99b0e889d0e1c3ea3f4812d3a52faa873ea271d3097e3aca4c4dc6cdf6c9eb86

Analysis

max time kernel
137s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99b0e889d0e1c3ea3f4812d3a52faa873ea271d3097e3aca4c4dc6cdf6c9eb86.exe
Size

128KB
MD5

caff3e81ce7e529ad487b828c79598df
SHA1

300f89130f65070b5a88e29d3f25ac8a6cbecd4f
SHA256

99b0e889d0e1c3ea3f4812d3a52faa873ea271d3097e3aca4c4dc6cdf6c9eb86
SHA512

3008bde4d7cc2990eb4d70e4aa49440a77c071babb5c711a2a10c3d7d0a2a880c71b2de9d264317aeeef8e6d2120b376ab4a48bd326d0fc700ff32dec61e1185
SSDEEP

3072:ENwQCMxgoDt54I5W5qeSS1z09lCYLs2RAlwX3YdE/e1lj9pui6yYPaI7DehizrV7:EMq7DT3XEzU7L3wwydpui6yYPaIGc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccaall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dofpgqji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe

Executes dropped EXE 64 IoCs

pid	Process
3376	Dhjkdg32.exe
1408	Doccaall.exe
1020	Denlnk32.exe
4908	Dlgdkeje.exe
3564	Dofpgqji.exe
3848	Dephckaf.exe
4872	Dhnepfpj.exe
2732	Dohmlp32.exe
4760	Dagiil32.exe
2580	Djnaji32.exe
5068	Dllmfd32.exe
3580	Dcfebonm.exe
1456	Dfdbojmq.exe
1460	Dlojkddn.exe
376	Domfgpca.exe
2224	Efgodj32.exe
1064	Ehekqe32.exe
2404	Epmcab32.exe
5020	Ebnoikqb.exe
3396	Ejegjh32.exe
4352	Ehhgfdho.exe
4928	Eoapbo32.exe
3852	Ebploj32.exe
2728	Eleplc32.exe
1808	Ebbidj32.exe
4264	Ejjqeg32.exe
4764	Elhmablc.exe
1388	Eofinnkf.exe
3220	Ebeejijj.exe
552	Ehonfc32.exe
3884	Eoifcnid.exe
1076	Ffbnph32.exe
992	Fhajlc32.exe
2340	Fcgoilpj.exe
2668	Fbioei32.exe
2208	Ficgacna.exe
3244	Fqkocpod.exe
2352	Fomonm32.exe
4492	Fbllkh32.exe
2948	Fjcclf32.exe
4632	Fqmlhpla.exe
2612	Fopldmcl.exe
4700	Fbnhphbp.exe
2300	Fihqmb32.exe
864	Fqohnp32.exe
4272	Fcnejk32.exe
4440	Fflaff32.exe
4512	Fijmbb32.exe
2972	Fqaeco32.exe
4576	Gbcakg32.exe
1356	Gjjjle32.exe
880	Gqdbiofi.exe
4964	Gcbnejem.exe
2828	Gjlfbd32.exe
1416	Giofnacd.exe
4464	Goiojk32.exe
3760	Gbgkfg32.exe
4860	Gfcgge32.exe
3152	Gbjhlfhb.exe
3340	Gfedle32.exe
1264	Gmoliohh.exe
2240	Gcidfi32.exe
3516	Gfhqbe32.exe
4148	Gifmnpnl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Epmcab32.exe	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Efgodj32.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Oijnep32.dll	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Njqijj32.dll	Dofpgqji.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Elhmablc.exe	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Denlnk32.exe	Doccaall.exe
File created	C:\Windows\SysWOW64\Kpmkpqcp.dll	Dcfebonm.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Ejegjh32.exe	Ebnoikqb.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Ebbidj32.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fbioei32.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Denlnk32.exe	Doccaall.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Elhmablc.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Hibljoco.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Dlgdkeje.exe	Denlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Dcfebonm.exe	Dllmfd32.exe
File opened for modification	C:\Windows\SysWOW64\Ejjqeg32.exe	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Dephckaf.exe	Dofpgqji.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7348	7260	WerFault.exe	281

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dllmfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eleplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojigmkeg.dll"	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagaaq32.dll"	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmpolji.dll"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	99b0e889d0e1c3ea3f4812d3a52faa873ea271d3097e3aca4c4dc6cdf6c9eb86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojeoiop.dll"	Dhnepfpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll"	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 3376	2684	99b0e889d0e1c3ea3f4812d3a52faa873ea271d3097e3aca4c4dc6cdf6c9eb86.exe	86
PID 2684 wrote to memory of 3376	2684	99b0e889d0e1c3ea3f4812d3a52faa873ea271d3097e3aca4c4dc6cdf6c9eb86.exe	86
PID 2684 wrote to memory of 3376	2684	99b0e889d0e1c3ea3f4812d3a52faa873ea271d3097e3aca4c4dc6cdf6c9eb86.exe	86
PID 3376 wrote to memory of 1408	3376	Dhjkdg32.exe	87
PID 3376 wrote to memory of 1408	3376	Dhjkdg32.exe	87
PID 3376 wrote to memory of 1408	3376	Dhjkdg32.exe	87
PID 1408 wrote to memory of 1020	1408	Doccaall.exe	88
PID 1408 wrote to memory of 1020	1408	Doccaall.exe	88
PID 1408 wrote to memory of 1020	1408	Doccaall.exe	88
PID 1020 wrote to memory of 4908	1020	Denlnk32.exe	89
PID 1020 wrote to memory of 4908	1020	Denlnk32.exe	89
PID 1020 wrote to memory of 4908	1020	Denlnk32.exe	89
PID 4908 wrote to memory of 3564	4908	Dlgdkeje.exe	90
PID 4908 wrote to memory of 3564	4908	Dlgdkeje.exe	90
PID 4908 wrote to memory of 3564	4908	Dlgdkeje.exe	90
PID 3564 wrote to memory of 3848	3564	Dofpgqji.exe	91
PID 3564 wrote to memory of 3848	3564	Dofpgqji.exe	91
PID 3564 wrote to memory of 3848	3564	Dofpgqji.exe	91
PID 3848 wrote to memory of 4872	3848	Dephckaf.exe	92
PID 3848 wrote to memory of 4872	3848	Dephckaf.exe	92
PID 3848 wrote to memory of 4872	3848	Dephckaf.exe	92
PID 4872 wrote to memory of 2732	4872	Dhnepfpj.exe	93
PID 4872 wrote to memory of 2732	4872	Dhnepfpj.exe	93
PID 4872 wrote to memory of 2732	4872	Dhnepfpj.exe	93
PID 2732 wrote to memory of 4760	2732	Dohmlp32.exe	94
PID 2732 wrote to memory of 4760	2732	Dohmlp32.exe	94
PID 2732 wrote to memory of 4760	2732	Dohmlp32.exe	94
PID 4760 wrote to memory of 2580	4760	Dagiil32.exe	95
PID 4760 wrote to memory of 2580	4760	Dagiil32.exe	95
PID 4760 wrote to memory of 2580	4760	Dagiil32.exe	95
PID 2580 wrote to memory of 5068	2580	Djnaji32.exe	96
PID 2580 wrote to memory of 5068	2580	Djnaji32.exe	96
PID 2580 wrote to memory of 5068	2580	Djnaji32.exe	96
PID 5068 wrote to memory of 3580	5068	Dllmfd32.exe	97
PID 5068 wrote to memory of 3580	5068	Dllmfd32.exe	97
PID 5068 wrote to memory of 3580	5068	Dllmfd32.exe	97
PID 3580 wrote to memory of 1456	3580	Dcfebonm.exe	98
PID 3580 wrote to memory of 1456	3580	Dcfebonm.exe	98
PID 3580 wrote to memory of 1456	3580	Dcfebonm.exe	98
PID 1456 wrote to memory of 1460	1456	Dfdbojmq.exe	99
PID 1456 wrote to memory of 1460	1456	Dfdbojmq.exe	99
PID 1456 wrote to memory of 1460	1456	Dfdbojmq.exe	99
PID 1460 wrote to memory of 376	1460	Dlojkddn.exe	100
PID 1460 wrote to memory of 376	1460	Dlojkddn.exe	100
PID 1460 wrote to memory of 376	1460	Dlojkddn.exe	100
PID 376 wrote to memory of 2224	376	Domfgpca.exe	101
PID 376 wrote to memory of 2224	376	Domfgpca.exe	101
PID 376 wrote to memory of 2224	376	Domfgpca.exe	101
PID 2224 wrote to memory of 1064	2224	Efgodj32.exe	102
PID 2224 wrote to memory of 1064	2224	Efgodj32.exe	102
PID 2224 wrote to memory of 1064	2224	Efgodj32.exe	102
PID 1064 wrote to memory of 2404	1064	Ehekqe32.exe	103
PID 1064 wrote to memory of 2404	1064	Ehekqe32.exe	103
PID 1064 wrote to memory of 2404	1064	Ehekqe32.exe	103
PID 2404 wrote to memory of 5020	2404	Epmcab32.exe	104
PID 2404 wrote to memory of 5020	2404	Epmcab32.exe	104
PID 2404 wrote to memory of 5020	2404	Epmcab32.exe	104
PID 5020 wrote to memory of 3396	5020	Ebnoikqb.exe	105
PID 5020 wrote to memory of 3396	5020	Ebnoikqb.exe	105
PID 5020 wrote to memory of 3396	5020	Ebnoikqb.exe	105
PID 3396 wrote to memory of 4352	3396	Ejegjh32.exe	106
PID 3396 wrote to memory of 4352	3396	Ejegjh32.exe	106
PID 3396 wrote to memory of 4352	3396	Ejegjh32.exe	106
PID 4352 wrote to memory of 4928	4352	Ehhgfdho.exe	108

C:\Users\Admin\AppData\Local\Temp\99b0e889d0e1c3ea3f4812d3a52faa873ea271d3097e3aca4c4dc6cdf6c9eb86.exe
"C:\Users\Admin\AppData\Local\Temp\99b0e889d0e1c3ea3f4812d3a52faa873ea271d3097e3aca4c4dc6cdf6c9eb86.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\Dhjkdg32.exe
  C:\Windows\system32\Dhjkdg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\Doccaall.exe
    C:\Windows\system32\Doccaall.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\Denlnk32.exe
      C:\Windows\system32\Denlnk32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
      - C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        23⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4764
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        29⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        30⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        33⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        34⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        39⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        43⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        44⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        45⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        50⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        55⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        57⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        67⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        68⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        69⤵
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        70⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        72⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1056
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        74⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        76⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        77⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        78⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        79⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        81⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        82⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5404
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        84⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        86⤵
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        87⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        88⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        89⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        93⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        94⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        98⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        99⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        100⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        101⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        102⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        104⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        106⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        107⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        108⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        109⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        111⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        112⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        113⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        118⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        119⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        121⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        127⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        128⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        130⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        132⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        133⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        134⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        136⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        137⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        139⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        140⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        141⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        143⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        144⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        146⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        147⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        148⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        149⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        150⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        151⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        156⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        158⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        159⤵
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        161⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        162⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6476
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        164⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        165⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        166⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        167⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        168⤵
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        169⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        170⤵
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        171⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        172⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        173⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        174⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        175⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6844
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        177⤵
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        178⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        180⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        183⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        184⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7180
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        188⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        189⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 412
        190⤵
        Program crash
        
        PID:7348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7260 -ip 7260
1⤵
PID:7324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dagiil32.exe

Filesize
128KB

MD5
94f244cca1b3df1a87b6b6e51c382247

SHA1
06fc09c5b8e355c70fb4eec9e53b9e3664c79353

SHA256
60bc888bf19b2185fb1c0c36019079a6c7cbbb33e78cda0668a61ebebb401db3

SHA512
3c0a85dcf3dc9bef4c8afa3057e2d8d9751a77eb3262c3c1a52320d73a51214e20558aa4129897ba0dfcb754de801585ad5fc158a5b9f195486f3fe64d84f393

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
128KB

MD5
4c0e461882acdb250961d205e73a556d

SHA1
ecb0b16d05c9377e847f0d928ed39793dc57cf28

SHA256
5865c0b4d35c03cdaf2e56260ec29a97bcde06b8785ba0f871971ce2c3f06f0b

SHA512
8eb5eac1a700e3a86c7a21ca76cb14663199dc2dc685a54b3bde361a5f01cf49d749bec76c92b099f770a100330e28288d725dd70a2ceae18fab961c38a645ad

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
128KB

MD5
d53f6bb7869a2c6fcb5bc678076353e2

SHA1
b8cd6a8607886882efa8fdc7fadb45057b427e5e

SHA256
56fe08bdf351439ae1a6bfd18aa6ee24793f3466393d7c17eeb2cbf6a4561a6a

SHA512
702ce5b116808fe2468c1a826ddfb8d82e587057c3525d2d324ebcddb9ac0aacaccf6075304d7aa150bde3638642aa79bcc9914a36e9b385f50e539c119d2f2a

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
128KB

MD5
1c629cd6f916befa184af158005d62a7

SHA1
31e6db5acfbc58279e7faf85ad302752bc2d4286

SHA256
110e3be3ca401fd0e28e0ac54f8b14c0f0c8f7a5d42eb041f96cf72a7055362e

SHA512
185273ae494c729165dfc19f489e90b9416687cabd58afffa92991498ddadc691b11b4516f364ab1296fd1326bb7bda6fb23791aa36801b17841cc5f7adc954e

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
128KB

MD5
11f4cc514c4ae08b320fa65900161321

SHA1
8a1da5e2972c1b5fc1742501efa549b4eb849bcb

SHA256
4a8c1ac9dc91dcd8fadb34a71ce41209aec5cb7683cf427cc633daf1a613f043

SHA512
0c76c67d0dfcc07dba7cc4c1f1d2f2efddc437c0e60f2551c7301cf42129bcc2889c758f6160c29f67ec0f6a1c96db30a154431964a4bdc3ffa8acbdd690dc35

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
128KB

MD5
d0e0809bd069e39d19f4a51a68f5d525

SHA1
8d986be85ea20fe0ea7092954792b7f5427c48f5

SHA256
71968e47d9f79592b869ff90bcb09615e146c86cfe599ea8909b7014f8ff9094

SHA512
ee1d01245377d5c024eab9b81f6d3c76de242363b3ce51709fa09029c45316e4f642b649c5f608a2be5e8980667da4433efa8b165342d0db72ed1d5f004b909d

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
128KB

MD5
e66bb85773123d87846d85a1eb6836bc

SHA1
84bda9fcd617dd41f72b73524756038c91a2c21c

SHA256
d8f19fd328f355fa225cadc3c8ff985590503768dd58f41012f9439488ad4421

SHA512
b9a2c4c2f8ba5184336ebc6e9a53d536426ee785d9f18b24a703550e10ff0a50126fc87ca69d1a877caf8a07b785ecf71faf48f5113b9a604d7f1f06991bad8e

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
128KB

MD5
52fb86a33fd48f47ad6871901a092cd0

SHA1
870ab2bb1c2b9fbdce3ef245ceb63c4858a9598c

SHA256
b2efc7cb08535a7c059a0bc8e5ff4c01b96ee7533f2cda79318e8caf03a6c1ce

SHA512
833bad49a7017bc8ea2d962f77ec84189efda69e70553e7cf4609faec017af9048116308bac8a916721795e7a0eed3244ec225277f3b9c1efba0ee3a63c628b1

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
128KB

MD5
f97678dfbd102e2e74e648b1d08c4304

SHA1
e76517d1ce054ffc7f4a5c8710ea4f4e9ae8b896

SHA256
38d9cae7d52558a660f29dc873650a61be28d50d6aaa8560185cf9f65192ebbc

SHA512
e552dbdab670a0edf99836409633e9eeed161dcce011656deefd85d9d3a3c44dcdc5aa4107f07869ea9af16ca218bb217abeb3929eae84bfad3d305f649a05af

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
128KB

MD5
55458ef01b0d236386a020f64a0e3aa8

SHA1
625ccc5c20739a243efbb42c18e12f69c5dcaa0a

SHA256
e31ab4d25a348c8b4fa3a7f129e06652eb2326e9dac2323331ed082605c21ed5

SHA512
acc1ead1b7771b4bece043627286165af06eecd1f6ed5ce9013eb221785b4370698025a78e04288ad5cbd9324726ce320d58b8661c9f7686aebcd838e1794bbd

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
128KB

MD5
a33ba4f62e5ddf6a12da8d56ce00f791

SHA1
f282e4633babad7ead53e1a3d7c599c912afe41a

SHA256
5ebf9b442f16019fbbefd97bc2cd01185647fee9a5c184a0660fd6611e8e275f

SHA512
44501ff0bdad38de182d452ad01451238e02c1c2074723cbaa849db6ab454be1e9b37e122caef4d8102fd15c44dece313f4df6e46f5078bf1d51cdd4b2383b76

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
128KB

MD5
55994cc782a34ba9ac933c9ae16613d5

SHA1
3ecb51b0c05a013e858436adcfeefe7909c8c2d1

SHA256
422a3d0de8501416f203f6db268c6b103ee5d00e933a377642dffb97ab9a15f9

SHA512
4ea202ea0096de343bd6bb9b2b46bd10e9a5ea2b6be3d3f5c495aaa2dbcf18833bb00ec7e6829176eac00000de5fb4a7465bad95b2e5adc72945354c2a9edc02

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
128KB

MD5
7527840bbde1cc1d9a2ffeb4666de4ab

SHA1
9e203cfa17ab9ef3048954e4fe66bc9875edaebb

SHA256
41ff9b90dcb708c015fa44b1a04589bc1a88de57fd51b50987ed5b79375dc20d

SHA512
bcdf0db808d9dda212d9d0d099ef12915583b303b7887de28f8c40e2710d08cc7633a2644e54dde5749a1b2370729cb0ffc54b9c83cef0010f933e1c206ed141

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
128KB

MD5
59f779590de9f2c51f1a94322c987683

SHA1
952058442d7368e14446c695ac924653047dcb12

SHA256
314bd389ae6b01e4df8491d57d4207ed9668f14f450ccec1ffa0fd22b8d61ce4

SHA512
535e904dd2c70733e3e4085bec805de3ce2ece693ccc8b1f754b28984f059be50a5849d76354c6620d505dabfa30c01cbc6c44bfee087a0bf1f697059b86e29b

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
128KB

MD5
3dbb9c0dbb70e0a387db287effd3fb25

SHA1
9b327f9320c19aa4893e8d60d70d96987ce87213

SHA256
ba507e614a100a844038b410ae50d9592c74199b4cf9ddfad6694dd871c6f196

SHA512
115ff04ce070e1b2eb89009595e85f7ad18e984f13f030d63f597dbeae14827706ed659a7f9f2cbca3dd58ad713b5b0506fc3bc81eeaf9f1dde9ce6f0ca729ec

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
128KB

MD5
ef5d9345e923895d02f45a0817c676e1

SHA1
5de548168a813821c0a2d5e1d56f5efd7bcb0c19

SHA256
9c792f436832d3bc090be9dc904021308f1eded87c9679f9e1ad8ef80cda8424

SHA512
fb6042b33c2c7d2343328a6e5bf4759e9611964124be54f7348e8713fc02e98076859f1cb1c2f58b90e33949366775e485fb0a8ca228853842b65356fe220368

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
128KB

MD5
58e75b6248fe1a24312c382d7c6e5bfc

SHA1
a8fd3b15cdbf5718f26cf8f7fcddbecd53219afc

SHA256
19f8d3a2f808f3eab59fb15c28524e5d4068f2a3587489bd4078f3a53c22e5e6

SHA512
27899929e1143c0f9c46672799d9f1f2c4fb1517a950290119a7a1251a6986459b1f30c16c43fbd9f1cd65b60beff1dec64c85834315047c1039bfe3b516f10b

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
128KB

MD5
31de61ede224d9d2977704c8565e75b9

SHA1
1b036e35b34f8be3c763215d7b6ddf62c1db6b54

SHA256
749a2a8dd4e23233d2026d6bcb6f03955c3ca70320ec09e661041a321bf1aa9f

SHA512
952ee70067e50325dba9bace29e453511d5f8e0f77f5a67e22e1abaee8f118f58ee9d17fa3102a0e8548e649e6d713d16ed179cd99b1e16c3467683d19cc2390

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
128KB

MD5
003097efc6e3687b2cada6510ea299e9

SHA1
7b34cb2880057668c0a73fd869025083d1e958ce

SHA256
73fcd801dc57b1155317aa3e0a09f167273eb3b86f3e6e6d660edccb12cb81b2

SHA512
33eb26cb7dedd8a4a82ada93ff2b561ec1c4618290f2f1a6baa69a1cc0cf703db888859516bd8e492d869013a243487a197c47bf0d578cc45abbd92572415200

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
128KB

MD5
51b551b3a9ff718896cb4d88959187fb

SHA1
63e19b94d8ba7b6f6cab3f88771b9f5b1da3a4cd

SHA256
cb73601173936741065c9b8082c87749d73434b3cc00cb867b81c3c336ae6065

SHA512
1bbb1a3a54c9f4fc98e05a21ea3265df998bef0132485e8db076cc1cf4e38eaff3ae707f76a0ad853cd0f9b1b607e3d27af5f8791ce6d211609e4cb28667308e

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
128KB

MD5
7402adba67d57e193c37840ffdd41e7d

SHA1
9e2bedd8e2fdebaa517d2ffdd90e007f4ace9d5f

SHA256
d90bf945848a8c8149929d0c7aac4d957d8d3308d928f984c5a30ee900a399b3

SHA512
d7fd4e6526daef24a8fc895be80115c6ab22d007a6851e11e1c8651755f540fbdde3f7e3d0b09101547170cb5a7064e8bbd252ef94689e99447fe6e734cb8455

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
128KB

MD5
7a56c3fd60c3ce837e22cc449c452e6a

SHA1
21c9ed8bec1ddf91772d11a0e85f6eee2951590c

SHA256
f2e5727f4c5826fbc4aa475a0673cadcf4aed5716ce70482ce2f5f13b33f5657

SHA512
50691a7bd1901e6c8400a11921a398bd09c33b6ff926f86f3f14bb642b0528d92460a189d4a770667916409ea3aea9287e5867bb2bd97b0d8b2832499749dd57

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
128KB

MD5
45da368183ba51aeac9e3f62bb333417

SHA1
05f7aad865593caa863a731e61663e84d964b8d0

SHA256
0578a79c0d313e6fc78180ddd1caa92d6172a09e37084a183defdd040559ab5c

SHA512
91552a26da716e693291cccd08dcb8477f540c41ff541c026a14d5a4e9b3239567d2994c11d96ec6dc2a832f483acad155cf49c342453b36bb0f9f7cdeddd1ca

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
128KB

MD5
5e97c6d9e6a54efcc9db2c605555cae2

SHA1
de1dd481fe6c3e402a325f4f920da1a0c07e8ebc

SHA256
f42f0fe459e6fd515524f28bcdf1425f8860f4cf8ca242501473dc2961960cc8

SHA512
5a11493ec29c3c11e562f67129705c54f39bce97032342e7297311011f8dbab9f32536e6795cc272293209aebb8e710377345d47d79a053d4371c9d874a1f3f6

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
128KB

MD5
65bdce433534fc4f5cb89ef60aab11cc

SHA1
ca2acc5bd27f34363055ac074aeb2fd0d57ea41c

SHA256
49e580e228fd4cc58d1f4ba7204de22f061b12c5ea54701dd4a16701c6ef6de1

SHA512
f21b71b1762bba896b6c0e582126489fd266e23cfbf425c9490d0a19783f9ce3e949fdbedfd4e4cbca38d29a50b05fd591bc9124b0463ebaa47a5edcf6fb442b

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
128KB

MD5
15710eb1afccb350f99d27bef6ce3199

SHA1
5353512d6e9310126468bd01a59f4efbeb4e6ad8

SHA256
385da46c37f172d354fedae97a3508f4e8fde33320fab715e1445e342a9ae546

SHA512
843ba80fbf0587d3202631de1c194025ab5b57dc3bd4e1ffc372369f42560ecc88c77d1cc15967fcf7df407c27d42d3ae8326c3dede3d0bd3bc3b062f3266daf

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
128KB

MD5
8f9c31ad95075d41129646a8a5c5716b

SHA1
c9cce8f89c17e789c7dbdaa4a4e65f81e341f17d

SHA256
6ca6f244a148d3f61c23410fa65603f3032b521310067fc0bc9b038281d65dbd

SHA512
18c00544f240354782ad71633782f3bd37c27709feebc43076ec4a8b851858eb7ca262a871aca23793f93dc76e27a76e12f319049caf19aa9253258778127ceb

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
128KB

MD5
a1b5cf9dd4ab4930689f151c222ef94a

SHA1
e20f54e1cd944340732480b6ef65fdb8c124de24

SHA256
29d30d2f28e9d4a216034a72ac2cfce70d2ea3aa3a5bb25bd3568e11c981885f

SHA512
30852a261f30ed7a780528948ef9116f1d347ae879524be1c74bd77a2d455437bc9e79cffeec4dcf57b87054b258f4fa8ef5c4ab50f9cc8cb72a75de13ac253b

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
128KB

MD5
84f17245d8fd82f1452b31e674d85da4

SHA1
1eaa3c17a9026156a7a4dacd0b7b820cc5866c5e

SHA256
48ca1d53ef49ab8cda5d6bce2cbab707d042f191053160fd07270860cb68347f

SHA512
6b2432846b99d9071a3b846bd5730b7198da5eda0fdbc395346ab9076c857adfe4ac9e89e7b78af80e54e9ea36335575602764d2735695b20d6e625557f335b3

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
128KB

MD5
d9fb2814ef7992a93edf83532aac1a98

SHA1
9bcd0e7240db5eaa2661b636f544c7dddde6a639

SHA256
e5936ac29f2127da3d8f57ddcdf0bff4796154dc6c509b187aa789821ebd3648

SHA512
f1363e542bc8bb2ddf957ef96aea6e8222721559128f3f5e53de1f2b30d25dfa75926ebd03afda8068bd30bb587bc340b063ab34c8b2edbe716d3c517becc185

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
128KB

MD5
b7b5af49f366d3d3fb62515d8be35054

SHA1
640cc656ae50401681b5960c175a17d21f23e2b4

SHA256
596f92df7613a8984bb74fb11e76b1c0bd89c8fb5647d8de4dade27a284f8510

SHA512
f178e91ecfaa29c7ecbaea0520cc3084f554849fbe1d897030d0936de9660e677285305e5ea928056594b08ff737dc6983c133e94c35efd7b7ed488beedbf97e

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
128KB

MD5
edba2718ef427b120bb168c778788c4f

SHA1
b31d8bc4a2fa7328c66c0290236866fdfd01d0f4

SHA256
37859408eacb571f0594a5bbd2f0ce0cd26d39bef7317e94a9ac6249801dd1fb

SHA512
ea5e23473136df8657d8a859d6fddddab3ce2717dde75ec1a75f5209da8d98cde47a6012ebb242f59ed697f72c79930e2e4d8245d53c0a485b569f6495cd7eea

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
128KB

MD5
a938a224ba2346e8cf6edfeb01f8b78a

SHA1
325b35f873beceda0b6a138473a6b221a5e20545

SHA256
e39f8387265bc0e12d6ea511fca19fac4a4872fae4bec1c20568c5478aa904ae

SHA512
38723c96b8aa8249da45ac41118bc5be8e130268718aa208898e920e79ec6dcda03fdb485ef7c063844cf6bac61a65e692a2ebc7b8bd511ea2bcf38bc094474d

Download Submit
C:\Windows\SysWOW64\Omlami32.dll

Filesize
7KB

MD5
a1be6ab660d85e831a3ca9a8faa74fdc

SHA1
494e01ffddace815b842bd96177f8fee518408d4

SHA256
46139a4e06ece9ee62fa7ea34b70decf5b00ba0ff5f24e5c6a7505d3c3daf752

SHA512
3c13f78b59d988bc734f3218956863a1f3d4e7303cb06b16443f10c379d25222dcd2a5e99a9ae26aee1f1525f4003f26923a451560f045fb32106ff862b6b6de

Download Submit
memory/376-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/552-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/864-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/880-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/992-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1020-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1064-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1076-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1264-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1356-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1388-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1416-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1456-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1460-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1808-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2208-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2300-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2404-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2668-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3220-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3340-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3396-163-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3564-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3580-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3760-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3848-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3852-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3884-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4272-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4440-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4576-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4632-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4700-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4760-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4764-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4908-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4964-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5068-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads