16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Size

89KB
MD5

1d942dc4c3698e52117f4d6ca21b0275
SHA1

5a54b4ab64274f46c8b418ea23490d2cb2984131
SHA256

16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e
SHA512

b05eeb4d8e8a634edefada510dd150e15b539d26617094b58b55fb4be5fef9b32248f8aa8cd57b3159651279a1d0be0bbdc167f02bfdfe158463a65b8ff29c45
SSDEEP

768:WMslOQMe39sTDOjAEjgLTnwYIhD5E5ZHtLejjd/ATn3HTgkwUlxqP0qH5cAv8Q51:yNsXGdjgLTwfo2doQkjy5BcOlExkg8F

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhlhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dohmlp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnepfpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe

Executes dropped EXE 64 IoCs

pid	Process
4844	Denlnk32.exe
2512	Dhlhjf32.exe
4904	Dcalgo32.exe
3868	Dephckaf.exe
1996	Dhnepfpj.exe
1940	Dohmlp32.exe
2932	Debeijoc.exe
5080	Dhqaefng.exe
1324	Dphifcoi.exe
428	Dcfebonm.exe
4824	Dfdbojmq.exe
1696	Dlojkddn.exe
832	Dpjflb32.exe
3004	Dchbhn32.exe
3736	Dakbckbe.exe
2812	Efgodj32.exe
5108	Ehekqe32.exe
2396	Elagacbk.exe
224	Eoocmoao.exe
4332	Eckonn32.exe
2816	Ebnoikqb.exe
2372	Efikji32.exe
3160	Ehhgfdho.exe
3436	Epopgbia.exe
3440	Eoapbo32.exe
4640	Ecmlcmhe.exe
3856	Eflhoigi.exe
2968	Ejgdpg32.exe
3148	Eqalmafo.exe
4304	Ebbidj32.exe
3244	Ejjqeg32.exe
408	Ehlaaddj.exe
2528	Elhmablc.exe
396	Eqciba32.exe
5116	Ecbenm32.exe
3664	Ebeejijj.exe
1108	Ejlmkgkl.exe
4912	Ehonfc32.exe
1388	Emjjgbjp.exe
1036	Eqfeha32.exe
1012	Eoifcnid.exe
536	Fbgbpihg.exe
1056	Fjnjqfij.exe
1976	Fhajlc32.exe
4908	Fqhbmqqg.exe
2096	Fcgoilpj.exe
4936	Fbioei32.exe
1088	Ffekegon.exe
4972	Ficgacna.exe
3304	Fmocba32.exe
3200	Fomonm32.exe
4488	Fcikolnh.exe
2500	Fbllkh32.exe
3252	Ffggkgmk.exe
2516	Fifdgblo.exe
3488	Fmapha32.exe
3744	Fopldmcl.exe
1548	Fbnhphbp.exe
748	Fjepaecb.exe
1344	Fihqmb32.exe
4856	Fqohnp32.exe
4660	Fcnejk32.exe
1176	Fjhmgeao.exe
1596	Fmficqpc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Bbopfj32.dll	Debeijoc.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Dphifcoi.exe	Dhqaefng.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Cfjbmnlq.dll	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Himcoo32.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dcalgo32.exe	Dhlhjf32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fjhmgeao.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Fbllkh32.exe	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Knceql32.dll	Dhqaefng.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Ficgacna.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hfjmgdlf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7304	7220	WerFault.exe	292

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojeoiop.dll"	Dhnepfpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppheeep.dll"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbkmec32.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genjanmh.dll"	Dephckaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll"	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpjnm32.dll"	Dhlhjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 4844	4848	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe	84
PID 4848 wrote to memory of 4844	4848	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe	84
PID 4848 wrote to memory of 4844	4848	16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe	84
PID 4844 wrote to memory of 2512	4844	Denlnk32.exe	85
PID 4844 wrote to memory of 2512	4844	Denlnk32.exe	85
PID 4844 wrote to memory of 2512	4844	Denlnk32.exe	85
PID 2512 wrote to memory of 4904	2512	Dhlhjf32.exe	86
PID 2512 wrote to memory of 4904	2512	Dhlhjf32.exe	86
PID 2512 wrote to memory of 4904	2512	Dhlhjf32.exe	86
PID 4904 wrote to memory of 3868	4904	Dcalgo32.exe	87
PID 4904 wrote to memory of 3868	4904	Dcalgo32.exe	87
PID 4904 wrote to memory of 3868	4904	Dcalgo32.exe	87
PID 3868 wrote to memory of 1996	3868	Dephckaf.exe	88
PID 3868 wrote to memory of 1996	3868	Dephckaf.exe	88
PID 3868 wrote to memory of 1996	3868	Dephckaf.exe	88
PID 1996 wrote to memory of 1940	1996	Dhnepfpj.exe	89
PID 1996 wrote to memory of 1940	1996	Dhnepfpj.exe	89
PID 1996 wrote to memory of 1940	1996	Dhnepfpj.exe	89
PID 1940 wrote to memory of 2932	1940	Dohmlp32.exe	90
PID 1940 wrote to memory of 2932	1940	Dohmlp32.exe	90
PID 1940 wrote to memory of 2932	1940	Dohmlp32.exe	90
PID 2932 wrote to memory of 5080	2932	Debeijoc.exe	91
PID 2932 wrote to memory of 5080	2932	Debeijoc.exe	91
PID 2932 wrote to memory of 5080	2932	Debeijoc.exe	91
PID 5080 wrote to memory of 1324	5080	Dhqaefng.exe	92
PID 5080 wrote to memory of 1324	5080	Dhqaefng.exe	92
PID 5080 wrote to memory of 1324	5080	Dhqaefng.exe	92
PID 1324 wrote to memory of 428	1324	Dphifcoi.exe	93
PID 1324 wrote to memory of 428	1324	Dphifcoi.exe	93
PID 1324 wrote to memory of 428	1324	Dphifcoi.exe	93
PID 428 wrote to memory of 4824	428	Dcfebonm.exe	94
PID 428 wrote to memory of 4824	428	Dcfebonm.exe	94
PID 428 wrote to memory of 4824	428	Dcfebonm.exe	94
PID 4824 wrote to memory of 1696	4824	Dfdbojmq.exe	95
PID 4824 wrote to memory of 1696	4824	Dfdbojmq.exe	95
PID 4824 wrote to memory of 1696	4824	Dfdbojmq.exe	95
PID 1696 wrote to memory of 832	1696	Dlojkddn.exe	96
PID 1696 wrote to memory of 832	1696	Dlojkddn.exe	96
PID 1696 wrote to memory of 832	1696	Dlojkddn.exe	96
PID 832 wrote to memory of 3004	832	Dpjflb32.exe	97
PID 832 wrote to memory of 3004	832	Dpjflb32.exe	97
PID 832 wrote to memory of 3004	832	Dpjflb32.exe	97
PID 3004 wrote to memory of 3736	3004	Dchbhn32.exe	98
PID 3004 wrote to memory of 3736	3004	Dchbhn32.exe	98
PID 3004 wrote to memory of 3736	3004	Dchbhn32.exe	98
PID 3736 wrote to memory of 2812	3736	Dakbckbe.exe	99
PID 3736 wrote to memory of 2812	3736	Dakbckbe.exe	99
PID 3736 wrote to memory of 2812	3736	Dakbckbe.exe	99
PID 2812 wrote to memory of 5108	2812	Efgodj32.exe	100
PID 2812 wrote to memory of 5108	2812	Efgodj32.exe	100
PID 2812 wrote to memory of 5108	2812	Efgodj32.exe	100
PID 5108 wrote to memory of 2396	5108	Ehekqe32.exe	101
PID 5108 wrote to memory of 2396	5108	Ehekqe32.exe	101
PID 5108 wrote to memory of 2396	5108	Ehekqe32.exe	101
PID 2396 wrote to memory of 224	2396	Elagacbk.exe	102
PID 2396 wrote to memory of 224	2396	Elagacbk.exe	102
PID 2396 wrote to memory of 224	2396	Elagacbk.exe	102
PID 224 wrote to memory of 4332	224	Eoocmoao.exe	104
PID 224 wrote to memory of 4332	224	Eoocmoao.exe	104
PID 224 wrote to memory of 4332	224	Eoocmoao.exe	104
PID 4332 wrote to memory of 2816	4332	Eckonn32.exe	105
PID 4332 wrote to memory of 2816	4332	Eckonn32.exe	105
PID 4332 wrote to memory of 2816	4332	Eckonn32.exe	105
PID 2816 wrote to memory of 2372	2816	Ebnoikqb.exe	106

C:\Users\Admin\AppData\Local\Temp\16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe
"C:\Users\Admin\AppData\Local\Temp\16d02377dcd7f63c3ce1bc583108ae82eabf4e6bee08455fa5aa3f6e7ac34b5e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\Denlnk32.exe
  C:\Windows\system32\Denlnk32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\Dhlhjf32.exe
    C:\Windows\system32\Dhlhjf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\Dcalgo32.exe
      C:\Windows\system32\Dcalgo32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        27⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        30⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        32⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        33⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        35⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        36⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        40⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        45⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        54⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        59⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        60⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        63⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1176
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        65⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        66⤵
        
        PID:368
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        67⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3712
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        69⤵
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:384
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        71⤵
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        72⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        73⤵
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:856
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        75⤵
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        77⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        78⤵
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4428
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        84⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        87⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        88⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        89⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        91⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        92⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        93⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        95⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        96⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        97⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        100⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        103⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        105⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        111⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        113⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        114⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        115⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        116⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        118⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        120⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        124⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        125⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        127⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        128⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        129⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        133⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        134⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        138⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        142⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        143⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        145⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        146⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        147⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        148⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        149⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        152⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        153⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        155⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6620
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6660
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        158⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        159⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        160⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        162⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6936
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        164⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        165⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        166⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        167⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        168⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        169⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        171⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        174⤵
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        175⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        177⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        178⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        180⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        181⤵
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        182⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        183⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        184⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        185⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        186⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        187⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        188⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        190⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        191⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        192⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        194⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        195⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        196⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        197⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        198⤵
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        199⤵
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        200⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        202⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7220 -s 420
        203⤵
        Program crash
        
        PID:7304

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7220 -ip 7220
1⤵
PID:7280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
89KB

MD5
1a6c34ca4dc59cf4db3390f8e5226ba0

SHA1
190825ce8d368c3cb8faffe0338dc45c0fa1b260

SHA256
b3c160711cd2dd71d256d75f2d56abac5df5a2286d6f3ed0e297f7b18749e5d3

SHA512
80da383d12902125ff2721dbf271dfc6bc37154a8aac3bdf77824b558dda17027e95c81e9096717393b58e90350c59ecb4d0cd8a0538d0b87d4725558cfe1f08

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
89KB

MD5
10100f7fd3b5afb19f10eeca61d07927

SHA1
a881cc09e19aba90e2cea752317060ff53281a84

SHA256
b8c7350f8ad07a764715ba866174ac591e57873179d025e628d1cf1092b8dc78

SHA512
77bbecc1cc92c6693862b4952b886fa3ff52cbd0a37ca6a1efb0c15e5a2ae69f0f779ad634bb10a8ae0efa35e6c042c4dbfa063fed99827cc9adb28b5d177796

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
89KB

MD5
bf9be482cbd06a9a93ad65cb553d5eca

SHA1
5c71f41547b2bda31174661bd078ef562dfb339e

SHA256
e3fbd5390473683e893fc6751b9cd3cc2f8af64a63725869b5bed1786206ec59

SHA512
82789a6bc648d1813ce96e166ba3066a0817e4570617f233d3d8d2cad25f864b32856f2937cda5f7d441438f21ef19c74d934bffc103fdf62f51acd8d9cc78dc

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
89KB

MD5
fc75c1a4ae3cd0010ee8e10336b64c0e

SHA1
6bb7d1f90ada538c10ced292974f6e78fda6f323

SHA256
01989da0b8220f2fc6c03a697aa93366feb30d5a62a90eeb6d708a29c40545ce

SHA512
24f9ecdb8c43913046a22c96566897bf96e15398751d3f92ea9e6ef7dd00b1b74022c69bd450c352e1bfaa7845df12b9eaa256d20cd82ffcae8a9d32ed7b4600

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
89KB

MD5
a6aa1db64d02680e7e1b21f44de025cf

SHA1
e90c0d8e0bff225a65ae00b1bfcf2bb231eef979

SHA256
660ace5266ef61d02d2e858f77ebc5f3adbcb92efe9d02e5ad4e03e1a6f0d6ba

SHA512
f28db06587608b4e57ad27e7560a24314b12e66bbc4f4e0c626d3d3bba1fc6f412eb038890ae7b5087dc097aa3f8417d1417b42f4bcf6efd5368f9b589e1e9dc

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
89KB

MD5
d28bc773e33129f90f87a4873ce1376c

SHA1
53148e5c8f23e8bf6fbb005b6821844a3aa41dbc

SHA256
83a34aa4fc8a3f597b48989d1e9e451da9a732d04d80ec0d5909f93582675f82

SHA512
72ffe3429a64a44153bea13bd458576f54b03d00544c005f636ef332f7b78eafb2f6e4f13fcfb35e24a7037b98c9c0b07659bacc1bd6b0e428671cb33e654ff2

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
89KB

MD5
ecab2830a79b42de3425217677a2cd4d

SHA1
9e86c43e439dd763b7514cf581cee1ae0f7a4389

SHA256
c242a18e8fbc7ee2caa2ef986fe219240b6e3e297cb7ea6a49b0320aeeca0736

SHA512
0aa0fb725d64a1a023095e06647280f52bcb5732b304523910c6700e417cb452a7f946382c9d765076220a4cc0bb32805c187d039d8d537d1c992198ad099c4b

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
89KB

MD5
cbcdc6c7fceda183bab9697a0b705d24

SHA1
a9e7adfbb0e6067e6b932867129e20697edaa6ca

SHA256
734b1527ececd3e3512a30a3a2e48b71453a2c387e48df4404c84abfc2861990

SHA512
6d6e3ac05bc73cbef8b4d3c56314685afcda8e1bcee8104d5f9fed0935bbea22ff347b06cbe23e3bb2f78037b3321f75734e7912ba7ed9e6deee60cb7bd033d6

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
89KB

MD5
5945194babcb0e2628fd4a464c91f34b

SHA1
cd3170ed72a9dbf8d4a93b374591d55fd2c962a4

SHA256
205f345366be84e6433c231ac949e67917204b7e2b901623a9c2315e282658b5

SHA512
4e54cfa2d31b9b10c22e18544d3bb34c2609171a7f9c645ec1a18f6457108ec8178601fc596ee22deff60f17c52536c2e8c552cc8f67edec18f546ae7c4ab684

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
89KB

MD5
5bb878bcd5bfbb4a01b471bc8cbe461a

SHA1
621262e0577f27254521f117ea68503334a3b0d6

SHA256
15bb2c77b801086d933d5e66ff24daef91c8093d72298ac65bf1110e815b7880

SHA512
7109f880bb6f9a2af72195e7b5066854a213cadb4613029c1e02c161c13da88d29c85e1061cc6be860daf606b494462d14a0e5e1f530b2c6b0483d80f7ce3b41

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
89KB

MD5
b3755240a43d2572a561ac12a2b854fc

SHA1
f8bb70cc9ecd6df2c6bd50b94283de896ef411a0

SHA256
27984751cf2188e235a1264e36279f5ec38ed957554c65a41ae3ae75c982bd42

SHA512
7093eb4c7609a8b77d1823c55305a234b0902f78fab9a07f362acac2df74e09e43dbafcb850047d4eaf4174d381c4fa7315902543c267ec9b09452501b21bdd5

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
89KB

MD5
5cd1f962fceac8477917d2c01eced87e

SHA1
8868799bdf65778fae89c57ab0736b14ec1c7f5a

SHA256
e9ab684b81c9acad6aeae1066db34e66bfbb9420065e29c704186263543eb183

SHA512
33144c069f2242f8a24a91994e73294de9ae407a095008df7bc2bfc5138f6ca82dee957d9b00610d534f298df776da99dc5259b627fd5113353b567e6dbf0a03

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
89KB

MD5
d6fcbd728af65e737c57f8d70c614231

SHA1
d6d9113c35ceb00660c5813a294286ec4c17dc99

SHA256
e21fb92360e0f42a6f9dcfc3eb943fae5a11231c97201b58561b94fbc1aa50a5

SHA512
8df2e9a030b9bc05df080b44ff86c7253242dec2578fabb73ec9e7c9bafe1ed7c425e822e0082f1858efb8e0eb0fa286306562b1c0a16643b0eeca3e97c36c29

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
89KB

MD5
3bc3476268cf9078d0e36b7c5805d79d

SHA1
a4959706ee75a290fdf1d34584bd5111e4000eae

SHA256
950f9954d13bfbf9be61d7a7dca123507c591768a073501ab25cc112f7f7206c

SHA512
43c63c65835b9df80077476196ceff8edc83ed25a0283a885031c4918efcd314aed5487d022264094b770069a9ccfe84b82993eef17bdd24af4e11755c91349d

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
89KB

MD5
790775d46c1a3f40baeda000b5ea2135

SHA1
ed1d24ec75f05d4b61455e05b8cbb8b71322f8ae

SHA256
3ea9af98941995e3655aeadab9168f1534b291e45da0b2f29f18b030774256a0

SHA512
7e9edeafa4ad212f1160c0444355c5857e43ae82cbac0305fbda7e13ecf124400608484810f30f9b327e547cd2be92f1d5335d531d4d376e1f4c2f5dc15f213b

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
89KB

MD5
96512fcf5c14f8ac3c3b6b841ec822cd

SHA1
3d5d7ff411ec688edb01091206e41a57c3d72ecf

SHA256
d8b8bc9d747ec1b7a4d0dac7553d8c4adddc49372a6717886199bd0940688943

SHA512
7719b279eccb35e9c9fbe9275c2c95c6aaa235d90ed3bcfb83dfd591be789766a5fd92f3d4e534a6845b745d7722bdd27481436581f8884ecb7da36c66d7feb9

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
89KB

MD5
05be68c94e09bffe60b4a596a65b41a2

SHA1
9077e934bd8674e1f8891321bcbf6c527ad325ae

SHA256
f2b72fcfb12ebe75f3679fd4aa8033d97a02ec6399dd6069cb9ec32713333968

SHA512
8098700b72e460ec26bd0c184dafae1ac033977c8d682fd8e2f2d4e6cd310f5cae1e4a1fdd907fe9232bb09988f6f138f978f20352a2bdf3f33e98cc4f4c95b5

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
89KB

MD5
f215b96a163dd712dc10177f297665c0

SHA1
6b578c30f944b4ea5767118ad4928a0a882774d4

SHA256
2ce155ad5caea44c3721a5a998fdd8b161c84b8052ee005fd55b54c4a31d91bf

SHA512
95ac40b3c8d8bfa19eada4909755d31265ffdc55d23c0ad548e5b4409fc8a4376d34361a7f95d11b50292093e9618e3992e4ad2e7c22d70394075f9afb4b8cb7

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
89KB

MD5
d1ed48b07ad8b7ccd4909c9ca67bc892

SHA1
7fe5ed960dec47bc07ffbf2ed74529ac299e8e50

SHA256
c6b7099b4f1753435e4b992e085d5fa3e2cf8e07f854b5b7712aee6e3123cd47

SHA512
5864fa514b06564c90a50bd0b0c63a40216eb1ed926c5a3705c473870a9d5f6487a7d584a1b9d4ba389ab66a089b6516065d866c07bd8e703aa5381c5f32e9fa

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
89KB

MD5
9047245bf6a26d2daf3b1c2c18afea4c

SHA1
89a3d0c6b6086aab60ee979796f7522baa0b3e61

SHA256
80878a0c6315f2ff376bc6a050be9ec1633ba4ee16f165750fe6062a04e70ce8

SHA512
acf653643dd1659e424d9388babc62ebec1d872310e40860e65b5c80a3d172e61733177846d58098633dd6f824c1d74d96d78da01070d48805f12fd305a869d6

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
89KB

MD5
2221ae864107621f0795d2d0d5742bf1

SHA1
e43b08258817105aa8a105048cdcc4e4c5ce36f1

SHA256
ee6ecc8736fdab0eca374df61925524c9ced4371c4627ad219611b50631b593b

SHA512
0b349fdc08cbef774d4c00cc63cfc4014d91e08739ad45eb816f982a8ca0014d741ebbe4e6419b9429914e76ba25562daa857d1af4bb68fd5713fbd29949c8a8

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
89KB

MD5
eaa174c8fec26d7278d7c2e751cb3cee

SHA1
de4a3d7eeca13105983ebeadec5a7128db6e507b

SHA256
46dd8ebe6de3b904bd5df1d0195b72595b084c778786b90bb89b25024cda8a2c

SHA512
52260c15d7c75cbb62e2fa9ade353b3d578876f7631b7e9d5a0b7f701bdc1e69786588212945a79b42c0c4d092fe90139a087164bfd45a41bbf5b49f3dcd5f60

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
89KB

MD5
235102cc6aa85a5b6e9f3b4d7db9c222

SHA1
12f871b982ca172e3e9b88935585af3256950bd6

SHA256
9f76cc00781de58e8d6ad8bd5a612e93b67edbe629f564499e7ccdfe793a40b2

SHA512
26e222e98103966a03658615d166f936764286666cabad4416b50320dc527e37a17cfbda30057891807eec5c64f2dca1d7d66bef34c5dbedf7b1bc238880951c

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
89KB

MD5
f4cff9f6273e6acd616347879d3184ac

SHA1
eab4e453ff54af03e058df76bfe7307790a78214

SHA256
9a03b72262d39109b47d749c87422c986886dca7a3946d5a7bc2d6814d7202eb

SHA512
199c79bfb22a324e429e4df9426d286a06fb8604b31b24713f30a0fbc75f52bc1a20fceeafcbf6ee5a3d52d01734a5b488b4584145af497af7ae3f2805420c4d

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
89KB

MD5
ba606a832399ff642e227fd7d64aae37

SHA1
7cc249bef08e36c9c908885cba96a2d0b376c158

SHA256
7b1047932b0fcf9a2479997d70041e3463cc000f9d10dc07a6ae47ac4714603f

SHA512
2b403c1df3d530d31528b9a65b757722940dcd1b62e6ea8a300c2324e7843ec6039d620deaf684fd282c3653221d5ff285b4bf1b55641b60ccc8267f0017dbff

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
89KB

MD5
41e92a01d142146a043af3b29a3bdd62

SHA1
0a0fe125faf3995af10c78b6d84eccdf625c1d1f

SHA256
52f65431163985225de7bc97e04d50deaa9ffd3b5e9cf886316461803b5ba760

SHA512
4a2c525b2bf1d97c11c43edfc1190c5b38c5b74e3f031008aa97121d17a3e641f67688def850f5ec20ede26ed2f7c969848c269f71310180861b9a52ca22a72f

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
89KB

MD5
f8080469dc744b5090ca74425b66d35f

SHA1
bca911c4c18165789549bdfc6847355c56d75313

SHA256
b392564bf30c3ca61c73f0559aa7b0ff236ba038bf6c55e92542d720fc406e8a

SHA512
38e5dc49df4512668790cfa50a6840a680d6c3a2b0689f59d467d33444ea87b28da05a90cc0e6fa14f4e2a128ed62890d97a056a3d95ab76489bc83b5479aec4

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
89KB

MD5
3390c3b3558c67a698b4b834ef0f8bff

SHA1
6d93d804d9525d7d8d5b88cc8773f7f543295607

SHA256
6f970054f34bd5cabc7b014c3afeb95345af49301d7eb45adfb6a9bab10f91c5

SHA512
e1f4b9b2cf37cb897de6c7f9329ed640d39fcd88be9d4a1dd53bae2ad033634ff46564342ceeb09545e8167e211e3585f33924a111fb2b2669bd8c8a850a23b0

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
89KB

MD5
0049e80482d82a5aa39d08e65b3023a6

SHA1
7287d3c5a6f9f6f1358f25000c472af132bfa249

SHA256
988fc7121fe185d3e48bea061f139df6fd701c26b15e9f07299dc4285d39835d

SHA512
70270aa504f303d4c706e63b6e57949084636d3633f489cd42bda9584dc4eb5ac72e609473346fcb937f35880114b296799d5385bf571d3684c13ac60967a08f

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
89KB

MD5
8fbac8a2312d84001bcc81919001096c

SHA1
29f5a015d7654eb741638b183532016014be7fa3

SHA256
7e945394bb27b94fb420ba8f37f74c1316f275756a8632b21d572ea4492d9e72

SHA512
32983e5935346f0d1a827ce88abc4cae2dbf4b99df4f418821f89b9363698d93eea22275259130d11de3ea316fad69c35658b61eabe06bd7782398d336d851cf

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
89KB

MD5
1cd3506e406ccf0b2f225db9fbf27843

SHA1
a800beb9e83e880041a7af21f0c440a2b25eef8d

SHA256
e7a025cc3f48aa2956ebe13a70e501e866eca76ab68d189f5ea347371b7406db

SHA512
f11867ebdc921744e23a0e44ba505c80616af9aab73bbb46880e882aba0116248eecb874dbccc1252a0dcca52446fc6e5e5a00b4683adb3e50d7f365f1d9823e

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
89KB

MD5
aa4642ae909eb0c1872531e08532078c

SHA1
62ced70695c7eed13488b3ff1351204c4397e7c5

SHA256
5276ca4422f968c28b13f71e44313de7144c882969d95a47888ba0fdfbccc1df

SHA512
d5c211708561df7fa3784cef7228e3c0998ef8744c03b41f6cf6473d4c4cdac8fb4803656d745edc7ad66ef7eafef864c4df82a51f1568722e1176715f57c176

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
89KB

MD5
93bafae02cbba11fbe848595c662002b

SHA1
8185400a6d0c8ae5ca4274e72f4566b3f2873880

SHA256
93cf69cb631bfa2ac0eefbb3d2e7eda0ba7eae96a87c10fe96110b584dfeb738

SHA512
baeb55df3c5c993400c0e1adb0854ed50e3f927ea9d4cb54a9f5ff88548d2a6dffcd9dc2566a99e1ebb508a34726432c716e989729b2c86f93604dbb763dc788

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
89KB

MD5
5fd316c22436f5aa8465d5f18ee85a7a

SHA1
fe5acbca30b136a8b2610bf5c9c182b6d287bbd4

SHA256
2021ed8d29f2d83104064228bf5bfbc2090cd9436af3d781ad5f4e2e4632371d

SHA512
a707f06a576c88afba0db82887d54f6f56d94e3335a83528852c5e1c92a989ae0227a07e810d58411685bb8d7de3bebe4d6b26c30b09bed1e578cd78ce9c3d4e

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
89KB

MD5
adc89395d8eca760e4704fb4cedc9262

SHA1
98019c0ce3adb70f5d3ff104716d546f1cf8724b

SHA256
8e2b9926fe29d3f474949928c25aec5ab2d329a42afce0f10018563f4a946a13

SHA512
d132e799b76e5dfad0dc5bcd699ecc0aadb07a37e8064a89c9c542ccc35dc06bd0695f6e0416a2054d893f49f39afeb4ffdf523b27ce4fb740405cd645ab4c93

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
89KB

MD5
86bfa65cdd6f86c910a5d3ba35fe4d01

SHA1
2fb694ce941eff5a045843b441e15b8ce47ca9ca

SHA256
18082509dc4c0fed20d1c89de04fa16a2d9a676dbcd6a2e24cd42eb7e21e1b3a

SHA512
4618fedc7b78b088a2f741ae85fa69886a84902f7d2d688c3cbf20cc940835009547bfb2ca50652ea28837035d39b68d82e7a4a33f0927ff2728cdad44061aca

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
89KB

MD5
86147b5d3e40ac23de828b401b8e3096

SHA1
4df5393c06c2fbec34b3734fec61805172e77547

SHA256
0bb7b728232f5887104881f31440dfbd8d24dc0a2c9c3355968690a451014d43

SHA512
f3fa8a46f8e196f51a381f25248c9827c0d21386d5a74b6a029d1b37665f75fc35274b2497667ef32b40671558fd61c438b3b6033cfaa80edbf80360921c1072

Download Submit
C:\Windows\SysWOW64\Genjanmh.dll

Filesize
7KB

MD5
5592379719319597616511c2e4893a13

SHA1
b854e93edca0d1eb0a43c503ae7592f9738ee342

SHA256
1d10ac7d847a3fbab8df624f685b56e9ec345e48c14d7e6513de9e9dcc70cca9

SHA512
6cc21d197851b8dcf30facb67443e34ee1ee9e5baec912d41518f540eb5cb8290ac25689eb1d57cc2f86eba1e9b41579679f1f4c48c95e0bbac9b1d3a5423015

Download Submit
memory/224-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/428-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1012-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1036-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1056-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1696-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-147-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2528-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3160-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3200-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3252-392-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4660-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4936-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5080-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads