1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907

Analysis

max time kernel
10s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 19:33

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-18T19:34:25Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_1-dirty.qcow2\"}"

Report Analysis Logs

General

Target

1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe
Size

461KB
MD5

ae7af5bdfeba04bf8390c7a2962606a6
SHA1

860ecac8fd5616507d4a289a921894735a0db83f
SHA256

1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907
SHA512

d8dca8b7b85a23d21acf21b9678b4fad43c5d25ae39a5a5542ce8a977bf647a998ea362f29ccf87dfabc9eb432456a9d5af65c8c018cae5ef136c3e2c967c244
SSDEEP

6144:WfRkJJG1E8NQDVi3ULUgNQPi3UPUgNQViEUjUgN:WyJG3iUJ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dohmlp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fifdgblo.exe

Executes dropped EXE 64 IoCs

pid	Process
4828	Dlgdkeje.exe
4640	Djlddi32.exe
3692	Dohmlp32.exe
2744	Dagiil32.exe
4056	Djnaji32.exe
3920	Dphifcoi.exe
3040	Dcfebonm.exe
1628	Dfdbojmq.exe
2096	Dhcnke32.exe
2460	Dpjflb32.exe
1172	Dchbhn32.exe
608	Efgodj32.exe
432	Epmcab32.exe
388	Eckonn32.exe
2220	Efikji32.exe
1396	Ehhgfdho.exe
2136	Epopgbia.exe
3208	Ecmlcmhe.exe
2092	Eflhoigi.exe
3836	Ehjdldfl.exe
2856	Eqalmafo.exe
4028	Eodlho32.exe
1408	Ebbidj32.exe
4316	Efneehef.exe
3156	Ehlaaddj.exe
820	Eqciba32.exe
4372	Ecbenm32.exe
2480	Ebeejijj.exe
2108	Ejlmkgkl.exe
3024	Emjjgbjp.exe
2976	Eoifcnid.exe
4588	Fbgbpihg.exe
2836	Fjnjqfij.exe
460	Fhajlc32.exe
3604	Fqhbmqqg.exe
1484	Fjqgff32.exe
3140	Ficgacna.exe
4904	Fqkocpod.exe
2276	Fomonm32.exe
4280	Fbllkh32.exe
3672	Ffggkgmk.exe
1948	Fifdgblo.exe
2984	Fqmlhpla.exe
2540	Fckhdk32.exe
3960	Ffjdqg32.exe
4120	Fihqmb32.exe
4616	Fqohnp32.exe
4256	Fcnejk32.exe
2412	Fflaff32.exe
368	Fijmbb32.exe
4928	Fqaeco32.exe
1028	Gcpapkgp.exe
2888	Gbcakg32.exe
4488	Gjjjle32.exe
3944	Gimjhafg.exe
3364	Gmhfhp32.exe
1860	Gcbnejem.exe
4572	Giofnacd.exe
4444	Goiojk32.exe
2308	Giacca32.exe
4888	Gpklpkio.exe
1888	Gbjhlfhb.exe
396	Gjapmdid.exe
1564	Gpnhekgl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Hifqbnpb.dll	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Ampkqqjm.dll	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Ebbidj32.exe	Eodlho32.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Knceql32.dll	Djnaji32.exe
File opened for modification	C:\Windows\SysWOW64\Epmcab32.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Dacdmi32.dll	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Cniohj32.dll	Eckonn32.exe
File created	C:\Windows\SysWOW64\Ebeejijj.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Fhajlc32.exe	Fjnjqfij.exe
File opened for modification	C:\Windows\SysWOW64\Ffggkgmk.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Jqqjmnii.dll	Eflhoigi.exe
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gcbnejem.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Dchbhn32.exe	Dpjflb32.exe
File opened for modification	C:\Windows\SysWOW64\Ehjdldfl.exe	Eflhoigi.exe
File opened for modification	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Fbllkh32.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Eckonn32.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gbcakg32.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Eceakm32.dll	Dlgdkeje.exe
File created	C:\Windows\SysWOW64\Lfhilofo.dll	Eodlho32.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Dpgbbq32.dll	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Ficgacna.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Dpjflb32.exe	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Dohmlp32.exe	Djlddi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7112	7016	WerFault.exe	257

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqqjmnii.dll"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlgdkeje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhilofo.dll"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagaaq32.dll"	Efikji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cichoi32.dll"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llebfo32.dll"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoodnhmi.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djlddi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomonm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkfba32.dll"	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eckonn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll"	Dlgdkeje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgpaojg.dll"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppheeep.dll"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehjdldfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll"	Djnaji32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4828	4500	1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe	83
PID 4500 wrote to memory of 4828	4500	1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe	83
PID 4500 wrote to memory of 4828	4500	1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe	83
PID 4828 wrote to memory of 4640	4828	Dlgdkeje.exe	84
PID 4828 wrote to memory of 4640	4828	Dlgdkeje.exe	84
PID 4828 wrote to memory of 4640	4828	Dlgdkeje.exe	84
PID 4640 wrote to memory of 3692	4640	Djlddi32.exe	85
PID 4640 wrote to memory of 3692	4640	Djlddi32.exe	85
PID 4640 wrote to memory of 3692	4640	Djlddi32.exe	85
PID 3692 wrote to memory of 2744	3692	Dohmlp32.exe	86
PID 3692 wrote to memory of 2744	3692	Dohmlp32.exe	86
PID 3692 wrote to memory of 2744	3692	Dohmlp32.exe	86
PID 2744 wrote to memory of 4056	2744	Dagiil32.exe	87
PID 2744 wrote to memory of 4056	2744	Dagiil32.exe	87
PID 2744 wrote to memory of 4056	2744	Dagiil32.exe	87
PID 4056 wrote to memory of 3920	4056	Djnaji32.exe	88
PID 4056 wrote to memory of 3920	4056	Djnaji32.exe	88
PID 4056 wrote to memory of 3920	4056	Djnaji32.exe	88
PID 3920 wrote to memory of 3040	3920	Dphifcoi.exe	89
PID 3920 wrote to memory of 3040	3920	Dphifcoi.exe	89
PID 3920 wrote to memory of 3040	3920	Dphifcoi.exe	89
PID 3040 wrote to memory of 1628	3040	Dcfebonm.exe	90
PID 3040 wrote to memory of 1628	3040	Dcfebonm.exe	90
PID 3040 wrote to memory of 1628	3040	Dcfebonm.exe	90
PID 1628 wrote to memory of 2096	1628	Dfdbojmq.exe	91
PID 1628 wrote to memory of 2096	1628	Dfdbojmq.exe	91
PID 1628 wrote to memory of 2096	1628	Dfdbojmq.exe	91
PID 2096 wrote to memory of 2460	2096	Dhcnke32.exe	92
PID 2096 wrote to memory of 2460	2096	Dhcnke32.exe	92
PID 2096 wrote to memory of 2460	2096	Dhcnke32.exe	92
PID 2460 wrote to memory of 1172	2460	Dpjflb32.exe	93
PID 2460 wrote to memory of 1172	2460	Dpjflb32.exe	93
PID 2460 wrote to memory of 1172	2460	Dpjflb32.exe	93
PID 1172 wrote to memory of 608	1172	Dchbhn32.exe	94
PID 1172 wrote to memory of 608	1172	Dchbhn32.exe	94
PID 1172 wrote to memory of 608	1172	Dchbhn32.exe	94
PID 608 wrote to memory of 432	608	Efgodj32.exe	95
PID 608 wrote to memory of 432	608	Efgodj32.exe	95
PID 608 wrote to memory of 432	608	Efgodj32.exe	95
PID 432 wrote to memory of 388	432	Epmcab32.exe	96
PID 432 wrote to memory of 388	432	Epmcab32.exe	96
PID 432 wrote to memory of 388	432	Epmcab32.exe	96
PID 388 wrote to memory of 2220	388	Eckonn32.exe	97
PID 388 wrote to memory of 2220	388	Eckonn32.exe	97
PID 388 wrote to memory of 2220	388	Eckonn32.exe	97
PID 2220 wrote to memory of 1396	2220	Efikji32.exe	98
PID 2220 wrote to memory of 1396	2220	Efikji32.exe	98
PID 2220 wrote to memory of 1396	2220	Efikji32.exe	98
PID 1396 wrote to memory of 2136	1396	Ehhgfdho.exe	99
PID 1396 wrote to memory of 2136	1396	Ehhgfdho.exe	99
PID 1396 wrote to memory of 2136	1396	Ehhgfdho.exe	99
PID 2136 wrote to memory of 3208	2136	Epopgbia.exe	100
PID 2136 wrote to memory of 3208	2136	Epopgbia.exe	100
PID 2136 wrote to memory of 3208	2136	Epopgbia.exe	100
PID 3208 wrote to memory of 2092	3208	Ecmlcmhe.exe	101
PID 3208 wrote to memory of 2092	3208	Ecmlcmhe.exe	101
PID 3208 wrote to memory of 2092	3208	Ecmlcmhe.exe	101
PID 2092 wrote to memory of 3836	2092	Eflhoigi.exe	102
PID 2092 wrote to memory of 3836	2092	Eflhoigi.exe	102
PID 2092 wrote to memory of 3836	2092	Eflhoigi.exe	102
PID 3836 wrote to memory of 2856	3836	Ehjdldfl.exe	103
PID 3836 wrote to memory of 2856	3836	Ehjdldfl.exe	103
PID 3836 wrote to memory of 2856	3836	Ehjdldfl.exe	103
PID 2856 wrote to memory of 4028	2856	Eqalmafo.exe	104

C:\Users\Admin\AppData\Local\Temp\1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe
"C:\Users\Admin\AppData\Local\Temp\1e1b48bedceec6bec4ff649008bf1b60aec055bde0f9f1b0ba5ce86903b7c907.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\Dlgdkeje.exe
  C:\Windows\system32\Dlgdkeje.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\Djlddi32.exe
    C:\Windows\system32\Djlddi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\Dohmlp32.exe
      C:\Windows\system32\Dohmlp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3156
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        69⤵
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        71⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        72⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        75⤵
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        76⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        78⤵
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4152
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        80⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        81⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        82⤵
        
        PID:688
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        83⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        84⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        85⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        86⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        87⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        88⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        89⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        90⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        91⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        92⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        93⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        94⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        95⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        96⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        97⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        98⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        99⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        100⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        101⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        102⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        103⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        104⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        105⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        106⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        107⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        108⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        109⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        110⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        111⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        112⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        113⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        114⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        115⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        116⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        117⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        118⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        119⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        120⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        121⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        122⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        123⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        124⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        125⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        126⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        127⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        128⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        129⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        130⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        131⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        132⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        133⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        134⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        135⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        136⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        137⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        138⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        139⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        140⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        141⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        142⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        143⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        144⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        145⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        146⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        147⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        148⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        149⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        150⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        151⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        152⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        153⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        154⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        155⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        156⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        157⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        158⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        159⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        160⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        161⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        162⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        163⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        164⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        165⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        166⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        167⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        168⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        169⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        170⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 408
        171⤵
        Program crash
        
        PID:7112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7016 -ip 7016
1⤵
PID:7052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dagiil32.exe

Filesize
461KB

MD5
c20b7cf6091e7db35ef6c0ecbfff53cf

SHA1
d8a54b07105a5d450ca4798fda17900ed5eecfb0

SHA256
2c8491ec1d00db1fe478f2849b7ba3cdb4a6613de58d64b7b927fa18175d67fa

SHA512
5f1075f0654c83e0a956c7b3a61a1b06798cc95d8ac33d5fc9b18d4118fc4d1f902ff03a1a61ab09967740f2f60f20d06eff28293a11c976718ad390c0173371

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
461KB

MD5
cff46ddf90e0b40bc56661ead49e4ac2

SHA1
9b922b05eda7dcd38f6b533ecf0d0265afae9141

SHA256
3a51401c7e8d35bbfb35b5814378b0105298765b9e9885a19861f50234556a6f

SHA512
9fd8d5d6a84b373559c04b0415f799bf7c16f9ae1530a83a9a4650d8a21ca33e1f49dd84b89f00d52f913800d7425fe7a6ee41d678e15646b169ee82960700b6

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
461KB

MD5
6c71bc3e2a9f4deb66500822f491a794

SHA1
e5b0959a573df0f1a87f2a6d74c8d1be9c182ca6

SHA256
04b39e8731b58988002b73518a1b4532169b131ef0609097223aeff39de02e04

SHA512
18bec08ab14b8381f16812805e2d9e013f3c6a51731d98efa1bd3ba9bfa5f27dde4c398df6d1e3f2a49402700192f405957755e058d5e43c68a9fd10b309bc16

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
461KB

MD5
918f2af86a3ac81a700f0e9d3c30e0fa

SHA1
7d44450b0208d6c113e5d0a2fef80e2f710d58f0

SHA256
46cbe334baeb3b6ce155b1c03ef0b0b6244eea0242ddc129986d747c3cedf1d8

SHA512
db9ae2b6fd6870e0c3bf0b9b1cbb388a99f970b7ad483eb584791b156f16b11faf189110d91915acfd759a4831fabdfce30c2353b38a6d7825a9c05a687ddf40

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
461KB

MD5
ce3a8275f837ce1c6dfb657d93cfc701

SHA1
2a67ad1cc36f83ea0ad3a396fdc11d114326d2aa

SHA256
05d1f186709f5fb05ec41a7b9581511ee9906f609a873928e6c83a248979babe

SHA512
b1d94ba67dbe2499d3ef79c122baa44dea859bdc204a37527450d47b974582e32cddaf351afd8909ea8027528398317de7163cab5c27e6b31e2d87e0418ecbbd

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
461KB

MD5
f3911072233051f22d37418f2e5b9e41

SHA1
ff33c720aee39501bd6bacc29331c2c35c1a363e

SHA256
b4cad6a3ff3c76248ca5822ad21548ae5fc785969ac378ff7932853363b2d504

SHA512
e46f08335055455f780cdb69f0797d0f6300b7202d4ec6971f4c5c5297349fd603562f2e9b11b9f10edddf250914c743f901870802033b3cf76cb56787b1727c

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
461KB

MD5
bf8334612b731a82a5678ed8c84db0b0

SHA1
d26162d0f8db963aeda7949751ff2f0f0151fc7b

SHA256
ae1cfecbcde828600a84ea3b9fb1cac0c91c6015e0c79312601d31ea59da9d82

SHA512
95e0f1cf4a0c7162d53b6199bad2966a6d6075548c1474ed03102a9c4aae2d54c4d7dc4bf8b5bd1cfb5e6393bec6b2847939547ba8d2d3ce8e9ee37dbeb2bae4

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
461KB

MD5
e7f8a061d3c0ec3f2f5de345c04b981d

SHA1
8f36d83d9d2958a90c5b4ec010df10779f697f4c

SHA256
a13c37370d909805fc3985dbf5523c4842539e15f95522cfdd1b8d7000f41ac5

SHA512
3b50a6beb319611e6e4637093a69cf6c7e084bbea4cac47d8aa2422366dc564bc16997a47940b5dc41f36dfe7f8d59f486e4cdc45fa1dc02936a76b965b4715d

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
461KB

MD5
acf9641c03a3fea7ae4a57993d41b6f5

SHA1
668033bcd4c1ca512fd51a2391e4feaafdf46133

SHA256
8df402a6f42a876cd57d8ad2a6a7301cb6c5efb0f9a9abdb826f61898faa97a3

SHA512
ab324b0951c8651a1c61f8ce2b69842d5bc782e3e5cdf800578ba03abb75862590f45afd0a86ed96aaa1fe8e1cd6e02aaefd572b35ac1a4702a804d58333a11a

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
461KB

MD5
4b1feb573cf85b8594e30c189dfa89f2

SHA1
7692faa9a4b2bbaf486a176cdf92c4f9ad75bb98

SHA256
80ce63dfee5c777130ca7848703ecde005ffbb09bf89d4cfbf4507969a28b469

SHA512
3f35200a0e9f53fd6421a57841f7c480851fd3b66534dccd39728524d582801fa20e7fe6f7e431f63b906eb9eedfab24d605d304e6a854954d4eb3ec676c498a

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
461KB

MD5
2cab006560a2b25cfbae0121b93b946a

SHA1
9e80d335446047e7628b294445aa797ae9acb614

SHA256
035d0d58d5bba1da7939a57946de884ad14e4d3e3165ee178ecbbf457d426255

SHA512
7d05923175fc5d6c35f0db09ffe29c127dff38d24cccc27f82b0f28c9c61d03e7db30b570b73e3fa39b640bdc8039ac5437451e4c053b4067e12322e733ffec9

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
461KB

MD5
76f340be72fb9e2d85bbc25ce2ef942f

SHA1
b071bad150f96283dd7318e04fc870a714ae3942

SHA256
6ac4b8bcc573d6f51b7bb5c4321499af0cc3569ba3c8db6d41d95a41d50a3306

SHA512
a25542b7fd269111584797890f7f823cb7a7fcac24cc48d6b969a1d30163328a914ef1cced2c7eddbe2feac72bc28bd77e1be56f4174f2d4c59bf180d3a37b73

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
461KB

MD5
68b74109dfb7c8e42fdadcd2cdb55e73

SHA1
aa5584eec66c659af263437252fc98ca5ec71532

SHA256
da4cdfc2997a402ad7c6df9f4b3fb616f5a9c9488e54340a007e67846942186e

SHA512
cc083b9223f6e3d0bd5f81d8c695cc829ccf27f715920a187d89ca61a4c8c86166a7fa1abd7bbb8534ddde73c978229e43a43ce76058c7439aa4a98fb3b0a7f6

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
461KB

MD5
074c647b636cc31c0c5f75b6ae3612e9

SHA1
bea0fc6a2362c56b2ac4eec4b93499155a69b35b

SHA256
13f9a4a1c09a0c912afe31e3ba38c61f4f146d236340fcb97e31a15344712262

SHA512
34f1243d6edc669b99df0bd87d6232189bfae5a9b137b5b21074af5df4b543435dadef8e326dc595853efed65becc4030da2310476aecb03fc5125de042967a4

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
461KB

MD5
18f34ce5cb133fd748ac56b42eb6859b

SHA1
fcaa1cb642d5e16a972661830c30e864f66ca505

SHA256
3f390da2b3642847efd2b88f8e18dcc182cd0c717273170dbe53b35cb0666410

SHA512
9fe1d8c1ce7998c8e316aa73a313dc6456d1904c1bde1ab0acaf4d3f2b49427804e58a984441dc580c6bca90536694186781d93006d92d1e2085a9be842b87fa

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
461KB

MD5
fdc87a051f817ac1a49d7e8a1a5c7c6f

SHA1
ed87082d75284ad3bb474aa891f2b64679db86e4

SHA256
dce9c55c13f8de1e06bb2768c08d13858eb8308f0c65bd9e68ccc5741af2bc59

SHA512
99331cfd758a34db34c4dddb5e7a0fdb89f9393fb21dbdfc161254fa39d76b605959097ced2778046496afa4504ba09c9a42e986617dd8f40b780cd778551cc2

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
461KB

MD5
d9234f702e5b458620559bb9ec7a506d

SHA1
7a46416062e99f52375edb1c104c93c17817ed27

SHA256
ba8abad336ce06e83d591b1d30809d40d443125d318352b2ed8df907e21bcf6c

SHA512
038c3941fa1359fe6346906122c0fd8bcf05bc53f07cccbeb19426f707cf307edc91b6000e54dd866df1845c6f8332ee7ff116859b48bc8bf1d32f445645c435

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
461KB

MD5
467f7e36e7b64590f005a1bbd8627a99

SHA1
58023f1e74282b8ae369ff36d1dae506ee43d0b8

SHA256
8f11ad425f431ce364ab36becaab24d0f89660a5b1e335d7ff34fda9956622a1

SHA512
863d6671c2e551d7acd89ff7ac438b9475a8790a5b8a7abf364c1c3bb36b90d20be2fc3c488594904dc36ba2386f3c41b47085d7e2d306a24b2d941e1f917243

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
461KB

MD5
54d5445ef1abeefb753c97f9e51107bc

SHA1
372c4d481b41aef18ee6c194b9a767888af52fd6

SHA256
cc3e36690c7a02fc5fc941cecd0830db0faae8ec392d313c5aa44099eb2a1dd6

SHA512
f14587a357271031683b38f81d5575fcdddd4aeec220a20c5cb63046e1fa2682d877f3141fd746079622c94ee2b689991379283fa5f808833fde0277171800d8

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
461KB

MD5
c0fa58f1ab4e99ea23c13b7d7b7ef3ac

SHA1
cb6a89d7b013f2c9767cac75805132188e21d830

SHA256
add00e16cdc8a3577a5d3c95c47839b3fb4119b4ad422864437b9183e6d70a89

SHA512
eefda1eb716c8f22a3a823dac6d6a05faa447e65a40a8817d77393d7aee2f12ffc7b52ad6e5aeaaa574a9e9dbb073adbd5a902c6e013228bc53ba53043e7444b

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
461KB

MD5
36616ad86b93e521f38803e2d95ad3eb

SHA1
9d78ead99aa70a9f9fb50164dbef35e19175a73b

SHA256
2e7260201b0c7c62a8c6b8fb31a2cf59c2e8b97ec09ef40f4589b288dce9f658

SHA512
c7d89ba01f9a2296e1e3c602d870d706922d789f05b48130c31e4132af39a6311ef121e9e45acad78c8a5f97d2e56382b43d4d5226c79cf87dd3f8bf9c2bcbf5

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
461KB

MD5
34f6efd1c9df6d59bf65cf877ec902e1

SHA1
784b90fdc28bbb59fef9661213c9cf8ebb8d4fee

SHA256
22d70a5fbcf3cb5e21f13678a13bc454f7933b9b1ea2814f04300eae513f3e20

SHA512
410b637e15a4eeae87d7d213b210e2617a147ebc6e00ed48525d9b78a229b6e8883128200f8cf561cdd5d1d46690b619f1592472042207772149a2806c2dcbde

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
461KB

MD5
2849f0515f16c87a16a88f504fc1ef86

SHA1
e4548c8bb5c44d1455e8afc80edf50890ed61f02

SHA256
a3d6287d8e75da98e52fd5f26e5bc305ca3ab397d37582fc1890cc4bbca4f27d

SHA512
adad1970d9b1709fc6418861fb8643e67133db5a4355a3309855b1f495b8935d41a59d255d750f4c313edcc49b5e04f28455f11140e059a60c087b706bd8152b

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
461KB

MD5
8fcb79e742beb93e3954babec1640807

SHA1
0d4059eb5b24758ebb1b03e04c08d9a42a3af4cb

SHA256
c80338fcfc65c7015c14619a44753d3c3438597d04958a0e49c3636eed25dcb3

SHA512
383c23a71587530e1acbdbbcdb482107e346a23b58ba003162ea95cb60f79cf3e33b28dc1572f4a51914db09adafdb4f54edab11b8d8201636c443d712edc5b8

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
461KB

MD5
0af9a9346f2d541922cf5be94d00d680

SHA1
8484c399d7001f6525dec3d47052803e766c3069

SHA256
90c472b15846b498d5cdba932d87054a54d1ec2091e0a7d13ce9896e03ab67a8

SHA512
b8e042966f7c95b752024ad097f16b2f32b934a9b50b016403edab4bfeaf2ec904f1fc0b17b7cc4db22de22129a8a3a9d4d3a2ea8e169f103c919244d51b8a2c

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
461KB

MD5
e7002670c54d073371609410d3b0c660

SHA1
d5a3e38c7914c0158f63a768e815568c1ff49ca5

SHA256
d811ea32aa399566cf70394489735fcbbaf507ac40e428e1ee4dadb704e50550

SHA512
0eab4f70f8a94834b77c2bde953cb15c03599fb77ba7c83ade909c84f8083272a09085e547927d5161a30676a4c828b9600f03b1709382e532f307eb1b5d338f

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
461KB

MD5
0ed366bf429ad6afbbb426caff150edb

SHA1
f0eb153f79314535f298a4ff8c86131310d1ecaa

SHA256
a6bee20ac2f09d283ff4349ff63127ac90e0e53ac854a6ba5d7b69b31507ecad

SHA512
88cec2ebe6d3133030136ec22748c3ec3d65b6b420c9ff1beb3ab5c3e19e275d59921ae9befeb8e6b8bbdb5f5cd45791e79b3c8166e3df9e0684f706b2cf7aa7

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
461KB

MD5
0c809dd385e38a7f1e04837e98008ae0

SHA1
b917f6d31d45acfcdd53bcd7ae650d1f4d1ae359

SHA256
368383225a34a0cb345161b11b6a16e542da09dc38ca10b494aede1fe32c6cfd

SHA512
82beae50e719c5a87cc4d73f523e79695f7d535c0e03ed28d0913dd4e3c02cd38ec06e27743e6bd744c7710a21d3c194a111e490283df0ab126e3cb30e9673d2

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
461KB

MD5
c686c74b52f480b9d6b46c5b06e18fc5

SHA1
4441dc692b7c5668c6e52626e05096ee152b8a64

SHA256
6dfd45e0f7f0cadb46dbf5c4dd067e08e2489868b1b38f185ce8bd0e7db34e63

SHA512
b24f933ac7339f7487e79baeee7314eb881b8c15b38ac6bbce6095601dc6420ba1ec9b6ec50359cc04ebf78101ada4439a9a9b540ce0f3c50871d993b8700e85

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
461KB

MD5
64a358c5e397ad956124eb5e99f8dbaf

SHA1
ce0d150e8d095a8d42cfc8e1708f314e3921541c

SHA256
608aa1c206ae820dd3aad37a6caa86b8857dffb4deb2bfd2d79a8e34a3441be0

SHA512
2c4f96ee15bee04a5f6c4183761da2bf6404281ec1761e90b4804a271c5e601e2ddc994652709c368c10feea9f1b16899d3f42c6c44ff8da10b7cc18eb1f0564

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
461KB

MD5
7b3ff29f8bdcf71e4939189157007a54

SHA1
cadc0631d291c943dba482b4cffaf981649958b4

SHA256
1ea90597dbe06febd6b4e6989e0c435449c1d0e0891a4227289607308dfbce43

SHA512
93a9e1fe7480f7e92d7131c0ad69477e105df949cdb66cd799b2111782bbd2d2b71303958d431abe14f763448525c67f94ad65ee15699841908f16ae31993238

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
461KB

MD5
d27c761415873c8e70730414f9a121e6

SHA1
3a0bffa500f6f0d743077c1f46f257cd9f570b06

SHA256
18d56a1917992b9518e50e5d7fd31b29bd7870fd467ef31283df873652d04ea5

SHA512
f68b6598857cfe37a1fe4002df2ee3c445563ec21c067674fb6668a5a74c6cdc90c0d0120a360d8b7932e4eb03057dc78c383e44669b0d8eea5a99ac721d0e0e

Download Submit
memory/388-377-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/396-454-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/432-372-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/608-371-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/624-460-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/688-518-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/820-410-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1108-461-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1172-369-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1400-511-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1484-426-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1600-572-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1628-357-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2064-508-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2092-395-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2096-363-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2108-412-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2136-393-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2256-467-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2292-479-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2308-447-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2460-364-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2480-411-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2540-445-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2744-349-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2836-419-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2856-402-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2976-418-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2984-442-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3040-356-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3404-523-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3408-544-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3604-425-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3656-472-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3692-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3696-488-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3836-400-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3920-355-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3960-446-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4028-403-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4152-500-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4280-433-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4316-404-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4416-562-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4500-5-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4500-0-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4500-498-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4532-550-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4612-574-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4624-529-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4640-17-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4792-474-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4828-13-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4888-452-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4904-432-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5076-481-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5132-580-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5216-591-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5256-602-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5300-607-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5340-609-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5392-615-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5476-631-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/5512-632-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads