55013ec8bedc5760f3abbccc14ec403c01b4cbfbf803c69c9539ff8c65f56753

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 14:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30c424839c739f3e57aea0aede247754.exe
Size

104KB
MD5

30c424839c739f3e57aea0aede247754
SHA1

e0039955f8d9de398bfaf884f0400ed332c478bc
SHA256

55013ec8bedc5760f3abbccc14ec403c01b4cbfbf803c69c9539ff8c65f56753
SHA512

7e31831e29e469181146adc8070f540aa30ea1c2be4a372dc9960866c772df50cc1f8992d559ac0b364c356dfd193fa715df72cee212a7a28e557c9fd4ae39be
SSDEEP

3072:ZjThvKi787KvBpzeoauE+h3+rJM++SYSUZCbCdW:Zciw6paobEcAJN+SYSUZCbX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gkkojgao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcagkdba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgmngglp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fakdpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoolbinc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dedkdcie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekjfcipa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffimfqgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcfkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkjmlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpcfkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhemmlhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifllil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eadopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liddbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llemdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednaqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekacmjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoolbinc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghaliknf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hopnqdan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlednamo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe

Executes dropped EXE 64 IoCs

pid	Process
116	Dkjmlk32.exe
2564	Dadeieea.exe
5096	Dlijfneg.exe
1480	Dccbbhld.exe
1632	Dhpjkojk.exe
1224	Dkoggkjo.exe
3084	Dedkdcie.exe
1284	Ekacmjgl.exe
2712	Eaklidoi.exe
3576	Elppfmoo.exe
3504	Eoolbinc.exe
2376	Edkdkplj.exe
4280	Elbmlmml.exe
1956	Ecmeig32.exe
1664	Ednaqo32.exe
1760	Eleiam32.exe
2740	Ecoangbg.exe
4132	Edpnfo32.exe
3924	Ekjfcipa.exe
1680	Eadopc32.exe
800	Fljcmlfd.exe
3416	Fafkecel.exe
1924	Fdegandp.exe
1232	Fojlngce.exe
2304	Ffddka32.exe
4184	Flnlhk32.exe
3916	Fakdpb32.exe
1940	Fhemmlhc.exe
2864	Fooeif32.exe
4820	Ffimfqgm.exe
620	Fkffog32.exe
1976	Foabofnn.exe
312	Fdnjgmle.exe
3092	Gkhbdg32.exe
4452	Gdqgmmjb.exe
4540	Gkkojgao.exe
756	Gcagkdba.exe
1968	Gfpcgpae.exe
1492	Gmjlcj32.exe
4560	Gohhpe32.exe
5020	Gfbploob.exe
2992	Ghaliknf.exe
1808	Gokdeeec.exe
2784	Gbiaapdf.exe
2548	Gdhmnlcj.exe
4128	Gkaejf32.exe
4600	Gomakdcp.exe
2416	Gfgjgo32.exe
4012	Gdjjckag.exe
3076	Hopnqdan.exe
1768	Helfik32.exe
3460	Hmcojh32.exe
4088	Hobkfd32.exe
3812	Heocnk32.exe
4440	Hkikkeeo.exe
3640	Hcpclbfa.exe
3988	Heapdjlp.exe
1216	Hkkhqd32.exe
4672	Hcbpab32.exe
2372	Hioiji32.exe
3976	Hoiafcic.exe
4068	Hbgmcnhf.exe
3836	Iiaephpc.exe
2272	Icgjmapi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Liddbc32.exe	Lffhfh32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Kebbafoj.exe	Kbceejpf.exe
File created	C:\Windows\SysWOW64\Kfckahdj.exe	Klngdpdd.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Fooeif32.exe	Fhemmlhc.exe
File opened for modification	C:\Windows\SysWOW64\Ieolehop.exe	Ifllil32.exe
File created	C:\Windows\SysWOW64\Ippohl32.dll	Jefbfgig.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ffddka32.exe	Fojlngce.exe
File created	C:\Windows\SysWOW64\Hhkephlb.dll	Ffddka32.exe
File opened for modification	C:\Windows\SysWOW64\Ghaliknf.exe	Gfbploob.exe
File created	C:\Windows\SysWOW64\Hkkhqd32.exe	Heapdjlp.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Gkkojgao.exe	Gdqgmmjb.exe
File created	C:\Windows\SysWOW64\Hopnqdan.exe	Gdjjckag.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Okokppbk.dll	Kfckahdj.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Jgmbieme.dll	Elbmlmml.exe
File opened for modification	C:\Windows\SysWOW64\Gcagkdba.exe	Gkkojgao.exe
File opened for modification	C:\Windows\SysWOW64\Gdjjckag.exe	Gfgjgo32.exe
File opened for modification	C:\Windows\SysWOW64\Klngdpdd.exe	Kfankifm.exe
File opened for modification	C:\Windows\SysWOW64\Lpcfkm32.exe	Liimncmf.exe
File created	C:\Windows\SysWOW64\Hioiji32.exe	Hcbpab32.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lllcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Edpnfo32.exe	Ecoangbg.exe
File opened for modification	C:\Windows\SysWOW64\Fhemmlhc.exe	Fakdpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cnaijinl.dll	Gcagkdba.exe
File opened for modification	C:\Windows\SysWOW64\Gfgjgo32.exe	Gomakdcp.exe
File created	C:\Windows\SysWOW64\Keblci32.dll	Icgjmapi.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Klimip32.exe	Kfmepi32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Gohhpe32.exe	Gmjlcj32.exe
File created	C:\Windows\SysWOW64\Ickchq32.exe	Ildkgc32.exe
File created	C:\Windows\SysWOW64\Mlefklpj.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Eoolbinc.exe	Elppfmoo.exe
File created	C:\Windows\SysWOW64\Npmagine.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Hkikkeeo.exe	Heocnk32.exe
File opened for modification	C:\Windows\SysWOW64\Klqcioba.exe	Kfckahdj.exe
File opened for modification	C:\Windows\SysWOW64\Liimncmf.exe	Lboeaifi.exe
File opened for modification	C:\Windows\SysWOW64\Mdjagjco.exe	Mlcifmbl.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Lgmngglp.exe	Lbabgh32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Flnlhk32.exe	Ffddka32.exe
File opened for modification	C:\Windows\SysWOW64\Hcpclbfa.exe	Hkikkeeo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2640	7968	WerFault.exe	359

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eoolbinc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcbgk32.dll"	Eoolbinc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll"	Lingibiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jimekgff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dccbbhld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfbploob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpjlklok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Flnlhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbnajo.dll"	Fdnjgmle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iledokkp.dll"	Ildkgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgddhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edkdkplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngndc32.dll"	Gbiaapdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Liimncmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fljcmlfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hobkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfmepi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lingibiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qncbfk32.dll"	Lbdolh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lllcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elhcgeja.dll"	Gfgjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gomakdcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ickchq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgokmgjm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 116	1296	30c424839c739f3e57aea0aede247754.exe	83
PID 1296 wrote to memory of 116	1296	30c424839c739f3e57aea0aede247754.exe	83
PID 1296 wrote to memory of 116	1296	30c424839c739f3e57aea0aede247754.exe	83
PID 116 wrote to memory of 2564	116	Dkjmlk32.exe	84
PID 116 wrote to memory of 2564	116	Dkjmlk32.exe	84
PID 116 wrote to memory of 2564	116	Dkjmlk32.exe	84
PID 2564 wrote to memory of 5096	2564	Dadeieea.exe	85
PID 2564 wrote to memory of 5096	2564	Dadeieea.exe	85
PID 2564 wrote to memory of 5096	2564	Dadeieea.exe	85
PID 5096 wrote to memory of 1480	5096	Dlijfneg.exe	86
PID 5096 wrote to memory of 1480	5096	Dlijfneg.exe	86
PID 5096 wrote to memory of 1480	5096	Dlijfneg.exe	86
PID 1480 wrote to memory of 1632	1480	Dccbbhld.exe	87
PID 1480 wrote to memory of 1632	1480	Dccbbhld.exe	87
PID 1480 wrote to memory of 1632	1480	Dccbbhld.exe	87
PID 1632 wrote to memory of 1224	1632	Dhpjkojk.exe	88
PID 1632 wrote to memory of 1224	1632	Dhpjkojk.exe	88
PID 1632 wrote to memory of 1224	1632	Dhpjkojk.exe	88
PID 1224 wrote to memory of 3084	1224	Dkoggkjo.exe	89
PID 1224 wrote to memory of 3084	1224	Dkoggkjo.exe	89
PID 1224 wrote to memory of 3084	1224	Dkoggkjo.exe	89
PID 3084 wrote to memory of 1284	3084	Dedkdcie.exe	90
PID 3084 wrote to memory of 1284	3084	Dedkdcie.exe	90
PID 3084 wrote to memory of 1284	3084	Dedkdcie.exe	90
PID 1284 wrote to memory of 2712	1284	Ekacmjgl.exe	91
PID 1284 wrote to memory of 2712	1284	Ekacmjgl.exe	91
PID 1284 wrote to memory of 2712	1284	Ekacmjgl.exe	91
PID 2712 wrote to memory of 3576	2712	Eaklidoi.exe	92
PID 2712 wrote to memory of 3576	2712	Eaklidoi.exe	92
PID 2712 wrote to memory of 3576	2712	Eaklidoi.exe	92
PID 3576 wrote to memory of 3504	3576	Elppfmoo.exe	93
PID 3576 wrote to memory of 3504	3576	Elppfmoo.exe	93
PID 3576 wrote to memory of 3504	3576	Elppfmoo.exe	93
PID 3504 wrote to memory of 2376	3504	Eoolbinc.exe	94
PID 3504 wrote to memory of 2376	3504	Eoolbinc.exe	94
PID 3504 wrote to memory of 2376	3504	Eoolbinc.exe	94
PID 2376 wrote to memory of 4280	2376	Edkdkplj.exe	95
PID 2376 wrote to memory of 4280	2376	Edkdkplj.exe	95
PID 2376 wrote to memory of 4280	2376	Edkdkplj.exe	95
PID 4280 wrote to memory of 1956	4280	Elbmlmml.exe	96
PID 4280 wrote to memory of 1956	4280	Elbmlmml.exe	96
PID 4280 wrote to memory of 1956	4280	Elbmlmml.exe	96
PID 1956 wrote to memory of 1664	1956	Ecmeig32.exe	97
PID 1956 wrote to memory of 1664	1956	Ecmeig32.exe	97
PID 1956 wrote to memory of 1664	1956	Ecmeig32.exe	97
PID 1664 wrote to memory of 1760	1664	Ednaqo32.exe	98
PID 1664 wrote to memory of 1760	1664	Ednaqo32.exe	98
PID 1664 wrote to memory of 1760	1664	Ednaqo32.exe	98
PID 1760 wrote to memory of 2740	1760	Eleiam32.exe	99
PID 1760 wrote to memory of 2740	1760	Eleiam32.exe	99
PID 1760 wrote to memory of 2740	1760	Eleiam32.exe	99
PID 2740 wrote to memory of 4132	2740	Ecoangbg.exe	100
PID 2740 wrote to memory of 4132	2740	Ecoangbg.exe	100
PID 2740 wrote to memory of 4132	2740	Ecoangbg.exe	100
PID 4132 wrote to memory of 3924	4132	Edpnfo32.exe	101
PID 4132 wrote to memory of 3924	4132	Edpnfo32.exe	101
PID 4132 wrote to memory of 3924	4132	Edpnfo32.exe	101
PID 3924 wrote to memory of 1680	3924	Ekjfcipa.exe	102
PID 3924 wrote to memory of 1680	3924	Ekjfcipa.exe	102
PID 3924 wrote to memory of 1680	3924	Ekjfcipa.exe	102
PID 1680 wrote to memory of 800	1680	Eadopc32.exe	104
PID 1680 wrote to memory of 800	1680	Eadopc32.exe	104
PID 1680 wrote to memory of 800	1680	Eadopc32.exe	104
PID 800 wrote to memory of 3416	800	Fljcmlfd.exe	105

C:\Users\Admin\AppData\Local\Temp\30c424839c739f3e57aea0aede247754.exe
"C:\Users\Admin\AppData\Local\Temp\30c424839c739f3e57aea0aede247754.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\Dkjmlk32.exe
  C:\Windows\system32\Dkjmlk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\Dadeieea.exe
    C:\Windows\system32\Dadeieea.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\Dlijfneg.exe
      C:\Windows\system32\Dlijfneg.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\SysWOW64\Dccbbhld.exe
        
        C:\Windows\system32\Dccbbhld.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\SysWOW64\Dhpjkojk.exe
        
        C:\Windows\system32\Dhpjkojk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Dkoggkjo.exe
        
        C:\Windows\system32\Dkoggkjo.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Dedkdcie.exe
        
        C:\Windows\system32\Dedkdcie.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Ekacmjgl.exe
        
        C:\Windows\system32\Ekacmjgl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Eaklidoi.exe
        
        C:\Windows\system32\Eaklidoi.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Elppfmoo.exe
        
        C:\Windows\system32\Elppfmoo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Eoolbinc.exe
        
        C:\Windows\system32\Eoolbinc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Edkdkplj.exe
        
        C:\Windows\system32\Edkdkplj.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Elbmlmml.exe
        
        C:\Windows\system32\Elbmlmml.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ecmeig32.exe
        
        C:\Windows\system32\Ecmeig32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ednaqo32.exe
        
        C:\Windows\system32\Ednaqo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Eleiam32.exe
        
        C:\Windows\system32\Eleiam32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Edpnfo32.exe
        
        C:\Windows\system32\Edpnfo32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Ekjfcipa.exe
        
        C:\Windows\system32\Ekjfcipa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Eadopc32.exe
        
        C:\Windows\system32\Eadopc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Fafkecel.exe
        
        C:\Windows\system32\Fafkecel.exe
        23⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        24⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\Ffddka32.exe
        
        C:\Windows\system32\Ffddka32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\Flnlhk32.exe
        
        C:\Windows\system32\Flnlhk32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        32⤵
        Executes dropped EXE
        
        PID:620
        
        C:\Windows\SysWOW64\Foabofnn.exe
        
        C:\Windows\system32\Foabofnn.exe
        33⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        35⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Gcagkdba.exe
        
        C:\Windows\system32\Gcagkdba.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Gfpcgpae.exe
        
        C:\Windows\system32\Gfpcgpae.exe
        39⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\Gmjlcj32.exe
        
        C:\Windows\system32\Gmjlcj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        41⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Gfbploob.exe
        
        C:\Windows\system32\Gfbploob.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ghaliknf.exe
        
        C:\Windows\system32\Ghaliknf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        44⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Gbiaapdf.exe
        
        C:\Windows\system32\Gbiaapdf.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Gkaejf32.exe
        
        C:\Windows\system32\Gkaejf32.exe
        47⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Gomakdcp.exe
        
        C:\Windows\system32\Gomakdcp.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Gdjjckag.exe
        
        C:\Windows\system32\Gdjjckag.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Hopnqdan.exe
        
        C:\Windows\system32\Hopnqdan.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        52⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        53⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Hobkfd32.exe
        
        C:\Windows\system32\Hobkfd32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        57⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Heapdjlp.exe
        
        C:\Windows\system32\Heapdjlp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        59⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        61⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        62⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        63⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        64⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\SysWOW64\Icgjmapi.exe
        
        C:\Windows\system32\Icgjmapi.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        66⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        67⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        68⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        69⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        70⤵
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Ickchq32.exe
        
        C:\Windows\system32\Ickchq32.exe
        72⤵
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        73⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        74⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        76⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        77⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        78⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4824
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        80⤵
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        81⤵
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1916
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        83⤵
        
        PID:924
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:388
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        85⤵
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        86⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        87⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        88⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        89⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        91⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        92⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        93⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Kfmepi32.exe
        
        C:\Windows\system32\Kfmepi32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Klimip32.exe
        
        C:\Windows\system32\Klimip32.exe
        96⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Kbceejpf.exe
        
        C:\Windows\system32\Kbceejpf.exe
        97⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        98⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Klljnp32.exe
        
        C:\Windows\system32\Klljnp32.exe
        99⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Kdcbom32.exe
        
        C:\Windows\system32\Kdcbom32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        101⤵
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        102⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        104⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Lffhfh32.exe
        
        C:\Windows\system32\Lffhfh32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        107⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        108⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        109⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Lboeaifi.exe
        
        C:\Windows\system32\Lboeaifi.exe
        111⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Liimncmf.exe
        
        C:\Windows\system32\Liimncmf.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Lgmngglp.exe
        
        C:\Windows\system32\Lgmngglp.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3552
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        116⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        117⤵
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        119⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Lllcen32.exe
        
        C:\Windows\system32\Lllcen32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        121⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        122⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Mpjlklok.exe
        
        C:\Windows\system32\Mpjlklok.exe
        123⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Mgddhf32.exe
        
        C:\Windows\system32\Mgddhf32.exe
        124⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        125⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Mlampmdo.exe
        
        C:\Windows\system32\Mlampmdo.exe
        126⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        127⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Mgfqmfde.exe
        
        C:\Windows\system32\Mgfqmfde.exe
        128⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        129⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        130⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        131⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        132⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        133⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        134⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        135⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5936
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        138⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        139⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        141⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        142⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        143⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        144⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        145⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        146⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        147⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        148⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        150⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        153⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        154⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        156⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        158⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        161⤵
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        163⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7100
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        165⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        166⤵
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        167⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        168⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        169⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        173⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        174⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        175⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        178⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        179⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        181⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        182⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        183⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        184⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        186⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        187⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        188⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        190⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6856
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        192⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        193⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        194⤵
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        195⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        196⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        197⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        199⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        201⤵
        Drops file in System32 directory
        
        PID:7216
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        202⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        203⤵
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        204⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        205⤵
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        206⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        207⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        208⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        209⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        210⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        211⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        212⤵
        Drops file in System32 directory
        
        PID:7728
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        213⤵
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        214⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        215⤵
        Modifies registry class
        
        PID:7884
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        216⤵
        Modifies registry class
        
        PID:7932
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        217⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8016
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        219⤵
        Modifies registry class
        
        PID:8064
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        220⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8104
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        221⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        222⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        223⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        224⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        225⤵
        Drops file in System32 directory
        
        PID:7352
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        226⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        227⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        228⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7572
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        230⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        231⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        232⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7828
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        233⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7896
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        234⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7960
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        235⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        236⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        237⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        238⤵
        Modifies registry class
        
        PID:8184
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        239⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        240⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        241⤵
        Drops file in System32 directory
        
        PID:7464
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        242⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7504
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        243⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7640
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        244⤵
        Drops file in System32 directory
        
        PID:7736
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        245⤵
        Modifies registry class
        
        PID:7844
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        246⤵
        Drops file in System32 directory
        
        PID:8004
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        247⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7780
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        248⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8180
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        249⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        250⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        251⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        252⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7052
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        253⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        254⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        255⤵
        Modifies registry class
        
        PID:7208
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        256⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        257⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        258⤵
        Modifies registry class
        
        PID:8052
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        259⤵
        Modifies registry class
        
        PID:7172
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        260⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        261⤵
        Modifies registry class
        
        PID:7344
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        262⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        263⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        264⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        265⤵
        Drops file in System32 directory
        
        PID:7380
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        266⤵
        Drops file in System32 directory
        
        PID:8076
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        267⤵
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        268⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 420
        269⤵
        Program crash
        
        PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7968 -ip 7968
1⤵
PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anogiicl.exe

Filesize
64KB

MD5
fd4da75be14925bb4b4449589ccf8f6a

SHA1
3938cae0ff1aab7f9f6be4aab37f9938b347dc8d

SHA256
058abcfe056cb9dc3765b0a254ad3efb874a618d9c8006c0678bcea8f837e189

SHA512
c6e25b63e255520c2ac55e98d9a35267dea3bb57c965e598d9ac2e60c7bfb610f0d5fdfe4c7419d0db14ebba162f311b22b2e82d1a9b14d08aa936156f52d661

Download Submit
C:\Windows\SysWOW64\Bapolp32.dll

Filesize
7KB

MD5
140a2ce15627324c20d999366e38ebdc

SHA1
47238e9ca2bce93e701162aa9139a6a25f1fca3e

SHA256
634ac402e5b79f31acdc569a8577ed1d736f9a4fb21d27348d2cdd714eaddbe5

SHA512
1d0ad82196631067366d117e74b6c6e92a0f6f591c9e924f34269e4116e5a32def56ac942d28a5b60981a6e7d55bd34faebaa5f83939b279eef94f31a0d25823

Download Submit
C:\Windows\SysWOW64\Dadeieea.exe

Filesize
104KB

MD5
16e577f0d7d2f947a4bf9eb158f16f9e

SHA1
3131d27d1236a16dd842d401a8d8a971977f1d8c

SHA256
ea25b22669b1ae145252af44cb5de76c9b34f78b22afaf8fbef45f868a5c9636

SHA512
d46286ce06466889a0300004508ca0bbdfceab9031fd876fd39cb6f75f25975945d95c0437650aa2e8e773cdf97cf340c8e4097e30b4aa334137299b1a721b87

Download Submit
C:\Windows\SysWOW64\Dccbbhld.exe

Filesize
104KB

MD5
5ea05474ebdac683a9de7498c1fc696b

SHA1
261094804ac5f616078c6dc436b68d2bb6bf58e0

SHA256
43b167851ce0f9ba9936fdef3a9517022d35b4dbc9d03fa659b87f42001501ce

SHA512
33b7b48a6c3bd068c8d43cd990fb832d8661ec23becdd61142a7462583850a0600c1a039edfe11f2695032996bb76c3d04e951f9bded225288581b04abd6c192

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
104KB

MD5
751aefc96d2c09dd4660799aec199621

SHA1
54a2154692ff61da793cdc62b1cdd8e58036efb3

SHA256
4af86de5e99120c40dbad85a3e4178ab0c1545cbde235008c3c9e9baf7c5e6f9

SHA512
e294cac6178323c5e2ec7ae9ad8e618b72bdc5181a281f182709b247c842cf00cf13453b5443d1abeaea5c5278d711a77d4a9da464a5954e07faab09aafff9e4

Download Submit
C:\Windows\SysWOW64\Dedkdcie.exe

Filesize
104KB

MD5
af5e4c5fd34f280c388d54f041f31616

SHA1
d77a5bd3516ab34ea83ca3ff477b268ac13c4d02

SHA256
c6c9c07f7b80b5ccf8a115a1a61408ef45c6b216734cc80f27f9f5a872953135

SHA512
f48beb1042c1e053145baf9273c47077d1c57be28500ffb6267840bad730541400c1cd0beebe1ae57c0c538a523d3c82ee7952e8b09cdf3c34900ddcd1cf2e33

Download Submit
C:\Windows\SysWOW64\Dhpjkojk.exe

Filesize
104KB

MD5
c73ad75e0a21fb1ccaa7aa057502cd5a

SHA1
cd9cb8010a657e0ad983ba64c146aaea7cfedd8c

SHA256
4f285ac4d65750beb95946d84e834814ed202d173a91e29158989604441eff89

SHA512
d9d0b8b665dc60d97065823b7a12873573f18763582a724647e652f1214537b833c6eb74e07bbea5bf5a3471767da94e5dfe98fbdcf28f90795ed3b6f3e42e9f

Download Submit
C:\Windows\SysWOW64\Dkjmlk32.exe

Filesize
104KB

MD5
2d902a98f276178d52982d972f86cff9

SHA1
b6ca021eac895c1de8e9a28fdf53003970101173

SHA256
43011175e2ee1ea91a805914d2da84095c8f3343cdefb3d11eacfcecf8abb251

SHA512
ef38d599376502fce9480ff3c11752c7341b77a9fca212f1f18be7e2bdc20acd7595bd35ad7fd7f32b1da0c7c144d6bbf9e7c39d0415a09358cf8b439f963fe3

Download Submit
C:\Windows\SysWOW64\Dkoggkjo.exe

Filesize
104KB

MD5
63110e9156066dd8969cf5395b6c7302

SHA1
316aca3dbf769995ad48650fae877a49c82662db

SHA256
6062012ce5666d0140668e6c4d5c6cc3516d76be326f9c57ec2e5567ac48361f

SHA512
e5da3bc24ce12a5c0e055aa82015932c281066779057e619244f299cac90ba2583352eeed3a521a7f5efcea59e8a87f4aa976311770d952775ac0a5b8c9740d5

Download Submit
C:\Windows\SysWOW64\Dlijfneg.exe

Filesize
104KB

MD5
e60be6a1273a3a31d5cc6cd444c323f2

SHA1
a2a2e23de88d73642aa833a9b1a6d89e7c07af93

SHA256
667e79ebb2db710e62519de683aa9078d90e53eda62952dc5f124b89d70cbc99

SHA512
cc0a4515617faab6dc813d5d81ef5e1013761f1e7e9ebad532c486ecc5dc7f4d589cecad490e5c79fb0334d181d18351745c3eb02909d10d76c63b11aef9f6c2

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
104KB

MD5
98a1b032142f4c3743f1da80d24afbdd

SHA1
b97bdf5cfede46b439692f015e090b8b48baa5a0

SHA256
f0da0d52c5023e04b3fa29b0a49115d35cd91eaac9264703b03909f59b0f06e6

SHA512
3428508fe741eaedf179437611e0999e4b1ad297b4fbb488d16dcd50906a75c40c80609bee81e21e88aabe53b930e554a142f30582747e703db181ed8cc07007

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
104KB

MD5
c6be12accf16e9cbee18da024b5689f6

SHA1
72f2776fe7ed27d5b625b7ca9a5c7ef6e66a09e2

SHA256
aaf6669baf7085bdab6c8c51a8f19f037d0a24d1c0c9ef9773a11458652adbaa

SHA512
cf18c9555bc79a42cfff39112bb1daf03276cd90b09633ddf3bdab1914d56ab16afe801483694b9a39060feb0b957b9dcf157b6340e80c5c7a4c10367ff0a413

Download Submit
C:\Windows\SysWOW64\Eadopc32.exe

Filesize
104KB

MD5
f512c3260437d5087ec29998d24e07ac

SHA1
471856b4cb94582195cd965f6e09c59a55f66291

SHA256
7a680da39a22692372e3ac94c2d09a76b81f488a3d8db650190b9672c82fec8d

SHA512
61c28dba2826d27b8b0efe29d883878b97de60e112b105cd1e393313e4bdbd595ce9c468a4a951f8fcd672b9b7f951e7333491a18258d1a52d4fb715dbe81577

Download Submit
C:\Windows\SysWOW64\Eaklidoi.exe

Filesize
104KB

MD5
63e991c3461936a69869c4c12c45fda5

SHA1
87d112fa4dfcf6ef2b482a543b95be3befe63680

SHA256
9e7c3665a0d4510541af226cfa0d73170c2c94d986880e1ed5c6d9476113a86e

SHA512
fe78dfbd30d53bfdc4dfc61d99fc197b3079426f771c7e8bcf43f22b4cd3e2309ca3fcb13a5725c21ab825e7c943df4751c856c3c6fad90956be50efd5a8e58c

Download Submit
C:\Windows\SysWOW64\Ecmeig32.exe

Filesize
104KB

MD5
4cec9241b557378973482d6245bdfff1

SHA1
0cc66c24a7faa82276ca9b82f2aca753c4c1fc27

SHA256
a68353221eb0b8b5144427482236e9ecf7a9b0661f6577d322bf6ae164908adf

SHA512
fef2911d86ba7064c29ba42a669ddecf130b5967021a51a5ef1df98c5aa90d649bd639419481a53e9f7323bca15a11c1ed41477e147387645acdbb4d3d1891f3

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
104KB

MD5
5041dc9e03081f2d1abf9d45dc142ceb

SHA1
a7364b2bcb7bfc945d80e6757a77537d49dd4dc7

SHA256
5be5fcabae2a5fbde27e421fdbf81f9285dfec9394a892b4d56ea2ebfcb5e9d6

SHA512
44d33f0d10cf2c72681fc494c9c1c784e6fc94df9c3fbc9217ca46e6679d1f2f317203bf61d41d4ee4ab952c98e4ee5db6462cf29187c4e39fdfb2ab08a66cac

Download Submit
C:\Windows\SysWOW64\Edkdkplj.exe

Filesize
104KB

MD5
ecb868eeefd919639167ec303bffceb6

SHA1
d61a7ceb8250060a1b43f2e9c0196834f6bfd01c

SHA256
91047315b8166a6518992b25aa6ef4bb6b2c6eee127ddc2d237c6a2265e7b341

SHA512
1bb33cbb22912368a80b787e33a007cc875f4fe90c92952f43061449a4bf92174e2ee75da5d3cab14bfb71a9c4f89149200c3df46f15025e55322f538450e796

Download Submit
C:\Windows\SysWOW64\Ednaqo32.exe

Filesize
104KB

MD5
d6eb5d0853051abecce7ab79d47016c6

SHA1
8b10de1271261b5c583e8c1dcf05165e44719534

SHA256
641acdedeca973f19acb2487b20892fcf06605e9438f90c8228f6c9a7ced9e31

SHA512
50a9f792785ec69cae7423266d57548f82a9626ddd28bd36dd375f49198bb4b462f3857d7cee5e4134e5e2dfe536170ab33587438f6101b0f90843048ed242cf

Download Submit
C:\Windows\SysWOW64\Edpnfo32.exe

Filesize
104KB

MD5
0cd5e6c4d4d08195e51ba8095d17de39

SHA1
1b3e61bb9e0dae276ce540f9a004b9a51634c9fc

SHA256
66085d96b3d27034ce6cf9fded2d0fbadb89dfc9caa2319c3e1ae1a7a31c95c4

SHA512
d8b88f6822e1236099b1c1c7697cc351ddd57ec7625a4dfd7a0f7c9f113acb15e1d67776d59b28c14e17eef65ea4e2fe212c079e3abf8b7d04edb70df1eaa108

Download Submit
C:\Windows\SysWOW64\Ekacmjgl.exe

Filesize
104KB

MD5
54fd9d6f1f60e42ddcfee3e07572b582

SHA1
f6d8cfbac4443ace3e5a694b502c988312241c7f

SHA256
46a33a14247c5feef834558dd97e2ec76d52c075f891a749de09b512ea38f805

SHA512
2021fed8a262b50437bc6bb7175193fe78c9626c43e8553af8ec9e8c21200160a66e3c564e23a7cb9552ce93c9c1028932b02f9afc0043cc24cbb2666b2263c6

Download Submit
C:\Windows\SysWOW64\Ekjfcipa.exe

Filesize
104KB

MD5
2e8a10a449beaabf51fae783a066aa3d

SHA1
a7a71c6ffd502ca9cd6ca5a809cd743375bdd828

SHA256
e180f88592936a7831d01ac71c03d4f958092dae8de421a641bedb647f29ce36

SHA512
f4afa4386c3d09a83e08c882f00635d20841ef697c7dd446e9bf2aa12660eb61e82532beed98418aa36324a47e9c31086629d7b7223dea72738faf1a6d50753e

Download Submit
C:\Windows\SysWOW64\Elbmlmml.exe

Filesize
104KB

MD5
d14022818362b623372757b2a8885332

SHA1
3a3135616dbf96e7966030ab5a8bf866975f3c37

SHA256
a3b8120021639b75142c3a51e4f9012516db77d66e1516afe97816ffa31feb75

SHA512
8eb712d3b5c98bbab01c6946823703769f94a4c7fde4f1057bd342211509acf68bfa2ff1175ac388bf49f9b72891a425ca241521e4366b25c38cfe26990dfcd4

Download Submit
C:\Windows\SysWOW64\Eleiam32.exe

Filesize
104KB

MD5
91141dfa5b9bdb0ff216c3bd1538765a

SHA1
536b855442e21e4b6976c70609670a0cd200399f

SHA256
4e669c0a14f2633089f4b1d32da9aadb9c6b43dd2d77ba44832cd9fdf55e30f7

SHA512
6103b5f4622506d444beab1a456cc3ae86093d47d2164e8bd377ddab5049ec78fc53b31ce91a315dbd5e87e435fdae3b8ddbc7ee80e31624e5064a31eeccc08d

Download Submit
C:\Windows\SysWOW64\Elppfmoo.exe

Filesize
104KB

MD5
ed9eb84e5a74598d604bd7b0e4850c32

SHA1
ac17b7ddab385234bd03172967aa30263648bdc4

SHA256
afdbcaf2ceede0651be9aeff008602ad2b86b627143531990074909d001da7a4

SHA512
d5e08dff18d403c4fe569ebd77b2975a4f7f6fc04fb4a06791348392ee760c4089a35e8df60dbac240e955aa7d3099d335ee17c700434345421c4992e8a26efe

Download Submit
C:\Windows\SysWOW64\Eoolbinc.exe

Filesize
104KB

MD5
76dee0eabedf928357b418d6f55a437c

SHA1
ae3e4b22a1148b23b5e3fb9420a8cb2776604d5f

SHA256
02a9be26d51b96d5de70feb421a031c70ed200c027eb5501a32c8f1fbaff764c

SHA512
85d8c1bf57676712c1fe33ec5bd5eae1a056958ad8aa3b76043569c989fb10b81a891834025a00dc30fa21157c72f8d9f5597d11e77d46118295b2928b720416

Download Submit
C:\Windows\SysWOW64\Fafkecel.exe

Filesize
104KB

MD5
254c92b23317cd31fa6aeeb21d10869b

SHA1
23cd67848d4344ceb336a31aae8e76d6783c72b2

SHA256
cb17bc8fefa64272aa542f5e4b44defdfdf4b2a223a38bbe45ec5228e35ff9e4

SHA512
8d6ac3cf1aab2a1b5f55be7ef6511b56f5c231936c037968d1d414570c5c4aab44e57063c63186c1bbdffc93a761743485755f0deda1af2882d5339fdf483962

Download Submit
C:\Windows\SysWOW64\Fakdpb32.exe

Filesize
104KB

MD5
f8822997425fdd3e247ead18700a524d

SHA1
a9cd6e25d9ffe38139812f8c3e2a6dad026aaced

SHA256
ad7b2e7b2fe6d9c26ac2c5902a6dd82a20f39ef0103953180d363fa60270e9e5

SHA512
5ee409d98d9ae9248909b3392543017af036c86b805876257d891c24b7ee235d7c1205a54c42bd4453bc69aa942b63a82d7748b1eac990e2dbd4034ffc9c9355

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
104KB

MD5
2d6b93a4566ca92bde3a921910849dd2

SHA1
44619fdf6fe5dd4acf79bd258ac9b55b2a1c14b4

SHA256
ec26b290cf9352c1154c462737b58d40c4db157de9d0dce455aa30f83034cb51

SHA512
60856ae02a69a6c125eb6ad665e1d49cd9a8d6b6811b9752aa937901aa1632b86e4654c84b3f72afe8c3b038df610a942dd2353a4a3f3e2c407ceb163da9ed5d

Download Submit
C:\Windows\SysWOW64\Ffddka32.exe

Filesize
104KB

MD5
841b0a3ae3883389b6c990b0adbb4b51

SHA1
b9e7c207c32415864a817d2abf65738916521c99

SHA256
2d1835a583f8d81e9d0d14146f8532c581f353ad36490c9a65386f9b2e10ccc5

SHA512
881328db5294bce64e69ac6a6fc68c9ac30de6db3e919300e8a1bcd40c54d729b9fa3f1ec2c80984ea1462b9f60ab44da3cea8663e24cf8a49f014b37e00646e

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
104KB

MD5
357db89b0a8d78f66b97a281f55ef702

SHA1
cca7ed4858f25e7f3f45e532b198f5cf703f758f

SHA256
5c1eea62334e68cd5f6d4bb924f6ddd30891fd665a6930a275312f6d9c2d5756

SHA512
164f89605fa4dec8ddc1f993b3e6948236a3170856259508b0746134c759f5114452374c2c455c19066b88c71fe92c9a49f202638996494693e22321884252fb

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
104KB

MD5
d7c6b97a31ade001dc62ddadaf04d277

SHA1
ec05769803ccc2c82f23e71fb24f4bb05ff08da6

SHA256
97f70903692796425005cebacc0f770acb12164932dfb50e8093d5333035bbce

SHA512
d3080c5f0f185885cfab14cb72898e00291ccc24f1f5fd386e6b2954fc2179e51d239a74fef7aaf26a71ad8fc483fed1d2b51b077507314ee060b7ed3942e5ba

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
104KB

MD5
1d191b67408136927e3c13f1717b55cc

SHA1
2b281a57d1f56e42976264f4f75960101dc539e8

SHA256
e05ecfa51500373d5bdaf7c0673da7291df2d3e1648e4371b849d13608a226e6

SHA512
5b94a71d4b3b6c86f4543b929502c0255508eb954125a7b7dd2abb5a78582115faa3e43af38f00ce462083d9785bf40ee153d5b1358ffce67ebb21ded15b7602

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
104KB

MD5
ff7e3ab3df8ca4154f366fcca714f804

SHA1
6b75d4847e75b0e75297a2bd7ddb3936ddface39

SHA256
f11f0a093a4d6661b7af21f172491796b15307979d8964165a5390f346ec71ec

SHA512
a0d02c56692f10b334dabcb4a199e6e98616a80ce619021fb4e661e37adf53ab05bb8d14c966686a7f6eb3c150ed8d276cf8ace08e0236ed9735bbe986b94327

Download Submit
C:\Windows\SysWOW64\Flnlhk32.exe

Filesize
104KB

MD5
4bda6675d1228cea7872c0fa41459e7d

SHA1
ec37cb88b79d6286e2008e7ffc697b0e21c0a67f

SHA256
0ce6c0ed87403196f58dad4f18b40320b52838d01762b5ecef4c09875eb0a977

SHA512
77990258ea60051796b7096bcb3471a76c82f86e225b821510e244ce18ee261ce669c69783480fb4e5d1f17222b6b3c3e8cff2858f2c5be2e068aa339022ea83

Download Submit
C:\Windows\SysWOW64\Foabofnn.exe

Filesize
104KB

MD5
af59bb3fafbeefd458a144d0efb008f3

SHA1
6fca049ec3271acc2d79d47a60ddb483ec7f279a

SHA256
569c453f94434a9829a12d41e90177f9ee58448531ecec5856f0be46f6fd8dd2

SHA512
6633f11bc355d3f22696be43bcd900c1314f0312e1bd774a83879957229dcc9438ecb741c4878ef166e1f9821c16c62c71cc4ca32b5a395ed4b8af4f9ca6d441

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
104KB

MD5
a625ad4b4775551db86f8957b8e053b1

SHA1
a9df5a4de77c1d1524b834c376987d311b5ff7cc

SHA256
19e4d3eee89df0f9c079885193e870ec8e0d48faf0566feb652ccc7ecfa67865

SHA512
44a0a4dd3413132ac0e2f6f8327714f8b5cf1d969630a56cd8fab533ef65e3ad2c2ae53a241570bb75e6e16a0aa6f3486c2dbae3e6b208ff2ded7e971493cdac

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
104KB

MD5
2d7e3772860482ea62da895d5dabf17a

SHA1
531ea405f8e3447870877429b0dbab26d5c56105

SHA256
9dbeb68693b03039491c05715f02386599f022f6ace8dc4091cbdc850793d81e

SHA512
87c8f0d593bf02a6dc497438fa955fcc9f782b27bdfad630598294c86088bebfea25c425f88b36a2aaa1d4534e8362d8aa54904dfee1c5bd8bc0ec2db09ff208

Download Submit
C:\Windows\SysWOW64\Ipbdmaah.exe

Filesize
104KB

MD5
58e1d796b2c5b6f1611e7169f9e0d4a6

SHA1
5844532baeef554a6c9ee80ee8aeb6cd98d59f96

SHA256
f079d9fc93d0532869bceb65c271697f8425fe2b0a2ceae29e0e3fcb9e1a8d9b

SHA512
6617169be62f7e6f22ff88f51eae4e3934932fe8265fa54899778b813ced3edc5a1d1d3c3ce09a38658f991d33b1120a003e1e64d00fc30f24a4b38afbb9b6bb

Download Submit
C:\Windows\SysWOW64\Jedeph32.exe

Filesize
104KB

MD5
43ec3a9c0e7f36933dab93e099febe43

SHA1
2f03bfc571a19b2e4c68bbbdab1838113e86979a

SHA256
f70ea14f7c8203479c4ee094e44b4ca477154e6cf02374544a8f6f8f3d1bf8d7

SHA512
42da9a38b2ab2553c8180ff646f8a4a271ce8b11175457284dd6308f46785d501113d3d2f0df37014bdadc7f697768ec31afbb968ef0cec4abae6b73a9f3d511

Download Submit
C:\Windows\SysWOW64\Kfmepi32.exe

Filesize
104KB

MD5
0e7c337d80b3a594c9fd3935af60cced

SHA1
676ae5b11791af5de29666f74323f6c4420542ca

SHA256
40371b53f6d1cef3af48ec43f8c845b8fed68ac66d47703afbbd101c2ef42680

SHA512
48b5dca70e46e9fedc0acf5d83bb504f935627ff49af8e77a3c28354c0f88501639a0af415080fb83eb51ccedf5c386d6a69b89c96914728559cc2b7b03dfe92

Download Submit
C:\Windows\SysWOW64\Klqcioba.exe

Filesize
104KB

MD5
7d2d5ffe2ab363f7d416ff85d13c5f58

SHA1
16220171e7299ae3d37cc6fe0331b2f16c7ddf02

SHA256
7bf3312fb6d5e93fa4a8c7df277297c7889200b2e83e4f861b18feb8be64af98

SHA512
094f3bfdadc94c08e6bfc28899667e5d33cd9622083ff4a8b04b52dc934847ccab55f904583a4804d9c30c082d90f6a3b4af7632819e0b0ac57c2d26abff23c2

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
104KB

MD5
26e418fd45a4852870f27560bb782c88

SHA1
730211e90173b3f632911e69add7e4bf03ce4a0c

SHA256
60bd54c457fba1cf5a2c758e0dba745cf4f488250019e5245e216184139445c1

SHA512
37baf74a0fc29cfbd3cfb161c36d86cd911edb81754e9c46f21de2182b1993d305b10ddbe52cacf4431406c50d91a3cbaa6abac6da90900b5faee5e40ef3224c

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
104KB

MD5
0e1bf8dce712821a678b5da583b5e12a

SHA1
ec66d20f5c963bb365f1bcad5e0ec64ed4578476

SHA256
96f1672896f4a7f11cec60be9ebce3beea9e6bc5c7ffbe0b06b64eb9f10288a6

SHA512
d4d0ef5f7e01af4d403af83845dba704f76dc22bebeacccc9cbdbb4724f7c3fae71053e918596f7d1e3c0708e00e4370fd844cbd617d1210abe48966669aa2d1

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
104KB

MD5
b80550a7f569a9e931bb376274f47e8d

SHA1
3559d6d2178c82bf3d2c6cefa0f878432b378a99

SHA256
280b62ea0ab0f3a8f2cc4055f023aa503a7495dacdcb9963f91e734cd16c186a

SHA512
31f844cec5834a7b2fb43a52d1de4f74c63997d9107c0949bea2d9bf9f75cb8d855cc3bf12d3672b79b4b6473c1ffdeeeb31c757c988ed2795247bb5d0e621f5

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
104KB

MD5
88ee56ebfb2cc9f6ef2209be6e1262e4

SHA1
2a43fdf0f037bfde367f585e3f29f03234f5f962

SHA256
7464f4a13c6628d77a96bc85999c16d4e0bb26293ce651418533e22457b3f25d

SHA512
bbed0adc19e917cac0ee34451e8349a5657176f78ea60eb4bcde04d482fd13f876f97ab861359cead2b8d0dbb0282d8cfb0138b2a6809c45deb85210f8162d71

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
104KB

MD5
0b8ef55eff69ed66291d261ff89af6f3

SHA1
bbebd8dfb59ce4d5fd685bb55b4ee60a95f3de48

SHA256
50f8636d0dd9af1b1764bf9e680c790fd29558d83e227b0ac3523756d9d1de98

SHA512
687cd4f5a1aecc29bbe9d521c862c24f7aa3516a7d9f37363cbdfe028380cb61155d3b3aea604193f890d60f9ed9a4959a6c0a1f8cb65b1368c8580ec5ec558a

Download Submit
memory/116-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/116-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/312-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-569-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/620-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/632-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/756-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/800-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/832-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/924-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1032-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1216-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-588-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1232-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1284-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1284-598-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1296-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1296-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1304-590-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1352-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1492-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1504-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1620-512-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-44-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1664-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1684-583-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1760-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1808-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1824-549-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1916-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1924-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1940-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1976-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2052-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2272-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2312-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2372-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2704-482-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2712-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2784-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2864-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3076-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3084-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3084-591-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3092-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3392-488-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3412-495-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3416-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3460-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3504-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3576-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3640-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3652-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3812-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3820-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3836-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3916-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3924-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3976-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3988-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4012-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4068-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4132-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4184-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4452-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4472-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4504-464-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4540-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4560-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4600-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4820-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-537-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4952-603-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5020-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads