217cf17f4307a93c06ea75fc40e3b811d444fe30e2d7cf0c6f613de390cc981e

Analysis

max time kernel
138s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2023 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe
Size

71KB
MD5

b99da49b773c5d0fc9bb4e1089f2ab60
SHA1

99ecb6d18987b97e8931ce1833b59ce790ed3a81
SHA256

217cf17f4307a93c06ea75fc40e3b811d444fe30e2d7cf0c6f613de390cc981e
SHA512

681186451a45e999e9bea25c7fe4c281718800d71577a7a252ab62141d9d734274e273a61d16f79db0741ea368d54355bfc70a15f5c7fd1ea3f0df52e587798f
SSDEEP

1536:UKBfIAfABpZHM5kkkrMq2OaNyZ6WnCx5RQSDbEyRCRRRoR4Rk:UKBDIjBM55kYq2OaNHYGeMEy032ya

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enbjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpffeaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deqcbpld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enigke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbjcljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nncccnol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpdcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpqldc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipeeobbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klfaapbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iepaaico.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljhnlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfeeabda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pagbaglh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfpcoefj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnoiqdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihnomjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fihnomjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmmfmhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfpcoefj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlnjbedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imiehfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipoheakj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbnoiqdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hoeieolb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibfnqmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkhnjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clgbmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe

Executes dropped EXE 64 IoCs

pid	Process
2312	Clgbmp32.exe
1840	Cfpffeaj.exe
1104	Ckmonl32.exe
3460	Chqogq32.exe
1588	Dbicpfdk.exe
2044	Dnpdegjp.exe
4784	Dheibpje.exe
1480	Dfiildio.exe
4252	Dkfadkgf.exe
736	Dbpjaeoc.exe
4672	Dkhnjk32.exe
3436	Deqcbpld.exe
1532	Enigke32.exe
3052	Enkdaepb.exe
5084	Ekodjiol.exe
1496	Ekaapi32.exe
4288	Eblimcdf.exe
4024	Enbjad32.exe
1700	Fihnomjp.exe
4104	Fpdcag32.exe
2580	Gbnoiqdq.exe
3972	Gflhoo32.exe
2888	Goglcahb.exe
1192	Gpgind32.exe
4012	Hedafk32.exe
4172	Hlnjbedi.exe
1648	Hmmfmhll.exe
1804	Hbjoeojc.exe
4760	Hfhgkmpj.exe
5088	Hpqldc32.exe
2944	Hfjdqmng.exe
3600	Iepaaico.exe
1632	Ipeeobbe.exe
804	Imiehfao.exe
4976	Ibfnqmpf.exe
3452	Ilnbicff.exe
4792	Igdgglfl.exe
3444	Iplkpa32.exe
3884	Ieidhh32.exe
4064	Ipoheakj.exe
2356	Jiglnf32.exe
5024	Kpmdfonj.exe
4008	Keimof32.exe
2788	Kpoalo32.exe
2248	Klfaapbl.exe
2748	Kfnfjehl.exe
5000	Klhnfo32.exe
1776	Kfpcoefj.exe
3348	Lpfgmnfp.exe
3736	Lfbped32.exe
4544	Lcgpni32.exe
4568	Lnldla32.exe
1616	Lcimdh32.exe
772	Lopmii32.exe
4440	Ljeafb32.exe
2240	Lobjni32.exe
3544	Ljhnlb32.exe
1552	Mqafhl32.exe
4592	Mjjkaabc.exe
4912	Mogcihaj.exe
4360	Mqfpckhm.exe
4144	Mgphpe32.exe
1512	Mfeeabda.exe
2872	Mqkiok32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qfkqjmdg.exe	Panhbfep.exe
File opened for modification	C:\Windows\SysWOW64\Enigke32.exe	Deqcbpld.exe
File opened for modification	C:\Windows\SysWOW64\Lcimdh32.exe	Lnldla32.exe
File created	C:\Windows\SysWOW64\Jlllhigk.dll	Ljhnlb32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjdqmng.exe	Hpqldc32.exe
File created	C:\Windows\SysWOW64\Ibfnqmpf.exe	Imiehfao.exe
File created	C:\Windows\SysWOW64\Fmplqd32.dll	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Ofhknodl.exe	Ompfej32.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Ompfej32.exe
File created	C:\Windows\SysWOW64\Ckmonl32.exe	Cfpffeaj.exe
File opened for modification	C:\Windows\SysWOW64\Enkdaepb.exe	Enigke32.exe
File opened for modification	C:\Windows\SysWOW64\Ekaapi32.exe	Ekodjiol.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Kibohd32.dll	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Pnkbkk32.exe	Phajna32.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Pffgom32.exe
File created	C:\Windows\SysWOW64\Lnldla32.exe	Lcgpni32.exe
File created	C:\Windows\SysWOW64\Iplkpa32.exe	Igdgglfl.exe
File created	C:\Windows\SysWOW64\Jbhfhgch.dll	Kfnfjehl.exe
File created	C:\Windows\SysWOW64\Hlhefcoo.dll	Pmiikh32.exe
File opened for modification	C:\Windows\SysWOW64\Chqogq32.exe	Ckmonl32.exe
File created	C:\Windows\SysWOW64\Ndmdae32.dll	Hmmfmhll.exe
File created	C:\Windows\SysWOW64\Cfidbo32.dll	Ilnbicff.exe
File created	C:\Windows\SysWOW64\Dohjem32.dll	Kfpcoefj.exe
File created	C:\Windows\SysWOW64\Difebl32.dll	Mqfpckhm.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Amdomd32.dll	Ckmonl32.exe
File created	C:\Windows\SysWOW64\Hhblffgn.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Ahmjjoig.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Kpoalo32.exe	Keimof32.exe
File opened for modification	C:\Windows\SysWOW64\Klfaapbl.exe	Kpoalo32.exe
File created	C:\Windows\SysWOW64\Kfnfjehl.exe	Klfaapbl.exe
File created	C:\Windows\SysWOW64\Mpolbbim.dll	Nnafno32.exe
File created	C:\Windows\SysWOW64\Jbofpe32.dll	Nagiji32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmonl32.exe	Cfpffeaj.exe
File created	C:\Windows\SysWOW64\Nobkpkdh.dll	Dkfadkgf.exe
File opened for modification	C:\Windows\SysWOW64\Iplkpa32.exe	Igdgglfl.exe
File created	C:\Windows\SysWOW64\Eepmqdbn.dll	Ahmjjoig.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Cglbhhga.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Clgbmp32.exe	NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe
File created	C:\Windows\SysWOW64\Fihnomjp.exe	Enbjad32.exe
File created	C:\Windows\SysWOW64\Kpmdfonj.exe	Jiglnf32.exe
File opened for modification	C:\Windows\SysWOW64\Nncccnol.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Dheibpje.exe	Dnpdegjp.exe
File opened for modification	C:\Windows\SysWOW64\Dfiildio.exe	Dheibpje.exe
File created	C:\Windows\SysWOW64\Pqlhmf32.dll	Hpqldc32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Oplfkeob.exe	Nfcabp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhpimhp.exe	Opclldhj.exe
File created	C:\Windows\SysWOW64\Cpkhqmjb.dll	Ckebcg32.exe
File opened for modification	C:\Windows\SysWOW64\Igdgglfl.exe	Ilnbicff.exe
File created	C:\Windows\SysWOW64\Ipgijcij.dll	Lpfgmnfp.exe
File opened for modification	C:\Windows\SysWOW64\Mogcihaj.exe	Mjjkaabc.exe
File opened for modification	C:\Windows\SysWOW64\Mqkiok32.exe	Mfeeabda.exe
File created	C:\Windows\SysWOW64\Ckbemgcp.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Lfebfnqn.dll	Gpgind32.exe
File created	C:\Windows\SysWOW64\Hmmfmhll.exe	Hlnjbedi.exe
File opened for modification	C:\Windows\SysWOW64\Iepaaico.exe	Hoeieolb.exe
File opened for modification	C:\Windows\SysWOW64\Hmmfmhll.exe	Hlnjbedi.exe
File created	C:\Windows\SysWOW64\Dfjehbcf.dll	Iepaaico.exe
File created	C:\Windows\SysWOW64\Ngidlo32.dll	Lopmii32.exe
File created	C:\Windows\SysWOW64\Chqogq32.exe	Ckmonl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5592	5320	WerFault.exe	211

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiildio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hlnjbedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepmqdbn.dll"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klhnfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljeafb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biafno32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enbjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfjdqmng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hoeieolb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodcb32.dll"	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll"	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khfclo32.dll"	Cfpffeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmmfmhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakoidm.dll"	Iplkpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mqafhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckmonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chqogq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfjehbcf.dll"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipeeobbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hedafk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll"	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgpni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbicpfdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpgind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpoalo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mogcihaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heeeiopa.dll"	NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeeobqbq.dll"	Dfiildio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kfpcoefj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll"	Lobjni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll"	Ljhnlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldldehjm.dll"	Hedafk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imiehfao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 2312	5028	NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe	86
PID 5028 wrote to memory of 2312	5028	NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe	86
PID 5028 wrote to memory of 2312	5028	NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe	86
PID 2312 wrote to memory of 1840	2312	Clgbmp32.exe	87
PID 2312 wrote to memory of 1840	2312	Clgbmp32.exe	87
PID 2312 wrote to memory of 1840	2312	Clgbmp32.exe	87
PID 1840 wrote to memory of 1104	1840	Cfpffeaj.exe	88
PID 1840 wrote to memory of 1104	1840	Cfpffeaj.exe	88
PID 1840 wrote to memory of 1104	1840	Cfpffeaj.exe	88
PID 1104 wrote to memory of 3460	1104	Ckmonl32.exe	89
PID 1104 wrote to memory of 3460	1104	Ckmonl32.exe	89
PID 1104 wrote to memory of 3460	1104	Ckmonl32.exe	89
PID 3460 wrote to memory of 1588	3460	Chqogq32.exe	90
PID 3460 wrote to memory of 1588	3460	Chqogq32.exe	90
PID 3460 wrote to memory of 1588	3460	Chqogq32.exe	90
PID 1588 wrote to memory of 2044	1588	Dbicpfdk.exe	91
PID 1588 wrote to memory of 2044	1588	Dbicpfdk.exe	91
PID 1588 wrote to memory of 2044	1588	Dbicpfdk.exe	91
PID 2044 wrote to memory of 4784	2044	Dnpdegjp.exe	92
PID 2044 wrote to memory of 4784	2044	Dnpdegjp.exe	92
PID 2044 wrote to memory of 4784	2044	Dnpdegjp.exe	92
PID 4784 wrote to memory of 1480	4784	Dheibpje.exe	93
PID 4784 wrote to memory of 1480	4784	Dheibpje.exe	93
PID 4784 wrote to memory of 1480	4784	Dheibpje.exe	93
PID 1480 wrote to memory of 4252	1480	Dfiildio.exe	94
PID 1480 wrote to memory of 4252	1480	Dfiildio.exe	94
PID 1480 wrote to memory of 4252	1480	Dfiildio.exe	94
PID 4252 wrote to memory of 736	4252	Dkfadkgf.exe	95
PID 4252 wrote to memory of 736	4252	Dkfadkgf.exe	95
PID 4252 wrote to memory of 736	4252	Dkfadkgf.exe	95
PID 736 wrote to memory of 4672	736	Dbpjaeoc.exe	96
PID 736 wrote to memory of 4672	736	Dbpjaeoc.exe	96
PID 736 wrote to memory of 4672	736	Dbpjaeoc.exe	96
PID 4672 wrote to memory of 3436	4672	Dkhnjk32.exe	97
PID 4672 wrote to memory of 3436	4672	Dkhnjk32.exe	97
PID 4672 wrote to memory of 3436	4672	Dkhnjk32.exe	97
PID 3436 wrote to memory of 1532	3436	Deqcbpld.exe	98
PID 3436 wrote to memory of 1532	3436	Deqcbpld.exe	98
PID 3436 wrote to memory of 1532	3436	Deqcbpld.exe	98
PID 1532 wrote to memory of 3052	1532	Enigke32.exe	99
PID 1532 wrote to memory of 3052	1532	Enigke32.exe	99
PID 1532 wrote to memory of 3052	1532	Enigke32.exe	99
PID 3052 wrote to memory of 5084	3052	Enkdaepb.exe	100
PID 3052 wrote to memory of 5084	3052	Enkdaepb.exe	100
PID 3052 wrote to memory of 5084	3052	Enkdaepb.exe	100
PID 5084 wrote to memory of 1496	5084	Ekodjiol.exe	101
PID 5084 wrote to memory of 1496	5084	Ekodjiol.exe	101
PID 5084 wrote to memory of 1496	5084	Ekodjiol.exe	101
PID 1496 wrote to memory of 4288	1496	Ekaapi32.exe	102
PID 1496 wrote to memory of 4288	1496	Ekaapi32.exe	102
PID 1496 wrote to memory of 4288	1496	Ekaapi32.exe	102
PID 4288 wrote to memory of 4024	4288	Eblimcdf.exe	103
PID 4288 wrote to memory of 4024	4288	Eblimcdf.exe	103
PID 4288 wrote to memory of 4024	4288	Eblimcdf.exe	103
PID 4024 wrote to memory of 1700	4024	Enbjad32.exe	104
PID 4024 wrote to memory of 1700	4024	Enbjad32.exe	104
PID 4024 wrote to memory of 1700	4024	Enbjad32.exe	104
PID 1700 wrote to memory of 4104	1700	Fihnomjp.exe	105
PID 1700 wrote to memory of 4104	1700	Fihnomjp.exe	105
PID 1700 wrote to memory of 4104	1700	Fihnomjp.exe	105
PID 4104 wrote to memory of 2580	4104	Fpdcag32.exe	106
PID 4104 wrote to memory of 2580	4104	Fpdcag32.exe	106
PID 4104 wrote to memory of 2580	4104	Fpdcag32.exe	106
PID 2580 wrote to memory of 3972	2580	Gbnoiqdq.exe	108

C:\Users\Admin\AppData\Local\Temp\NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b99da49b773c5d0fc9bb4e1089f2ab60.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\Clgbmp32.exe
  C:\Windows\system32\Clgbmp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\Cfpffeaj.exe
    C:\Windows\system32\Cfpffeaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\Ckmonl32.exe
      C:\Windows\system32\Ckmonl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\SysWOW64\Chqogq32.exe
        
        C:\Windows\system32\Chqogq32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
      - C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Dfiildio.exe
        
        C:\Windows\system32\Dfiildio.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Dkfadkgf.exe
        
        C:\Windows\system32\Dkfadkgf.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Dbpjaeoc.exe
        
        C:\Windows\system32\Dbpjaeoc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Dkhnjk32.exe
        
        C:\Windows\system32\Dkhnjk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Deqcbpld.exe
        
        C:\Windows\system32\Deqcbpld.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Enkdaepb.exe
        
        C:\Windows\system32\Enkdaepb.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Ekaapi32.exe
        
        C:\Windows\system32\Ekaapi32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Enbjad32.exe
        
        C:\Windows\system32\Enbjad32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Fihnomjp.exe
        
        C:\Windows\system32\Fihnomjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Fpdcag32.exe
        
        C:\Windows\system32\Fpdcag32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Gflhoo32.exe
        
        C:\Windows\system32\Gflhoo32.exe
        23⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        24⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Hbjoeojc.exe
        
        C:\Windows\system32\Hbjoeojc.exe
        29⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        30⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Hfjdqmng.exe
        
        C:\Windows\system32\Hfjdqmng.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Imiehfao.exe
        
        C:\Windows\system32\Imiehfao.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        41⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\SysWOW64\Ipoheakj.exe
        
        C:\Windows\system32\Ipoheakj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        44⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Keimof32.exe
        
        C:\Windows\system32\Keimof32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Klfaapbl.exe
        
        C:\Windows\system32\Klfaapbl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        52⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Lcgpni32.exe
        
        C:\Windows\system32\Lcgpni32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Lnldla32.exe
        
        C:\Windows\system32\Lnldla32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Lcimdh32.exe
        
        C:\Windows\system32\Lcimdh32.exe
        55⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\Ljeafb32.exe
        
        C:\Windows\system32\Ljeafb32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Lobjni32.exe
        
        C:\Windows\system32\Lobjni32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        64⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Mfeeabda.exe
        
        C:\Windows\system32\Mfeeabda.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        68⤵
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\Nncccnol.exe
        
        C:\Windows\system32\Nncccnol.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4480
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        71⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        72⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2136
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        76⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        79⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        81⤵
        
        PID:680
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        83⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        86⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        90⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        92⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        93⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        94⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        95⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        97⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        103⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        104⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        109⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        112⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        114⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        115⤵
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        117⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        119⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        120⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        121⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 420
        122⤵
        Program crash
        
        PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5320 -ip 5320
1⤵
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
71KB

MD5
b987aa7c5a134d270f1b317358a2a6e7

SHA1
ae0d72ee152e39e1e8e227cf7a54f38bcb8da923

SHA256
16c81bbb6c2b826481d27ecb292b977cac39d09d446fbb56fa27e5d30d85e142

SHA512
4bf0ab8b9a9e61e849a2f66abbca8133a750c82fe3e93aafa6a46be628bd6d29afec92ca77aaed6c8edce2b6e94dca8258e3fca50430d0ae4c4792b1288a7a62

Download Submit
C:\Windows\SysWOW64\Cfpffeaj.exe

Filesize
71KB

MD5
b987aa7c5a134d270f1b317358a2a6e7

SHA1
ae0d72ee152e39e1e8e227cf7a54f38bcb8da923

SHA256
16c81bbb6c2b826481d27ecb292b977cac39d09d446fbb56fa27e5d30d85e142

SHA512
4bf0ab8b9a9e61e849a2f66abbca8133a750c82fe3e93aafa6a46be628bd6d29afec92ca77aaed6c8edce2b6e94dca8258e3fca50430d0ae4c4792b1288a7a62

Download Submit
C:\Windows\SysWOW64\Chqogq32.exe

Filesize
71KB

MD5
43d15fe3170061b8c3a882471a2fe3c3

SHA1
5eede42f8ea46d443b81ced02ac0723ed5b7b287

SHA256
98493ade8e016ba6d69f17e4c89d7f3105454b77a5367118b60c806fce8d6952

SHA512
de8c441d14e460646d57273b18c9e2c2d09a7324e354581d2182aed9e56f9d2927addea318bab00a54548ba983dceaaedff43e36e5032c51f6069ef07e915c6b

Download Submit
C:\Windows\SysWOW64\Chqogq32.exe

Filesize
71KB

MD5
43d15fe3170061b8c3a882471a2fe3c3

SHA1
5eede42f8ea46d443b81ced02ac0723ed5b7b287

SHA256
98493ade8e016ba6d69f17e4c89d7f3105454b77a5367118b60c806fce8d6952

SHA512
de8c441d14e460646d57273b18c9e2c2d09a7324e354581d2182aed9e56f9d2927addea318bab00a54548ba983dceaaedff43e36e5032c51f6069ef07e915c6b

Download Submit
C:\Windows\SysWOW64\Ckmonl32.exe

Filesize
71KB

MD5
969beeeb91c33133e20e12f8534cc16f

SHA1
675505e5af5d60434ecc684c19946539324d58a8

SHA256
daacf44034cb0f78949a22e0eb99341c3475d0c1229767d2bf9a8e4fdd248cb0

SHA512
f067a5c4697f95aee6896f08e2cba3430c68852d7b48832867c3595585b9ad809c6342b61b22f66fc96cc21a60f5049b7a81c868ee7c8dd29ce1c57338942e56

Download Submit
C:\Windows\SysWOW64\Ckmonl32.exe

Filesize
71KB

MD5
969beeeb91c33133e20e12f8534cc16f

SHA1
675505e5af5d60434ecc684c19946539324d58a8

SHA256
daacf44034cb0f78949a22e0eb99341c3475d0c1229767d2bf9a8e4fdd248cb0

SHA512
f067a5c4697f95aee6896f08e2cba3430c68852d7b48832867c3595585b9ad809c6342b61b22f66fc96cc21a60f5049b7a81c868ee7c8dd29ce1c57338942e56

Download Submit
C:\Windows\SysWOW64\Clgbmp32.exe

Filesize
71KB

MD5
96c6ddf752b513c85485eb622ea01036

SHA1
bb3a634bd33fb55bc77f8f98cb08d41ac4c02ab9

SHA256
2fad5ff8771dd0fd41daa1138b18f593e9210cb8345dcd096cb562fa8cd3f8ea

SHA512
7502f2ac44ceae3bbd9256713ec063b00afafb23f9cd1b73c7c5d09d77299127a914b1e552cb7c971b542d48d60e666fb9c3c6a8e512adf9a5ac730940826032

Download Submit
C:\Windows\SysWOW64\Clgbmp32.exe

Filesize
71KB

MD5
96c6ddf752b513c85485eb622ea01036

SHA1
bb3a634bd33fb55bc77f8f98cb08d41ac4c02ab9

SHA256
2fad5ff8771dd0fd41daa1138b18f593e9210cb8345dcd096cb562fa8cd3f8ea

SHA512
7502f2ac44ceae3bbd9256713ec063b00afafb23f9cd1b73c7c5d09d77299127a914b1e552cb7c971b542d48d60e666fb9c3c6a8e512adf9a5ac730940826032

Download Submit
C:\Windows\SysWOW64\Dbicpfdk.exe

Filesize
71KB

MD5
7ac053074a9dc6a80d7260a4bfde74a0

SHA1
3e44d8bcf3eec4edf2dbde63c51dcc71c34139b1

SHA256
30422c69afb241b64ca97b59d7d4c9a8bb553a2438a9da7a74ed7dbafce356f1

SHA512
7c8a2d1d526d2ac07eaddd48727ccf0d6306b7e4bca441b823da7bee2ccdd6adae66a6f4984e49b62478b34d2acf87ca7172d6578a01c0cebfdf422871ab2420

Download Submit
C:\Windows\SysWOW64\Dbicpfdk.exe

Filesize
71KB

MD5
7ac053074a9dc6a80d7260a4bfde74a0

SHA1
3e44d8bcf3eec4edf2dbde63c51dcc71c34139b1

SHA256
30422c69afb241b64ca97b59d7d4c9a8bb553a2438a9da7a74ed7dbafce356f1

SHA512
7c8a2d1d526d2ac07eaddd48727ccf0d6306b7e4bca441b823da7bee2ccdd6adae66a6f4984e49b62478b34d2acf87ca7172d6578a01c0cebfdf422871ab2420

Download Submit
C:\Windows\SysWOW64\Dbpjaeoc.exe

Filesize
71KB

MD5
f6af1df8bea7a61f54d9b0989b0574eb

SHA1
3313c464901cf4fa2e7e5f521e0d9d6a0b485b38

SHA256
8e5e5ea02bf9af1bd00727f8f2c72a4191eb0904d54e46a87e1e2e26957328d8

SHA512
5fafdd3dae0ba852610a8fd9a3804ae3d50a5f3f62c940bd91263f421f27947b958cc08595c7670e481a51725037d4b0b268f24d41aaee257cd6134fe88136c0

Download Submit
C:\Windows\SysWOW64\Dbpjaeoc.exe

Filesize
71KB

MD5
f6af1df8bea7a61f54d9b0989b0574eb

SHA1
3313c464901cf4fa2e7e5f521e0d9d6a0b485b38

SHA256
8e5e5ea02bf9af1bd00727f8f2c72a4191eb0904d54e46a87e1e2e26957328d8

SHA512
5fafdd3dae0ba852610a8fd9a3804ae3d50a5f3f62c940bd91263f421f27947b958cc08595c7670e481a51725037d4b0b268f24d41aaee257cd6134fe88136c0

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
71KB

MD5
fefa9b4251e09053fd8f7cfcae9c1af2

SHA1
dece5317e1eeda8206a84be868343554647e3be4

SHA256
a7384c6d11791724c6a443c9c5a70248f7069c839df3c86ecc40b7051cc5f3f9

SHA512
e5ad73c7e6adbee332e827147ef417b69e2e9ed0156bd73210ddf3b88328a848d14e3176e562985fe4d96db8e31f7746e5face8fa03cc22e51b8018adb0056dd

Download Submit
C:\Windows\SysWOW64\Deqcbpld.exe

Filesize
71KB

MD5
fefa9b4251e09053fd8f7cfcae9c1af2

SHA1
dece5317e1eeda8206a84be868343554647e3be4

SHA256
a7384c6d11791724c6a443c9c5a70248f7069c839df3c86ecc40b7051cc5f3f9

SHA512
e5ad73c7e6adbee332e827147ef417b69e2e9ed0156bd73210ddf3b88328a848d14e3176e562985fe4d96db8e31f7746e5face8fa03cc22e51b8018adb0056dd

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
71KB

MD5
37fece7afd1a214e29eb959fd9e70c13

SHA1
53d0f435f1f9108cd21e673fb97950ecf58985a5

SHA256
5bf837f47c82d82d99045f083d35297fd43512936f56589d877e0bff1532bc2d

SHA512
e22dabb8f32af29d38c95ab97e9e31d3f41eb76f89cd2a1ed514c95e4faba52563d9bf625053e41d81506996f638ec335c60f506272f157b4c8ddf4765b6d988

Download Submit
C:\Windows\SysWOW64\Dfiildio.exe

Filesize
71KB

MD5
37fece7afd1a214e29eb959fd9e70c13

SHA1
53d0f435f1f9108cd21e673fb97950ecf58985a5

SHA256
5bf837f47c82d82d99045f083d35297fd43512936f56589d877e0bff1532bc2d

SHA512
e22dabb8f32af29d38c95ab97e9e31d3f41eb76f89cd2a1ed514c95e4faba52563d9bf625053e41d81506996f638ec335c60f506272f157b4c8ddf4765b6d988

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
71KB

MD5
47d247d28a5e591ccf0065754e97768b

SHA1
306730913d27cbb74011d1e8850bf1d09a4805f0

SHA256
38d460e11c2d9816992126591cd036aba03c008a75212c9ca1762bc8bb44debd

SHA512
ac8ffa35d151f7f5257ccb017191383eae4837470c8b98d952db6dcfa08bf9158fee5d8d888811f87780aac887ba72fb308088b67d0c5d61080c23fa2327100f

Download Submit
C:\Windows\SysWOW64\Dheibpje.exe

Filesize
71KB

MD5
47d247d28a5e591ccf0065754e97768b

SHA1
306730913d27cbb74011d1e8850bf1d09a4805f0

SHA256
38d460e11c2d9816992126591cd036aba03c008a75212c9ca1762bc8bb44debd

SHA512
ac8ffa35d151f7f5257ccb017191383eae4837470c8b98d952db6dcfa08bf9158fee5d8d888811f87780aac887ba72fb308088b67d0c5d61080c23fa2327100f

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
71KB

MD5
264bb4912b959310dc2704dfdaf16569

SHA1
18e6d8df2e27dcdbac324ebbec75a2ae90630c18

SHA256
98f00e5363c078dc1bc7df7cbb8aca874b8b89b75136b9bdab24f8956c76887a

SHA512
2e75ae4adf9b74961163180b15f5d4564ee33ddcb8b3f5bd6b6d553bc283811f7b12dd3fd1f7cd2af843937a364681bf7717d91b507794d83c06cd06025d5156

Download Submit
C:\Windows\SysWOW64\Dkfadkgf.exe

Filesize
71KB

MD5
264bb4912b959310dc2704dfdaf16569

SHA1
18e6d8df2e27dcdbac324ebbec75a2ae90630c18

SHA256
98f00e5363c078dc1bc7df7cbb8aca874b8b89b75136b9bdab24f8956c76887a

SHA512
2e75ae4adf9b74961163180b15f5d4564ee33ddcb8b3f5bd6b6d553bc283811f7b12dd3fd1f7cd2af843937a364681bf7717d91b507794d83c06cd06025d5156

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
71KB

MD5
34749cad8c90e8db2c2b01d6bd22fb9b

SHA1
a34c755825367a7a2592165673deeb0737e3397b

SHA256
f69ca93efeb2250093a85b6ec58b66e8a4114a48ec459c8184f873541595a621

SHA512
89903aa7de87b5c6feb1b5946c2f13923e450cac4d2e141ee6d7d6334264e274e296d1bf9d0c1d639e93aec13518eb433a27ad4ea3536a3aab04953bb787c311

Download Submit
C:\Windows\SysWOW64\Dkhnjk32.exe

Filesize
71KB

MD5
34749cad8c90e8db2c2b01d6bd22fb9b

SHA1
a34c755825367a7a2592165673deeb0737e3397b

SHA256
f69ca93efeb2250093a85b6ec58b66e8a4114a48ec459c8184f873541595a621

SHA512
89903aa7de87b5c6feb1b5946c2f13923e450cac4d2e141ee6d7d6334264e274e296d1bf9d0c1d639e93aec13518eb433a27ad4ea3536a3aab04953bb787c311

Download Submit
C:\Windows\SysWOW64\Dnpdegjp.exe

Filesize
71KB

MD5
80f87093577301aad8c28bde09241eed

SHA1
8aa80f8addce4e1932542a0033c8461f32e0f0f5

SHA256
d86ca89eb8ecb03403e41d9ed082fab4f26a1fb9455a9d2d73b05d45aa080408

SHA512
6aeb98f4cf108999558b81c313fecef92e934cf6694301c1f35f512724bcb967565602a03a6896913166fd593e0f406d84db96db4bbd3994a4a211916610983c

Download Submit
C:\Windows\SysWOW64\Dnpdegjp.exe

Filesize
71KB

MD5
80f87093577301aad8c28bde09241eed

SHA1
8aa80f8addce4e1932542a0033c8461f32e0f0f5

SHA256
d86ca89eb8ecb03403e41d9ed082fab4f26a1fb9455a9d2d73b05d45aa080408

SHA512
6aeb98f4cf108999558b81c313fecef92e934cf6694301c1f35f512724bcb967565602a03a6896913166fd593e0f406d84db96db4bbd3994a4a211916610983c

Download Submit
C:\Windows\SysWOW64\Dnpdegjp.exe

Filesize
71KB

MD5
80f87093577301aad8c28bde09241eed

SHA1
8aa80f8addce4e1932542a0033c8461f32e0f0f5

SHA256
d86ca89eb8ecb03403e41d9ed082fab4f26a1fb9455a9d2d73b05d45aa080408

SHA512
6aeb98f4cf108999558b81c313fecef92e934cf6694301c1f35f512724bcb967565602a03a6896913166fd593e0f406d84db96db4bbd3994a4a211916610983c

Download Submit
C:\Windows\SysWOW64\Eblimcdf.exe

Filesize
71KB

MD5
2ee731412ad5334b30221b9014cf3942

SHA1
df9254dd6e579cec39b910216ef32e6d5de0e19c

SHA256
e37e9eb895009b9cd67e1714e75b5b00eedcd261bdc764802060b05af0e68043

SHA512
036d468f332c5b19e369111ee03f278e362bdc284c4a3fe02c524eb0e53de94a5a217457f8620cccffac584fc589b5c9ce3cc9c0b3e3d551814a70dd23da996c

Download Submit
C:\Windows\SysWOW64\Eblimcdf.exe

Filesize
71KB

MD5
2ee731412ad5334b30221b9014cf3942

SHA1
df9254dd6e579cec39b910216ef32e6d5de0e19c

SHA256
e37e9eb895009b9cd67e1714e75b5b00eedcd261bdc764802060b05af0e68043

SHA512
036d468f332c5b19e369111ee03f278e362bdc284c4a3fe02c524eb0e53de94a5a217457f8620cccffac584fc589b5c9ce3cc9c0b3e3d551814a70dd23da996c

Download Submit
C:\Windows\SysWOW64\Ekaapi32.exe

Filesize
71KB

MD5
cfe21d53eecbaa8e270616750c091beb

SHA1
f1ef5fda62354c9e82c3655e2adc9f2783cea753

SHA256
0413e8fac38501af86fbe007a3f6433660b977f7cfbacd2aa217f9f2d360dfd8

SHA512
3e59095ea7691e2fe71d126f23bdbaf38b0757713bd41ece44281625adca65437ddc405b7ad1942f6584941c51aa34b91b51c5276f9537b6621c7cdb8ba437bd

Download Submit
C:\Windows\SysWOW64\Ekaapi32.exe

Filesize
71KB

MD5
cfe21d53eecbaa8e270616750c091beb

SHA1
f1ef5fda62354c9e82c3655e2adc9f2783cea753

SHA256
0413e8fac38501af86fbe007a3f6433660b977f7cfbacd2aa217f9f2d360dfd8

SHA512
3e59095ea7691e2fe71d126f23bdbaf38b0757713bd41ece44281625adca65437ddc405b7ad1942f6584941c51aa34b91b51c5276f9537b6621c7cdb8ba437bd

Download Submit
C:\Windows\SysWOW64\Ekodjiol.exe

Filesize
71KB

MD5
40d685c4c3390c87f563997c3b1fcf3b

SHA1
ebbf481ba972b7924f3564e78387bb054d944ce4

SHA256
9dd572ca43c05f0b64a1ea1a8744a294f8c08b76d0c688f795fa0f4c9d031170

SHA512
6fef039066dbf65d4a4acfff6b4dec7364fb231817349ac16de195efb9d25ea36c9ca6decd7d0887cde53bfd6319346fda9fd4565424836665c8ab588d4c439f

Download Submit
C:\Windows\SysWOW64\Ekodjiol.exe

Filesize
71KB

MD5
40d685c4c3390c87f563997c3b1fcf3b

SHA1
ebbf481ba972b7924f3564e78387bb054d944ce4

SHA256
9dd572ca43c05f0b64a1ea1a8744a294f8c08b76d0c688f795fa0f4c9d031170

SHA512
6fef039066dbf65d4a4acfff6b4dec7364fb231817349ac16de195efb9d25ea36c9ca6decd7d0887cde53bfd6319346fda9fd4565424836665c8ab588d4c439f

Download Submit
C:\Windows\SysWOW64\Enbjad32.exe

Filesize
71KB

MD5
eb824ac281f356ca1a1e25c4e37d18f6

SHA1
7fccb7295c30ce61de7776b5e0d6f1eabb5faf83

SHA256
22c676861641da0ef514a4771959c5620ff84e480f48737a8d31925d354f685b

SHA512
37c89c533e733246a31c2e6b3e44c30ee9474246012d7a1f606fbd8aee6947494bd51cec376665f83742f8be0059539d79ac92ff4ccecf58edd9994437a50b9d

Download Submit
C:\Windows\SysWOW64\Enbjad32.exe

Filesize
71KB

MD5
eb824ac281f356ca1a1e25c4e37d18f6

SHA1
7fccb7295c30ce61de7776b5e0d6f1eabb5faf83

SHA256
22c676861641da0ef514a4771959c5620ff84e480f48737a8d31925d354f685b

SHA512
37c89c533e733246a31c2e6b3e44c30ee9474246012d7a1f606fbd8aee6947494bd51cec376665f83742f8be0059539d79ac92ff4ccecf58edd9994437a50b9d

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
71KB

MD5
cbe1e88d905fcdf4c0b227efb3ffaec9

SHA1
222866d9c2638c997307e0124d61ac89f94f35f9

SHA256
b06cd582f03626d2415392ee00d98915fbc1f055eb6ff0c3a3c40e7f6c992e33

SHA512
cf6e469248bdf311133d39956489d407d642af710d739cc11de7913b3e7818114ef3be1049dba6e41a87ceeca9b9821ec0dded9dae7f056112aadd88f08cf691

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
71KB

MD5
cbe1e88d905fcdf4c0b227efb3ffaec9

SHA1
222866d9c2638c997307e0124d61ac89f94f35f9

SHA256
b06cd582f03626d2415392ee00d98915fbc1f055eb6ff0c3a3c40e7f6c992e33

SHA512
cf6e469248bdf311133d39956489d407d642af710d739cc11de7913b3e7818114ef3be1049dba6e41a87ceeca9b9821ec0dded9dae7f056112aadd88f08cf691

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
71KB

MD5
7eee58a436b3dcc76e0699da70f6b953

SHA1
4aa71504124946482a01825a197892c23003ae1d

SHA256
510d8876f90d320c55d2843c2bc45fecef9a0bc746d908c0cc7b715564ad5895

SHA512
9a192ad6614e917b737b94b0cf901aaaff365f931a0ab5869937752fa8f352f44e44b89ee82c16cdd83e39831b1e54e1e47a0e71d6ea77980eb7fbf2282b2723

Download Submit
C:\Windows\SysWOW64\Enkdaepb.exe

Filesize
71KB

MD5
7eee58a436b3dcc76e0699da70f6b953

SHA1
4aa71504124946482a01825a197892c23003ae1d

SHA256
510d8876f90d320c55d2843c2bc45fecef9a0bc746d908c0cc7b715564ad5895

SHA512
9a192ad6614e917b737b94b0cf901aaaff365f931a0ab5869937752fa8f352f44e44b89ee82c16cdd83e39831b1e54e1e47a0e71d6ea77980eb7fbf2282b2723

Download Submit
C:\Windows\SysWOW64\Fihnomjp.exe

Filesize
71KB

MD5
a223a73866e068cedcc0c4e8f14b4906

SHA1
fa787679de3994edd7107249acb330e733dc6b20

SHA256
0294b4f2ae6a31ffd4c0b4c23a495fe0e58a7da3455983c872ae6a03545fd79c

SHA512
90cebbc61729569d470a93fe581e6f1115b3962a45c8335be42a8306089bf213793770aa60178866818002d6285795ba2c5d4b40f75fe5c3792cc89589c450cc

Download Submit
C:\Windows\SysWOW64\Fihnomjp.exe

Filesize
71KB

MD5
a223a73866e068cedcc0c4e8f14b4906

SHA1
fa787679de3994edd7107249acb330e733dc6b20

SHA256
0294b4f2ae6a31ffd4c0b4c23a495fe0e58a7da3455983c872ae6a03545fd79c

SHA512
90cebbc61729569d470a93fe581e6f1115b3962a45c8335be42a8306089bf213793770aa60178866818002d6285795ba2c5d4b40f75fe5c3792cc89589c450cc

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
71KB

MD5
61b84f842efbbac931c066822dd05199

SHA1
cce975934a5ddb7f907ab69b5aedcf8b583c8af5

SHA256
e0019011ce51bc2b78eb599fb54ad2142e40beef02f3325aa788f9b45f4ab21f

SHA512
10a1e394ab9a74c2d9712770b3c05fe0148824bf68503c8534b23f8e139519a6209bcafe6fdb77d798c82f2495dc76f3257a26f4220842869a40ac87cb657e62

Download Submit
C:\Windows\SysWOW64\Fpdcag32.exe

Filesize
71KB

MD5
61b84f842efbbac931c066822dd05199

SHA1
cce975934a5ddb7f907ab69b5aedcf8b583c8af5

SHA256
e0019011ce51bc2b78eb599fb54ad2142e40beef02f3325aa788f9b45f4ab21f

SHA512
10a1e394ab9a74c2d9712770b3c05fe0148824bf68503c8534b23f8e139519a6209bcafe6fdb77d798c82f2495dc76f3257a26f4220842869a40ac87cb657e62

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
71KB

MD5
d3dae885450575b084dd429319e072ec

SHA1
5f1f9c663db3d69e761126930c39d0c73273826b

SHA256
ff340a3cee4ed31027349ee0690551ec6dc9b7c57880f0b87c5d81364d75f1dc

SHA512
076809b7de6f7f2a169f5ba52e0be476585b9c9ebfeeb077d1daa70548877b4f5d023b5a5fb2da2620639de943150f6cc6e192f1a8d6fb7963eff2a681440839

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
71KB

MD5
d3dae885450575b084dd429319e072ec

SHA1
5f1f9c663db3d69e761126930c39d0c73273826b

SHA256
ff340a3cee4ed31027349ee0690551ec6dc9b7c57880f0b87c5d81364d75f1dc

SHA512
076809b7de6f7f2a169f5ba52e0be476585b9c9ebfeeb077d1daa70548877b4f5d023b5a5fb2da2620639de943150f6cc6e192f1a8d6fb7963eff2a681440839

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
71KB

MD5
89627321cf0589cb4bb41e97bd5b628e

SHA1
50b7d6b5175801150c0243329b0670772a16c261

SHA256
8c675bab88d53321625678684a5a728b123f03793ea25285a447078315628aed

SHA512
e21f9ae9da73866ae7246292f019a1378d58c1a38200ed32bf354b0530a4fe15d0e871cdf964236c14287c1ab1f4967f7ad630f045c0f673f5b4e1ae5243cae8

Download Submit
C:\Windows\SysWOW64\Gflhoo32.exe

Filesize
71KB

MD5
89627321cf0589cb4bb41e97bd5b628e

SHA1
50b7d6b5175801150c0243329b0670772a16c261

SHA256
8c675bab88d53321625678684a5a728b123f03793ea25285a447078315628aed

SHA512
e21f9ae9da73866ae7246292f019a1378d58c1a38200ed32bf354b0530a4fe15d0e871cdf964236c14287c1ab1f4967f7ad630f045c0f673f5b4e1ae5243cae8

Download Submit
C:\Windows\SysWOW64\Goglcahb.exe

Filesize
71KB

MD5
a979a9bb6543acf0044d1d8fa0b1fa70

SHA1
740e7aa2c5f2f479a4b278e2313cb4287e190516

SHA256
d80d08d246c6b5b0ca5727489bc3293284d0340b0b708383efff53f758ff0160

SHA512
40ca1c2288e9f9099431317faf01c4a3d7563876b43a496ca72ea4cf3d478fbc1a2b86bf4e763461b01ae08880f9d5bb55565a43307b539a751decb56d94e451

Download Submit
C:\Windows\SysWOW64\Goglcahb.exe

Filesize
71KB

MD5
a979a9bb6543acf0044d1d8fa0b1fa70

SHA1
740e7aa2c5f2f479a4b278e2313cb4287e190516

SHA256
d80d08d246c6b5b0ca5727489bc3293284d0340b0b708383efff53f758ff0160

SHA512
40ca1c2288e9f9099431317faf01c4a3d7563876b43a496ca72ea4cf3d478fbc1a2b86bf4e763461b01ae08880f9d5bb55565a43307b539a751decb56d94e451

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
71KB

MD5
d24e1c76b6c3ba5c6debce09882a0fd5

SHA1
02ae5c93b6b78bc4a4dac3a206cfe2766ef92bb9

SHA256
25ae46fb8828027ebf94579bafba5dcea557c16efc4499b207720d87c9774e0f

SHA512
c5c8db4cc2ddf6ad8dca705540ec7d07e8362ab8f936322ab25dbabf76105044e45b124cc833b8ef644d7a0ecd1c7432a789510f67c03d89f41367229fa75299

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
71KB

MD5
d24e1c76b6c3ba5c6debce09882a0fd5

SHA1
02ae5c93b6b78bc4a4dac3a206cfe2766ef92bb9

SHA256
25ae46fb8828027ebf94579bafba5dcea557c16efc4499b207720d87c9774e0f

SHA512
c5c8db4cc2ddf6ad8dca705540ec7d07e8362ab8f936322ab25dbabf76105044e45b124cc833b8ef644d7a0ecd1c7432a789510f67c03d89f41367229fa75299

Download Submit
C:\Windows\SysWOW64\Hbjoeojc.exe

Filesize
71KB

MD5
ba0086fbc648bdc7a2ba91929c3e2b7a

SHA1
2d4ab766d6a1b24bd73abdaae7a164ae9c4e6b2b

SHA256
2807c600266626940c342ba53bc1bb0ff89833b2f32d26bd275589ab3db9ff2b

SHA512
8321a2fce988c55b1d4a639fab8622c87e6f50b1217ffb2591c1723358bae1de8fa6c03f9139eedc9484125377e69a4134fa27379ee65afa0c56409e94b360a1

Download Submit
C:\Windows\SysWOW64\Hbjoeojc.exe

Filesize
71KB

MD5
ba0086fbc648bdc7a2ba91929c3e2b7a

SHA1
2d4ab766d6a1b24bd73abdaae7a164ae9c4e6b2b

SHA256
2807c600266626940c342ba53bc1bb0ff89833b2f32d26bd275589ab3db9ff2b

SHA512
8321a2fce988c55b1d4a639fab8622c87e6f50b1217ffb2591c1723358bae1de8fa6c03f9139eedc9484125377e69a4134fa27379ee65afa0c56409e94b360a1

Download Submit
C:\Windows\SysWOW64\Hedafk32.exe

Filesize
71KB

MD5
1bf652324fa510d8cc71f2c908b7d127

SHA1
57c33b8997cdc9bd851e7b48200a74f868c052cb

SHA256
cf137322c0bcfa2268d63a21b2e4756864f56488341cca0478d4e149702a18a2

SHA512
e7f968d3853266ace97cde08a02ac23e1e5287d589a8aeccea6eb2d1404576d892f18ec5fd490d1fc8a13c83dd10c55a4069b35f486a61f9ab76207ab1e65f75

Download Submit
C:\Windows\SysWOW64\Hedafk32.exe

Filesize
71KB

MD5
1bf652324fa510d8cc71f2c908b7d127

SHA1
57c33b8997cdc9bd851e7b48200a74f868c052cb

SHA256
cf137322c0bcfa2268d63a21b2e4756864f56488341cca0478d4e149702a18a2

SHA512
e7f968d3853266ace97cde08a02ac23e1e5287d589a8aeccea6eb2d1404576d892f18ec5fd490d1fc8a13c83dd10c55a4069b35f486a61f9ab76207ab1e65f75

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
71KB

MD5
f46a1942a6e744ff8b1e084dce8dc634

SHA1
e586db071011975bf8530eee60d6874e697371ed

SHA256
2092008c59797f0babd883b4c1d21cbf817651a5d21bd390d1856703d3d5e2a9

SHA512
e34dd2cac6d22555ee8e11bdf03a7bb8cfdb902677f25d2650ae2872957658471487005bfdb8c7eec3842847e35dc19379564fff60131aba3fde46954cb4d75d

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
71KB

MD5
f46a1942a6e744ff8b1e084dce8dc634

SHA1
e586db071011975bf8530eee60d6874e697371ed

SHA256
2092008c59797f0babd883b4c1d21cbf817651a5d21bd390d1856703d3d5e2a9

SHA512
e34dd2cac6d22555ee8e11bdf03a7bb8cfdb902677f25d2650ae2872957658471487005bfdb8c7eec3842847e35dc19379564fff60131aba3fde46954cb4d75d

Download Submit
C:\Windows\SysWOW64\Hfjdqmng.exe

Filesize
71KB

MD5
1a0647f1188ba57a4505827731c96a47

SHA1
8c1d73b66ed5310c98d4e7dd6ff025f2e521b76a

SHA256
3f4cfe1043301bde3efdac7d8dc34341fb4f96a0979755ade4f50e3c14b9b782

SHA512
b78a5826ea823ea30e63ddea3fa2b4eeedce640cecdb1e380b8559e874ca6f27df194d3fcf676f25e9c77ce0c62042c8be8ce3d2bbb5629a1f4bf76554823e4b

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
71KB

MD5
ec67f7a9a097f3c62c02e86d3f60455c

SHA1
d44c59a90940929cde5967ababa753a6b56885ce

SHA256
baf99ce6d31f1adcb15698cefadb97fe541cce83c7e2c8e723dc112d0f23f87c

SHA512
ef42a4c5c1dbf6ab6954cfbaded440f698a8d9c13a73523272445ad3743fe308a845cceddbec1dbaa03bb5bc1b5f43f35f396a49b6ef2a1fa7ce0a98a31acad6

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
71KB

MD5
ec67f7a9a097f3c62c02e86d3f60455c

SHA1
d44c59a90940929cde5967ababa753a6b56885ce

SHA256
baf99ce6d31f1adcb15698cefadb97fe541cce83c7e2c8e723dc112d0f23f87c

SHA512
ef42a4c5c1dbf6ab6954cfbaded440f698a8d9c13a73523272445ad3743fe308a845cceddbec1dbaa03bb5bc1b5f43f35f396a49b6ef2a1fa7ce0a98a31acad6

Download Submit
C:\Windows\SysWOW64\Hmmfmhll.exe

Filesize
71KB

MD5
e52480d4f83f2e5e51b3a20f34722e07

SHA1
8d70fd104db41e8649c454a8f5d8e1f81d181c57

SHA256
47d1e4ce6c8fa1f1758e8162883c11440a9c285ddc3fc37471da710bd0550ed0

SHA512
e6d0b627fcb21cf758b7396966db9a6e3a789c951b5121fdde13fb467ba87340f5d07d35a145c658c9baf651f4d9e014397deee8d84257f0a2bd9d40ab989257

Download Submit
C:\Windows\SysWOW64\Hmmfmhll.exe

Filesize
71KB

MD5
e52480d4f83f2e5e51b3a20f34722e07

SHA1
8d70fd104db41e8649c454a8f5d8e1f81d181c57

SHA256
47d1e4ce6c8fa1f1758e8162883c11440a9c285ddc3fc37471da710bd0550ed0

SHA512
e6d0b627fcb21cf758b7396966db9a6e3a789c951b5121fdde13fb467ba87340f5d07d35a145c658c9baf651f4d9e014397deee8d84257f0a2bd9d40ab989257

Download Submit
C:\Windows\SysWOW64\Hpqldc32.exe

Filesize
71KB

MD5
48b8204ed3f332efcc0569f87b50e9a4

SHA1
9ed33f2e11c94c0c62a94b5fc52e271f083141c2

SHA256
3537d82cfa24665204240a7077dd4a5ba3f8eea0d9b8cd660c6538be13ae1852

SHA512
db14e3cf8695b099cbe7d4f94cc306f1266009e454217cba903534a303a077bbbef2cd085d66d54b2e57c168c0727b233eeec3a5a31c527f40a6943b8c5ac1a3

Download Submit
C:\Windows\SysWOW64\Hpqldc32.exe

Filesize
71KB

MD5
48b8204ed3f332efcc0569f87b50e9a4

SHA1
9ed33f2e11c94c0c62a94b5fc52e271f083141c2

SHA256
3537d82cfa24665204240a7077dd4a5ba3f8eea0d9b8cd660c6538be13ae1852

SHA512
db14e3cf8695b099cbe7d4f94cc306f1266009e454217cba903534a303a077bbbef2cd085d66d54b2e57c168c0727b233eeec3a5a31c527f40a6943b8c5ac1a3

Download Submit
C:\Windows\SysWOW64\Iepaaico.exe

Filesize
71KB

MD5
21d69a8c924114087d2fc7482bcd4d59

SHA1
96e72b1fd29d55972056f55ee68797cf6c7aa8f8

SHA256
3e35e58e34796e9da8699d5d42baa8984e47c4bbf37eb1b16fa67256210829ea

SHA512
351ade37ac351e40e892cd40116a5ab8809b2f7ca74a4990cd908b1c9d12da7d4ef64bd0d5c1d4470a30ca3ec280e81579e65fc00d4b3ee518f09a84f7317aec

Download Submit
C:\Windows\SysWOW64\Iepaaico.exe

Filesize
71KB

MD5
21d69a8c924114087d2fc7482bcd4d59

SHA1
96e72b1fd29d55972056f55ee68797cf6c7aa8f8

SHA256
3e35e58e34796e9da8699d5d42baa8984e47c4bbf37eb1b16fa67256210829ea

SHA512
351ade37ac351e40e892cd40116a5ab8809b2f7ca74a4990cd908b1c9d12da7d4ef64bd0d5c1d4470a30ca3ec280e81579e65fc00d4b3ee518f09a84f7317aec

Download Submit
C:\Windows\SysWOW64\Ipeeobbe.exe

Filesize
71KB

MD5
e773f17b61f484ac9dbd19737a781ed2

SHA1
cf94e7d7adc600f384c26565c39acdf583067d59

SHA256
053cb7502650228318fedc45f8cd78181b835a029c802cdeb94866c5283a0e06

SHA512
18515331b6bfc33dd4551ba5810ee1fa0a737a3a8642c1b91367af817b27bfc6640f7b8de8b5261ec315a7b0775a440de279fe2773dc4498285199affd19ab4c

Download Submit
C:\Windows\SysWOW64\Klfaapbl.exe

Filesize
71KB

MD5
e75af5a55aa108612990815db157a5fd

SHA1
30b9592eeea9d08da90035fa87f4e2fbb17b5a0a

SHA256
87540f8f446f323d8195b3f3f8a6633b9e1b15e34b75ad72e89e85540cc14313

SHA512
5fa0d78de5e2e3c73715de13204526a889c6ff4f1fcb9852d30e0cac285c6bdfeefb168d43087cd297c58c51cc6b4375f1c5e6c10248f2de1c131927710787a0

Download Submit
C:\Windows\SysWOW64\Lcgpni32.exe

Filesize
71KB

MD5
90d99878720537ed045e75e4ed256de4

SHA1
7fe318d43c969ee31ffe7e3ae62e84ea0e41e681

SHA256
33f852613be586d563df321bca548d98dbbf9f113852ceec5bb484f4bfc8c84d

SHA512
2ad2d37a5ed16a750281feaf778b896d648551800e6407e3898bce9c90b9e534bed138272e9dea5a65f8a13937b65fff43efad1e269b034d9a76dcd0fddcb657

Download Submit
C:\Windows\SysWOW64\Nohffe32.dll

Filesize
7KB

MD5
305518fea2fc5483eb7b82ffa37e18a0

SHA1
5e4f2e1b5be1925094f44c6f1445d41c8b78f583

SHA256
4de251b71044aba1c0e08c74cdc971c62e24ce023e60e1a8d3b7d632b88a27c3

SHA512
2775d40dab607031c3d48e207ba543731620f0fb2a4bf9577a4bd6db16ca576c432203e72125ddee3cfe497d2b303630c64e303b5bb84fccfa088d139a5b2aac

Download Submit
memory/736-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/772-389-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/804-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1104-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1192-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1480-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1496-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1532-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1552-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1616-383-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1632-263-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1648-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1700-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1776-353-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1804-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1840-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2044-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2240-401-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-335-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2312-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-311-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2580-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2748-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2788-329-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-183-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2944-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3052-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3348-359-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3436-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3444-297-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3452-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3460-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3544-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3600-255-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3736-365-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3884-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3972-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4012-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4024-148-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4064-305-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4104-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-437-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4172-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4252-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4288-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4360-431-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4440-395-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4544-371-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4568-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4592-419-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4672-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4760-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4768-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4784-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4792-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4912-425-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-275-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5000-347-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5024-317-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5028-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5084-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads