e0613ed9f089f4e129672eb506026dbc9b5ff1c1ad1d9907bc962ac0a3331fa1

Analysis

max time kernel
165s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a6b99d3d14daaddfccf699f3f8d19130.exe
Size

155KB
MD5

a6b99d3d14daaddfccf699f3f8d19130
SHA1

04b5f4a40e33589f1e1ac929c001528258cee4e6
SHA256

e0613ed9f089f4e129672eb506026dbc9b5ff1c1ad1d9907bc962ac0a3331fa1
SHA512

4e30d22f160b6dd48f5908c0cfec90caf254bd6d3e353e869c851b7b88db7eb99dbd756de308353493c45b02887441be2449424d666f47ce752989c5196beb22
SSDEEP

3072:5afHTSpHeY4VkVsc+emlrU8rzEznYfzB9BSwWO:5afHT8HAVkV2eerxrzYOzLcK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.a6b99d3d14daaddfccf699f3f8d19130.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gclafmej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inidkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iccpniqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nofoki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akihcfid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjocbhbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mllccpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hqghqpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nocbfjmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mclhjkfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Memalfcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nooikj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfiagd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mllccpfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjmdocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgocgjgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igjbci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iloajfml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piceflpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enjfli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dahfkimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqbneq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Peempn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqphic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igmoih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnpaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gglfbkin.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdopjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obfhmd32.exe

Executes dropped EXE 64 IoCs

pid	Process
3020	Dahfkimd.exe
3952	Dgdncplk.exe
2360	Dajbaika.exe
1284	Dkbgjo32.exe
1444	Dpalgenf.exe
3748	Enemaimp.exe
1620	Ekimjn32.exe
1264	Edaaccbj.exe
3024	Enjfli32.exe
4840	Ecgodpgb.exe
3432	Ecikjoep.exe
4568	Enopghee.exe
3460	Fqphic32.exe
1948	Fncibg32.exe
4708	Fkjfakng.exe
2524	Fdbkja32.exe
4572	Fjocbhbo.exe
3312	Gjaphgpl.exe
4264	Gdgdeppb.exe
2480	Gjcmngnj.exe
2676	Gclafmej.exe
2120	Gqbneq32.exe
2152	Gglfbkin.exe
1856	Hgocgjgk.exe
4468	Hqghqpnl.exe
2364	Hnkhjdle.exe
1832	Heepfn32.exe
5072	Hnmeodjc.exe
2820	Hcjmhk32.exe
1988	Hnpaec32.exe
2656	Igjbci32.exe
3724	Igmoih32.exe
4632	Iccpniqp.exe
1788	Inidkb32.exe
1952	Ilmedf32.exe
1816	Inkaqb32.exe
1392	Iloajfml.exe
1524	Jdjfohjg.exe
3324	Jlanpfkj.exe
2304	Jhhodg32.exe
2472	Jdopjh32.exe
64	Jnedgq32.exe
232	Jeolckne.exe
1528	Jlidpe32.exe
2584	Jaemilci.exe
1920	Koimbpbc.exe
3596	Kkpnga32.exe
2112	Kongmo32.exe
3416	Kdkoef32.exe
4704	Kopcbo32.exe
3544	Kejloi32.exe
4108	Kkgdhp32.exe
4608	Kaaldjil.exe
4832	Klgqabib.exe
1068	Lbqinm32.exe
2188	Lhmafcnf.exe
4764	Lbcedmnl.exe
4420	Lhpnlclc.exe
5108	Mclhjkfa.exe
4460	Mhiabbdi.exe
3740	Memalfcb.exe
2948	Mkjjdmaj.exe
4740	Madbagif.exe
4448	Mhnjna32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hnpaec32.exe	Hcjmhk32.exe
File opened for modification	C:\Windows\SysWOW64\Kongmo32.exe	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Pfeijqqe.exe	Pkoemhao.exe
File created	C:\Windows\SysWOW64\Afnlpohj.exe	Akihcfid.exe
File created	C:\Windows\SysWOW64\Gpmmbfem.dll	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Mllccpfj.exe	Mafofggd.exe
File opened for modification	C:\Windows\SysWOW64\Nocbfjmc.exe	Nhjjip32.exe
File created	C:\Windows\SysWOW64\Nfpghccm.exe	Nofoki32.exe
File created	C:\Windows\SysWOW64\Dpalgenf.exe	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Hgocgjgk.exe	Gglfbkin.exe
File created	C:\Windows\SysWOW64\Jlanpfkj.exe	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Lhmafcnf.exe	Lbqinm32.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Fjocbhbo.exe	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Jnedgq32.exe	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Elkodmbe.dll	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Gjcmngnj.exe	Gdgdeppb.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Flcmpceo.dll	Mllccpfj.exe
File created	C:\Windows\SysWOW64\Nchhfild.exe	Nkapelka.exe
File created	C:\Windows\SysWOW64\Cbpijjbj.dll	Nfpghccm.exe
File created	C:\Windows\SysWOW64\Hnkhjdle.exe	Hqghqpnl.exe
File opened for modification	C:\Windows\SysWOW64\Hnmeodjc.exe	Heepfn32.exe
File created	C:\Windows\SysWOW64\Epaaihpg.dll	Inidkb32.exe
File created	C:\Windows\SysWOW64\Eqfnqg32.dll	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Pofhbgmn.exe	Pilpfm32.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqdb32.exe	Pkmhgh32.exe
File opened for modification	C:\Windows\SysWOW64\Dajbaika.exe	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Fjocbhbo.exe	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Nhlfoodc.exe	Nocbfjmc.exe
File created	C:\Windows\SysWOW64\Ooangh32.exe	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Ecgodpgb.exe	Enjfli32.exe
File created	C:\Windows\SysWOW64\Lapmnano.dll	Hgocgjgk.exe
File created	C:\Windows\SysWOW64\Mfodpbqp.dll	Hqghqpnl.exe
File created	C:\Windows\SysWOW64\Igmoih32.exe	Igjbci32.exe
File opened for modification	C:\Windows\SysWOW64\Ilmedf32.exe	Inidkb32.exe
File created	C:\Windows\SysWOW64\Fmfbakio.dll	Nchhfild.exe
File created	C:\Windows\SysWOW64\Okailj32.exe	Ofdqcc32.exe
File created	C:\Windows\SysWOW64\Oenlmopg.dll	Ohhfknjf.exe
File created	C:\Windows\SysWOW64\Opepqban.dll	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mahklf32.exe
File opened for modification	C:\Windows\SysWOW64\Ecgodpgb.exe	Enjfli32.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Ecgodpgb.exe
File created	C:\Windows\SysWOW64\Gdgdeppb.exe	Gjaphgpl.exe
File created	C:\Windows\SysWOW64\Mohpjh32.dll	Heepfn32.exe
File created	C:\Windows\SysWOW64\Jnedgq32.exe	Jdopjh32.exe
File created	C:\Windows\SysWOW64\Kkpnga32.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Qekjhmdj.dll	Kopcbo32.exe
File opened for modification	C:\Windows\SysWOW64\Pkoemhao.exe	Peempn32.exe
File created	C:\Windows\SysWOW64\Fkjfakng.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Koimbpbc.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Mkjjdmaj.exe	Memalfcb.exe
File created	C:\Windows\SysWOW64\Lchfjc32.dll	Oljoen32.exe
File created	C:\Windows\SysWOW64\Ofdqcc32.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Inkqjp32.dll	Okailj32.exe
File created	C:\Windows\SysWOW64\Kialcj32.dll	Pfeijqqe.exe
File created	C:\Windows\SysWOW64\Ohjckodg.dll	Dajbaika.exe
File created	C:\Windows\SysWOW64\Gqhomdeb.dll	Lbqinm32.exe
File opened for modification	C:\Windows\SysWOW64\Nfiagd32.exe	Nooikj32.exe
File opened for modification	C:\Windows\SysWOW64\Ofdqcc32.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Mpaflkim.dll	Pilpfm32.exe
File created	C:\Windows\SysWOW64\Gjcmngnj.exe	Gdgdeppb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhjjip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obpkcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapijd32.dll"	Peempn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fqphic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodipp32.dll"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obpkcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enemaimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgocgjgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfndd32.dll"	Ofdqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmgd32.dll"	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obnnnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkiigchm.dll"	Pbddobla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igmoih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkjfakng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghikqj32.dll"	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhbfe32.dll"	Mahklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkbjk32.dll"	Aflpkpjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjcmngnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpmamlm.dll"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paifdeda.dll"	Gdgdeppb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gclafmej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igjbci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mafofggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkoemhao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akihcfid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enjfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohpjh32.dll"	Heepfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnggccfl.dll"	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Ecgodpgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gclafmej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkakncg.dll"	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhlfoodc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjeejn32.dll"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qejfkmem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfodpbqp.dll"	Hqghqpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhomgchl.dll"	Jdopjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnkilod.dll"	Ooangh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecgodpgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhiabbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoikj32.dll"	Madbagif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obfhmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Podkmgop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpacoj32.dll"	Pofhbgmn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 3020	3412	NEAS.a6b99d3d14daaddfccf699f3f8d19130.exe	87
PID 3412 wrote to memory of 3020	3412	NEAS.a6b99d3d14daaddfccf699f3f8d19130.exe	87
PID 3412 wrote to memory of 3020	3412	NEAS.a6b99d3d14daaddfccf699f3f8d19130.exe	87
PID 3020 wrote to memory of 3952	3020	Dahfkimd.exe	88
PID 3020 wrote to memory of 3952	3020	Dahfkimd.exe	88
PID 3020 wrote to memory of 3952	3020	Dahfkimd.exe	88
PID 3952 wrote to memory of 2360	3952	Dgdncplk.exe	89
PID 3952 wrote to memory of 2360	3952	Dgdncplk.exe	89
PID 3952 wrote to memory of 2360	3952	Dgdncplk.exe	89
PID 2360 wrote to memory of 1284	2360	Dajbaika.exe	90
PID 2360 wrote to memory of 1284	2360	Dajbaika.exe	90
PID 2360 wrote to memory of 1284	2360	Dajbaika.exe	90
PID 1284 wrote to memory of 1444	1284	Dkbgjo32.exe	91
PID 1284 wrote to memory of 1444	1284	Dkbgjo32.exe	91
PID 1284 wrote to memory of 1444	1284	Dkbgjo32.exe	91
PID 1444 wrote to memory of 3748	1444	Dpalgenf.exe	92
PID 1444 wrote to memory of 3748	1444	Dpalgenf.exe	92
PID 1444 wrote to memory of 3748	1444	Dpalgenf.exe	92
PID 3748 wrote to memory of 1620	3748	Enemaimp.exe	93
PID 3748 wrote to memory of 1620	3748	Enemaimp.exe	93
PID 3748 wrote to memory of 1620	3748	Enemaimp.exe	93
PID 1620 wrote to memory of 1264	1620	Ekimjn32.exe	94
PID 1620 wrote to memory of 1264	1620	Ekimjn32.exe	94
PID 1620 wrote to memory of 1264	1620	Ekimjn32.exe	94
PID 1264 wrote to memory of 3024	1264	Edaaccbj.exe	95
PID 1264 wrote to memory of 3024	1264	Edaaccbj.exe	95
PID 1264 wrote to memory of 3024	1264	Edaaccbj.exe	95
PID 3024 wrote to memory of 4840	3024	Enjfli32.exe	96
PID 3024 wrote to memory of 4840	3024	Enjfli32.exe	96
PID 3024 wrote to memory of 4840	3024	Enjfli32.exe	96
PID 4840 wrote to memory of 3432	4840	Ecgodpgb.exe	97
PID 4840 wrote to memory of 3432	4840	Ecgodpgb.exe	97
PID 4840 wrote to memory of 3432	4840	Ecgodpgb.exe	97
PID 3432 wrote to memory of 4568	3432	Ecikjoep.exe	98
PID 3432 wrote to memory of 4568	3432	Ecikjoep.exe	98
PID 3432 wrote to memory of 4568	3432	Ecikjoep.exe	98
PID 4568 wrote to memory of 3460	4568	Enopghee.exe	99
PID 4568 wrote to memory of 3460	4568	Enopghee.exe	99
PID 4568 wrote to memory of 3460	4568	Enopghee.exe	99
PID 3460 wrote to memory of 1948	3460	Fqphic32.exe	100
PID 3460 wrote to memory of 1948	3460	Fqphic32.exe	100
PID 3460 wrote to memory of 1948	3460	Fqphic32.exe	100
PID 1948 wrote to memory of 4708	1948	Fncibg32.exe	101
PID 1948 wrote to memory of 4708	1948	Fncibg32.exe	101
PID 1948 wrote to memory of 4708	1948	Fncibg32.exe	101
PID 4708 wrote to memory of 2524	4708	Fkjfakng.exe	102
PID 4708 wrote to memory of 2524	4708	Fkjfakng.exe	102
PID 4708 wrote to memory of 2524	4708	Fkjfakng.exe	102
PID 2524 wrote to memory of 4572	2524	Fdbkja32.exe	103
PID 2524 wrote to memory of 4572	2524	Fdbkja32.exe	103
PID 2524 wrote to memory of 4572	2524	Fdbkja32.exe	103
PID 4572 wrote to memory of 3312	4572	Fjocbhbo.exe	104
PID 4572 wrote to memory of 3312	4572	Fjocbhbo.exe	104
PID 4572 wrote to memory of 3312	4572	Fjocbhbo.exe	104
PID 3312 wrote to memory of 4264	3312	Gjaphgpl.exe	105
PID 3312 wrote to memory of 4264	3312	Gjaphgpl.exe	105
PID 3312 wrote to memory of 4264	3312	Gjaphgpl.exe	105
PID 4264 wrote to memory of 2480	4264	Gdgdeppb.exe	106
PID 4264 wrote to memory of 2480	4264	Gdgdeppb.exe	106
PID 4264 wrote to memory of 2480	4264	Gdgdeppb.exe	106
PID 2480 wrote to memory of 2676	2480	Gjcmngnj.exe	107
PID 2480 wrote to memory of 2676	2480	Gjcmngnj.exe	107
PID 2480 wrote to memory of 2676	2480	Gjcmngnj.exe	107
PID 2676 wrote to memory of 2120	2676	Gclafmej.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.a6b99d3d14daaddfccf699f3f8d19130.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a6b99d3d14daaddfccf699f3f8d19130.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\SysWOW64\Dahfkimd.exe
  C:\Windows\system32\Dahfkimd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\Dgdncplk.exe
    C:\Windows\system32\Dgdncplk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\SysWOW64\Dajbaika.exe
      C:\Windows\system32\Dajbaika.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Enemaimp.exe
        
        C:\Windows\system32\Enemaimp.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Enjfli32.exe
        
        C:\Windows\system32\Enjfli32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Ecgodpgb.exe
        
        C:\Windows\system32\Ecgodpgb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Fqphic32.exe
        
        C:\Windows\system32\Fqphic32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Fkjfakng.exe
        
        C:\Windows\system32\Fkjfakng.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Fjocbhbo.exe
        
        C:\Windows\system32\Fjocbhbo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Gjaphgpl.exe
        
        C:\Windows\system32\Gjaphgpl.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Gdgdeppb.exe
        
        C:\Windows\system32\Gdgdeppb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Gjcmngnj.exe
        
        C:\Windows\system32\Gjcmngnj.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Gclafmej.exe
        
        C:\Windows\system32\Gclafmej.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Gqbneq32.exe
        
        C:\Windows\system32\Gqbneq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Gglfbkin.exe
        
        C:\Windows\system32\Gglfbkin.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Hgocgjgk.exe
        
        C:\Windows\system32\Hgocgjgk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Hqghqpnl.exe
        
        C:\Windows\system32\Hqghqpnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Hnkhjdle.exe
        
        C:\Windows\system32\Hnkhjdle.exe
        27⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\SysWOW64\Heepfn32.exe
        
        C:\Windows\system32\Heepfn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Hnmeodjc.exe
        
        C:\Windows\system32\Hnmeodjc.exe
        29⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Hcjmhk32.exe
        
        C:\Windows\system32\Hcjmhk32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\Hnpaec32.exe
        
        C:\Windows\system32\Hnpaec32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Igjbci32.exe
        
        C:\Windows\system32\Igjbci32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Igmoih32.exe
        
        C:\Windows\system32\Igmoih32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Iccpniqp.exe
        
        C:\Windows\system32\Iccpniqp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Inidkb32.exe
        
        C:\Windows\system32\Inidkb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Ilmedf32.exe
        
        C:\Windows\system32\Ilmedf32.exe
        36⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Iloajfml.exe
        
        C:\Windows\system32\Iloajfml.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Jdopjh32.exe
        
        C:\Windows\system32\Jdopjh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        44⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        49⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        55⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1068
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Mclhjkfa.exe
        
        C:\Windows\system32\Mclhjkfa.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Mhiabbdi.exe
        
        C:\Windows\system32\Mhiabbdi.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Memalfcb.exe
        
        C:\Windows\system32\Memalfcb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Mkjjdmaj.exe
        
        C:\Windows\system32\Mkjjdmaj.exe
        63⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Madbagif.exe
        
        C:\Windows\system32\Madbagif.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Mafofggd.exe
        
        C:\Windows\system32\Mafofggd.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Mllccpfj.exe
        
        C:\Windows\system32\Mllccpfj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Mahklf32.exe
        
        C:\Windows\system32\Mahklf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        69⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        71⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        72⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        75⤵
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        76⤵
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Nhjjip32.exe
        
        C:\Windows\system32\Nhjjip32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Nocbfjmc.exe
        
        C:\Windows\system32\Nocbfjmc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Nhlfoodc.exe
        
        C:\Windows\system32\Nhlfoodc.exe
        79⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Nofoki32.exe
        
        C:\Windows\system32\Nofoki32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Nfpghccm.exe
        
        C:\Windows\system32\Nfpghccm.exe
        81⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Obfhmd32.exe
        
        C:\Windows\system32\Obfhmd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        84⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ofdqcc32.exe
        
        C:\Windows\system32\Ofdqcc32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Odjmdocp.exe
        
        C:\Windows\system32\Odjmdocp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Obnnnc32.exe
        
        C:\Windows\system32\Obnnnc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Ooangh32.exe
        
        C:\Windows\system32\Ooangh32.exe
        93⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Obpkcc32.exe
        
        C:\Windows\system32\Obpkcc32.exe
        94⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Pijcpmhc.exe
        
        C:\Windows\system32\Pijcpmhc.exe
        95⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5888
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Pofhbgmn.exe
        
        C:\Windows\system32\Pofhbgmn.exe
        99⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Pbddobla.exe
        
        C:\Windows\system32\Pbddobla.exe
        100⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Pbgqdb32.exe
        
        C:\Windows\system32\Pbgqdb32.exe
        102⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Peempn32.exe
        
        C:\Windows\system32\Peempn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Pkoemhao.exe
        
        C:\Windows\system32\Pkoemhao.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Piceflpi.exe
        
        C:\Windows\system32\Piceflpi.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Pcijce32.exe
        
        C:\Windows\system32\Pcijce32.exe
        107⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        108⤵
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Qkdohg32.exe
        
        C:\Windows\system32\Qkdohg32.exe
        109⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        110⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        111⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        114⤵
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        115⤵
        
        PID:5868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
155KB

MD5
5014d775ca9d242dbf60377e142fe8f9

SHA1
a912da42797736461b07e3ca900f026ee27ac3ea

SHA256
a600288278f353a65afd3b5814e6ffc4fedf75b67de634f70b7fb3dc1217df6d

SHA512
ff1b83c4e0d2931a8784280092dd3b40aac3e04016adc930e333a57be8ff3bde67aacc5a244598a46d9b7e9427a11718a7c8c0c2383db27fdd1927fda7540f17

Download Submit
C:\Windows\SysWOW64\Dahfkimd.exe

Filesize
155KB

MD5
5014d775ca9d242dbf60377e142fe8f9

SHA1
a912da42797736461b07e3ca900f026ee27ac3ea

SHA256
a600288278f353a65afd3b5814e6ffc4fedf75b67de634f70b7fb3dc1217df6d

SHA512
ff1b83c4e0d2931a8784280092dd3b40aac3e04016adc930e333a57be8ff3bde67aacc5a244598a46d9b7e9427a11718a7c8c0c2383db27fdd1927fda7540f17

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
155KB

MD5
fe580cf0dbb14511c3ed0ed7fd108e6e

SHA1
5a7ed3b8978c5507470391c50a2b87344447ec68

SHA256
863b7f655ed44c7f0af61eb549e13a133a2d34893a87ccd26d6b03251ef4b272

SHA512
e17a2547cc20f54069a76000f00454be54c1acbbb2031bceb75276eff94aa0750be3a011daeff3d3c1e882f191483372ac49f9b9f7f87289264267e48c1f0e10

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
155KB

MD5
fe580cf0dbb14511c3ed0ed7fd108e6e

SHA1
5a7ed3b8978c5507470391c50a2b87344447ec68

SHA256
863b7f655ed44c7f0af61eb549e13a133a2d34893a87ccd26d6b03251ef4b272

SHA512
e17a2547cc20f54069a76000f00454be54c1acbbb2031bceb75276eff94aa0750be3a011daeff3d3c1e882f191483372ac49f9b9f7f87289264267e48c1f0e10

Download Submit
C:\Windows\SysWOW64\Dajbaika.exe

Filesize
155KB

MD5
fe580cf0dbb14511c3ed0ed7fd108e6e

SHA1
5a7ed3b8978c5507470391c50a2b87344447ec68

SHA256
863b7f655ed44c7f0af61eb549e13a133a2d34893a87ccd26d6b03251ef4b272

SHA512
e17a2547cc20f54069a76000f00454be54c1acbbb2031bceb75276eff94aa0750be3a011daeff3d3c1e882f191483372ac49f9b9f7f87289264267e48c1f0e10

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
155KB

MD5
919053342737b868068ceea18936d970

SHA1
219fdf41893b614a4d2558def77dd3700dfa9bf8

SHA256
ed7ba5a3c9381c81e59582516942cbf8d9139577809a4a4ef81e7f0a12cc9fe0

SHA512
54955798180cfdc2495ba74b7503c7a9583c1eb6e70c9c9b27f1680a6423de400b361d298fee8e447fcaf7788edbde9021b02cd6dc681ed5a86211895f4550e5

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
155KB

MD5
919053342737b868068ceea18936d970

SHA1
219fdf41893b614a4d2558def77dd3700dfa9bf8

SHA256
ed7ba5a3c9381c81e59582516942cbf8d9139577809a4a4ef81e7f0a12cc9fe0

SHA512
54955798180cfdc2495ba74b7503c7a9583c1eb6e70c9c9b27f1680a6423de400b361d298fee8e447fcaf7788edbde9021b02cd6dc681ed5a86211895f4550e5

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
155KB

MD5
0b5f534a10a389c588bfb809f40eec47

SHA1
cf24f03ff76120730c99140abc447137f2db00e2

SHA256
15fa3cbfac2fad96261a98a354623539a6f5f43d3c6cc3eea83ab1b844a3681e

SHA512
37e7daec313d8d87de3d51bb0de859cec86de53279ab9f7535b290932ba79490c4ad0e98cc0eeb324cbdfc9b79b4c0f5d78748a2f686b7db4a17437bf94f526c

Download Submit
C:\Windows\SysWOW64\Dkbgjo32.exe

Filesize
155KB

MD5
0b5f534a10a389c588bfb809f40eec47

SHA1
cf24f03ff76120730c99140abc447137f2db00e2

SHA256
15fa3cbfac2fad96261a98a354623539a6f5f43d3c6cc3eea83ab1b844a3681e

SHA512
37e7daec313d8d87de3d51bb0de859cec86de53279ab9f7535b290932ba79490c4ad0e98cc0eeb324cbdfc9b79b4c0f5d78748a2f686b7db4a17437bf94f526c

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
155KB

MD5
6f736c6a4579982d79e4bc4ecc0778ec

SHA1
e8a15942c24e541d928e518f74ea3d6ae7839bf4

SHA256
ac3827d58d4d57b18cb88a367d044877d582474c6cf9ced611c0e81d4e523f57

SHA512
120478e68157416907b44c33d5d4c7676c00e257ec5673234697e0ab32f01a3c4bc8c16a12f2478906638c6d77c1ccc3d8c7a01470e872425e5e137d244e6b27

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
155KB

MD5
6f736c6a4579982d79e4bc4ecc0778ec

SHA1
e8a15942c24e541d928e518f74ea3d6ae7839bf4

SHA256
ac3827d58d4d57b18cb88a367d044877d582474c6cf9ced611c0e81d4e523f57

SHA512
120478e68157416907b44c33d5d4c7676c00e257ec5673234697e0ab32f01a3c4bc8c16a12f2478906638c6d77c1ccc3d8c7a01470e872425e5e137d244e6b27

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
155KB

MD5
3f8a80a6d273c45e56fdada5c4ca138e

SHA1
5d550701a53b76759a5fa08cb0e8a73eb6ecc724

SHA256
5d24aef584bd073e96cc30ba21cc76100559732a65448ef44a5427978974afbb

SHA512
e8b6f69b93de3504ad0e72e8a11bafa16f7de1d186f5ba2f32da48440578edcdde8386fbf52b1a6aa648b613b7cbd1caf1e86d0ba5041ec738509ead0ce95eea

Download Submit
C:\Windows\SysWOW64\Ecgodpgb.exe

Filesize
155KB

MD5
3f8a80a6d273c45e56fdada5c4ca138e

SHA1
5d550701a53b76759a5fa08cb0e8a73eb6ecc724

SHA256
5d24aef584bd073e96cc30ba21cc76100559732a65448ef44a5427978974afbb

SHA512
e8b6f69b93de3504ad0e72e8a11bafa16f7de1d186f5ba2f32da48440578edcdde8386fbf52b1a6aa648b613b7cbd1caf1e86d0ba5041ec738509ead0ce95eea

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
155KB

MD5
8b4b272a364efdb93ba0ca8d35d56dd9

SHA1
ef4476f0f6b6ecc000ca9e72f48b805bf8d371c2

SHA256
a73a2d3eafe66f9f632ee91de5dcc3b9324210f4e7ffb05719c1d36f9956478c

SHA512
83d58735c1f58707d9887ce56d06ecd2ef1f5627a07a7f0a33167c6954571db3138e3faee86325ba85d478ca5d11a8b7a0a776cc57f9a23ad3f6edb952a80c6d

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
155KB

MD5
8b4b272a364efdb93ba0ca8d35d56dd9

SHA1
ef4476f0f6b6ecc000ca9e72f48b805bf8d371c2

SHA256
a73a2d3eafe66f9f632ee91de5dcc3b9324210f4e7ffb05719c1d36f9956478c

SHA512
83d58735c1f58707d9887ce56d06ecd2ef1f5627a07a7f0a33167c6954571db3138e3faee86325ba85d478ca5d11a8b7a0a776cc57f9a23ad3f6edb952a80c6d

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
155KB

MD5
268239c98b9375e46bf42106d03b2fab

SHA1
c8f50e2e19effe36ddb797d7ad5b3de34ba21916

SHA256
89988a084fa132b5f20025585d1facc2f0e678dc5f1c0784e3c1af499e806e8c

SHA512
a60c010e648d6c438bb02c7445a4f49747d585dbea25b1ac30be45af908f8853344cff2a69bfd6aa9e52585f424b66f68aea61718a58abb88a330b302e35d86a

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
155KB

MD5
268239c98b9375e46bf42106d03b2fab

SHA1
c8f50e2e19effe36ddb797d7ad5b3de34ba21916

SHA256
89988a084fa132b5f20025585d1facc2f0e678dc5f1c0784e3c1af499e806e8c

SHA512
a60c010e648d6c438bb02c7445a4f49747d585dbea25b1ac30be45af908f8853344cff2a69bfd6aa9e52585f424b66f68aea61718a58abb88a330b302e35d86a

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
155KB

MD5
7e08634f6c9a20e4acf61b9f286990b5

SHA1
a43a3b05b89d6b719314a3f9399564f71247f52e

SHA256
20da9e69f9134f38f4adbb9ba4d1b5c342ab69b899f0aba671c1f71f03fed61c

SHA512
50998ab8d9bcc273a766ea2c78578ca49e0f3c12bf4f641203a09b0237b3673eb97923e84796854b99b82b1e0de53fbad935a4692b269e98601fac1c6c3b0a11

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
155KB

MD5
7e08634f6c9a20e4acf61b9f286990b5

SHA1
a43a3b05b89d6b719314a3f9399564f71247f52e

SHA256
20da9e69f9134f38f4adbb9ba4d1b5c342ab69b899f0aba671c1f71f03fed61c

SHA512
50998ab8d9bcc273a766ea2c78578ca49e0f3c12bf4f641203a09b0237b3673eb97923e84796854b99b82b1e0de53fbad935a4692b269e98601fac1c6c3b0a11

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
155KB

MD5
a00e95e96db7d9e8c84cb71475234d34

SHA1
cb11e7132e4f60b9c1be4e7369ef014a7d805c6d

SHA256
147cdce16bbd0ca9725b82d2e11bc401c1014e1a9839108404f59f4600fb9635

SHA512
769bc54942fdce56b3315a0a6b39a1d1ee6d89068b85d32ac8dbdf62032a3d1db46a9eea00709d8bf8e6bd42a11554455baabb17009f1e10a191837ff50718ad

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
155KB

MD5
a00e95e96db7d9e8c84cb71475234d34

SHA1
cb11e7132e4f60b9c1be4e7369ef014a7d805c6d

SHA256
147cdce16bbd0ca9725b82d2e11bc401c1014e1a9839108404f59f4600fb9635

SHA512
769bc54942fdce56b3315a0a6b39a1d1ee6d89068b85d32ac8dbdf62032a3d1db46a9eea00709d8bf8e6bd42a11554455baabb17009f1e10a191837ff50718ad

Download Submit
C:\Windows\SysWOW64\Enemaimp.exe

Filesize
155KB

MD5
a00e95e96db7d9e8c84cb71475234d34

SHA1
cb11e7132e4f60b9c1be4e7369ef014a7d805c6d

SHA256
147cdce16bbd0ca9725b82d2e11bc401c1014e1a9839108404f59f4600fb9635

SHA512
769bc54942fdce56b3315a0a6b39a1d1ee6d89068b85d32ac8dbdf62032a3d1db46a9eea00709d8bf8e6bd42a11554455baabb17009f1e10a191837ff50718ad

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
155KB

MD5
16d93bdd2ba0ce15efb8fd5228fb3afe

SHA1
81d7d399befe5d6eb9f1382a563bd1d66ea48520

SHA256
3d2f1c5c23a7e9874a83e839d59e93e53bd7946bfb28ff49f49766456564e6c6

SHA512
304ba3b4af2e3bb63d5be8b94e47e521da4e47aa130e2e8cefff09847dc158f805d322f74ff8af97e3bc453451a307507cf33aec3e873ab11234fc6be9075132

Download Submit
C:\Windows\SysWOW64\Enjfli32.exe

Filesize
155KB

MD5
16d93bdd2ba0ce15efb8fd5228fb3afe

SHA1
81d7d399befe5d6eb9f1382a563bd1d66ea48520

SHA256
3d2f1c5c23a7e9874a83e839d59e93e53bd7946bfb28ff49f49766456564e6c6

SHA512
304ba3b4af2e3bb63d5be8b94e47e521da4e47aa130e2e8cefff09847dc158f805d322f74ff8af97e3bc453451a307507cf33aec3e873ab11234fc6be9075132

Download Submit
C:\Windows\SysWOW64\Enopghee.exe

Filesize
155KB

MD5
1c9ce92e2dea137c2bf130ae3d65a12f

SHA1
046f7c8cb7cb45ca7120635bc114c2d601992a29

SHA256
9c8700ee80823e4ccca656d1618facdd41829423a77b04e7f136cea462f28e1d

SHA512
9568efae879f9982318f9c09f7fd2da04b69217d48ae8103f2e905b4666a26b7840f68d859e6e16447984327208dd895c2e54989b8131658af96e73c75592aef

Download Submit
C:\Windows\SysWOW64\Enopghee.exe

Filesize
155KB

MD5
1c9ce92e2dea137c2bf130ae3d65a12f

SHA1
046f7c8cb7cb45ca7120635bc114c2d601992a29

SHA256
9c8700ee80823e4ccca656d1618facdd41829423a77b04e7f136cea462f28e1d

SHA512
9568efae879f9982318f9c09f7fd2da04b69217d48ae8103f2e905b4666a26b7840f68d859e6e16447984327208dd895c2e54989b8131658af96e73c75592aef

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
155KB

MD5
4d7e2611c685309193726768312c814b

SHA1
15726e713fb93d0bed5d81937d417836d5eeb2a7

SHA256
461463105c8cf4f99a8fb283c7adeae7fa37bfc7b8ce01b68193f44ca27e808f

SHA512
239053da2cd119f286fc92ff8c6ef2982388b4c12a73431a5ac6ae26394cd9aa09b7415e45374e4f6d18673f380b0147b9ceb6b6c679e4035ca6396149f0dee0

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
155KB

MD5
4d7e2611c685309193726768312c814b

SHA1
15726e713fb93d0bed5d81937d417836d5eeb2a7

SHA256
461463105c8cf4f99a8fb283c7adeae7fa37bfc7b8ce01b68193f44ca27e808f

SHA512
239053da2cd119f286fc92ff8c6ef2982388b4c12a73431a5ac6ae26394cd9aa09b7415e45374e4f6d18673f380b0147b9ceb6b6c679e4035ca6396149f0dee0

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
155KB

MD5
f918570faf8b7759432036100d0e745e

SHA1
2f6676e75dc73611d266036f705502621cf06654

SHA256
b2d3e2b8291f6e1e659e8fa3f9b05ed88b3f8f321556437937cc82f5ae87c783

SHA512
ec546c853566b412a27236422953ea73cc380b2d77ed146c1b5c9e3f7a70c30345f6b07ac2e322c1fd65a1d0aa7d837ff1413547122786c55b9472269f16f1bf

Download Submit
C:\Windows\SysWOW64\Fjocbhbo.exe

Filesize
155KB

MD5
f918570faf8b7759432036100d0e745e

SHA1
2f6676e75dc73611d266036f705502621cf06654

SHA256
b2d3e2b8291f6e1e659e8fa3f9b05ed88b3f8f321556437937cc82f5ae87c783

SHA512
ec546c853566b412a27236422953ea73cc380b2d77ed146c1b5c9e3f7a70c30345f6b07ac2e322c1fd65a1d0aa7d837ff1413547122786c55b9472269f16f1bf

Download Submit
C:\Windows\SysWOW64\Fkjfakng.exe

Filesize
155KB

MD5
9b3ca7991431fc05f49a56be70010f28

SHA1
2ab2aafa9edde9ac50fdfe5583da47b391f70bed

SHA256
c9ed56f231a3e9e313a25f4e7eb57180530544f587847fd0e1418ce33b802231

SHA512
42574af4aa83226c2d41cd92ee7582f7efe44ca5ef0a64feea05d69c53d3ac43cafd662483737929beb9501ed9a54e30daf33cef619b6d86fab1868788f22481

Download Submit
C:\Windows\SysWOW64\Fkjfakng.exe

Filesize
155KB

MD5
9b3ca7991431fc05f49a56be70010f28

SHA1
2ab2aafa9edde9ac50fdfe5583da47b391f70bed

SHA256
c9ed56f231a3e9e313a25f4e7eb57180530544f587847fd0e1418ce33b802231

SHA512
42574af4aa83226c2d41cd92ee7582f7efe44ca5ef0a64feea05d69c53d3ac43cafd662483737929beb9501ed9a54e30daf33cef619b6d86fab1868788f22481

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
155KB

MD5
ef9089b2b4388db928389297421ef43a

SHA1
e56d0f6f3f006612b4535cd3a7d2397c1ee4e84b

SHA256
452e6c4ca33e4c15ff4bbb17b26b03c037b966b5e973de7c232ed9f02bc6627d

SHA512
f7cee689a463d543c592e309d1fb83df55c3855105400fdf7e66f264e12f2e522a18ff402de3ad5e2bc5555a420031c1cbfa6d79e0c7eac62fd8f86ab328c37c

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
155KB

MD5
ef9089b2b4388db928389297421ef43a

SHA1
e56d0f6f3f006612b4535cd3a7d2397c1ee4e84b

SHA256
452e6c4ca33e4c15ff4bbb17b26b03c037b966b5e973de7c232ed9f02bc6627d

SHA512
f7cee689a463d543c592e309d1fb83df55c3855105400fdf7e66f264e12f2e522a18ff402de3ad5e2bc5555a420031c1cbfa6d79e0c7eac62fd8f86ab328c37c

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
155KB

MD5
2561b24695ed21cedd0eca4f31724547

SHA1
7ded14bcb63d1272dd6c4bf7fd98c615be7c986c

SHA256
908366b57001e2373203a3f6bc7ef140c3e7cbc3b246347d2879b82197236584

SHA512
34f044143fc2d7aa483a4442faf6f81fda3079efb4d423d26a0f9352fe0311eb7bba3c93cbdfca97f77773225117e08681e2b6c9ffa9e249d8e1b3722e3b2fd0

Download Submit
C:\Windows\SysWOW64\Fqphic32.exe

Filesize
155KB

MD5
2561b24695ed21cedd0eca4f31724547

SHA1
7ded14bcb63d1272dd6c4bf7fd98c615be7c986c

SHA256
908366b57001e2373203a3f6bc7ef140c3e7cbc3b246347d2879b82197236584

SHA512
34f044143fc2d7aa483a4442faf6f81fda3079efb4d423d26a0f9352fe0311eb7bba3c93cbdfca97f77773225117e08681e2b6c9ffa9e249d8e1b3722e3b2fd0

Download Submit
C:\Windows\SysWOW64\Gclafmej.exe

Filesize
155KB

MD5
56a9c817a86f0133107a22e0b61facb6

SHA1
3da12f92c2f33f53bbe8cd9d88fecaa7c4f02b03

SHA256
25e519089670ca2d6fa05106a194636cb7cbc1b7438d0200bc2687a7b9158d4a

SHA512
24bb4736f585a63aaeb4755cfde51d1576be1226c83f5555429de8ba5f101c5fddf6f60e85207c8f15709e3ae08e576226eaefbfdd17fa28d3179201f75eef1f

Download Submit
C:\Windows\SysWOW64\Gclafmej.exe

Filesize
155KB

MD5
56a9c817a86f0133107a22e0b61facb6

SHA1
3da12f92c2f33f53bbe8cd9d88fecaa7c4f02b03

SHA256
25e519089670ca2d6fa05106a194636cb7cbc1b7438d0200bc2687a7b9158d4a

SHA512
24bb4736f585a63aaeb4755cfde51d1576be1226c83f5555429de8ba5f101c5fddf6f60e85207c8f15709e3ae08e576226eaefbfdd17fa28d3179201f75eef1f

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
155KB

MD5
03d7c8f9879e2b6257a5f0f65f8b4afb

SHA1
c2beccd72cba2ae619b1ce0eb221c2b00f1aa5d1

SHA256
2519f597d3fc2b1647742d7e2274cb42f233968d6e32dcc887c4665b4c8d0207

SHA512
9b194a953b89ad92142ba93786f100a3e34f3960b0a266198d805ceca967d5da85913d11909440be0cfc6c47919ca7073095326ffb899b87da0d8b8a864ea9dd

Download Submit
C:\Windows\SysWOW64\Gdgdeppb.exe

Filesize
155KB

MD5
03d7c8f9879e2b6257a5f0f65f8b4afb

SHA1
c2beccd72cba2ae619b1ce0eb221c2b00f1aa5d1

SHA256
2519f597d3fc2b1647742d7e2274cb42f233968d6e32dcc887c4665b4c8d0207

SHA512
9b194a953b89ad92142ba93786f100a3e34f3960b0a266198d805ceca967d5da85913d11909440be0cfc6c47919ca7073095326ffb899b87da0d8b8a864ea9dd

Download Submit
C:\Windows\SysWOW64\Gdmkfp32.dll

Filesize
7KB

MD5
142071c88d2774f35df854b918927d6f

SHA1
479cd2fded56d81f948a54d078e3da6414019578

SHA256
16bf6f4616a4bfad84e366ae21604fcad55084fec948ab05e1a8fef28b96f242

SHA512
a2028b0bb69aeb8cd6ca1f05f395b6cc828807a062780383a6d44e25253679187b2365138f2c48815d0aa4a1cf7e0ebb9bb4f60dc265c09c2e89df8773439a1e

Download Submit
C:\Windows\SysWOW64\Gglfbkin.exe

Filesize
155KB

MD5
7ec524483a80a9b917002dff31d04b73

SHA1
589b150e820c8cb124b79fbca8856fa8a6ce6063

SHA256
798d1af63bf7356e56b9c63a085502c4de80668fd85b822f0022d98beeb36edb

SHA512
0bb58d7776816faf7a017480bcf6a6d15cef7b75e1470941858536b5a0aa0e5b553543547cf5c47427ab23cf4524a413eec5e839deaf5c379bf26a497e4c4a23

Download Submit
C:\Windows\SysWOW64\Gglfbkin.exe

Filesize
155KB

MD5
7ec524483a80a9b917002dff31d04b73

SHA1
589b150e820c8cb124b79fbca8856fa8a6ce6063

SHA256
798d1af63bf7356e56b9c63a085502c4de80668fd85b822f0022d98beeb36edb

SHA512
0bb58d7776816faf7a017480bcf6a6d15cef7b75e1470941858536b5a0aa0e5b553543547cf5c47427ab23cf4524a413eec5e839deaf5c379bf26a497e4c4a23

Download Submit
C:\Windows\SysWOW64\Gjaphgpl.exe

Filesize
155KB

MD5
e008abef79687bcd674b129154cc2ae4

SHA1
778c75bd6d28b1c22eec246af5cb2c395bf24b05

SHA256
20e9f232eeaa8ff832275c8fff86830d023dc3303221894c115097f9301e0784

SHA512
34a936bfa215c8e21e7af1228478f6a9c36bd01f0d13f21bac237034d1651177950f8875c4d70495dbde588e3da9c585374d32b476bad33655eba5952969148c

Download Submit
C:\Windows\SysWOW64\Gjaphgpl.exe

Filesize
155KB

MD5
e008abef79687bcd674b129154cc2ae4

SHA1
778c75bd6d28b1c22eec246af5cb2c395bf24b05

SHA256
20e9f232eeaa8ff832275c8fff86830d023dc3303221894c115097f9301e0784

SHA512
34a936bfa215c8e21e7af1228478f6a9c36bd01f0d13f21bac237034d1651177950f8875c4d70495dbde588e3da9c585374d32b476bad33655eba5952969148c

Download Submit
C:\Windows\SysWOW64\Gjcmngnj.exe

Filesize
155KB

MD5
92a43777b8d9a55c76a4584bd26d6df5

SHA1
f8a43a3460ae93c663d7c244fbcb70ed526ae744

SHA256
f3c69e90bd0b6c28bf93f558a0798205cc7f970dae8c489342c24b3575f8656c

SHA512
bc5545a47ea142fbc85b9b715955188386122d1e38116670704f73d549feb802fe32164de195eb658a4088e030346d59c23cc05e9197c1689cc59d8a96c7b432

Download Submit
C:\Windows\SysWOW64\Gjcmngnj.exe

Filesize
155KB

MD5
92a43777b8d9a55c76a4584bd26d6df5

SHA1
f8a43a3460ae93c663d7c244fbcb70ed526ae744

SHA256
f3c69e90bd0b6c28bf93f558a0798205cc7f970dae8c489342c24b3575f8656c

SHA512
bc5545a47ea142fbc85b9b715955188386122d1e38116670704f73d549feb802fe32164de195eb658a4088e030346d59c23cc05e9197c1689cc59d8a96c7b432

Download Submit
C:\Windows\SysWOW64\Gqbneq32.exe

Filesize
155KB

MD5
a5b23734f318a19017c07b5577c3633f

SHA1
f3cf0728fb784dee866f17cad36d36b8b8185975

SHA256
67e63cd4832307d42fe7503f9b807d3bafa91e43cadcca1e4ba0ae93fd1aa7b1

SHA512
bff1017669b324a76f3ce88ef988f625f7b628a619af3dc2b8b937d98b704175b08006d9180dd5928e84d73a30250ef29ca4156e308c1fcae6290431ff63d53c

Download Submit
C:\Windows\SysWOW64\Gqbneq32.exe

Filesize
155KB

MD5
a5b23734f318a19017c07b5577c3633f

SHA1
f3cf0728fb784dee866f17cad36d36b8b8185975

SHA256
67e63cd4832307d42fe7503f9b807d3bafa91e43cadcca1e4ba0ae93fd1aa7b1

SHA512
bff1017669b324a76f3ce88ef988f625f7b628a619af3dc2b8b937d98b704175b08006d9180dd5928e84d73a30250ef29ca4156e308c1fcae6290431ff63d53c

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
155KB

MD5
76ddb6082e945d8c183caec8b46e100c

SHA1
b7b2bdeb80c1ef2786689b8be74d26712e88792e

SHA256
87bbc99862014f4283bf34f6a7b8bf239101753d3160d79ced3270f9099647fc

SHA512
2536fd473ba26b4cdb34c769c06aa14f28cf2fb8052bae8f5602f0f89d3ff55cb4fbbb00725e1c4225260222231a46ff86ccde1533fdff8f8c1329d51bf8e982

Download Submit
C:\Windows\SysWOW64\Hcjmhk32.exe

Filesize
155KB

MD5
76ddb6082e945d8c183caec8b46e100c

SHA1
b7b2bdeb80c1ef2786689b8be74d26712e88792e

SHA256
87bbc99862014f4283bf34f6a7b8bf239101753d3160d79ced3270f9099647fc

SHA512
2536fd473ba26b4cdb34c769c06aa14f28cf2fb8052bae8f5602f0f89d3ff55cb4fbbb00725e1c4225260222231a46ff86ccde1533fdff8f8c1329d51bf8e982

Download Submit
C:\Windows\SysWOW64\Heepfn32.exe

Filesize
155KB

MD5
cf648c6b3a81d788b017d114725bd6dd

SHA1
f63fe6913c35c83684fde5155f350b07f25534ba

SHA256
2dcd8dc3ae290c8f0278371bbe9398343f63fcbd69de65b189ed485fbcf5cc6e

SHA512
64ebc1be1e6f04f10561b10650b5e92255514c39bc3801fa15ed6010d15ca562b6e79600feb22c644b9baf1ecdbb7dc32091b1e7db44622b321b2695892b49da

Download Submit
C:\Windows\SysWOW64\Heepfn32.exe

Filesize
155KB

MD5
cf648c6b3a81d788b017d114725bd6dd

SHA1
f63fe6913c35c83684fde5155f350b07f25534ba

SHA256
2dcd8dc3ae290c8f0278371bbe9398343f63fcbd69de65b189ed485fbcf5cc6e

SHA512
64ebc1be1e6f04f10561b10650b5e92255514c39bc3801fa15ed6010d15ca562b6e79600feb22c644b9baf1ecdbb7dc32091b1e7db44622b321b2695892b49da

Download Submit
C:\Windows\SysWOW64\Hgocgjgk.exe

Filesize
155KB

MD5
8ffbb4aecd93788b0ce5f44c094bf336

SHA1
17ac2eef831d0951bee79bbbed8874d37d96ea68

SHA256
2488461c3702774550b8560799ab786f4c95e9875f445ede817b93f120870719

SHA512
8e1083716ac3a937e045cfcf432e7729809fcda16811931c3881becdf1f7b1b1dbeed1f05bbf7b23920fdab38c20c3cded4f7ae0e8d4c834c2515df538181c61

Download Submit
C:\Windows\SysWOW64\Hgocgjgk.exe

Filesize
155KB

MD5
8ffbb4aecd93788b0ce5f44c094bf336

SHA1
17ac2eef831d0951bee79bbbed8874d37d96ea68

SHA256
2488461c3702774550b8560799ab786f4c95e9875f445ede817b93f120870719

SHA512
8e1083716ac3a937e045cfcf432e7729809fcda16811931c3881becdf1f7b1b1dbeed1f05bbf7b23920fdab38c20c3cded4f7ae0e8d4c834c2515df538181c61

Download Submit
C:\Windows\SysWOW64\Hnkhjdle.exe

Filesize
155KB

MD5
608c2c278d8d7b693dbfa124e50e1da5

SHA1
f9c03b9a0715d78ef9a61efdea551331fa63bd6f

SHA256
e6741938feea78fb72af74da7de582fa116b98447778a8b6e1b3f8a3676eccf0

SHA512
be8e0ecd6fdc6a90634dd5777e4d92600dff75d4877847484cee37e1a0bee78d7ec5499c3ad21ffa97f9a71f31d572891353ea5ed44ab7af522d4861ab73d6df

Download Submit
C:\Windows\SysWOW64\Hnkhjdle.exe

Filesize
155KB

MD5
608c2c278d8d7b693dbfa124e50e1da5

SHA1
f9c03b9a0715d78ef9a61efdea551331fa63bd6f

SHA256
e6741938feea78fb72af74da7de582fa116b98447778a8b6e1b3f8a3676eccf0

SHA512
be8e0ecd6fdc6a90634dd5777e4d92600dff75d4877847484cee37e1a0bee78d7ec5499c3ad21ffa97f9a71f31d572891353ea5ed44ab7af522d4861ab73d6df

Download Submit
C:\Windows\SysWOW64\Hnmeodjc.exe

Filesize
155KB

MD5
85e1338e317b8fe1664630f76970ef80

SHA1
f4890f7aab470ab62c4bee929a3a3c4f866d2a88

SHA256
5a683534341161c01543fd617f78711af9308d82414103aa64168dadda624b67

SHA512
29d805864b3da9a6f12d53fe65c778e7e7e671ffb713609b89af9632f6ba8e6738f5b95ac08f13acdb10e9415a407094f59af745230a4e59280883c37b79ea9f

Download Submit
C:\Windows\SysWOW64\Hnmeodjc.exe

Filesize
155KB

MD5
85e1338e317b8fe1664630f76970ef80

SHA1
f4890f7aab470ab62c4bee929a3a3c4f866d2a88

SHA256
5a683534341161c01543fd617f78711af9308d82414103aa64168dadda624b67

SHA512
29d805864b3da9a6f12d53fe65c778e7e7e671ffb713609b89af9632f6ba8e6738f5b95ac08f13acdb10e9415a407094f59af745230a4e59280883c37b79ea9f

Download Submit
C:\Windows\SysWOW64\Hnpaec32.exe

Filesize
155KB

MD5
f7b899097287212557f8f1056048f90d

SHA1
2143005f4f7a8dd9f53f105d9be055707eb63376

SHA256
38f242ec56bb28598fc854c0353bfdd07453f602835cd25788a1142802b5aca8

SHA512
873449c9fd0d37201d20d026fb52dda0828b769effdfaee6b2933a3295424f949acad68a40e4dc84e9f33ab0767e1e94fdc4b3167ae38cf85eeae804181c8358

Download Submit
C:\Windows\SysWOW64\Hnpaec32.exe

Filesize
155KB

MD5
f7b899097287212557f8f1056048f90d

SHA1
2143005f4f7a8dd9f53f105d9be055707eb63376

SHA256
38f242ec56bb28598fc854c0353bfdd07453f602835cd25788a1142802b5aca8

SHA512
873449c9fd0d37201d20d026fb52dda0828b769effdfaee6b2933a3295424f949acad68a40e4dc84e9f33ab0767e1e94fdc4b3167ae38cf85eeae804181c8358

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
155KB

MD5
7cebded79b6c3d9d542b0bfdd82b331c

SHA1
659d8ec1cf458a600eaffdc3c3a535cbc01495bc

SHA256
a24c5f3f5c328d0fb69b6b0c880de07db73369cc1d94f0c556858577de2f626b

SHA512
a929429ddba74fecc8a23043c6bd7da182c11bcbb0c9187edaa8eaf103ad7c6e24265ef67241941610724c1cd4da169032fe7bd772be5b623b1daf0f8450cf61

Download Submit
C:\Windows\SysWOW64\Hqghqpnl.exe

Filesize
155KB

MD5
7cebded79b6c3d9d542b0bfdd82b331c

SHA1
659d8ec1cf458a600eaffdc3c3a535cbc01495bc

SHA256
a24c5f3f5c328d0fb69b6b0c880de07db73369cc1d94f0c556858577de2f626b

SHA512
a929429ddba74fecc8a23043c6bd7da182c11bcbb0c9187edaa8eaf103ad7c6e24265ef67241941610724c1cd4da169032fe7bd772be5b623b1daf0f8450cf61

Download Submit
C:\Windows\SysWOW64\Igjbci32.exe

Filesize
155KB

MD5
8b3945d20bc7b040bca00043ae10f43c

SHA1
bbf6a67d8c20317748e7cd2f6382b9d723099b38

SHA256
fe5212e6bc741fc7254f75d199a32287b79330a7d5b037161376d9e0003f76a1

SHA512
ba704325eb4e670414827945addabe32d40adbc7bc3d648d1ee4c0a5fd618ba891abec56a119b82b056aee3ecaa4a314912a665e0614c78903b40a87cadceaa2

Download Submit
C:\Windows\SysWOW64\Igjbci32.exe

Filesize
155KB

MD5
8b3945d20bc7b040bca00043ae10f43c

SHA1
bbf6a67d8c20317748e7cd2f6382b9d723099b38

SHA256
fe5212e6bc741fc7254f75d199a32287b79330a7d5b037161376d9e0003f76a1

SHA512
ba704325eb4e670414827945addabe32d40adbc7bc3d648d1ee4c0a5fd618ba891abec56a119b82b056aee3ecaa4a314912a665e0614c78903b40a87cadceaa2

Download Submit
C:\Windows\SysWOW64\Igmoih32.exe

Filesize
155KB

MD5
eef24b4cbdb252d8f74b086dde958be1

SHA1
1923159ca292e5bed808cae0051aa6d73afc045e

SHA256
df5cb59a12d8d77b7fa169898ad4a1adf6ba8e03a1440d846c0825b7007dfd51

SHA512
8db25c148f47c539a4c933dafbcf587e005eeb8f8e8d8346eb6909e44551fc328ad06a4f23c54d2e81a1fd24a1d724800d98df99ff244e5e139ae23788be0444

Download Submit
C:\Windows\SysWOW64\Igmoih32.exe

Filesize
155KB

MD5
eef24b4cbdb252d8f74b086dde958be1

SHA1
1923159ca292e5bed808cae0051aa6d73afc045e

SHA256
df5cb59a12d8d77b7fa169898ad4a1adf6ba8e03a1440d846c0825b7007dfd51

SHA512
8db25c148f47c539a4c933dafbcf587e005eeb8f8e8d8346eb6909e44551fc328ad06a4f23c54d2e81a1fd24a1d724800d98df99ff244e5e139ae23788be0444

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
155KB

MD5
555b4daf4b87387a7d5fed3451da8374

SHA1
6de60162420096f95c1ceb766cd291652f07e564

SHA256
39672416dce37dfce3f9bf0392c2d4f945b6e94113ae6857cd96d207ad8a843d

SHA512
06990ca181f9a043eed794b1fe19be38ae6540da23bf3a2fb8b11f17fd20359f52226bf753b5da59cfc6116cf78c48ea8ff04292fadec898016a3de59bdd9002

Download Submit
C:\Windows\SysWOW64\Kkgdhp32.exe

Filesize
155KB

MD5
6dd68a18fe2c6d0f854fe1e165629644

SHA1
c48748f10236c72e4880f9f195688aade703fddf

SHA256
8e321d72866c0ff1b80b44f10214bf2758f3307983ee2ee5ccc7110d9a1bf572

SHA512
c517395b1a5e20e3ac524a96aabb39752e820ad88a6bf0487933e433412e00f1e5a5cc4e5184228fcb9115bf8bac2bcf7ebb224085573e2333f4bc1a9370902c

Download Submit
C:\Windows\SysWOW64\Klgqabib.exe

Filesize
155KB

MD5
646a8f1bee0f12c94249ae2470751e50

SHA1
018ed60f1a1eb9feb26ac566754371035ed904a1

SHA256
1586c169599a304693c6b1fb129605473bc33fab6ff8a7995a18c1eccdf2cae9

SHA512
0ddd95a5fa562373e0378ca527cd3dd36d9a790b5754be58b0d7cac507d8f9fbe3ab5997d1ed7cd6f00c435aca6ca0888d7c1d9e147548510e33dc4770d7d6fe

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
155KB

MD5
eee9ca9ecb18dcdec58073f3c30a75f0

SHA1
8761136a892d8c6a3854a3127e95cbbb3a87ab84

SHA256
6de5fe51d427885600e550367c502b02272544f6e82c6831362eaa56103c2bc3

SHA512
5ff5b0dcb0cb728897f576877dae60d1884a5eac6bf3b1f2b6390d0c04f303c411568b3af61c1c7f404bf53f0e7f22cd8db7f7bd905c1d1a5b1826bb325c244e

Download Submit
C:\Windows\SysWOW64\Mclhjkfa.exe

Filesize
155KB

MD5
beb6665aede92aa66f18c08db0824671

SHA1
9c24f2fac87093c589d26b7381549e666457c02c

SHA256
a4a2b476fce5d8d9893955fcfd9939ab5cd3403c12da4cd994a75ac3161bb7c7

SHA512
632ed12ef9cfc1b7857d4e60c768e94e6a76df93df088d44f6fb0d6f9a57f71a618ead07844244a6e31ebf450d552e2b015d57f29f9174ba8f23d8a396b8713a

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
155KB

MD5
0f3af2f0450bfca3b60a284a60f14544

SHA1
92b35ce8ac28f664449ae25a3ed5a6bfcd0e0b5c

SHA256
650f22db68f88d9e00a2cce03816acf56085c99708bfbac7875c1569a2b12ec3

SHA512
e7f53bb6cf49f88619b6f76b879fdf2a3d3c41f3e76bb72a6b2c5aacb6d3890d005e0d2bde0015aa1a826e98521e284b00dc06bf205a9a52b4ab5ec5fba2cfe5

Download Submit
memory/64-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/232-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1068-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1264-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1284-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1392-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1444-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1524-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1528-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1620-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1788-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1816-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1856-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1920-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-111-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1952-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1988-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2120-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2152-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2188-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2304-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2360-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2364-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2472-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2480-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2656-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2676-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2820-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2948-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3020-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3024-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3312-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3324-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3412-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3416-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3432-87-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3460-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3544-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3596-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3724-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3740-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3748-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3952-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4108-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4264-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4420-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4468-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4568-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4572-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4632-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4704-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4708-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4740-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4764-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4832-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5072-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5108-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads