55698dd29d57ea600aeb4732821c50f3587ee6c1f35866f0b7d8b2746e470ea5

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bcec58341e5872573291a15ae1e072d0.exe
Size

207KB
MD5

bcec58341e5872573291a15ae1e072d0
SHA1

1d3c75eaa395323e9d04484dc0936073110219bb
SHA256

55698dd29d57ea600aeb4732821c50f3587ee6c1f35866f0b7d8b2746e470ea5
SHA512

c801cfcce3873d9b4e753fc12707f36f4f67d72ecfb1eaa78482c35e82a1281706c166b4925422dbdfbd64cb9cb60ab7439fbdd5458f7696454b8d500c247021
SSDEEP

6144:v+PJVFvHIcQ1KWk5Vjj+VPj92d62ASOwj:WpvEKhpIPj92aSOc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inebjihf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apnndj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gihpkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbgjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebifmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlblcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppnenlka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhifomdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbonoghb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhaggp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padnaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aimogakj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipihpkkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noblkqca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejjaqk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcaipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gihpkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckebcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jadgnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aagkhd32.exe

Executes dropped EXE 64 IoCs

pid	Process
3504	Mcgiefen.exe
1232	Mgeakekd.exe
1000	Nncccnol.exe
3972	Nmipdk32.exe
4996	Ojomcopk.exe
3048	Onocomdo.exe
4764	Ojfcdnjc.exe
3144	Opeiadfg.exe
4408	Pfandnla.exe
4156	Pdhkcb32.exe
1428	Pjdpelnc.exe
5044	Qdoacabq.exe
4940	Qdaniq32.exe
2092	Aaenbd32.exe
4632	Aagkhd32.exe
3912	Ahdpjn32.exe
2148	Apodoq32.exe
5064	Apaadpng.exe
3904	Bhkfkmmg.exe
4356	Bhmbqm32.exe
4100	Boihcf32.exe
3844	Cpmapodj.exe
4048	Ckebcg32.exe
2176	Cocjiehd.exe
2112	Cogddd32.exe
2504	Ddgibkpc.exe
1200	Dqbcbkab.exe
4756	Egaejeej.exe
4076	Ebifmm32.exe
4932	Eghkjdoa.exe
3480	Fndpmndl.exe
5076	Filapfbo.exe
1308	Fecadghc.exe
4992	Fiqjke32.exe
2792	Gbiockdj.exe
1132	Gpmomo32.exe
5080	Gghdaa32.exe
4248	Gihpkd32.exe
4276	Gacepg32.exe
1284	Hpfbcn32.exe
2228	Hhaggp32.exe
1448	Hpkknmgd.exe
724	Hlblcn32.exe
4972	Hbnaeh32.exe
1228	Inebjihf.exe
1464	Iogopi32.exe
3200	Iojkeh32.exe
3468	Ipihpkkd.exe
2484	Ipkdek32.exe
744	Jpnakk32.exe
1532	Jhifomdj.exe
3124	Jadgnb32.exe
5092	Jeapcq32.exe
4392	Khbiello.exe
4460	Klpakj32.exe
3348	Kpnjah32.exe
4576	Kabcopmg.exe
1684	Kcapicdj.exe
1656	Lcclncbh.exe
1084	Lakfeodm.exe
2180	Lpochfji.exe
4252	Mpapnfhg.exe
2656	Mcaipa32.exe
1640	Mjnnbk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjnnbk32.exe	Mcaipa32.exe
File created	C:\Windows\SysWOW64\Ilnjmilq.dll	Mcaipa32.exe
File opened for modification	C:\Windows\SysWOW64\Qbonoghb.exe	Pjcikejg.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Hfibla32.dll	Jpnakk32.exe
File opened for modification	C:\Windows\SysWOW64\Ipkdek32.exe	Ipihpkkd.exe
File opened for modification	C:\Windows\SysWOW64\Nciopppp.exe	Mfenglqf.exe
File created	C:\Windows\SysWOW64\Qbajeg32.exe	Qbonoghb.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bipecnkd.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	Ejjaqk32.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Opeiadfg.exe	Ojfcdnjc.exe
File opened for modification	C:\Windows\SysWOW64\Hhaggp32.exe	Hpfbcn32.exe
File created	C:\Windows\SysWOW64\Ipihpkkd.exe	Iojkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Lpochfji.exe	Lakfeodm.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Binhnomg.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Onocomdo.exe
File created	C:\Windows\SysWOW64\Pjllddpj.dll	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Ckebcg32.exe	Cpmapodj.exe
File created	C:\Windows\SysWOW64\Eibmbgdm.dll	Gihpkd32.exe
File opened for modification	C:\Windows\SysWOW64\Iojkeh32.exe	Iogopi32.exe
File created	C:\Windows\SysWOW64\Aaeidf32.dll	Kcapicdj.exe
File opened for modification	C:\Windows\SysWOW64\Noblkqca.exe	Nciopppp.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Pjdpelnc.exe
File opened for modification	C:\Windows\SysWOW64\Abfdpfaj.exe	Aimogakj.exe
File created	C:\Windows\SysWOW64\Ppnenlka.exe	Pmmlla32.exe
File opened for modification	C:\Windows\SysWOW64\Mcaipa32.exe	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Fohogfgd.dll	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Mpapnfhg.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Ejjaqk32.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Ipecicga.dll	Bdapehop.exe
File opened for modification	C:\Windows\SysWOW64\Dalofi32.exe	Dkbgjo32.exe
File created	C:\Windows\SysWOW64\Fecadghc.exe	Filapfbo.exe
File opened for modification	C:\Windows\SysWOW64\Fjeplijj.exe	Eqkondfl.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	Fglnkm32.exe
File created	C:\Windows\SysWOW64\Lakfeodm.exe	Lcclncbh.exe
File created	C:\Windows\SysWOW64\Opeiadfg.exe	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Pdhkcb32.exe	Pfandnla.exe
File created	C:\Windows\SysWOW64\Iojkeh32.exe	Iogopi32.exe
File created	C:\Windows\SysWOW64\Mdcajc32.dll	Mjnnbk32.exe
File created	C:\Windows\SysWOW64\Fopjdidn.dll	Mcgiefen.exe
File opened for modification	C:\Windows\SysWOW64\Hbnaeh32.exe	Hlblcn32.exe
File created	C:\Windows\SysWOW64\Ocgkan32.exe	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Binhnomg.exe	Bdapehop.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Ccblbb32.exe
File opened for modification	C:\Windows\SysWOW64\Onocomdo.exe	Ojomcopk.exe
File opened for modification	C:\Windows\SysWOW64\Fiqjke32.exe	Fecadghc.exe
File opened for modification	C:\Windows\SysWOW64\Gghdaa32.exe	Gpmomo32.exe
File created	C:\Windows\SysWOW64\Phgibp32.dll	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Gfbhcl32.dll	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fdkdibjp.exe
File opened for modification	C:\Windows\SysWOW64\Fncibg32.exe	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Jjjojj32.dll	Mgeakekd.exe
File created	C:\Windows\SysWOW64\Pfgbakef.dll	Pcegclgp.exe
File created	C:\Windows\SysWOW64\Cmnnimak.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Aepjgm32.dll	Nmipdk32.exe
File opened for modification	C:\Windows\SysWOW64\Filapfbo.exe	Fndpmndl.exe
File opened for modification	C:\Windows\SysWOW64\Hlblcn32.exe	Hpkknmgd.exe
File created	C:\Windows\SysWOW64\Lalceb32.dll	Bdocph32.exe
File created	C:\Windows\SysWOW64\Boplohfa.dll	Biklho32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6120	5184	WerFault.exe	212

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iojkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bigbmpco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.bcec58341e5872573291a15ae1e072d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmbbe32.dll"	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll"	Lakfeodm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjgbbnj.dll"	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Binhnomg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgm32.dll"	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dqbcbkab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpochfji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbajeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aimogakj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inebjihf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iogopi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipihpkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcclncbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panlem32.dll"	Hlblcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aiplmq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gihpkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nciopppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biklho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fdkdibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpmomo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlblcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaeidf32.dll"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll"	Apnndj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjckodg.dll"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fndpmndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abfdpfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fglnkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjcohke.dll"	Jeapcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lakfeodm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmdfp32.dll"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnnfkal.dll"	Gbiockdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhifomdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlkbkddd.dll"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll"	Abhqefpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacdhhjj.dll"	Eqkondfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqkondfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.bcec58341e5872573291a15ae1e072d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfibjl32.dll"	Gacepg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll"	Khbiello.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdqaqhbj.dll"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdeiqgkj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 3504	3564	NEAS.bcec58341e5872573291a15ae1e072d0.exe	90
PID 3564 wrote to memory of 3504	3564	NEAS.bcec58341e5872573291a15ae1e072d0.exe	90
PID 3564 wrote to memory of 3504	3564	NEAS.bcec58341e5872573291a15ae1e072d0.exe	90
PID 3504 wrote to memory of 1232	3504	Mcgiefen.exe	92
PID 3504 wrote to memory of 1232	3504	Mcgiefen.exe	92
PID 3504 wrote to memory of 1232	3504	Mcgiefen.exe	92
PID 1232 wrote to memory of 1000	1232	Mgeakekd.exe	94
PID 1232 wrote to memory of 1000	1232	Mgeakekd.exe	94
PID 1232 wrote to memory of 1000	1232	Mgeakekd.exe	94
PID 1000 wrote to memory of 3972	1000	Nncccnol.exe	95
PID 1000 wrote to memory of 3972	1000	Nncccnol.exe	95
PID 1000 wrote to memory of 3972	1000	Nncccnol.exe	95
PID 3972 wrote to memory of 4996	3972	Nmipdk32.exe	96
PID 3972 wrote to memory of 4996	3972	Nmipdk32.exe	96
PID 3972 wrote to memory of 4996	3972	Nmipdk32.exe	96
PID 4996 wrote to memory of 3048	4996	Ojomcopk.exe	97
PID 4996 wrote to memory of 3048	4996	Ojomcopk.exe	97
PID 4996 wrote to memory of 3048	4996	Ojomcopk.exe	97
PID 3048 wrote to memory of 4764	3048	Onocomdo.exe	98
PID 3048 wrote to memory of 4764	3048	Onocomdo.exe	98
PID 3048 wrote to memory of 4764	3048	Onocomdo.exe	98
PID 4764 wrote to memory of 3144	4764	Ojfcdnjc.exe	99
PID 4764 wrote to memory of 3144	4764	Ojfcdnjc.exe	99
PID 4764 wrote to memory of 3144	4764	Ojfcdnjc.exe	99
PID 3144 wrote to memory of 4408	3144	Opeiadfg.exe	100
PID 3144 wrote to memory of 4408	3144	Opeiadfg.exe	100
PID 3144 wrote to memory of 4408	3144	Opeiadfg.exe	100
PID 4408 wrote to memory of 4156	4408	Pfandnla.exe	101
PID 4408 wrote to memory of 4156	4408	Pfandnla.exe	101
PID 4408 wrote to memory of 4156	4408	Pfandnla.exe	101
PID 4156 wrote to memory of 1428	4156	Pdhkcb32.exe	102
PID 4156 wrote to memory of 1428	4156	Pdhkcb32.exe	102
PID 4156 wrote to memory of 1428	4156	Pdhkcb32.exe	102
PID 1428 wrote to memory of 5044	1428	Pjdpelnc.exe	103
PID 1428 wrote to memory of 5044	1428	Pjdpelnc.exe	103
PID 1428 wrote to memory of 5044	1428	Pjdpelnc.exe	103
PID 5044 wrote to memory of 4940	5044	Qdoacabq.exe	104
PID 5044 wrote to memory of 4940	5044	Qdoacabq.exe	104
PID 5044 wrote to memory of 4940	5044	Qdoacabq.exe	104
PID 4940 wrote to memory of 2092	4940	Qdaniq32.exe	106
PID 4940 wrote to memory of 2092	4940	Qdaniq32.exe	106
PID 4940 wrote to memory of 2092	4940	Qdaniq32.exe	106
PID 2092 wrote to memory of 4632	2092	Aaenbd32.exe	105
PID 2092 wrote to memory of 4632	2092	Aaenbd32.exe	105
PID 2092 wrote to memory of 4632	2092	Aaenbd32.exe	105
PID 4632 wrote to memory of 3912	4632	Aagkhd32.exe	107
PID 4632 wrote to memory of 3912	4632	Aagkhd32.exe	107
PID 4632 wrote to memory of 3912	4632	Aagkhd32.exe	107
PID 3912 wrote to memory of 2148	3912	Ahdpjn32.exe	108
PID 3912 wrote to memory of 2148	3912	Ahdpjn32.exe	108
PID 3912 wrote to memory of 2148	3912	Ahdpjn32.exe	108
PID 2148 wrote to memory of 5064	2148	Apodoq32.exe	109
PID 2148 wrote to memory of 5064	2148	Apodoq32.exe	109
PID 2148 wrote to memory of 5064	2148	Apodoq32.exe	109
PID 5064 wrote to memory of 3904	5064	Apaadpng.exe	110
PID 5064 wrote to memory of 3904	5064	Apaadpng.exe	110
PID 5064 wrote to memory of 3904	5064	Apaadpng.exe	110
PID 3904 wrote to memory of 4356	3904	Bhkfkmmg.exe	111
PID 3904 wrote to memory of 4356	3904	Bhkfkmmg.exe	111
PID 3904 wrote to memory of 4356	3904	Bhkfkmmg.exe	111
PID 4356 wrote to memory of 4100	4356	Bhmbqm32.exe	112
PID 4356 wrote to memory of 4100	4356	Bhmbqm32.exe	112
PID 4356 wrote to memory of 4100	4356	Bhmbqm32.exe	112
PID 4100 wrote to memory of 3844	4100	Boihcf32.exe	113

C:\Users\Admin\AppData\Local\Temp\NEAS.bcec58341e5872573291a15ae1e072d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bcec58341e5872573291a15ae1e072d0.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\SysWOW64\Mcgiefen.exe
  C:\Windows\system32\Mcgiefen.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\Mgeakekd.exe
    C:\Windows\system32\Mgeakekd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\SysWOW64\Nncccnol.exe
      C:\Windows\system32\Nncccnol.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1000
    - - C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
      - C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2092

C:\Windows\SysWOW64\Aagkhd32.exe
C:\Windows\system32\Aagkhd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\SysWOW64\Ahdpjn32.exe
  C:\Windows\system32\Ahdpjn32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\SysWOW64\Apodoq32.exe
    C:\Windows\system32\Apodoq32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\Apaadpng.exe
      C:\Windows\system32\Apaadpng.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3904
      - C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        11⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Dqbcbkab.exe
        
        C:\Windows\system32\Dqbcbkab.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        14⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        16⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Fecadghc.exe
        
        C:\Windows\system32\Fecadghc.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Gbiockdj.exe
        
        C:\Windows\system32\Gbiockdj.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        23⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Gihpkd32.exe
        
        C:\Windows\system32\Gihpkd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Gacepg32.exe
        
        C:\Windows\system32\Gacepg32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Hpfbcn32.exe
        
        C:\Windows\system32\Hpfbcn32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        30⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Iogopi32.exe
        
        C:\Windows\system32\Iogopi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Iojkeh32.exe
        
        C:\Windows\system32\Iojkeh32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Ipihpkkd.exe
        
        C:\Windows\system32\Ipihpkkd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Jhifomdj.exe
        
        C:\Windows\system32\Jhifomdj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\Jeapcq32.exe
        
        C:\Windows\system32\Jeapcq32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Khbiello.exe
        
        C:\Windows\system32\Khbiello.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Kpnjah32.exe
        
        C:\Windows\system32\Kpnjah32.exe
        42⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        43⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Lakfeodm.exe
        
        C:\Windows\system32\Lakfeodm.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        51⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Nciopppp.exe
        
        C:\Windows\system32\Nciopppp.exe
        52⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Noblkqca.exe
        
        C:\Windows\system32\Noblkqca.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        56⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Ojcpdg32.exe
        
        C:\Windows\system32\Ojcpdg32.exe
        57⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        59⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        60⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ppnenlka.exe
        
        C:\Windows\system32\Ppnenlka.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Pjcikejg.exe
        
        C:\Windows\system32\Pjcikejg.exe
        63⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Qbajeg32.exe
        
        C:\Windows\system32\Qbajeg32.exe
        65⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Aimogakj.exe
        
        C:\Windows\system32\Aimogakj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Abfdpfaj.exe
        
        C:\Windows\system32\Abfdpfaj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Aiplmq32.exe
        
        C:\Windows\system32\Aiplmq32.exe
        68⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Amnebo32.exe
        
        C:\Windows\system32\Amnebo32.exe
        70⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Apnndj32.exe
        
        C:\Windows\system32\Apnndj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        72⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Binhnomg.exe
        
        C:\Windows\system32\Binhnomg.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Bipecnkd.exe
        
        C:\Windows\system32\Bipecnkd.exe
        79⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        83⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        84⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Dkbgjo32.exe
        
        C:\Windows\system32\Dkbgjo32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        91⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Ejjaqk32.exe
        
        C:\Windows\system32\Ejjaqk32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        93⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\Eqkondfl.exe
        
        C:\Windows\system32\Eqkondfl.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Fjeplijj.exe
        
        C:\Windows\system32\Fjeplijj.exe
        95⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2896
        
        C:\Windows\SysWOW64\Fglnkm32.exe
        
        C:\Windows\system32\Fglnkm32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        99⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Fbdnne32.exe
        
        C:\Windows\system32\Fbdnne32.exe
        100⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        102⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 416
        103⤵
        Program crash
        
        PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5184 -ip 5184
1⤵
PID:5428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
207KB

MD5
d0d4600343543f07ab6d829c7fc05fc7

SHA1
bab64a7ba91bf38db28e012185c9f2edc7fa46f3

SHA256
4edb6891e5f3a00c99a11731b54e8915c9d2661c5a4b7ac7bb878f5d1c4dfe8f

SHA512
9891539148bef483b1d3ce5d77014883f51e8c9e4a894145eb1c63b64f6e851a0a05d192797bae96597390ccbeff41a43937217f375946b7ca88616437d6c946

Download Submit
C:\Windows\SysWOW64\Aaenbd32.exe

Filesize
207KB

MD5
d0d4600343543f07ab6d829c7fc05fc7

SHA1
bab64a7ba91bf38db28e012185c9f2edc7fa46f3

SHA256
4edb6891e5f3a00c99a11731b54e8915c9d2661c5a4b7ac7bb878f5d1c4dfe8f

SHA512
9891539148bef483b1d3ce5d77014883f51e8c9e4a894145eb1c63b64f6e851a0a05d192797bae96597390ccbeff41a43937217f375946b7ca88616437d6c946

Download Submit
C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
207KB

MD5
3d962c366b3bdd0214cc1e002d2f8449

SHA1
f24088ddfecd1a0b57a2c34b318bd654c88e9bd6

SHA256
803773b43f70aefaa9d6f8d1b64e65fc4ba70ca6b651d45bfafed987c0a18883

SHA512
ea5b04feb476434472d8f302bcb906d91f74555c80be1351cb8fd651eb26aa18e4b985b327d9fed88c235bdfb383da65aeef9ae935ca9f30e4cbdc74b38d7d4f

Download Submit
C:\Windows\SysWOW64\Aagkhd32.exe

Filesize
207KB

MD5
3d962c366b3bdd0214cc1e002d2f8449

SHA1
f24088ddfecd1a0b57a2c34b318bd654c88e9bd6

SHA256
803773b43f70aefaa9d6f8d1b64e65fc4ba70ca6b651d45bfafed987c0a18883

SHA512
ea5b04feb476434472d8f302bcb906d91f74555c80be1351cb8fd651eb26aa18e4b985b327d9fed88c235bdfb383da65aeef9ae935ca9f30e4cbdc74b38d7d4f

Download Submit
C:\Windows\SysWOW64\Aepjgm32.dll

Filesize
7KB

MD5
cc66d253c00e7d1f778f5a2d9a3d33dd

SHA1
30a51d11418bbf5664421e134dd0f11fd5c5c0c3

SHA256
54bb55f77ff8ac7130899c11401e171264889e6183c81410245121318b1af818

SHA512
04cdb0500691a2bb4e2d14f7a34455fb42463e3d366fbc17e47cfa261c8237ddc8a6e4f818eb0239bfd30442594a15d0bbca1e85fe3110e94171bd75cbc417c2

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
207KB

MD5
74aae446a82d5c821296410b6581d8f5

SHA1
80d9d559e03c2d00d9b8fd2d1175a86a6dff9cb3

SHA256
53c50a2648ec46bf8bfed61df81e359b1b69b81286e7f59e47600db915bcfe45

SHA512
f4d280c2425e8fa05dc1ae9370150b27c397a604761168d4aaf6973762b0aa2531986368bed590932b976be0909b31979a0551ca079fc0572246cf7dccbc975d

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
207KB

MD5
74aae446a82d5c821296410b6581d8f5

SHA1
80d9d559e03c2d00d9b8fd2d1175a86a6dff9cb3

SHA256
53c50a2648ec46bf8bfed61df81e359b1b69b81286e7f59e47600db915bcfe45

SHA512
f4d280c2425e8fa05dc1ae9370150b27c397a604761168d4aaf6973762b0aa2531986368bed590932b976be0909b31979a0551ca079fc0572246cf7dccbc975d

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
207KB

MD5
538da9e4a3ccfab997bc8c1b4ee8d8d8

SHA1
766b006395cee4eac7855c7bcacb5a8f9dcc767d

SHA256
2cb2190f7d1740ffbb3d5cbeea2ea8f28854d22af4da1b51b90c43df23607799

SHA512
5aba26be1ce950955abb3d043337410835135c329f1955bf5531d8be0f6072abbf1b9a07f4e2283e6e63f24858304a27afd644f9f70ee10ed05aa68d06dcf890

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
207KB

MD5
538da9e4a3ccfab997bc8c1b4ee8d8d8

SHA1
766b006395cee4eac7855c7bcacb5a8f9dcc767d

SHA256
2cb2190f7d1740ffbb3d5cbeea2ea8f28854d22af4da1b51b90c43df23607799

SHA512
5aba26be1ce950955abb3d043337410835135c329f1955bf5531d8be0f6072abbf1b9a07f4e2283e6e63f24858304a27afd644f9f70ee10ed05aa68d06dcf890

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
207KB

MD5
447628d9a0cc286401cea5a845941e2a

SHA1
85caf5fe97abf09a21b27724a8e042dc141f92a0

SHA256
be1dc499c33a1d6700c61454c7adc04fe5720d47a8617501dee0511a8faf7434

SHA512
5dc98a3040f44c6fd7bb9f020b324b6720e5fadb44b323f08105af908b8e3c3ee71de481e4c92903a48ebd7444a27f645ca300fb2e077493990b3723a6e3b613

Download Submit
C:\Windows\SysWOW64\Apodoq32.exe

Filesize
207KB

MD5
447628d9a0cc286401cea5a845941e2a

SHA1
85caf5fe97abf09a21b27724a8e042dc141f92a0

SHA256
be1dc499c33a1d6700c61454c7adc04fe5720d47a8617501dee0511a8faf7434

SHA512
5dc98a3040f44c6fd7bb9f020b324b6720e5fadb44b323f08105af908b8e3c3ee71de481e4c92903a48ebd7444a27f645ca300fb2e077493990b3723a6e3b613

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
207KB

MD5
0e7cb16d2c8c31e7bfb56a290327424a

SHA1
70ba3d95f3437c2b9e3d044aeac42451c86564eb

SHA256
064492b8dc66c620d9ebcc7834a006ba604c4103a625a8385d45ab1b51be4995

SHA512
b57af38662234b2fd96ca9151d9babf341099518449569bab0e5261a51122a3c4ce2f9d41ef2444eef132aa6ca51c0fa49a68db79a36c3e14158b2e39c762bbf

Download Submit
C:\Windows\SysWOW64\Bhkfkmmg.exe

Filesize
207KB

MD5
0e7cb16d2c8c31e7bfb56a290327424a

SHA1
70ba3d95f3437c2b9e3d044aeac42451c86564eb

SHA256
064492b8dc66c620d9ebcc7834a006ba604c4103a625a8385d45ab1b51be4995

SHA512
b57af38662234b2fd96ca9151d9babf341099518449569bab0e5261a51122a3c4ce2f9d41ef2444eef132aa6ca51c0fa49a68db79a36c3e14158b2e39c762bbf

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
207KB

MD5
684b2504f74d7b60373d77f75c8a6bcd

SHA1
7491aac5e48471f50c9fcd269c458302e0eb4b4d

SHA256
5654f3598ecec2902bc3c08de716e16bc7fb9dacdaea245834f1197e155d951b

SHA512
5e9f7758ef814a60146e8af0a32e424910618b008505151075cd1ae6e677939302bbed6097366bd235345f81722ebfe3a7ebab58ca3d16201dc7f24a42551185

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
207KB

MD5
684b2504f74d7b60373d77f75c8a6bcd

SHA1
7491aac5e48471f50c9fcd269c458302e0eb4b4d

SHA256
5654f3598ecec2902bc3c08de716e16bc7fb9dacdaea245834f1197e155d951b

SHA512
5e9f7758ef814a60146e8af0a32e424910618b008505151075cd1ae6e677939302bbed6097366bd235345f81722ebfe3a7ebab58ca3d16201dc7f24a42551185

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
207KB

MD5
aff43da705d975b1375a2ca9ce378edd

SHA1
63048aa2cd405aced498261a4accd4510c0c5e22

SHA256
99102333e26a1f049d1f91b15af0b6eb269c60647cbf7d2344e7993a3f2300fe

SHA512
fd11f6ca46c62ec9d5b6ab59517cf5b1117cc4cd5272971366136e5de6b8923a9c01c0ffb7e1f7c8cab33fe3eea2c0fc2883ef722fc479e1a1a07ba31db541ff

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
207KB

MD5
aff43da705d975b1375a2ca9ce378edd

SHA1
63048aa2cd405aced498261a4accd4510c0c5e22

SHA256
99102333e26a1f049d1f91b15af0b6eb269c60647cbf7d2344e7993a3f2300fe

SHA512
fd11f6ca46c62ec9d5b6ab59517cf5b1117cc4cd5272971366136e5de6b8923a9c01c0ffb7e1f7c8cab33fe3eea2c0fc2883ef722fc479e1a1a07ba31db541ff

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
207KB

MD5
9bd3c9b5aa59d23c8a92e45bf19490fb

SHA1
079b0ede6509e7ec9008c0297242e351ff9007bb

SHA256
8cc6755a763a306e462c54ad1bad1f0041e2ac12628c42579c9a000265268d67

SHA512
0afd647a7c8eba273e5fce37ef7108b30c9268033c8593fbf9b5d86c67a9991464a1d94023ee1b2aa8d6bf0e368c51c1aa4b094085a40a74cab52a48967eb11e

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
207KB

MD5
9d926b1e6286012862f6f5dff9ff6d6d

SHA1
60d30f56f71452a9484d4c44e8dec7c18cdf3b01

SHA256
3a367e5a9077ae2cf68dbd9b5038e51d1644ef5d30bc916d828881cccc2415f5

SHA512
258863a0a311ff7910b63a51d20c9c70f6e26596d202d34e21be1eac055e249037e7973e6a694b0260dc66651e2ff49fd76ad512c2b8ac1b2e3fd4e5336be458

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
207KB

MD5
9d926b1e6286012862f6f5dff9ff6d6d

SHA1
60d30f56f71452a9484d4c44e8dec7c18cdf3b01

SHA256
3a367e5a9077ae2cf68dbd9b5038e51d1644ef5d30bc916d828881cccc2415f5

SHA512
258863a0a311ff7910b63a51d20c9c70f6e26596d202d34e21be1eac055e249037e7973e6a694b0260dc66651e2ff49fd76ad512c2b8ac1b2e3fd4e5336be458

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
207KB

MD5
4791a888494e5e144c7acae0d8b9eb5a

SHA1
d6a1ecf63e331b373b221a40c3a3a23c673ab4c6

SHA256
b6d1cafb00b67e40b9bf41e33f66712ca64022762be22523fd4f558bde0db818

SHA512
a72dcdb84e6566f27682fd4ee33ba24387352dfa5a275c46284ad4e922e38a3e1fae265a9bd57e672fb49ac115eceb5d71480bb97ae916f67286beeab35525f4

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
207KB

MD5
b6e115b59e59cd508118c9f2eee482eb

SHA1
8320848909439816922feafdd8e8f7cefe407789

SHA256
e7de13d07960122af7c99f49ae727ba9976794096480ab7533d6a386a4a10d10

SHA512
6afb9ccd7972de814c92f392bbb67688de12f689cf7864ceecc7da2429b22bc839af33898797854f518e754b60b7ce7e6c7cc483467e9ab217b31e0af3f5ff29

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
207KB

MD5
b6e115b59e59cd508118c9f2eee482eb

SHA1
8320848909439816922feafdd8e8f7cefe407789

SHA256
e7de13d07960122af7c99f49ae727ba9976794096480ab7533d6a386a4a10d10

SHA512
6afb9ccd7972de814c92f392bbb67688de12f689cf7864ceecc7da2429b22bc839af33898797854f518e754b60b7ce7e6c7cc483467e9ab217b31e0af3f5ff29

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
207KB

MD5
428f1f2622c1dca2eb8f3b2420fab2c7

SHA1
fa9009a5bce852e9c3854986ceeecb8bf0d77b82

SHA256
41a1c7e3812fdad21a81647449a2e6289810f054a2b4ea3827643c53ea706287

SHA512
b59aec3638b6008a818298ee30e12b6d8be0409cc7ce4010e899124be80bb2ea3ce392ca9091420fccbc3dd67b734198f99582cbec11c5a20ddb74eb5436bd4e

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
207KB

MD5
428f1f2622c1dca2eb8f3b2420fab2c7

SHA1
fa9009a5bce852e9c3854986ceeecb8bf0d77b82

SHA256
41a1c7e3812fdad21a81647449a2e6289810f054a2b4ea3827643c53ea706287

SHA512
b59aec3638b6008a818298ee30e12b6d8be0409cc7ce4010e899124be80bb2ea3ce392ca9091420fccbc3dd67b734198f99582cbec11c5a20ddb74eb5436bd4e

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
207KB

MD5
538a2ba268a82b42f8a672170ec73920

SHA1
253f6a5712956ab6efe97c1ded97f130fcc2743b

SHA256
1041d6283f92dd4f09a1d8c88aa9d2b117e3bfe93c837ae2d88cf21aeae0ce39

SHA512
91663daff08b832dcdab2bc12fef40b8930a803ae048ebf995c167ca5f574214520bb1b68ad25324f431d7a487d710b4e156d9dcf50f16086a13cf331c5fad82

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
207KB

MD5
8bb0807c136b53d90337cb3c5ccb1188

SHA1
add2d192d1080ce86d727f94d67b10ddacb68df9

SHA256
08f68e961eb62c7ee22c35c03840a6e6313aeedecb642b59e847811de9c21b65

SHA512
68889c70f94b6267882d30870bf38cae3f496111576d64b2298daef8dd524a1402ef48284556c2383cac56e60c1925d1a3f43da0b4c1790f6c5d92ba5b102a6b

Download Submit
C:\Windows\SysWOW64\Cpmapodj.exe

Filesize
207KB

MD5
8bb0807c136b53d90337cb3c5ccb1188

SHA1
add2d192d1080ce86d727f94d67b10ddacb68df9

SHA256
08f68e961eb62c7ee22c35c03840a6e6313aeedecb642b59e847811de9c21b65

SHA512
68889c70f94b6267882d30870bf38cae3f496111576d64b2298daef8dd524a1402ef48284556c2383cac56e60c1925d1a3f43da0b4c1790f6c5d92ba5b102a6b

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
207KB

MD5
55bbdb176e396d09c78e1cbfe9a229b4

SHA1
0f5d9f3ead9489bb56c504c4f117de582646579b

SHA256
f94c7ac8ce0280d1ec9841d4f8bf7de09b4cd1bde72bccfd3fe0240a82be17fd

SHA512
dfd9491b1b04ded7ace0931faed2e543ac5b5162216ff2c91703ec2c2fb75fe53e421fcbd7d2c1dbb72c943b975f54f5e4e6de67677217adf3cf0e79c3a0d42a

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
207KB

MD5
55bbdb176e396d09c78e1cbfe9a229b4

SHA1
0f5d9f3ead9489bb56c504c4f117de582646579b

SHA256
f94c7ac8ce0280d1ec9841d4f8bf7de09b4cd1bde72bccfd3fe0240a82be17fd

SHA512
dfd9491b1b04ded7ace0931faed2e543ac5b5162216ff2c91703ec2c2fb75fe53e421fcbd7d2c1dbb72c943b975f54f5e4e6de67677217adf3cf0e79c3a0d42a

Download Submit
C:\Windows\SysWOW64\Ddgibkpc.exe

Filesize
207KB

MD5
55bbdb176e396d09c78e1cbfe9a229b4

SHA1
0f5d9f3ead9489bb56c504c4f117de582646579b

SHA256
f94c7ac8ce0280d1ec9841d4f8bf7de09b4cd1bde72bccfd3fe0240a82be17fd

SHA512
dfd9491b1b04ded7ace0931faed2e543ac5b5162216ff2c91703ec2c2fb75fe53e421fcbd7d2c1dbb72c943b975f54f5e4e6de67677217adf3cf0e79c3a0d42a

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
207KB

MD5
f59f6b09614307e9b0d7b7662fc17b7f

SHA1
dc61545b5e6556e24e32f6e9641958147d80f1dd

SHA256
f87d238359578c8b972a972b90669abcf057237e81d99a73df11d0d882837be3

SHA512
a0ff4044d2cd5cc992c9b79503ad35c4c69b66fbd4043fa71033dabbd30f5bab5def81dd914faf8ce87694e667eb43e0edc192307f631aeb4ea3d3d105551bd0

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
207KB

MD5
f59f6b09614307e9b0d7b7662fc17b7f

SHA1
dc61545b5e6556e24e32f6e9641958147d80f1dd

SHA256
f87d238359578c8b972a972b90669abcf057237e81d99a73df11d0d882837be3

SHA512
a0ff4044d2cd5cc992c9b79503ad35c4c69b66fbd4043fa71033dabbd30f5bab5def81dd914faf8ce87694e667eb43e0edc192307f631aeb4ea3d3d105551bd0

Download Submit
C:\Windows\SysWOW64\Dqbcbkab.exe

Filesize
207KB

MD5
f59f6b09614307e9b0d7b7662fc17b7f

SHA1
dc61545b5e6556e24e32f6e9641958147d80f1dd

SHA256
f87d238359578c8b972a972b90669abcf057237e81d99a73df11d0d882837be3

SHA512
a0ff4044d2cd5cc992c9b79503ad35c4c69b66fbd4043fa71033dabbd30f5bab5def81dd914faf8ce87694e667eb43e0edc192307f631aeb4ea3d3d105551bd0

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
207KB

MD5
1b6af35389e740b2d82c53e963eabd57

SHA1
c1c3ff9b37c9ce2400720dac6c1b5412fad75168

SHA256
a3dcaa76625059342ce5c26c9b980fe5bc6b425637afdc2ccc7a74cae84fb87c

SHA512
d03d6e7eb01cc92508af4ed6d21329e5bb3b09d3572f2b5452ee1e19e39e7375d078546acb2dc763b864adfe18246620dc0ce84dac1840fc84a042215055057e

Download Submit
C:\Windows\SysWOW64\Ebifmm32.exe

Filesize
207KB

MD5
1b6af35389e740b2d82c53e963eabd57

SHA1
c1c3ff9b37c9ce2400720dac6c1b5412fad75168

SHA256
a3dcaa76625059342ce5c26c9b980fe5bc6b425637afdc2ccc7a74cae84fb87c

SHA512
d03d6e7eb01cc92508af4ed6d21329e5bb3b09d3572f2b5452ee1e19e39e7375d078546acb2dc763b864adfe18246620dc0ce84dac1840fc84a042215055057e

Download Submit
C:\Windows\SysWOW64\Egaejeej.exe

Filesize
207KB

MD5
628183fa3a263b43bac6413e8a42b507

SHA1
8c4e2d807838da822b7157dbaca85589018d5856

SHA256
118429f3221270025a2bd452c168c52e48c41a9d4e4f5c60e48e5eef7ebd1cac

SHA512
a3d0a1f82a85165ae5d0ab657df6ae95aa4de204ed9856e29786fa1ad987c0c8654f35b409f7a550c4a54c6a8b31b55a8bf7f54fde412d6d6d11785dc2cdc973

Download Submit
C:\Windows\SysWOW64\Egaejeej.exe

Filesize
207KB

MD5
628183fa3a263b43bac6413e8a42b507

SHA1
8c4e2d807838da822b7157dbaca85589018d5856

SHA256
118429f3221270025a2bd452c168c52e48c41a9d4e4f5c60e48e5eef7ebd1cac

SHA512
a3d0a1f82a85165ae5d0ab657df6ae95aa4de204ed9856e29786fa1ad987c0c8654f35b409f7a550c4a54c6a8b31b55a8bf7f54fde412d6d6d11785dc2cdc973

Download Submit
C:\Windows\SysWOW64\Eghkjdoa.exe

Filesize
207KB

MD5
cc0593b4abd9c595b46c9fd6d35a2232

SHA1
7b7ba83d20b54477775e2daf3a71fe4068d81fe9

SHA256
18a5e8b438bca30c6d5cdb75d69d865cfcd279a9df0104809cf3ae7aa8cad104

SHA512
c730144f99ec88340e408fce8a786a9af77bc3069e1e87e6b04eecb773ac0266eb23e113322928638205768f53e55201d61c85dd29923e089d19c76a5956fba0

Download Submit
C:\Windows\SysWOW64\Eghkjdoa.exe

Filesize
207KB

MD5
cc0593b4abd9c595b46c9fd6d35a2232

SHA1
7b7ba83d20b54477775e2daf3a71fe4068d81fe9

SHA256
18a5e8b438bca30c6d5cdb75d69d865cfcd279a9df0104809cf3ae7aa8cad104

SHA512
c730144f99ec88340e408fce8a786a9af77bc3069e1e87e6b04eecb773ac0266eb23e113322928638205768f53e55201d61c85dd29923e089d19c76a5956fba0

Download Submit
C:\Windows\SysWOW64\Filapfbo.exe

Filesize
207KB

MD5
2cfa568d24cd80a6aa56c8ca0b6eb390

SHA1
0400c2b6922d9ed4be564df4d4619460f2a8471a

SHA256
bc75ed0d4788eb9b658da5afd50a8b129af90d2ecdde79d9cfb0d28aeacdc19e

SHA512
df93b85750bfe8adbe5c4a70bb4faffb0a0208331755fc97eb818bee97ae62491eba37c619e684313fa46f36445a969a94ddbe8c7b60a2f036feebe4bc2a5e22

Download Submit
C:\Windows\SysWOW64\Filapfbo.exe

Filesize
207KB

MD5
2cfa568d24cd80a6aa56c8ca0b6eb390

SHA1
0400c2b6922d9ed4be564df4d4619460f2a8471a

SHA256
bc75ed0d4788eb9b658da5afd50a8b129af90d2ecdde79d9cfb0d28aeacdc19e

SHA512
df93b85750bfe8adbe5c4a70bb4faffb0a0208331755fc97eb818bee97ae62491eba37c619e684313fa46f36445a969a94ddbe8c7b60a2f036feebe4bc2a5e22

Download Submit
C:\Windows\SysWOW64\Fndpmndl.exe

Filesize
207KB

MD5
4712a9d89d807e2d97f30b80efd72609

SHA1
e68abbd972f57756f7a8fe4778ca9aa4d8a0813e

SHA256
4c912fa0febee257bc4b2e1e5c81dddc0080d12fb95c4690bf8ead1fc31646bc

SHA512
4405995bc88b14f81cd82efb4c29ce8ed60f48322d7012c5184872632ec73632c684e2c9859ed3f7db5ef11cc538dcd4765f21f22c7e0cbd06bacc9b947e8d54

Download Submit
C:\Windows\SysWOW64\Fndpmndl.exe

Filesize
207KB

MD5
4712a9d89d807e2d97f30b80efd72609

SHA1
e68abbd972f57756f7a8fe4778ca9aa4d8a0813e

SHA256
4c912fa0febee257bc4b2e1e5c81dddc0080d12fb95c4690bf8ead1fc31646bc

SHA512
4405995bc88b14f81cd82efb4c29ce8ed60f48322d7012c5184872632ec73632c684e2c9859ed3f7db5ef11cc538dcd4765f21f22c7e0cbd06bacc9b947e8d54

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
207KB

MD5
751dbdb2fcaa14f1849f328037d1f21f

SHA1
bfe7fd72764174def6b997e8b3b09cc5ff48acf6

SHA256
965a019d16328a4dfe6a7448c2f301b14df679fd4c9d41f2d82aa39f378269c6

SHA512
9eeb8d66a2b2728a9fc2956c06c0647865f27685f385688392221f2f1275612dedc350e8225ac18404002f14bcc2cda5875cdedb5399ae45cd6e06964825d7c1

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
207KB

MD5
c7236a085faee45bea453626b4acc6a8

SHA1
775d67ec05f522b0f982d289a98e7345a66d8f74

SHA256
3a13b7ba55fbdd1d1d971e61bff9ff21705592bee2464d4aecf65a5b42d0d920

SHA512
ad616ddde5d557d56c1c007a6bf36a4c753143f467defb890975535491e771f563698b2ab867f90353c7ca88d2d6f8142117a912d310eebcfe919bda2ff8731f

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
207KB

MD5
c7236a085faee45bea453626b4acc6a8

SHA1
775d67ec05f522b0f982d289a98e7345a66d8f74

SHA256
3a13b7ba55fbdd1d1d971e61bff9ff21705592bee2464d4aecf65a5b42d0d920

SHA512
ad616ddde5d557d56c1c007a6bf36a4c753143f467defb890975535491e771f563698b2ab867f90353c7ca88d2d6f8142117a912d310eebcfe919bda2ff8731f

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
207KB

MD5
1ee660fcc6316e5e447a12dfd06d7ebb

SHA1
3beb50e9acfa69dd3dbee34efa5b3d84ce57608d

SHA256
87eed5799bf60afb9b3fffd7f6f6bc8fe5746f07fa2691b7938766fafa77a1ad

SHA512
7b7ce3ca720c995f69330bc9eba81ebabb7e7a05b54765c33894f736bd756d69bec11e5a36a2491ee64d19209c19fdc25d0d3c1a381c132847e01bb610884cc9

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
207KB

MD5
1ee660fcc6316e5e447a12dfd06d7ebb

SHA1
3beb50e9acfa69dd3dbee34efa5b3d84ce57608d

SHA256
87eed5799bf60afb9b3fffd7f6f6bc8fe5746f07fa2691b7938766fafa77a1ad

SHA512
7b7ce3ca720c995f69330bc9eba81ebabb7e7a05b54765c33894f736bd756d69bec11e5a36a2491ee64d19209c19fdc25d0d3c1a381c132847e01bb610884cc9

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
207KB

MD5
8b2bb37d5a73dc7bf3c22a23dc4d4a47

SHA1
4a0433829d3a0074767294601dbc07528b8463fe

SHA256
4e7b025d7848bb0c20f0e7c1a0ac7f9098a3988c885364b393b881f4d4b93557

SHA512
7b8e614d00fa1aa9397a51cd882b7b1e0acff66bfd3269e61d12d8c58f1b27aa1a37d87252b10b4ad2249473a3727713a89f5bda3386857b750d902d009834f2

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
207KB

MD5
8b2bb37d5a73dc7bf3c22a23dc4d4a47

SHA1
4a0433829d3a0074767294601dbc07528b8463fe

SHA256
4e7b025d7848bb0c20f0e7c1a0ac7f9098a3988c885364b393b881f4d4b93557

SHA512
7b8e614d00fa1aa9397a51cd882b7b1e0acff66bfd3269e61d12d8c58f1b27aa1a37d87252b10b4ad2249473a3727713a89f5bda3386857b750d902d009834f2

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
207KB

MD5
10e3ee47527a0ad8d07e8ebbddc0a591

SHA1
9aebbf669ad32655a8d1cdb6eb34f763754c6784

SHA256
705609d442fed601b3ff95298517686baa69718f6e5d7524baa83cef9c324717

SHA512
80c7fe020819dfe4f6fda5e915f5e0278fda43733580aaaf4567ea13182564f657f3408a69fb0c8278f9c005a1c496184e47173c64b0cd60c74b5f683b889223

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
207KB

MD5
10e3ee47527a0ad8d07e8ebbddc0a591

SHA1
9aebbf669ad32655a8d1cdb6eb34f763754c6784

SHA256
705609d442fed601b3ff95298517686baa69718f6e5d7524baa83cef9c324717

SHA512
80c7fe020819dfe4f6fda5e915f5e0278fda43733580aaaf4567ea13182564f657f3408a69fb0c8278f9c005a1c496184e47173c64b0cd60c74b5f683b889223

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
207KB

MD5
68296c757f4de91489f50d24cd06b4a9

SHA1
800bd88f134fd4ca217e1ef28a05f047724b6a37

SHA256
c49f3a94b8be303baea654befb06cdd7183d9389182d682dd6540a4270377990

SHA512
35aa52f62fb6335e52f72baed705cf8e12dcab1a796eabac40a4a98ec72ea6ce0e805e5bc6a4159a8ecf04fa1a9a78bdca1799de746cdc3eacd7250ab33d326a

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
207KB

MD5
68296c757f4de91489f50d24cd06b4a9

SHA1
800bd88f134fd4ca217e1ef28a05f047724b6a37

SHA256
c49f3a94b8be303baea654befb06cdd7183d9389182d682dd6540a4270377990

SHA512
35aa52f62fb6335e52f72baed705cf8e12dcab1a796eabac40a4a98ec72ea6ce0e805e5bc6a4159a8ecf04fa1a9a78bdca1799de746cdc3eacd7250ab33d326a

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
207KB

MD5
ebec3c87f66fda42ac6363db2a24c26b

SHA1
d331dd4a92d68721b1cce65c0556a376422c63f4

SHA256
cc249c832f901b46142f669f4c029581686e013f1326df490f4076c9fcab849f

SHA512
1385787f7cea200db6bc9be6867c07a864b6627bb54611aa02e0f4960140e38ab7f8b3f16d0cefcb259fe77049c958c2762bd85f6a13f4f8eabd47d3cc8b4afa

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
207KB

MD5
ebec3c87f66fda42ac6363db2a24c26b

SHA1
d331dd4a92d68721b1cce65c0556a376422c63f4

SHA256
cc249c832f901b46142f669f4c029581686e013f1326df490f4076c9fcab849f

SHA512
1385787f7cea200db6bc9be6867c07a864b6627bb54611aa02e0f4960140e38ab7f8b3f16d0cefcb259fe77049c958c2762bd85f6a13f4f8eabd47d3cc8b4afa

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
207KB

MD5
e8cd5c554ad448ef87679f8934511505

SHA1
4d2333828ef4c2e57df6b249fdcea5ed8578d1aa

SHA256
e24f4a20f3337f88c7da4770873fdddd64e647316a63565f0d4c94c19d8744fa

SHA512
f8b0eb476f8ba23231ff6ab90226eaa807400189405b33d21a94b08a07a97c727fa41af5bc7fbc9585be1b11bc91b1acde251b6b5f2980b5ef4e935e543c195c

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
207KB

MD5
e8cd5c554ad448ef87679f8934511505

SHA1
4d2333828ef4c2e57df6b249fdcea5ed8578d1aa

SHA256
e24f4a20f3337f88c7da4770873fdddd64e647316a63565f0d4c94c19d8744fa

SHA512
f8b0eb476f8ba23231ff6ab90226eaa807400189405b33d21a94b08a07a97c727fa41af5bc7fbc9585be1b11bc91b1acde251b6b5f2980b5ef4e935e543c195c

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
207KB

MD5
b1d6f0e71a799f88aa06a76e9711dd62

SHA1
c660f496e96f0b6238194ea62d641d640b16281a

SHA256
88f2f1fd5dc36a6b1db2aacdcf478131b2e88f5265369d1cbc6d3806e587b1e9

SHA512
1bc884718556bb2ac588dcee47702aa21f0a83807352385a9f435104ac3ba00910575221550aecf9c8cf00013bbcc3ce6f5146211568d6101304808336e46a83

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
207KB

MD5
b1d6f0e71a799f88aa06a76e9711dd62

SHA1
c660f496e96f0b6238194ea62d641d640b16281a

SHA256
88f2f1fd5dc36a6b1db2aacdcf478131b2e88f5265369d1cbc6d3806e587b1e9

SHA512
1bc884718556bb2ac588dcee47702aa21f0a83807352385a9f435104ac3ba00910575221550aecf9c8cf00013bbcc3ce6f5146211568d6101304808336e46a83

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
207KB

MD5
954698461a406d097c36ab7eab14a5f5

SHA1
3bc899edc45d1698bdeb5d67056a941f0b887826

SHA256
23b959af50963a57220bc86d83b7934ed33932ae45d79bcd03e5836e41fdaff8

SHA512
1b38876934cf07f582af551db43bd6f296e4b53a69631f072b2af65d8e4052c94651aed7c41491dfe3e9d326a2bebe46398db19c76e7b72ea06ef4a1e4379dc2

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
207KB

MD5
954698461a406d097c36ab7eab14a5f5

SHA1
3bc899edc45d1698bdeb5d67056a941f0b887826

SHA256
23b959af50963a57220bc86d83b7934ed33932ae45d79bcd03e5836e41fdaff8

SHA512
1b38876934cf07f582af551db43bd6f296e4b53a69631f072b2af65d8e4052c94651aed7c41491dfe3e9d326a2bebe46398db19c76e7b72ea06ef4a1e4379dc2

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
207KB

MD5
1ec2a127d43900923bee388024ea7a43

SHA1
9411fed698eca85e5308dbff24080356e12a5e8c

SHA256
44aa3300f0bbdbb8df62f9e108e2fab8ef6a5c91090b6562e82cb31d3c909706

SHA512
786a0d0bb2608e5ae115a4dbc41e5064132ac95e84f89d3069153ace6fcaf95168017ab0d07d9aecfa70a76e605c6e4d91d9e5e443c424313b7fbcdca441fc12

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
207KB

MD5
c7855b3846117534586d4e04c6b5008a

SHA1
3c5ae2f1df32b0fe347e79f33bce3f113cccca1a

SHA256
4d3a057941dfa38047e18e9f28b78ce8cac926420ee7afd426cf154cf0843cca

SHA512
3727c4802d4a1dc04e195229d01c694ff4da60d3ea355c6ed176d77e262b302f325546394932e3dd0323f499dcb72948a7ba1deebc0ddd656af33b18e549793d

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
207KB

MD5
c7855b3846117534586d4e04c6b5008a

SHA1
3c5ae2f1df32b0fe347e79f33bce3f113cccca1a

SHA256
4d3a057941dfa38047e18e9f28b78ce8cac926420ee7afd426cf154cf0843cca

SHA512
3727c4802d4a1dc04e195229d01c694ff4da60d3ea355c6ed176d77e262b302f325546394932e3dd0323f499dcb72948a7ba1deebc0ddd656af33b18e549793d

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
207KB

MD5
61d83f0778345784776458821988ab3f

SHA1
d942114afc0628e15d60fa22723c521f59fc36be

SHA256
7582505fbb37bb20ee1d3b533cee27e368189301c2c761a924db9d3b00d28334

SHA512
51a61296a4402c8868327d9f74525348a958da4925d76e282030a262e20f7f65941f2534154f431226e58fff4caa7f0ac91a4d98d180b68de59679f262ac42f7

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
207KB

MD5
61d83f0778345784776458821988ab3f

SHA1
d942114afc0628e15d60fa22723c521f59fc36be

SHA256
7582505fbb37bb20ee1d3b533cee27e368189301c2c761a924db9d3b00d28334

SHA512
51a61296a4402c8868327d9f74525348a958da4925d76e282030a262e20f7f65941f2534154f431226e58fff4caa7f0ac91a4d98d180b68de59679f262ac42f7

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
207KB

MD5
309aade319e58b13a576bd7601ba5c95

SHA1
ecf609de7837275b98c4ccb16197d6f3701a6a39

SHA256
0b83f07556000fedac63614ffcb0230d84f5dae59f4f3fee8b1c0386f2b6952b

SHA512
bb38d9fa0ea85b1f4312c61057fed74f4abea3be3ecea4c409e51258dcf7378789285a3c483e4d59c900985bf50bf71e640b0481899f2491e4af2fb4b76353ff

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
207KB

MD5
309aade319e58b13a576bd7601ba5c95

SHA1
ecf609de7837275b98c4ccb16197d6f3701a6a39

SHA256
0b83f07556000fedac63614ffcb0230d84f5dae59f4f3fee8b1c0386f2b6952b

SHA512
bb38d9fa0ea85b1f4312c61057fed74f4abea3be3ecea4c409e51258dcf7378789285a3c483e4d59c900985bf50bf71e640b0481899f2491e4af2fb4b76353ff

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
207KB

MD5
3de6704084b61ddd8ba72210be3ba083

SHA1
e1a5cfe5cd79089d83053336cea9d0d0a7c73759

SHA256
32b94af1ca3fe76330c68608c3f2862fbae2aba2a386c033722c97b041fec8f1

SHA512
5de8209dfa9b753936b37fee7ea0b629e1ffe05739e9abad2c1a60923c4121c7f875e73a55d5608e16dd828c6229a60ad43f9257bab7cbb93fa1d8c82492f906

Download Submit
C:\Windows\SysWOW64\Qdoacabq.exe

Filesize
207KB

MD5
3de6704084b61ddd8ba72210be3ba083

SHA1
e1a5cfe5cd79089d83053336cea9d0d0a7c73759

SHA256
32b94af1ca3fe76330c68608c3f2862fbae2aba2a386c033722c97b041fec8f1

SHA512
5de8209dfa9b753936b37fee7ea0b629e1ffe05739e9abad2c1a60923c4121c7f875e73a55d5608e16dd828c6229a60ad43f9257bab7cbb93fa1d8c82492f906

Download Submit
memory/724-322-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/744-368-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1000-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1084-424-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1132-280-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1200-217-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1228-334-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1232-17-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1284-304-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1428-88-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1448-317-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1464-340-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1532-370-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1640-455-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1656-418-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1684-412-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2092-113-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2112-201-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2148-137-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2176-193-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2180-430-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2228-310-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2484-362-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2504-209-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2656-442-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2792-274-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3048-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3124-376-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3144-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3200-346-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3348-400-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3468-352-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3480-248-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3504-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3564-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3844-177-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3904-152-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3912-129-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3972-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4048-185-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4076-233-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4100-168-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4156-81-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4248-292-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4252-440-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4276-298-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4356-161-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4392-388-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4408-73-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4460-394-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4576-406-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4632-120-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4756-225-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4764-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4932-241-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4940-105-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4972-328-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4992-268-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4996-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5044-97-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5064-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5076-261-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5080-286-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5092-382-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads