ec2eaa97ef82927fb745332de9d71e57ea4ea467725d0483fb7fb7716c0aa37a

Analysis

max time kernel
137s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7cbc88252f8d1700c0940d64a376a414.exe
Size

272KB
MD5

7cbc88252f8d1700c0940d64a376a414
SHA1

a8057612092e1dc20832784371db927aa7989374
SHA256

ec2eaa97ef82927fb745332de9d71e57ea4ea467725d0483fb7fb7716c0aa37a
SHA512

8a2d008306a88b28c04a82a32224a1899430715799109083f688fb14414c05fd7094392a4bd30cef52700c2a9d3ff6c2f9e6d1cc288436a34df810d45e4347ef
SSDEEP

6144:O3J6U48hViZukD6xjC6ZgsOK4AHXwpnxGvN98gZ+/+:O3IU4oqex+6ZxyhY97n

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fganqbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmhdmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlolpq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coadnlnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpbflg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmfkhmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmpmnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eghkjdoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbbicl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gngeik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhaggp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqkqhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfagighf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gehbjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogcnmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clgbmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiodpl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmmqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Halhfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loacdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggmmlamj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oophlo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjnnbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjgfb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmhdmea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihmfco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apodoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdnhih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnqfcbnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnlodjpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haodle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiahnnph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpbflg32.exe

Executes dropped EXE 64 IoCs

pid	Process
464	Coadnlnb.exe
1736	Cleegp32.exe
1516	Cbbnpg32.exe
3108	Clgbmp32.exe
3892	Cljobphg.exe
3044	Cbfgkffn.exe
4776	Dkokcl32.exe
2148	Dmohno32.exe
2880	Dkceokii.exe
4664	Dmcain32.exe
3908	Dflfac32.exe
2508	Dngjff32.exe
4932	Emhkdmlg.exe
4884	Efpomccg.exe
1672	Eiahnnph.exe
3800	Eehicoel.exe
2532	Eblimcdf.exe
3488	Efjbcakl.exe
5000	Fpbflg32.exe
3952	Fbbpmb32.exe
548	Flkdfh32.exe
1712	Fiodpl32.exe
2216	Flpmagqi.exe
4308	Gehbjm32.exe
4064	Gnqfcbnj.exe
2960	Gmafajfi.exe
808	Gppcmeem.exe
1808	Gihgfk32.exe
2276	Glipgf32.exe
4364	Hfcnpn32.exe
4144	Jedccfqg.exe
4284	Jlolpq32.exe
4108	Kpmdfonj.exe
1768	Kgflcifg.exe
3040	Knqepc32.exe
1876	Kflide32.exe
5004	Kcpjnjii.exe
4416	Knenkbio.exe
1480	Kofkbk32.exe
4276	Lljklo32.exe
1512	Lcdciiec.exe
2040	Lnjgfb32.exe
3856	Lgbloglj.exe
1104	Lqkqhm32.exe
3544	Lgdidgjg.exe
3440	Lopmii32.exe
1472	Lfjfecno.exe
3200	Lcnfohmi.exe
3556	Ljhnlb32.exe
5080	Mmfkhmdi.exe
1276	Mgloefco.exe
3028	Mqdcnl32.exe
624	Mfqlfb32.exe
224	Mqfpckhm.exe
4880	Mgphpe32.exe
3508	Mmmqhl32.exe
3100	Mcgiefen.exe
3352	Mmpmnl32.exe
2844	Mgeakekd.exe
2676	Nqmfdj32.exe
4504	Npbceggm.exe
3860	Nflkbanj.exe
2996	Npepkf32.exe
4536	Nnfpinmi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lqkqhm32.exe	Lgbloglj.exe
File opened for modification	C:\Windows\SysWOW64\Onmfimga.exe	Ogcnmc32.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	Caageq32.exe
File created	C:\Windows\SysWOW64\Oiikeffm.dll	Doojec32.exe
File created	C:\Windows\SysWOW64\Heeeiopa.dll	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Mkiongah.dll	Fbbicl32.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Pfojdh32.exe	Omfekbdh.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Cljobphg.exe	Clgbmp32.exe
File created	C:\Windows\SysWOW64\Nadleilm.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Fenpmnno.dll	Ogcnmc32.exe
File created	C:\Windows\SysWOW64\Clgbmp32.exe	Cbbnpg32.exe
File created	C:\Windows\SysWOW64\Mgmodn32.dll	Bkgeainn.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Ilnlom32.exe	Ieccbbkn.exe
File opened for modification	C:\Windows\SysWOW64\Aopemh32.exe	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Eiahnnph.exe	Efpomccg.exe
File created	C:\Windows\SysWOW64\Hnjfof32.dll	Hihibbjo.exe
File created	C:\Windows\SysWOW64\Eciqfjec.dll	Iacngdgj.exe
File created	C:\Windows\SysWOW64\Lfdqcn32.dll	Phonha32.exe
File created	C:\Windows\SysWOW64\Pninea32.dll	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Knqepc32.exe	Kgflcifg.exe
File opened for modification	C:\Windows\SysWOW64\Nnfpinmi.exe	Npepkf32.exe
File created	C:\Windows\SysWOW64\Ogpmdqpl.dll	Dqpfmlce.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pblajhje.exe
File opened for modification	C:\Windows\SysWOW64\Dngjff32.exe	Dflfac32.exe
File created	C:\Windows\SysWOW64\Phlepppi.dll	Aopemh32.exe
File opened for modification	C:\Windows\SysWOW64\Gngeik32.exe	Ggmmlamj.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Cncnob32.exe
File opened for modification	C:\Windows\SysWOW64\Mmfkhmdi.exe	Ljhnlb32.exe
File created	C:\Windows\SysWOW64\Ganldgib.exe	Gpmomo32.exe
File opened for modification	C:\Windows\SysWOW64\Geldkfpi.exe	Gpolbo32.exe
File created	C:\Windows\SysWOW64\Likage32.dll	Ofjqihnn.exe
File opened for modification	C:\Windows\SysWOW64\Gpmomo32.exe	Galoohke.exe
File created	C:\Windows\SysWOW64\Ajiqfi32.dll	Hlkfbocp.exe
File created	C:\Windows\SysWOW64\Lfqedp32.dll	Lojmcdgl.exe
File created	C:\Windows\SysWOW64\Jedccfqg.exe	Hfcnpn32.exe
File created	C:\Windows\SysWOW64\Nnfpinmi.exe	Npepkf32.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Oaplqh32.exe
File opened for modification	C:\Windows\SysWOW64\Jlbejloe.exe	Iamamcop.exe
File created	C:\Windows\SysWOW64\Mjnnbk32.exe	Mpeiie32.exe
File created	C:\Windows\SysWOW64\Kcpjnjii.exe	Kflide32.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Fooclapd.exe	Eghkjdoa.exe
File created	C:\Windows\SysWOW64\Gpmomo32.exe	Galoohke.exe
File opened for modification	C:\Windows\SysWOW64\Joekag32.exe	Jemfhacc.exe
File opened for modification	C:\Windows\SysWOW64\Mpeiie32.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Nbbeml32.exe
File opened for modification	C:\Windows\SysWOW64\Lckboblp.exe	Lhenai32.exe
File opened for modification	C:\Windows\SysWOW64\Opbean32.exe	Ofjqihnn.exe
File opened for modification	C:\Windows\SysWOW64\Dflfac32.exe	Dmcain32.exe
File created	C:\Windows\SysWOW64\Jcdihk32.dll	Fdnhih32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdciiec.exe	Lljklo32.exe
File created	C:\Windows\SysWOW64\Nchcpi32.dll	Cljobphg.exe
File created	C:\Windows\SysWOW64\Npepkf32.exe	Nflkbanj.exe
File created	C:\Windows\SysWOW64\Igafkb32.dll	Pjbcplpe.exe
File opened for modification	C:\Windows\SysWOW64\Gghdaa32.exe	Ganldgib.exe
File created	C:\Windows\SysWOW64\Ipbaol32.exe	Hihibbjo.exe
File created	C:\Windows\SysWOW64\Cbfgkffn.exe	Cljobphg.exe
File created	C:\Windows\SysWOW64\Emamkgpg.dll	Enpfan32.exe
File opened for modification	C:\Windows\SysWOW64\Fdlkdhnk.exe	Fooclapd.exe
File created	C:\Windows\SysWOW64\Jadgnb32.exe	Joekag32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
8336	8248	WerFault.exe	353

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbbicl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiikeffm.dll"	Doojec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emamkgpg.dll"	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eghkjdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll"	Aagkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdihk32.dll"	Fdnhih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpmnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojqcnhkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodlgn32.dll"	Gokbgpeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fofilp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Modpib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqgedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgfnm32.dll"	Joekag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ondljl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll"	Phonha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhikci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebfign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll"	Jadgnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kflide32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqpfmlce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebaplnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehdpem.dll"	Halhfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pblajhje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfcnpn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkgeainn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkceokii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnnfkal.dll"	Galoohke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbenoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhego32.dll"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nofefp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kofkbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll"	Akpoaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabjq32.dll"	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdihjbp.dll"	Ipbaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eciqfjec.dll"	Iacngdgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjokon32.dll"	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfnhfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchcpi32.dll"	Cljobphg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll"	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpeiie32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 464	5108	NEAS.7cbc88252f8d1700c0940d64a376a414.exe	84
PID 5108 wrote to memory of 464	5108	NEAS.7cbc88252f8d1700c0940d64a376a414.exe	84
PID 5108 wrote to memory of 464	5108	NEAS.7cbc88252f8d1700c0940d64a376a414.exe	84
PID 464 wrote to memory of 1736	464	Coadnlnb.exe	85
PID 464 wrote to memory of 1736	464	Coadnlnb.exe	85
PID 464 wrote to memory of 1736	464	Coadnlnb.exe	85
PID 1736 wrote to memory of 1516	1736	Cleegp32.exe	86
PID 1736 wrote to memory of 1516	1736	Cleegp32.exe	86
PID 1736 wrote to memory of 1516	1736	Cleegp32.exe	86
PID 1516 wrote to memory of 3108	1516	Cbbnpg32.exe	87
PID 1516 wrote to memory of 3108	1516	Cbbnpg32.exe	87
PID 1516 wrote to memory of 3108	1516	Cbbnpg32.exe	87
PID 3108 wrote to memory of 3892	3108	Clgbmp32.exe	88
PID 3108 wrote to memory of 3892	3108	Clgbmp32.exe	88
PID 3108 wrote to memory of 3892	3108	Clgbmp32.exe	88
PID 3892 wrote to memory of 3044	3892	Cljobphg.exe	89
PID 3892 wrote to memory of 3044	3892	Cljobphg.exe	89
PID 3892 wrote to memory of 3044	3892	Cljobphg.exe	89
PID 3044 wrote to memory of 4776	3044	Cbfgkffn.exe	90
PID 3044 wrote to memory of 4776	3044	Cbfgkffn.exe	90
PID 3044 wrote to memory of 4776	3044	Cbfgkffn.exe	90
PID 4776 wrote to memory of 2148	4776	Dkokcl32.exe	91
PID 4776 wrote to memory of 2148	4776	Dkokcl32.exe	91
PID 4776 wrote to memory of 2148	4776	Dkokcl32.exe	91
PID 2148 wrote to memory of 2880	2148	Dmohno32.exe	92
PID 2148 wrote to memory of 2880	2148	Dmohno32.exe	92
PID 2148 wrote to memory of 2880	2148	Dmohno32.exe	92
PID 2880 wrote to memory of 4664	2880	Dkceokii.exe	94
PID 2880 wrote to memory of 4664	2880	Dkceokii.exe	94
PID 2880 wrote to memory of 4664	2880	Dkceokii.exe	94
PID 4664 wrote to memory of 3908	4664	Dmcain32.exe	93
PID 4664 wrote to memory of 3908	4664	Dmcain32.exe	93
PID 4664 wrote to memory of 3908	4664	Dmcain32.exe	93
PID 3908 wrote to memory of 2508	3908	Dflfac32.exe	95
PID 3908 wrote to memory of 2508	3908	Dflfac32.exe	95
PID 3908 wrote to memory of 2508	3908	Dflfac32.exe	95
PID 2508 wrote to memory of 4932	2508	Dngjff32.exe	99
PID 2508 wrote to memory of 4932	2508	Dngjff32.exe	99
PID 2508 wrote to memory of 4932	2508	Dngjff32.exe	99
PID 4932 wrote to memory of 4884	4932	Emhkdmlg.exe	96
PID 4932 wrote to memory of 4884	4932	Emhkdmlg.exe	96
PID 4932 wrote to memory of 4884	4932	Emhkdmlg.exe	96
PID 4884 wrote to memory of 1672	4884	Efpomccg.exe	97
PID 4884 wrote to memory of 1672	4884	Efpomccg.exe	97
PID 4884 wrote to memory of 1672	4884	Efpomccg.exe	97
PID 1672 wrote to memory of 3800	1672	Eiahnnph.exe	100
PID 1672 wrote to memory of 3800	1672	Eiahnnph.exe	100
PID 1672 wrote to memory of 3800	1672	Eiahnnph.exe	100
PID 3800 wrote to memory of 2532	3800	Eehicoel.exe	101
PID 3800 wrote to memory of 2532	3800	Eehicoel.exe	101
PID 3800 wrote to memory of 2532	3800	Eehicoel.exe	101
PID 2532 wrote to memory of 3488	2532	Eblimcdf.exe	102
PID 2532 wrote to memory of 3488	2532	Eblimcdf.exe	102
PID 2532 wrote to memory of 3488	2532	Eblimcdf.exe	102
PID 3488 wrote to memory of 5000	3488	Efjbcakl.exe	103
PID 3488 wrote to memory of 5000	3488	Efjbcakl.exe	103
PID 3488 wrote to memory of 5000	3488	Efjbcakl.exe	103
PID 5000 wrote to memory of 3952	5000	Fpbflg32.exe	104
PID 5000 wrote to memory of 3952	5000	Fpbflg32.exe	104
PID 5000 wrote to memory of 3952	5000	Fpbflg32.exe	104
PID 3952 wrote to memory of 548	3952	Fbbpmb32.exe	105
PID 3952 wrote to memory of 548	3952	Fbbpmb32.exe	105
PID 3952 wrote to memory of 548	3952	Fbbpmb32.exe	105
PID 548 wrote to memory of 1712	548	Flkdfh32.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.7cbc88252f8d1700c0940d64a376a414.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7cbc88252f8d1700c0940d64a376a414.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\Coadnlnb.exe
  C:\Windows\system32\Coadnlnb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\Cleegp32.exe
    C:\Windows\system32\Cleegp32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\Cbbnpg32.exe
      C:\Windows\system32\Cbbnpg32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\Clgbmp32.exe
        
        C:\Windows\system32\Clgbmp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\SysWOW64\Cljobphg.exe
        
        C:\Windows\system32\Cljobphg.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Cbfgkffn.exe
        
        C:\Windows\system32\Cbfgkffn.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Dmohno32.exe
        
        C:\Windows\system32\Dmohno32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Dkceokii.exe
        
        C:\Windows\system32\Dkceokii.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4664

C:\Windows\SysWOW64\Dflfac32.exe
C:\Windows\system32\Dflfac32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\Dngjff32.exe
  C:\Windows\system32\Dngjff32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\Emhkdmlg.exe
    C:\Windows\system32\Emhkdmlg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4932

C:\Windows\SysWOW64\Efpomccg.exe
C:\Windows\system32\Efpomccg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\Eiahnnph.exe
  C:\Windows\system32\Eiahnnph.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\Eehicoel.exe
    C:\Windows\system32\Eehicoel.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\SysWOW64\Eblimcdf.exe
      C:\Windows\system32\Eblimcdf.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\Efjbcakl.exe
        
        C:\Windows\system32\Efjbcakl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Flkdfh32.exe
        
        C:\Windows\system32\Flkdfh32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Flpmagqi.exe
        
        C:\Windows\system32\Flpmagqi.exe
        10⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Gmafajfi.exe
        
        C:\Windows\system32\Gmafajfi.exe
        13⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        15⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Glipgf32.exe
        
        C:\Windows\system32\Glipgf32.exe
        16⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        18⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        20⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        22⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Lljklo32.exe
        
        C:\Windows\system32\Lljklo32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        28⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        33⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        34⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        35⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Mmfkhmdi.exe
        
        C:\Windows\system32\Mmfkhmdi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        39⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        40⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        41⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        42⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\Mmmqhl32.exe
        
        C:\Windows\system32\Mmmqhl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        44⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        46⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        48⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        52⤵
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        53⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        54⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1896
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2620
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        58⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        59⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        60⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        61⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        62⤵
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        63⤵
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        64⤵
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        65⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        66⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        68⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        69⤵
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        70⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        71⤵
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:344
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        74⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        75⤵
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        76⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4916
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        78⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        79⤵
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        80⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        81⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        82⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        83⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        84⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        85⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        87⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        88⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        89⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        92⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        93⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        95⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        96⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        97⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        99⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        100⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        102⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        103⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        104⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        105⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        106⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        108⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        110⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        112⤵
        
        PID:5200

C:\Windows\SysWOW64\Coegoe32.exe
C:\Windows\system32\Coegoe32.exe
1⤵
PID:5316
- C:\Windows\SysWOW64\Chnlgjlb.exe
  C:\Windows\system32\Chnlgjlb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:5472
- - C:\Windows\SysWOW64\Cogddd32.exe
    C:\Windows\system32\Cogddd32.exe
    3⤵
    PID:5632
  - - C:\Windows\SysWOW64\Dgcihgaj.exe
      C:\Windows\system32\Dgcihgaj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      PID:5792
    - - C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
      - C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        6⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        8⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Dqnjgl32.exe
        
        C:\Windows\system32\Dqnjgl32.exe
        9⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        10⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        12⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        13⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        14⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Dhikci32.exe
        
        C:\Windows\system32\Dhikci32.exe
        15⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Doccpcja.exe
        
        C:\Windows\system32\Doccpcja.exe
        16⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        17⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Ehlhih32.exe
        
        C:\Windows\system32\Ehlhih32.exe
        18⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        19⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        21⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Ebfign32.exe
        
        C:\Windows\system32\Ebfign32.exe
        22⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Eojiqb32.exe
        
        C:\Windows\system32\Eojiqb32.exe
        23⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        24⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Ehbnigjj.exe
        
        C:\Windows\system32\Ehbnigjj.exe
        25⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Fooclapd.exe
        
        C:\Windows\system32\Fooclapd.exe
        28⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        29⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        30⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        31⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Fkhpfbce.exe
        
        C:\Windows\system32\Fkhpfbce.exe
        33⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        35⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Fofilp32.exe
        
        C:\Windows\system32\Fofilp32.exe
        36⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Fqgedh32.exe
        
        C:\Windows\system32\Fqgedh32.exe
        37⤵
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Fganqbgg.exe
        
        C:\Windows\system32\Fganqbgg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Fohfbpgi.exe
        
        C:\Windows\system32\Fohfbpgi.exe
        39⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Fajbjh32.exe
        
        C:\Windows\system32\Fajbjh32.exe
        40⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        41⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        42⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Galoohke.exe
        
        C:\Windows\system32\Galoohke.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6304
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        44⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        45⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        46⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Gpolbo32.exe
        
        C:\Windows\system32\Gpolbo32.exe
        47⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        48⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Glfmgp32.exe
        
        C:\Windows\system32\Glfmgp32.exe
        49⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6868
        
        C:\Windows\SysWOW64\Gaebef32.exe
        
        C:\Windows\system32\Gaebef32.exe
        52⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\Hlkfbocp.exe
        
        C:\Windows\system32\Hlkfbocp.exe
        53⤵
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        54⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        57⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Hpmhdmea.exe
        
        C:\Windows\system32\Hpmhdmea.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6596
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6668
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        61⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        62⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        63⤵
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Ipbaol32.exe
        
        C:\Windows\system32\Ipbaol32.exe
        64⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        67⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Ibcjqgnm.exe
        
        C:\Windows\system32\Ibcjqgnm.exe
        68⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        69⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        70⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        71⤵
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Ilnlom32.exe
        
        C:\Windows\system32\Ilnlom32.exe
        72⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Iefphb32.exe
        
        C:\Windows\system32\Iefphb32.exe
        73⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        74⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Iamamcop.exe
        
        C:\Windows\system32\Iamamcop.exe
        75⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        76⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Jblmgf32.exe
        
        C:\Windows\system32\Jblmgf32.exe
        77⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        78⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        79⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        80⤵
        Drops file in System32 directory
        
        PID:7184
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        82⤵
        Modifies registry class
        
        PID:7284
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        83⤵
        Drops file in System32 directory
        
        PID:7320
        
        C:\Windows\SysWOW64\Ledepn32.exe
        
        C:\Windows\system32\Ledepn32.exe
        84⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\Lpjjmg32.exe
        
        C:\Windows\system32\Lpjjmg32.exe
        85⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        86⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\Lhenai32.exe
        
        C:\Windows\system32\Lhenai32.exe
        87⤵
        Drops file in System32 directory
        
        PID:7536
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        88⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Ljdkll32.exe
        
        C:\Windows\system32\Ljdkll32.exe
        89⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\Loacdc32.exe
        
        C:\Windows\system32\Loacdc32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7688
        
        C:\Windows\SysWOW64\Mfkkqmiq.exe
        
        C:\Windows\system32\Mfkkqmiq.exe
        91⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\Mledmg32.exe
        
        C:\Windows\system32\Mledmg32.exe
        92⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\Modpib32.exe
        
        C:\Windows\system32\Modpib32.exe
        93⤵
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Mfnhfm32.exe
        
        C:\Windows\system32\Mfnhfm32.exe
        94⤵
        Modifies registry class
        
        PID:7888
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        95⤵
        Modifies registry class
        
        PID:7924
        
        C:\Windows\SysWOW64\Mbdiknlb.exe
        
        C:\Windows\system32\Mbdiknlb.exe
        96⤵
        Drops file in System32 directory
        
        PID:7964
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8004
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\SysWOW64\Mlljnf32.exe
        
        C:\Windows\system32\Mlljnf32.exe
        99⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        100⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8188
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        102⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        103⤵
        Modifies registry class
        
        PID:7300
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        104⤵
        Modifies registry class
        
        PID:7364
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7476
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        106⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\Njgqhicg.exe
        
        C:\Windows\system32\Njgqhicg.exe
        107⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        108⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        109⤵
        Drops file in System32 directory
        
        PID:7820
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        110⤵
        Modifies registry class
        
        PID:7896
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        111⤵
        Modifies registry class
        
        PID:7956
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        112⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8092
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        114⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        115⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        116⤵
        Modifies registry class
        
        PID:7420
        
        C:\Windows\SysWOW64\Ojqcnhkl.exe
        
        C:\Windows\system32\Ojqcnhkl.exe
        117⤵
        Modifies registry class
        
        PID:7544
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        118⤵
        Modifies registry class
        
        PID:7676
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7824
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        120⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\Oophlo32.exe
        
        C:\Windows\system32\Oophlo32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8072
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        122⤵
        Drops file in System32 directory
        
        PID:8168
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        123⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        124⤵
        Modifies registry class
        
        PID:7620
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        125⤵
        Drops file in System32 directory
        
        PID:7804
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        126⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        127⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7532
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        129⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        130⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\Paihlpfi.exe
        
        C:\Windows\system32\Paihlpfi.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7948
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7788
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        133⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8208
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        135⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8248 -s 404
        136⤵
        Program crash
        
        PID:8336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 8248 -ip 8248
1⤵
PID:8312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
272KB

MD5
7bb1ad8ec68f0f9e12630caba1e8ed05

SHA1
f717de6c36d0319682f86dc9c63f07c46091d07d

SHA256
b1d940625e573d94b8ba357e3ee1a99a46e24682df7028ab66c6391e30c79c80

SHA512
815674a4b0edbe55600857f9a8176f6fc21d737c5937acd6988a155fc6ec2b99ddf46564125208bab27c4ed525f2b50cbbdc46823206d4e7506ecc195e8635b5

Download Submit
C:\Windows\SysWOW64\Cbbnpg32.exe

Filesize
272KB

MD5
7bb1ad8ec68f0f9e12630caba1e8ed05

SHA1
f717de6c36d0319682f86dc9c63f07c46091d07d

SHA256
b1d940625e573d94b8ba357e3ee1a99a46e24682df7028ab66c6391e30c79c80

SHA512
815674a4b0edbe55600857f9a8176f6fc21d737c5937acd6988a155fc6ec2b99ddf46564125208bab27c4ed525f2b50cbbdc46823206d4e7506ecc195e8635b5

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
272KB

MD5
09efd7efba0a597eadd7db43a69b402f

SHA1
23d72a0f7187d4cf8cdb5e7187fa6f948854f9c9

SHA256
e1a7729d1a2c1eccc589606ae92f199d101020cdff6043085ac6ae3930da5c8f

SHA512
219365d824fff6b31d215bceeeb8f244d61d47defd522d18fda4ac8d3b8b3d30f24bf7decc49edcfc64afa82702c4b9c05ec91d77eba1a74e6af3b088e92052c

Download Submit
C:\Windows\SysWOW64\Cbfgkffn.exe

Filesize
272KB

MD5
09efd7efba0a597eadd7db43a69b402f

SHA1
23d72a0f7187d4cf8cdb5e7187fa6f948854f9c9

SHA256
e1a7729d1a2c1eccc589606ae92f199d101020cdff6043085ac6ae3930da5c8f

SHA512
219365d824fff6b31d215bceeeb8f244d61d47defd522d18fda4ac8d3b8b3d30f24bf7decc49edcfc64afa82702c4b9c05ec91d77eba1a74e6af3b088e92052c

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
272KB

MD5
ff13db75702228e2924d195cb1276d6e

SHA1
5bb55e593dd3d2ab95b9d820df43c7892b19a101

SHA256
4a0a52a20f86e6be56d61cf2a01d98f59ab4dc2d8695f91bab9ade3a485136ee

SHA512
d605c254034ee27206f3541ba93fb44a830d90353b329e4f8e7c6c30487f15903971baac8ede1962ab06f96bec85b0dd59e3b4891eefd817a465257b8129ed48

Download Submit
C:\Windows\SysWOW64\Cleegp32.exe

Filesize
272KB

MD5
ff13db75702228e2924d195cb1276d6e

SHA1
5bb55e593dd3d2ab95b9d820df43c7892b19a101

SHA256
4a0a52a20f86e6be56d61cf2a01d98f59ab4dc2d8695f91bab9ade3a485136ee

SHA512
d605c254034ee27206f3541ba93fb44a830d90353b329e4f8e7c6c30487f15903971baac8ede1962ab06f96bec85b0dd59e3b4891eefd817a465257b8129ed48

Download Submit
C:\Windows\SysWOW64\Clgbmp32.exe

Filesize
272KB

MD5
4e5c421793ba034347ea4f5736e74289

SHA1
e6b1e222c2863571e09a2688b3d3c98bfaf64164

SHA256
d4d59685aeb67d8bbb84c9dfe5d897ec9cc60b8fc5d97e11051ae1cbaf29e913

SHA512
4ef67120d0ec0b2ec03c1781314f203b0ced4c1cfd258c89d361fd655bf58643c9bbb9061da0e580b2fdfb8e68b71d76002f4e1767ef2acf658da993850aa417

Download Submit
C:\Windows\SysWOW64\Clgbmp32.exe

Filesize
272KB

MD5
4e5c421793ba034347ea4f5736e74289

SHA1
e6b1e222c2863571e09a2688b3d3c98bfaf64164

SHA256
d4d59685aeb67d8bbb84c9dfe5d897ec9cc60b8fc5d97e11051ae1cbaf29e913

SHA512
4ef67120d0ec0b2ec03c1781314f203b0ced4c1cfd258c89d361fd655bf58643c9bbb9061da0e580b2fdfb8e68b71d76002f4e1767ef2acf658da993850aa417

Download Submit
C:\Windows\SysWOW64\Cljobphg.exe

Filesize
272KB

MD5
39edbae5a3bb54984be08db5791c0fbc

SHA1
abb50148423cd8ab6f88587c393958a48b6c4cfb

SHA256
5d18c369c1a217460eeaca42894e905e1a50f9bfb204d3d2481d27d979ff47a1

SHA512
c40089a4ad0e1319d2dc513e64ff6ec71be58f05654db0e0d75f76c8ecfcdae667b2b36f4012730ca2febe99eab61f81f208cb1a561a8866bab4818e0c080a6c

Download Submit
C:\Windows\SysWOW64\Cljobphg.exe

Filesize
272KB

MD5
39edbae5a3bb54984be08db5791c0fbc

SHA1
abb50148423cd8ab6f88587c393958a48b6c4cfb

SHA256
5d18c369c1a217460eeaca42894e905e1a50f9bfb204d3d2481d27d979ff47a1

SHA512
c40089a4ad0e1319d2dc513e64ff6ec71be58f05654db0e0d75f76c8ecfcdae667b2b36f4012730ca2febe99eab61f81f208cb1a561a8866bab4818e0c080a6c

Download Submit
C:\Windows\SysWOW64\Coadnlnb.exe

Filesize
272KB

MD5
2aa24e61171c15b38233250f0449af9c

SHA1
03089dd84cbcd8ebb981745575f1e65a6613152c

SHA256
381504a5e2de81e8fa7309f64521f58d5e5405acd99699944160fba0fdabce56

SHA512
1db576afdd7ee70cfa99150485a8adb6e7f6eded76b7cd553f38c6557e4645bba77d7ac23d6e510278917806857288087ca29d41ee6237bcf93757e0e9409591

Download Submit
C:\Windows\SysWOW64\Coadnlnb.exe

Filesize
272KB

MD5
2aa24e61171c15b38233250f0449af9c

SHA1
03089dd84cbcd8ebb981745575f1e65a6613152c

SHA256
381504a5e2de81e8fa7309f64521f58d5e5405acd99699944160fba0fdabce56

SHA512
1db576afdd7ee70cfa99150485a8adb6e7f6eded76b7cd553f38c6557e4645bba77d7ac23d6e510278917806857288087ca29d41ee6237bcf93757e0e9409591

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
272KB

MD5
e26c40d81485cb6a3514112adf9a638f

SHA1
6ac5954c1426f37d7ec464712f4d9780240c28d9

SHA256
d5f7c723ac620487eaf11333f3f19007b1c415401ad1ecb06d8b54d626128b19

SHA512
23a49bcfa2e4967f0a9291f0fb4f9bd1c617edc401efe20446103c57152f838cb3f897f912b5bdcfcd190ca805edb1da30eef3ba75d9f9960272290b78b30dfb

Download Submit
C:\Windows\SysWOW64\Dflfac32.exe

Filesize
272KB

MD5
e26c40d81485cb6a3514112adf9a638f

SHA1
6ac5954c1426f37d7ec464712f4d9780240c28d9

SHA256
d5f7c723ac620487eaf11333f3f19007b1c415401ad1ecb06d8b54d626128b19

SHA512
23a49bcfa2e4967f0a9291f0fb4f9bd1c617edc401efe20446103c57152f838cb3f897f912b5bdcfcd190ca805edb1da30eef3ba75d9f9960272290b78b30dfb

Download Submit
C:\Windows\SysWOW64\Dkceokii.exe

Filesize
272KB

MD5
0a6517e9fa3ba21ca068242f17bd9d17

SHA1
64ba68732a6f648f3f4f7ab64e8de7d3b303a23c

SHA256
fff10eb83fb39a92618b4af397eb541217326a34d61cd107c21631eb9f47bbeb

SHA512
f49e5f34dc35b91334fff9033f4cdc6cd7f14b25ceb3e957db4b8b255ee6c91c5d35cca9ee732ef19bb35bf082f06a65934552ec549bd0094cf347353edc4bda

Download Submit
C:\Windows\SysWOW64\Dkceokii.exe

Filesize
272KB

MD5
0a6517e9fa3ba21ca068242f17bd9d17

SHA1
64ba68732a6f648f3f4f7ab64e8de7d3b303a23c

SHA256
fff10eb83fb39a92618b4af397eb541217326a34d61cd107c21631eb9f47bbeb

SHA512
f49e5f34dc35b91334fff9033f4cdc6cd7f14b25ceb3e957db4b8b255ee6c91c5d35cca9ee732ef19bb35bf082f06a65934552ec549bd0094cf347353edc4bda

Download Submit
C:\Windows\SysWOW64\Dkokcl32.exe

Filesize
272KB

MD5
dc0baa2b5bb2a87af31d6503c3c82e3b

SHA1
82586dfac96cf8b5aee8c5660f518fa0f51c3e18

SHA256
2739cec8b5540495c1d0f342d33bfd09e839eb0f1bb8dd442203b7c08d5ba933

SHA512
f9181516649a96b8e4219d9b7bb44d218e74a18de75e657023ee0eec452d34ef2da7cfbfbc12a2a38ed9e062bea3c3988cae25e203026c2a32d3e27daac8a1d3

Download Submit
C:\Windows\SysWOW64\Dkokcl32.exe

Filesize
272KB

MD5
dc0baa2b5bb2a87af31d6503c3c82e3b

SHA1
82586dfac96cf8b5aee8c5660f518fa0f51c3e18

SHA256
2739cec8b5540495c1d0f342d33bfd09e839eb0f1bb8dd442203b7c08d5ba933

SHA512
f9181516649a96b8e4219d9b7bb44d218e74a18de75e657023ee0eec452d34ef2da7cfbfbc12a2a38ed9e062bea3c3988cae25e203026c2a32d3e27daac8a1d3

Download Submit
C:\Windows\SysWOW64\Dmcain32.exe

Filesize
272KB

MD5
18a314d0f2239ee4680f18e8653fb565

SHA1
197e91ec27c57ebbc7ff531d558b9df7bee79504

SHA256
86076f99151b15fdbd7efcf201d1a500550db0339a0e2862c7f866cd3e50f06a

SHA512
c744899cef3c3be62d9678437554dbb6a22f21eb0a19a059ba4bf52c9d8a7fc62c6e425f8749003b7faa4464bef8d8fa3f9e1bdd178fdcdfe40f30f78091a58d

Download Submit
C:\Windows\SysWOW64\Dmcain32.exe

Filesize
272KB

MD5
18a314d0f2239ee4680f18e8653fb565

SHA1
197e91ec27c57ebbc7ff531d558b9df7bee79504

SHA256
86076f99151b15fdbd7efcf201d1a500550db0339a0e2862c7f866cd3e50f06a

SHA512
c744899cef3c3be62d9678437554dbb6a22f21eb0a19a059ba4bf52c9d8a7fc62c6e425f8749003b7faa4464bef8d8fa3f9e1bdd178fdcdfe40f30f78091a58d

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
272KB

MD5
c0281fd037098191d1f23aefc09d5d98

SHA1
9202378eab0b46f9a4e349caf5bcf9773ac5730b

SHA256
05cc05e05953c53b84dec5e29e43756c8289bca2f3d45a4c2f434e8d1b6f6402

SHA512
192c0203d1a4695f2c6fb56584f35bb573596d4c4a9229af713bddc78329853b8a344ae3ee864cae188d2510ea121f1abeda158d0ebe39b39ed37ce460429d36

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
272KB

MD5
c0281fd037098191d1f23aefc09d5d98

SHA1
9202378eab0b46f9a4e349caf5bcf9773ac5730b

SHA256
05cc05e05953c53b84dec5e29e43756c8289bca2f3d45a4c2f434e8d1b6f6402

SHA512
192c0203d1a4695f2c6fb56584f35bb573596d4c4a9229af713bddc78329853b8a344ae3ee864cae188d2510ea121f1abeda158d0ebe39b39ed37ce460429d36

Download Submit
C:\Windows\SysWOW64\Dmohno32.exe

Filesize
272KB

MD5
c0281fd037098191d1f23aefc09d5d98

SHA1
9202378eab0b46f9a4e349caf5bcf9773ac5730b

SHA256
05cc05e05953c53b84dec5e29e43756c8289bca2f3d45a4c2f434e8d1b6f6402

SHA512
192c0203d1a4695f2c6fb56584f35bb573596d4c4a9229af713bddc78329853b8a344ae3ee864cae188d2510ea121f1abeda158d0ebe39b39ed37ce460429d36

Download Submit
C:\Windows\SysWOW64\Dngjff32.exe

Filesize
272KB

MD5
fe5a6925f39d8d096b42b07e30cf6e5f

SHA1
75629fad6c33da589a54e98c5c3a29d3d1354f4a

SHA256
5e15a57c9a808ecb308e87ac19d87f4133049edc618ecb3e58c2bdf94594a09f

SHA512
c5d824740f2ae9f81327a45bacf485afbbf285cf7f60503ed2939b3f2cf75780d5fdb64fc7b2cf2b8ca0ba334fef6379fa515521167390faa4142bf417a6e9a4

Download Submit
C:\Windows\SysWOW64\Dngjff32.exe

Filesize
272KB

MD5
fe5a6925f39d8d096b42b07e30cf6e5f

SHA1
75629fad6c33da589a54e98c5c3a29d3d1354f4a

SHA256
5e15a57c9a808ecb308e87ac19d87f4133049edc618ecb3e58c2bdf94594a09f

SHA512
c5d824740f2ae9f81327a45bacf485afbbf285cf7f60503ed2939b3f2cf75780d5fdb64fc7b2cf2b8ca0ba334fef6379fa515521167390faa4142bf417a6e9a4

Download Submit
C:\Windows\SysWOW64\Eblimcdf.exe

Filesize
272KB

MD5
5f6676c1f1ffa1f2d4a0d4295f36dd5b

SHA1
275b67cfa8299626bb4c8cad9e4b02e3abd66f01

SHA256
0bcc6c8fd20d114ea26a42638cbcf00519225e34dae338545a34de0400540535

SHA512
4a03614cb2447d6a3763c669f3cad3d1c552ba3516bb9b992b7aea3c52da9727ba09de30f76f29ee95b3a3715ef6a7f1b1581163965f307819a540fa60705a65

Download Submit
C:\Windows\SysWOW64\Eblimcdf.exe

Filesize
272KB

MD5
5f6676c1f1ffa1f2d4a0d4295f36dd5b

SHA1
275b67cfa8299626bb4c8cad9e4b02e3abd66f01

SHA256
0bcc6c8fd20d114ea26a42638cbcf00519225e34dae338545a34de0400540535

SHA512
4a03614cb2447d6a3763c669f3cad3d1c552ba3516bb9b992b7aea3c52da9727ba09de30f76f29ee95b3a3715ef6a7f1b1581163965f307819a540fa60705a65

Download Submit
C:\Windows\SysWOW64\Eehicoel.exe

Filesize
272KB

MD5
3ab889177a52d2509a4fb6f309c6067e

SHA1
341d4abe4cb0340e388933ae6796340db5b884bb

SHA256
729291c4a140e785b8d14fc4be785ab74089a21b4fbb37b96b107a36c403a54f

SHA512
a2f7e3e790697686b608b2a3628892d815e19f247feec25df109fe22e2f37fe345ac501c6b06930d3efffc5a8c89d0a6a177054273e8d90f2c08b30d7b2413d3

Download Submit
C:\Windows\SysWOW64\Eehicoel.exe

Filesize
272KB

MD5
3ab889177a52d2509a4fb6f309c6067e

SHA1
341d4abe4cb0340e388933ae6796340db5b884bb

SHA256
729291c4a140e785b8d14fc4be785ab74089a21b4fbb37b96b107a36c403a54f

SHA512
a2f7e3e790697686b608b2a3628892d815e19f247feec25df109fe22e2f37fe345ac501c6b06930d3efffc5a8c89d0a6a177054273e8d90f2c08b30d7b2413d3

Download Submit
C:\Windows\SysWOW64\Efjbcakl.exe

Filesize
272KB

MD5
0e7ff17c958f6c19f08ad080b91811e2

SHA1
87f3d8b852f5b4a82e84b39af6c4083fdb565908

SHA256
07238b514f45fb42f72d01ce81364ee07368d24b81a3766e6bdbceea5b801927

SHA512
ae7b048adb7ed3f71ee9afb2af4003d392a8664ef47510d728fc1eb2f0d40ab34bdeb1c9934bb947a2bd699ffd9a319ff2cccb626b8d06616f3c9579af961929

Download Submit
C:\Windows\SysWOW64\Efjbcakl.exe

Filesize
272KB

MD5
0e7ff17c958f6c19f08ad080b91811e2

SHA1
87f3d8b852f5b4a82e84b39af6c4083fdb565908

SHA256
07238b514f45fb42f72d01ce81364ee07368d24b81a3766e6bdbceea5b801927

SHA512
ae7b048adb7ed3f71ee9afb2af4003d392a8664ef47510d728fc1eb2f0d40ab34bdeb1c9934bb947a2bd699ffd9a319ff2cccb626b8d06616f3c9579af961929

Download Submit
C:\Windows\SysWOW64\Efpomccg.exe

Filesize
272KB

MD5
9a8009778ef78571a03caa1ebd23eaed

SHA1
97bc5c2a56e75f2cd3b23cc70bdd5d467df19ecd

SHA256
046ce2d1e74bd0f6472eeaacfac5fdbb25f108dd0cca0a4feeaaf07d8000daef

SHA512
02bc883520c83e8b85b5d5eef548709f8350552a001fd8beb7438613209a99fa22bcb0e8874719947b041e930ff23bfe00db718fb9d7cce2b969a6d2dba17489

Download Submit
C:\Windows\SysWOW64\Efpomccg.exe

Filesize
272KB

MD5
9a8009778ef78571a03caa1ebd23eaed

SHA1
97bc5c2a56e75f2cd3b23cc70bdd5d467df19ecd

SHA256
046ce2d1e74bd0f6472eeaacfac5fdbb25f108dd0cca0a4feeaaf07d8000daef

SHA512
02bc883520c83e8b85b5d5eef548709f8350552a001fd8beb7438613209a99fa22bcb0e8874719947b041e930ff23bfe00db718fb9d7cce2b969a6d2dba17489

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
272KB

MD5
243e666ed70a80fdde679d72d03e731a

SHA1
90ed2f4bd266fba5bb384a654d23f75ac3e83b6c

SHA256
ee7b58fcada6da33f2febff018ade6893a023ecc82a3bc7007c1ebedb2f870ae

SHA512
f34545ad50676d685d6d4729dad271d074228eb846a0503a10d3794c4823653bf0d3f9dacfc4065575b53ef90a3725f4b865c21d085f5da42740ed67c89b175c

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
272KB

MD5
243e666ed70a80fdde679d72d03e731a

SHA1
90ed2f4bd266fba5bb384a654d23f75ac3e83b6c

SHA256
ee7b58fcada6da33f2febff018ade6893a023ecc82a3bc7007c1ebedb2f870ae

SHA512
f34545ad50676d685d6d4729dad271d074228eb846a0503a10d3794c4823653bf0d3f9dacfc4065575b53ef90a3725f4b865c21d085f5da42740ed67c89b175c

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
272KB

MD5
95a9bf17b497e98e36be4c0098c7ed7c

SHA1
b5f71f428223eb97c0dd91a7d1e58c17fc2d5628

SHA256
172f15b29da5f4f44b4b98ef9eaafc4569cc850bb71bf364a6fb484fd37a6dcc

SHA512
f900a5ca6fe1abe4ef35ca0613e27d1647cea2a6c1cc1844f10a7c7dd80baa025f1eedc03bc773f7a07d32e97f0d7eb5d56dbd2bc66c045a43880cb82cf6fbd4

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
272KB

MD5
95a9bf17b497e98e36be4c0098c7ed7c

SHA1
b5f71f428223eb97c0dd91a7d1e58c17fc2d5628

SHA256
172f15b29da5f4f44b4b98ef9eaafc4569cc850bb71bf364a6fb484fd37a6dcc

SHA512
f900a5ca6fe1abe4ef35ca0613e27d1647cea2a6c1cc1844f10a7c7dd80baa025f1eedc03bc773f7a07d32e97f0d7eb5d56dbd2bc66c045a43880cb82cf6fbd4

Download Submit
C:\Windows\SysWOW64\Enpfan32.exe

Filesize
272KB

MD5
f15130e24d6421c9101751984b70c659

SHA1
8d6f2f615574b70450860dae1820c016e2b5e727

SHA256
ba71a49b0b09753d903b72ddaeb23e450afa70f38d70f3757aa91726af0cb57d

SHA512
80c8ceedc47c44cef49339df1db748930d506435591c7ee446eca393b22c2249e10b1b3644774b064a6aa5c20086f495f664c98d98af33ea9da348491f2efab3

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
272KB

MD5
43e70779dbeb868a5c2d4074198fbfe1

SHA1
fc8d221979a8bedb977199c0280829a71b1a29fe

SHA256
9c37dfbfd1efc2cbd3dc8add348d8269340b05cf2920b60040f1c87ca942817b

SHA512
428d0d3715ff724167f5a1e1af1b4ac5b698bc9aa090aa9cd857036b8c31a3250f43072b54967972ac0f09f1031c386e57243a3b92d855a212d15b72b20d2866

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
272KB

MD5
43e70779dbeb868a5c2d4074198fbfe1

SHA1
fc8d221979a8bedb977199c0280829a71b1a29fe

SHA256
9c37dfbfd1efc2cbd3dc8add348d8269340b05cf2920b60040f1c87ca942817b

SHA512
428d0d3715ff724167f5a1e1af1b4ac5b698bc9aa090aa9cd857036b8c31a3250f43072b54967972ac0f09f1031c386e57243a3b92d855a212d15b72b20d2866

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
272KB

MD5
be689259a9c1f22fe30b2bf55097ae6f

SHA1
2a783221d73346f4041ced3396a02f0b7e23b5f7

SHA256
46536c39738263a59a90a7881392e1cda0b42496b5b559958412e1c886bf6610

SHA512
f276ff890ced368adb2a1cedf25163b78af0b837964a0749f51b2611902152f5c5a493c5acdaa30411f9d65be0c0fa33aef1bd6859c8780c10b22678488597a7

Download Submit
C:\Windows\SysWOW64\Fiodpl32.exe

Filesize
272KB

MD5
be689259a9c1f22fe30b2bf55097ae6f

SHA1
2a783221d73346f4041ced3396a02f0b7e23b5f7

SHA256
46536c39738263a59a90a7881392e1cda0b42496b5b559958412e1c886bf6610

SHA512
f276ff890ced368adb2a1cedf25163b78af0b837964a0749f51b2611902152f5c5a493c5acdaa30411f9d65be0c0fa33aef1bd6859c8780c10b22678488597a7

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
272KB

MD5
ca395826b82357831c2c5b7b34421cfc

SHA1
81689128e71a68f688a828a7de43701109e1a798

SHA256
2dd99c3f8c02a5b24712df4973d02512ca7567e186facf7ae5f23181ce59fabe

SHA512
25192df7484cc0937512d415b6a89f9974aade908f3bd82e98d8a2135a66111f6521375608d1cdd856cd1d0c6511b04080e647c321db7299179701e3851e6342

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
272KB

MD5
ca395826b82357831c2c5b7b34421cfc

SHA1
81689128e71a68f688a828a7de43701109e1a798

SHA256
2dd99c3f8c02a5b24712df4973d02512ca7567e186facf7ae5f23181ce59fabe

SHA512
25192df7484cc0937512d415b6a89f9974aade908f3bd82e98d8a2135a66111f6521375608d1cdd856cd1d0c6511b04080e647c321db7299179701e3851e6342

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
272KB

MD5
dcb4c6ef4121f5e636e823e6fc35f27b

SHA1
d3c18da00f14ef7f1353a640c03e77e3d1ab8b9a

SHA256
971f55a79ce3845d00eb40f9e0424786e1e4bdfad9301c036d4f501f45b7232f

SHA512
cf818a249146d90d2d7d33d03c86b9883aff5fad037695d5cf597dbff16338806f9ff910cfa922a6595ccf391e557c380e72a86c5e2b526fc967e51fb7bf4819

Download Submit
C:\Windows\SysWOW64\Flpmagqi.exe

Filesize
272KB

MD5
dcb4c6ef4121f5e636e823e6fc35f27b

SHA1
d3c18da00f14ef7f1353a640c03e77e3d1ab8b9a

SHA256
971f55a79ce3845d00eb40f9e0424786e1e4bdfad9301c036d4f501f45b7232f

SHA512
cf818a249146d90d2d7d33d03c86b9883aff5fad037695d5cf597dbff16338806f9ff910cfa922a6595ccf391e557c380e72a86c5e2b526fc967e51fb7bf4819

Download Submit
C:\Windows\SysWOW64\Fpbflg32.exe

Filesize
272KB

MD5
648e989d405db5f1e02c2d9dd5c1b58d

SHA1
c9b1a7ed5c5f090e0cf0d2be32503329a1819af6

SHA256
d32d862bad529b34cceb5a0e830f4c53e20a377b823256086161790ab531aa9b

SHA512
db345c14015288da07668e20f2add6011ae143be94af83d37356eaa3d488e0c6bedbd8d480a93220b550554a475cea15e902da51407c7b038da97db049c6d2b1

Download Submit
C:\Windows\SysWOW64\Fpbflg32.exe

Filesize
272KB

MD5
648e989d405db5f1e02c2d9dd5c1b58d

SHA1
c9b1a7ed5c5f090e0cf0d2be32503329a1819af6

SHA256
d32d862bad529b34cceb5a0e830f4c53e20a377b823256086161790ab531aa9b

SHA512
db345c14015288da07668e20f2add6011ae143be94af83d37356eaa3d488e0c6bedbd8d480a93220b550554a475cea15e902da51407c7b038da97db049c6d2b1

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
272KB

MD5
28a591ca847c39154fc5e23fe8f36604

SHA1
c797fb28c244254b3980d184a32ef64b6d299dc5

SHA256
9b43bc2ace9bb0296fa815c4d2f9092c0a26912b226c76e40cf37b5f81bcd61a

SHA512
98de5c3b430d59598e0befbfceeccb15ef7b44f01d837c2bd1ca6b89686729777820636ddb7d3c4608b13f30ffc70f617708f24932930d792b2e3eff980bf788

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
272KB

MD5
28a591ca847c39154fc5e23fe8f36604

SHA1
c797fb28c244254b3980d184a32ef64b6d299dc5

SHA256
9b43bc2ace9bb0296fa815c4d2f9092c0a26912b226c76e40cf37b5f81bcd61a

SHA512
98de5c3b430d59598e0befbfceeccb15ef7b44f01d837c2bd1ca6b89686729777820636ddb7d3c4608b13f30ffc70f617708f24932930d792b2e3eff980bf788

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
272KB

MD5
10951eb807cd68c9f592b0c1caa9f6b2

SHA1
bf2971e46a9e37b75ddf44e9a011be5185a94a05

SHA256
324eba2b341bcf90745b96d80f36ffcfe70466d8bf48f9c3ccca355c66f4e3b1

SHA512
ea126798c1ad4b5766128e821a6f34e9442ed95b54f441bfacef1975133097de9bac54e0a26e2a2da840e6d202ad22e11665d28fd182ed80e87b0e4579161859

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
272KB

MD5
10951eb807cd68c9f592b0c1caa9f6b2

SHA1
bf2971e46a9e37b75ddf44e9a011be5185a94a05

SHA256
324eba2b341bcf90745b96d80f36ffcfe70466d8bf48f9c3ccca355c66f4e3b1

SHA512
ea126798c1ad4b5766128e821a6f34e9442ed95b54f441bfacef1975133097de9bac54e0a26e2a2da840e6d202ad22e11665d28fd182ed80e87b0e4579161859

Download Submit
C:\Windows\SysWOW64\Glipgf32.exe

Filesize
272KB

MD5
9627c6b1b61ebabf2aea96d2a2303218

SHA1
85c3d61953a3482e915fa0fd1f4a32ac59c15605

SHA256
0d32d6d71ecbd184b943d9788b7ab6a35fcba1dbbfa12f5c65f20084bea300ca

SHA512
720451e5a48fa0b7285fc08ddfbd956ace5def6fbc1d2dbf736550aeef7187a5651707b3094791ae900c9277ee6924ef969eebf34937067b6f1a9f1b493716c2

Download Submit
C:\Windows\SysWOW64\Glipgf32.exe

Filesize
272KB

MD5
9627c6b1b61ebabf2aea96d2a2303218

SHA1
85c3d61953a3482e915fa0fd1f4a32ac59c15605

SHA256
0d32d6d71ecbd184b943d9788b7ab6a35fcba1dbbfa12f5c65f20084bea300ca

SHA512
720451e5a48fa0b7285fc08ddfbd956ace5def6fbc1d2dbf736550aeef7187a5651707b3094791ae900c9277ee6924ef969eebf34937067b6f1a9f1b493716c2

Download Submit
C:\Windows\SysWOW64\Gmafajfi.exe

Filesize
272KB

MD5
9eb8cf0cee49e2428ebeef038c57e7e2

SHA1
a65e9066e696e80417e50857688998f7979682e9

SHA256
8d19a716e17f80c8e2ee73ddfac649455991edf6264511adbfb6a111b54ef041

SHA512
feb55ef31608306835816d25366b5291bdb7c369b6f94831ec6629661d74b4e6688b7d935d2ae6255cd0d53662f4c4f72a51a2128c817eb7dc7b8efc3502f4f5

Download Submit
C:\Windows\SysWOW64\Gmafajfi.exe

Filesize
272KB

MD5
9eb8cf0cee49e2428ebeef038c57e7e2

SHA1
a65e9066e696e80417e50857688998f7979682e9

SHA256
8d19a716e17f80c8e2ee73ddfac649455991edf6264511adbfb6a111b54ef041

SHA512
feb55ef31608306835816d25366b5291bdb7c369b6f94831ec6629661d74b4e6688b7d935d2ae6255cd0d53662f4c4f72a51a2128c817eb7dc7b8efc3502f4f5

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
272KB

MD5
0fb5d4cdd9aea53190b23352c96b74c3

SHA1
98f28d70422dae761597dbcfc63ccaf00940bf51

SHA256
ed1269617cba67caf2a692a725711164fc9a07f3eaaf810552a5a112c633ebdf

SHA512
75c684bf0bbf61dc57d09a2bb9b0b8326af57c4f7393e19c0df4e5e9a9eafc820dbf853118673594f81bbf232dacc91ff100639b07b6e06b99cfd251a08fd29f

Download Submit
C:\Windows\SysWOW64\Gnqfcbnj.exe

Filesize
272KB

MD5
0fb5d4cdd9aea53190b23352c96b74c3

SHA1
98f28d70422dae761597dbcfc63ccaf00940bf51

SHA256
ed1269617cba67caf2a692a725711164fc9a07f3eaaf810552a5a112c633ebdf

SHA512
75c684bf0bbf61dc57d09a2bb9b0b8326af57c4f7393e19c0df4e5e9a9eafc820dbf853118673594f81bbf232dacc91ff100639b07b6e06b99cfd251a08fd29f

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
272KB

MD5
cca23d1128c18260d3983145d708d21e

SHA1
177b875f54b4553e395aec9f9c393c6cc402d153

SHA256
fdb7e85eb8a78a41c0fc4e8e6164189d9bdc910a0f9a736e452d3c624cd82661

SHA512
53218721e8ba6255f1a2b79be727e3ad6983104ab2d30e867420a4f45dcbb220a546087cc52aaa776707d208c5e79d769e6d4f78e5ffda96ff260c187dad33d1

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
272KB

MD5
cca23d1128c18260d3983145d708d21e

SHA1
177b875f54b4553e395aec9f9c393c6cc402d153

SHA256
fdb7e85eb8a78a41c0fc4e8e6164189d9bdc910a0f9a736e452d3c624cd82661

SHA512
53218721e8ba6255f1a2b79be727e3ad6983104ab2d30e867420a4f45dcbb220a546087cc52aaa776707d208c5e79d769e6d4f78e5ffda96ff260c187dad33d1

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe

Filesize
272KB

MD5
3ea4a4c771cfb65d92f9374854145704

SHA1
11cb6126d63bb6ed33f5111570c8d38ee0d31d3b

SHA256
541a13ed8a0e6212bce6703701952bf7cb417f4950f48bbe9e8d0cad42821ed2

SHA512
ae9c58778893d02d76d63b078951f6cae1d03933e19cb02d0008e01b002c60b3e794f32c224200170f9e1b3dee4816aaa9f943202d9e9160632003a58ec2ee3c

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe

Filesize
272KB

MD5
3ea4a4c771cfb65d92f9374854145704

SHA1
11cb6126d63bb6ed33f5111570c8d38ee0d31d3b

SHA256
541a13ed8a0e6212bce6703701952bf7cb417f4950f48bbe9e8d0cad42821ed2

SHA512
ae9c58778893d02d76d63b078951f6cae1d03933e19cb02d0008e01b002c60b3e794f32c224200170f9e1b3dee4816aaa9f943202d9e9160632003a58ec2ee3c

Download Submit
C:\Windows\SysWOW64\Hhdcmp32.exe

Filesize
272KB

MD5
75fb1e7e0b0912302d99adfc154a11cf

SHA1
e8bd1c7304dfcf06b8c67c1b096893edf7fcc7e4

SHA256
fe07d40de92105b70981ea9ded71610e2fe4a02e0147ca2d63e66e3f512bbaa8

SHA512
b19dc88e15fb9800d9a3ead1833f241ffc690658212b0cfd5ab9233c5c13d0aeb1a870b0a806e5431e5de62ed53ed3dcc5417c53056c34b44db37a1ced4ecb17

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
272KB

MD5
0a3520c1d6564f5660848b50c639eb44

SHA1
292f8e52cc69fdf9b3ea64906a00bb62939efb1b

SHA256
d7d58db5d6d861875824937713db11aa300ec4fce6799b1fed54ed7c918cef2d

SHA512
998ddeba40e99e9bdaa160cc831b40123b71bc4f49e02d43d63898ad214fa453893f62b152aa4e142c7ce586cb81c7322cfed9410b56c29d100e22aded7e5e1a

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
272KB

MD5
0a3520c1d6564f5660848b50c639eb44

SHA1
292f8e52cc69fdf9b3ea64906a00bb62939efb1b

SHA256
d7d58db5d6d861875824937713db11aa300ec4fce6799b1fed54ed7c918cef2d

SHA512
998ddeba40e99e9bdaa160cc831b40123b71bc4f49e02d43d63898ad214fa453893f62b152aa4e142c7ce586cb81c7322cfed9410b56c29d100e22aded7e5e1a

Download Submit
C:\Windows\SysWOW64\Jlolpq32.exe

Filesize
272KB

MD5
192a1b68c3f75e6e365c0d15b08ae897

SHA1
631ba4834d8cb8997065895ccaec8ec540b1bf9c

SHA256
6d71f5be2dcbfa38988544ab0bd5eaa5bf473e4b656f88acf07f76a85197ea93

SHA512
4b7edc48dd9e3fef34535f7c727540a6d513ae74bf9eecda3df50278e23d483bd0f7fca5887dfc7cad3cc37f06a7b5a1f591d602cfccd1ab9ddb11581c0b6413

Download Submit
C:\Windows\SysWOW64\Jlolpq32.exe

Filesize
272KB

MD5
192a1b68c3f75e6e365c0d15b08ae897

SHA1
631ba4834d8cb8997065895ccaec8ec540b1bf9c

SHA256
6d71f5be2dcbfa38988544ab0bd5eaa5bf473e4b656f88acf07f76a85197ea93

SHA512
4b7edc48dd9e3fef34535f7c727540a6d513ae74bf9eecda3df50278e23d483bd0f7fca5887dfc7cad3cc37f06a7b5a1f591d602cfccd1ab9ddb11581c0b6413

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
272KB

MD5
854503fb5c4e3e07e270a3627ed78714

SHA1
0d3f2f464d0b23bea01bdb515de872f1334501da

SHA256
cd2ce8b932ea8cc500b19773a842c9176f18bfcdebcf9204e8f3221be3fcb13f

SHA512
1ca1b79cb49a371a727d7c6504b938540cfff499f547594a7adb1533bbd7885a0690ad9878b13603d43458d9e589a7ceda82a85cea61bfedc3c915158b1d2dd7

Download Submit
C:\Windows\SysWOW64\Onmfimga.exe

Filesize
272KB

MD5
cc0c528e903f20805da36a85030cfb69

SHA1
65324b7e0811c5992477a59abe59e62fd9d6e93b

SHA256
210c56609c649c2bbd0c4bee70388dd012ee048fa2cc49676ceb87402673d93a

SHA512
4069f16503475bb0248b0a33837681ecde300c468d81f44546baac797f00c3ef9466ff1cfa223f936fcccd85ffbfde4cba0d865c67bafc748ce2cb46be253dfe

Download Submit
C:\Windows\SysWOW64\Pcegclgp.exe

Filesize
272KB

MD5
7297b1d2a5733e17172dd8f5a6b7272f

SHA1
ff41192b294e0ac4e68d8448a36235b9556cf486

SHA256
8ac6c8d3320f1bab77ee636d94311e95daefde92c206b2531f94d1bf765a5ba8

SHA512
1aa14aa2af2dd079e4872af3ac3f5b6501e35179abf3136d1dd062fae2ed5fe89cf9ae828300f4e7eb646b4623477df5194e62b734d70b36ecac4f6e7b999589

Download Submit
memory/224-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4144-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7248-1785-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7360-1777-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7420-1784-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7476-1795-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7532-1772-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7544-1783-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7556-1794-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7620-1776-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7632-1793-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7676-1782-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7756-1792-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7788-1768-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7804-1775-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7948-1769-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7976-1780-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7996-1774-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8072-1779-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/8172-1767-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads