memory of 1460	3016	Daifnk32.exe	92
PID 3016 wrote to memory of 1460	3016	Daifnk32.exe	92
PID 1460 wrote to memory of 2940	1460	Dfdbojmq.exe	93
PID 1460 wrote to memory of 2940	1460	Dfdbojmq.exe	93
PID 1460 wrote to memory of 2940	1460	Dfdbojmq.exe	93
PID 2940 wrote to memory of 2112	2940	Dhcnke32.exe	94
PID 2940 wrote to memory of 2112	2940	Dhcnke32.exe	94
PID 2940 wrote to memory of 2112	2940	Dhcnke32.exe	94
PID 2112 wrote to memory of 868	2112	Dlojkddn.exe	95
PID 2112 wrote to memory of 868	2112	Dlojkddn.exe	95
PID 2112 wrote to memory of 868	2112	Dlojkddn.exe	95
PID 868 wrote to memory of 1128	868	Dpjflb32.exe	97
PID 868 wrote to memory of 1128	868	Dpjflb32.exe	97
PID 868 wrote to memory of 1128	868	Dpjflb32.exe	97
PID 1128 wrote to memory of 348	1128	Dakbckbe.exe	98
PID 1128 wrote to memory of 348	1128	Dakbckbe.exe	98
PID 1128 wrote to memory of 348	1128	Dakbckbe.exe	98
PID 348 wrote to memory of 3004	348	Ejbkehcg.exe	99
PID 348 wrote to memory of 3004	348	Ejbkehcg.exe	99
PID 348 wrote to memory of 3004	348	Ejbkehcg.exe	99
PID 3004 wrote to memory of 2564	3004	Elagacbk.exe	100
PID 3004 wrote to memory of 2564	3004	Elagacbk.exe	100
PID 3004 wrote to memory of 2564	3004	Elagacbk.exe	100
PID 2564 wrote to memory of 2508	2564	Epmcab32.exe	101
PID 2564 wrote to memory of 2508	2564	Epmcab32.exe	101
PID 2564 wrote to memory of 2508	2564	Epmcab32.exe	101
PID 2508 wrote to memory of 1036	2508	Eoocmoao.exe	102
PID 2508 wrote to memory of 1036	2508	Eoocmoao.exe	102
PID 2508 wrote to memory of 1036	2508	Eoocmoao.exe	102
PID 1036 wrote to memory of 2396	1036	Eckonn32.exe	103
PID 1036 wrote to memory of 2396	1036	Eckonn32.exe	103
PID 1036 wrote to memory of 2396	1036	Eckonn32.exe	103
PID 2396 wrote to memory of 4388	2396	Ebnoikqb.exe	104
PID 2396 wrote to memory of 4388	2396	Ebnoikqb.exe	104
PID 2396 wrote to memory of 4388	2396	Ebnoikqb.exe	104
PID 4388 wrote to memory of 1124	4388	Efikji32.exe	105

C:\Users\Admin\AppData\Local\Temp\c579a216ad357afb619582b992db63806163e28106b03b98a0acf3584c11b6d4.exe
"C:\Users\Admin\AppData\Local\Temp\c579a216ad357afb619582b992db63806163e28106b03b98a0acf3584c11b6d4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\Dabpnlkp.exe
  C:\Windows\system32\Dabpnlkp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\Diihojkb.exe
    C:\Windows\system32\Diihojkb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\Dadlclim.exe
      C:\Windows\system32\Dadlclim.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        23⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        26⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        27⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        29⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        31⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        36⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        37⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        38⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        39⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        42⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        45⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        50⤵
        Executes dropped EXE
        
        PID:804
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        51⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        52⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        54⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1180
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        57⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        59⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        60⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        63⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        66⤵
        
        PID:884
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4200
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        70⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        71⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4968
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        74⤵
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        75⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        76⤵
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        79⤵
        Drops file in System32 directory
        
        PID:612
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        81⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        82⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        83⤵
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        84⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        85⤵
        
        PID:728
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        86⤵
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        88⤵
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        90⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4300
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        92⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        93⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        97⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        103⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        104⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        106⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        107⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        108⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        109⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        113⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        114⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        115⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        119⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        120⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        121⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        122⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        124⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        126⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        128⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        129⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        130⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        132⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        135⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        137⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        138⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        140⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        141⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        142⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        144⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        147⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        148⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        149⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        150⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        151⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        152⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        154⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        157⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        158⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        161⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        165⤵
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        166⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        167⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        172⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        176⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6508
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        178⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        180⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        182⤵
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        183⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        185⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        186⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        189⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        190⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        192⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        194⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7036 -s 424
        195⤵
        Program crash
        
        PID:7128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7036 -ip 7036
1⤵
PID:7076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
368KB

MD5
194bae21431b1f91928fad26f213a7ac

SHA1
253d74dc003708e49a4628a1570bf15625af18f3

SHA256
6be75dd3483cda8848d407e7aab3b698b6d89569f2b5f9fbfa511b50531d7904

SHA512
4ec3e3b4baefed639cad90909d9bb9b90af7374030d2c3c97f8bdd09af15547dfcc5e2c068fef53677f23870ff531cd9871030d9b9c398c65d260213d2319eb2

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
368KB

MD5
edc86d034661267c30821fc6527da5d7

SHA1
f22c860159a85e3acba02eafb1380b0f75714f10

SHA256
53be3d7afc64d913195254775c2949d72d7f51c10a9db4ceb4ba6dcad2baf85c

SHA512
a857c8228974fd6c5f8d93e9cd65bf46e54c0956e4e642dc2056123cff5dcfdc30154b43d8c7dc93c27456c09d3964d1651f4f79315d966509929aa4d1bb6a94

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
368KB

MD5
be990bc46cad029498458592cf3d5bcf

SHA1
e1b46732a1a709df04eb660618fc6ef4c654e75a

SHA256
e83ded259c3c92edb05603e7f53c24431191d4dbdd17cd4762b41b5658e558a9

SHA512
232f4d673bc7098ecb516133c7eb9b9547c23a65cfab1494902e844b87ac80f560d5df76faf073d721be88181e2dc0672c8c49e5ec43386485d793283e5bb6f6

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
368KB

MD5
fab96cf5c161117a29b7b2b85fe7c994

SHA1
9b44433795b00d2c1439d1e5512e6e66c2a85500

SHA256
67412714f35e9700738635aeaf1c7a9a0c56632aa633ac9e08afb2307893552f

SHA512
3dbf105fcb06bae502e57b754170bd69cb9131e2754c2baab793b51167ad01e2f6e20dfad1823525e960647b00f31e96f1482e57618fdf7e6aa5869d6f98014b

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
368KB

MD5
7a1895f8b41642910de92ab7b26b8179

SHA1
6ce53b55410f1d263388d65a2c18dc749acf949d

SHA256
8856953657dfc3fb2dcefede659790c049d08e04d9ed58214f04b35036877624

SHA512
fa2c7353488b9fad5de64a5ee749d47552a34d7ede7fa5404e724421be24698854133bfbdc47fd4c7b6fa1d4aaecf432c14c5a37728617b5a4d6bf6da36f1c4d

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
368KB

MD5
d3246c3b703eac8a339e1581770e80cb

SHA1
8b97e34a80cf4f49108e7373d7f661318ccede75

SHA256
e5c69e44bc2dbfa825d6372221a848b80b47f90917c317ef652ab9a61e1b470d

SHA512
5c0a94d67d4d9a4c221394cbb884dd9cb00d50ffd5b7bee5e2fd69ace81982df499b544eb0deef113324c54a46d42e563c1af77c94b75705b2350735b5ef37bf

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
368KB

MD5
5d9b7840b2a40b5da4ada7c13dabed10

SHA1
2d76abf3f320549dbe7b6db7146544fbf0bc315c

SHA256
2a9b3d42c72db25cdced5a280a18b604ef18251b7c393a384568d8fcffee5c4b

SHA512
68be36a6391b5b632654d672991ec657471f767a85a528bb210dd1a23cd02d9977d301005672a7ccb0cf9f467b4176a432c6926ed4ec65865cb3bd979adedc5e

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
368KB

MD5
2504b6c77aa76985713c6e5271408b98

SHA1
3a8ae8c8bd0ad7165605843e367d084f54deec9e

SHA256
affc6c0c9fcad671874dd2b5017c0890c54c0cb1c4de50e7c07a7d620d5a782f

SHA512
0a95f92579a55cab6d838c45f4e3cc5f34b11837076f12419df06d8e988132fbf5e7380df65b35087996e7596bf054bc818d3d86f8a1bc50f0870be1521dcaad

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
368KB

MD5
33418493e7b0a1912fad6e26b5b4f8b4

SHA1
3689ffbf892f188926294e670383c1a3953c50ad

SHA256
bb66793b80620a8ff4ee91aa04537edcefde8a4825b39b870ddb220082ce74b1

SHA512
b3349aa728fe3621d144a60dd4db8096efd2d3662fb0c755c4a4583a7565015cd2cf4c1d304bc744212dcfa4f99e16ee33156630e7e2ca8696384124d566e7ea

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
368KB

MD5
4d4e88402c50bcd9619a550ba1f9132e

SHA1
541c16b96c9d22014faa72ccd649d3b3ba9ae0e2

SHA256
60d37db08f4e6029cdb102359fce8005fed83802c7c167e69216b4368f9b6f8d

SHA512
527e050f1f10ccf598591a0928edef28043bbe7a636ae9f420ec906e35b7671c2e44ff150c4bc41258f19d83a8f54f4f532474a046222f8b08cfbcf6e839ee91

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
368KB

MD5
e7a185331420e47f6bf9f8bff37ae24a

SHA1
30ad873a1f326fbe090dbcd335d80134a841731f

SHA256
ee92e3a7081f0d76d1d175440eddef3fc337d362c9be9ce4b7a74a34dfe60e4c

SHA512
32e41e73b620a84177845c882fa743d2a85caad88b50f182b03088fc6dc610881f43413ab098408403e1e612bdcbc0af4c1ee740a6188c44c21e49ba35572dcf

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
368KB

MD5
0f27f39c28f13861a55c1715691f9bbf

SHA1
ff82ecc5bab4df5bbfbe6c2909c5cd6c46c2ebca

SHA256
b649fa65812352dd3ed9c383e73b838d3f5600c0ff660eedacbad04d8a32921e

SHA512
ba3bf5383e09cbd78bd159fdb3cddf1e51fb115e16a397c8ef8751962961b5e3e7ea1657dbe53530bce6f5e6dfc989b55150a07efbcfc6c0ac5f342e5debadc2

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
368KB

MD5
4601874e3f3b2890603c709d2f26fc5f

SHA1
2dc7bbb1111749204b8da073336834bc2299fde6

SHA256
f13ed69e85b99b1a2e1f543ac61dcf2d50c6f7ac5baaa0faf21203a7b0de2ea1

SHA512
783071598895bf561e991ffecca4383e1b5fca9a2670bd7638ef3302c913136368aa2bee2df9528a9b789a1562a9919e47a19387a908529f7c4f90bfacd39545

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
368KB

MD5
fe85c26987626e1585568a38375045bf

SHA1
33de0b38dbe189581ecd2103bea3172e9ae3eb54

SHA256
e5082ef3329bb0ff4980ecd9af66475d34eaad480608c09994ffc9c45b4b74e9

SHA512
15fd7945fef8cd265b7771a058cdfbbbbece3ca10e77011af0fb1a0e4807c5ed819d408fa9e35d93a178f109fcbbfa0d2d5156b26c25e4a03dd6e820b88bba52

Download Submit
C:\Windows\SysWOW64\Ebjmif32.dll

Filesize
7KB

MD5
a3aafec6fcc557e5a1cb0c605a721ef9

SHA1
1a9adfa7c6203b78ce591cbedac684643e8ee8d5

SHA256
fa22845d394638541d2ada7cf064aad03b3ed1ad20647c0ed49fcffac80afaed

SHA512
33cc7dd2d463b3f3835d802ee54c43f048d44269b00f45dbaec852beb901f24f8ff5bc74ab10c050de788c15e8f534aa4f49db60a4c6b1af88558dc6b7299bd4

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
368KB

MD5
840925eccdfaaafe56bba9505801f36f

SHA1
972e1a7108606720bf3098b4444eb53fb58253ea

SHA256
ddae0fce067477fd17ecaabd52b2c707dd292965102b74a0e89a5972674689e4

SHA512
55ebae2c987e36798f3b62110c3bf5073b9f33b57dad84143f823758ac3c38be12141ebd9ce17375bbcc5abd692e6f2e2642f933bef49bdc4bf2c2195009cf81

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
368KB

MD5
ca61bf9aca3ef325b5e9025f63d5ad17

SHA1
f2c86fd82924b6185fb83cd9afffce1ef1d3e270

SHA256
98d2bdb24dd8188cbecba112f6f39df4156e94e164abe7befb16763aa8fd44df

SHA512
0ea22bdde5ce401724b82657285bfdc136f96eed62562de266fb19f9e8cfc6e94170b26a0eb1e9979301b539344e803586b2e7f8cbf98aa1139e882c9815daae

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
368KB

MD5
1977d84cdfc25706321125b96ee8d183

SHA1
9fd19129c17bf82349e9b4652ba75babe7e2d0af

SHA256
571554d2267f067bca9e179ae7ed7a5df1e84f45cde66eff84d4b1aa73ec5ad5

SHA512
3653d2f539afff3fd9f4c4b3d5dce6a01ac96211dbec4ca923a4fd884da7c2e944623dc7b9c2aa21e7f5b3d39d976dfce2afb469322c87cfb8ed1cd85531c550

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
368KB

MD5
3a71f79eca9cd236603b6cfc4f4fa587

SHA1
bc4634b80bf2aa91222c816f811900c59793e006

SHA256
bfdc655bc8a093551cd55f2ef69134b586a0af10357fd929e83eda81c63f9c79

SHA512
cc98ba25cdc9508242be795d5b6b732633404c25e701fccf293595a6c66ecdf5cd5871e282212ee035913adc1855257831f9b9c21b858636064390362f865b8e

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
368KB

MD5
dfdea21b9f3704c891a5a61fb7ad4231

SHA1
43ac49df4dddcfffa6085a7cf72e903397db7269

SHA256
9092d860ffdc683cecb9998ef29355aec693a1c67c8ecc58e8bb9fb6eb53cc2f

SHA512
49f0566e6fd6fa48e4b424234c0fe6ad6b5bdfb4155d950e89c2cfc3628bff5d4ec315c1b8824bcb5ec821ff888ff2d6b1d94f2433a7ab3c190bccef197e094a

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
368KB

MD5
5e56c36334d27d8be70249b0a70dd25c

SHA1
dc6850d597c3353e68a0571d21439bc6c195c74a

SHA256
c7547fb96c48da54445f20591805d620ef8fc38a0412dcb86f7d979743c13347

SHA512
1cb075edd8b5c3867a818d6da5e39f60751c4466a0254db1fdee788c4a5863122aefb6e79227b7cc54bb3e30c1ce9d01e41fb67ca2b0bb4fee4abb9f489a5a39

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
368KB

MD5
a00e3636b63a38a4615f5b8cf6e6637a

SHA1
fd69342b1a36bcb486b1356e8e65ec214070a5bb

SHA256
3a10280dbc716372f4eef044f9a65316fb6388cdf5a89b3dd8e602bbd98ef1a6

SHA512
b46856b1003d1a04d3683a0155a6377b622f5072998896ae1eda8510226b3f7234e615c5acde5bc5de623ec8f1f4e48282c0d5f70c490710f5ae9d779be22f34

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
368KB

MD5
2994680d021e3b3ca3e69fd2a5fd91a9

SHA1
7a31e062de4ab05b5cf930379351cccfabcc12be

SHA256
625e98a7f6539f64ea870b28d8953771d48b35a3427dd8e6abad9bc5db112f97

SHA512
dd6b43daf83bd51452d53f6c6bd199284d45d60961edda51653c25f5712d6cac42dc1e973e1d1e49914858662e948e3469f517188d0b1f1cde4505ef4f9a3de9

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
368KB

MD5
61d8d03016b550deaab10a9f287c355a

SHA1
ad22960b67c238ff81e6a330ff6c12af1a5fee25

SHA256
aa0eec4ded65fea7a9a4efcc77c4797b13904cda447efcd6a30a13544bf4376e

SHA512
e803bc1fa625569e53b2b7db6d1b9f7fd5eee7c4cc531f7fdb512fc63e9bf63fad547540942635b54723763c3b6db70dca441a059adb61a02e2f0219759ae936

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
368KB

MD5
d54c63e6c4ab961b43bc14dd22b352b0

SHA1
6fa1a495359d636018ea954963ee34c0f057818e

SHA256
4a3a83d8a0882dc01bc9017940ad94f9fb456f6c60f14578faf6916424a9f5e4

SHA512
7c5a9174d717bea3c3c0bcd9a7e0a1f57c604a52947de63a1b859baa89bd7924607ace4040437f712ecdfd4300b3aea54aca8a17917907629cddf4fcf5229bd1

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
368KB

MD5
3a77d5fe1bf6cf3fddba7556cc8918bc

SHA1
8bcc65a55853b457f417ec0805e690ef559afee5

SHA256
fab39bb6e1d1d37212c748fc0b71edaea3abec5bf8bbb2534a6103ed6cacaf98

SHA512
04c4b922a70acfb14e2d0b8b7624e904908588f057a84b0ef6e8b05b7da3c517cb2e8eb9da69962a26fa214668e1ecd3d5520a862c0e86afbf5d01bd7bea0542

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
368KB

MD5
66d5b4454e533da40b3d124cbb3a75eb

SHA1
db0a48430fd1b2108c8ea87a118d88401f0626d6

SHA256
e34d311c8ea70275a97c6d430629f597342c7dea21e72ebdf8da7e31499dd833

SHA512
6682bac9af59c96fb8876423f31bdcaf7a1805fea4270520a94904d871c2c345ea942e6b03d7be5c20efecc00a8f16330380b2be83509a10844acb6e1735baed

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
368KB

MD5
3d8142ea46f63750061b8d6e169d495c

SHA1
4d1bb87b9322513ddba96a30eb2a4693a1f6b84c

SHA256
0ce83ce7fe66261e8954e67a2f44792f2c5552525067cf8c8e2c5d88522d5a79

SHA512
45a9536b46b272fecbdcf4e274f9787ba1baf5ac3fb1a59d715d998617a75d6fd34e3b6e20bc8663e936570f8c9caf8b9bdbf6ffa9b66e250517877b046f50e4

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
368KB

MD5
cadae9cd72c7bf22e344a2c4495cba9b

SHA1
ef7e535f16d55e74cf39d68b3d55e72f8579cc7f

SHA256
cafcefa48d13919230da237ed937454cbf518df88a7c22be1406ee4a492d1912

SHA512
9d073337081f61236747889c606274f51194a20a14cc6340a7c303a32e566138a7d7b196aaa01c84b205bb493584a2b8294d1d6ace45a6763ab8a8bd18c0557c

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
368KB

MD5
83d020f990a4e5d085cb008b90d7a534

SHA1
ab8262f6d97a87d42e575b5c32bba0203b3c86e7

SHA256
3792817f199cc03cf90474173d3985d5e6b1520a8002117bcf4287b50cddfa45

SHA512
604cc3fb276b2c30802c61698204c472280cf760c82780ab32a3c6c048ea114fb5fe2608cffba52addee7b43072c5d7a306b98429a9cd32444a28b571ca1b6a5

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
368KB

MD5
09dc0d2e0978268ec1ec260edb7fdfde

SHA1
7db9883c724ca876a1addacad42ccb9971a3dd26

SHA256
7f44aff9e1af7ab2b1a717e575820af0ebeccaa169e6e2cd3f35380be7828464

SHA512
e12c9dafc24ff3e1282100dd3e099103a5bacfa450419d1b1da05c3e386b5f3e47d9869a7d810bb0278a56d7db9769be24cb83f05888b1fc8c5476e39ac3952d

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
368KB

MD5
1a086afe85aa637385747ddc7c32ff91

SHA1
f30b5d72fb730a58798e59612813376377049507

SHA256
7422cd6822ce9a7e50df0038597a1051b3702cd31fcbcebe63dcd989e592221a

SHA512
f0cd5b45d114877e71cd07953ac52ab53d4ead36755c26bd34bd20c630b59bc54f419a624201a8489d902a694127132d6fe53becda60d1b1089c444968bd0661

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
368KB

MD5
078f0df6ed88d593d001be640d71417d

SHA1
c23bfd5028cdaeba7b5b12f9d2c0c0702e65a1e4

SHA256
b17815d767bb6d10bdc3b62b87342be65be4cd477e897ba9fcb5a0c52844f393

SHA512
f244c0ea8b68f1d7dfbe96d6ce2d43562ba3c6d59d017add4c07e672c1352acc4ccaa021c73b01d989b81733f6b9d60b001aac4b2a25f36134a44e297f69b1f5

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
368KB

MD5
ef81491e1c8dbed20e9fb8717389ab46

SHA1
bc8697bbc08c3b85525cb670fb4614c2d3aeda45

SHA256
f6cb2574ebb262de87fdacd9f565c6be47e33615ba163606fa958681258026b7

SHA512
77d6ca8c3f3fb16ad3169b1abbfe36e4f5b1e2fc528fb4fa9a77294873100d22fdd7f68596f90f64b12b3ab0ed74ae18015fe9ba96daf84189ad4f05439b8f6d

Download Submit
memory/348-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/636-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/776-416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/804-456-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/860-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/868-351-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1036-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1044-501-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1124-378-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1128-479-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1180-471-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1220-381-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1340-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1360-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1432-380-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1460-91-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1604-429-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1608-461-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-75-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2096-453-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2120-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2360-439-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2380-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2396-372-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2424-463-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-365-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2564-363-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2728-389-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2748-383-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2760-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2932-438-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-102-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2948-500-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3004-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-83-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3108-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3164-455-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3184-447-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3520-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3536-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3620-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4012-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4056-488-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4060-481-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4128-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4252-470-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4264-423-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4336-402-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4340-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4356-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4388-373-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4408-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4428-446-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4520-480-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4648-472-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4812-409-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4832-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4916-396-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5112-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads