608b1849ba37c687288e7d765303de1bdeb3acdb15449f5d84a2d7a826691a58

Analysis

max time kernel
132s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

378293d796da923dd600faeb1b0dd050_NEAS.exe
Size

71KB
MD5

378293d796da923dd600faeb1b0dd050
SHA1

8b09ebf1ea90b2994d73c02838d7cb8088826104
SHA256

608b1849ba37c687288e7d765303de1bdeb3acdb15449f5d84a2d7a826691a58
SHA512

1c2c4332de2557f6713f68300457f4d21175cf90b1c488a6d6506d18bdf2288168c5df1973bf65dc16233646376af9ce918ed1044cdf715aa62fb5d5dc4ef6bd
SSDEEP

1536:C+AFk6PFC6xmwvE+4d+gJGboI17FbVNVmSGl5F/9//ZZZ9wAS90RQRDbEyRCRRR:ZChPFC6lvE+4d+gJGbjBNVNVuf/t20e5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	378293d796da923dd600faeb1b0dd050_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgnnhk32.exe

Executes dropped EXE 64 IoCs

pid	Process
2080	Fomonm32.exe
4356	Fbllkh32.exe
3360	Fifdgblo.exe
3676	Fopldmcl.exe
840	Ffjdqg32.exe
2160	Fihqmb32.exe
2292	Fobiilai.exe
1536	Fbqefhpm.exe
4604	Fjhmgeao.exe
1496	Fqaeco32.exe
4008	Gbcakg32.exe
632	Gjjjle32.exe
3568	Gmhfhp32.exe
1092	Gcbnejem.exe
4624	Gfqjafdq.exe
2364	Gqfooodg.exe
2680	Gcekkjcj.exe
1436	Gfcgge32.exe
460	Giacca32.exe
3848	Gqikdn32.exe
1204	Gcggpj32.exe
1552	Gfedle32.exe
4328	Gmoliohh.exe
4416	Gpnhekgl.exe
4248	Gfhqbe32.exe
1892	Gifmnpnl.exe
2944	Gameonno.exe
2564	Hclakimb.exe
3016	Hfjmgdlf.exe
212	Hihicplj.exe
3592	Hpbaqj32.exe
1008	Hmfbjnbp.exe
744	Hcqjfh32.exe
4600	Hfofbd32.exe
1328	Hmioonpn.exe
1516	Hadkpm32.exe
1640	Hccglh32.exe
696	Hjmoibog.exe
4632	Hmklen32.exe
2400	Hpihai32.exe
4156	Hbhdmd32.exe
2304	Hjolnb32.exe
456	Hmmhjm32.exe
1360	Haidklda.exe
4272	Icgqggce.exe
4092	Iffmccbi.exe
4960	Iidipnal.exe
1660	Iakaql32.exe
2388	Icjmmg32.exe
5056	Ijdeiaio.exe
4848	Iiffen32.exe
4576	Iannfk32.exe
3336	Icljbg32.exe
4896	Ifjfnb32.exe
3484	Iiibkn32.exe
4264	Iapjlk32.exe
4812	Idofhfmm.exe
2036	Ijhodq32.exe
1644	Imgkql32.exe
2164	Idacmfkj.exe
388	Ibccic32.exe
4764	Iinlemia.exe
4952	Jpgdbg32.exe
2900	Jbfpobpb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Fbllkh32.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6736	6648	WerFault.exe	250

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2080	1980	378293d796da923dd600faeb1b0dd050_NEAS.exe	83
PID 1980 wrote to memory of 2080	1980	378293d796da923dd600faeb1b0dd050_NEAS.exe	83
PID 1980 wrote to memory of 2080	1980	378293d796da923dd600faeb1b0dd050_NEAS.exe	83
PID 2080 wrote to memory of 4356	2080	Fomonm32.exe	84
PID 2080 wrote to memory of 4356	2080	Fomonm32.exe	84
PID 2080 wrote to memory of 4356	2080	Fomonm32.exe	84
PID 4356 wrote to memory of 3360	4356	Fbllkh32.exe	85
PID 4356 wrote to memory of 3360	4356	Fbllkh32.exe	85
PID 4356 wrote to memory of 3360	4356	Fbllkh32.exe	85
PID 3360 wrote to memory of 3676	3360	Fifdgblo.exe	86
PID 3360 wrote to memory of 3676	3360	Fifdgblo.exe	86
PID 3360 wrote to memory of 3676	3360	Fifdgblo.exe	86
PID 3676 wrote to memory of 840	3676	Fopldmcl.exe	87
PID 3676 wrote to memory of 840	3676	Fopldmcl.exe	87
PID 3676 wrote to memory of 840	3676	Fopldmcl.exe	87
PID 840 wrote to memory of 2160	840	Ffjdqg32.exe	88
PID 840 wrote to memory of 2160	840	Ffjdqg32.exe	88
PID 840 wrote to memory of 2160	840	Ffjdqg32.exe	88
PID 2160 wrote to memory of 2292	2160	Fihqmb32.exe	89
PID 2160 wrote to memory of 2292	2160	Fihqmb32.exe	89
PID 2160 wrote to memory of 2292	2160	Fihqmb32.exe	89
PID 2292 wrote to memory of 1536	2292	Fobiilai.exe	90
PID 2292 wrote to memory of 1536	2292	Fobiilai.exe	90
PID 2292 wrote to memory of 1536	2292	Fobiilai.exe	90
PID 1536 wrote to memory of 4604	1536	Fbqefhpm.exe	91
PID 1536 wrote to memory of 4604	1536	Fbqefhpm.exe	91
PID 1536 wrote to memory of 4604	1536	Fbqefhpm.exe	91
PID 4604 wrote to memory of 1496	4604	Fjhmgeao.exe	92
PID 4604 wrote to memory of 1496	4604	Fjhmgeao.exe	92
PID 4604 wrote to memory of 1496	4604	Fjhmgeao.exe	92
PID 1496 wrote to memory of 4008	1496	Fqaeco32.exe	93
PID 1496 wrote to memory of 4008	1496	Fqaeco32.exe	93
PID 1496 wrote to memory of 4008	1496	Fqaeco32.exe	93
PID 4008 wrote to memory of 632	4008	Gbcakg32.exe	94
PID 4008 wrote to memory of 632	4008	Gbcakg32.exe	94
PID 4008 wrote to memory of 632	4008	Gbcakg32.exe	94
PID 632 wrote to memory of 3568	632	Gjjjle32.exe	95
PID 632 wrote to memory of 3568	632	Gjjjle32.exe	95
PID 632 wrote to memory of 3568	632	Gjjjle32.exe	95
PID 3568 wrote to memory of 1092	3568	Gmhfhp32.exe	96
PID 3568 wrote to memory of 1092	3568	Gmhfhp32.exe	96
PID 3568 wrote to memory of 1092	3568	Gmhfhp32.exe	96
PID 1092 wrote to memory of 4624	1092	Gcbnejem.exe	97
PID 1092 wrote to memory of 4624	1092	Gcbnejem.exe	97
PID 1092 wrote to memory of 4624	1092	Gcbnejem.exe	97
PID 4624 wrote to memory of 2364	4624	Gfqjafdq.exe	98
PID 4624 wrote to memory of 2364	4624	Gfqjafdq.exe	98
PID 4624 wrote to memory of 2364	4624	Gfqjafdq.exe	98
PID 2364 wrote to memory of 2680	2364	Gqfooodg.exe	99
PID 2364 wrote to memory of 2680	2364	Gqfooodg.exe	99
PID 2364 wrote to memory of 2680	2364	Gqfooodg.exe	99
PID 2680 wrote to memory of 1436	2680	Gcekkjcj.exe	100
PID 2680 wrote to memory of 1436	2680	Gcekkjcj.exe	100
PID 2680 wrote to memory of 1436	2680	Gcekkjcj.exe	100
PID 1436 wrote to memory of 460	1436	Gfcgge32.exe	101
PID 1436 wrote to memory of 460	1436	Gfcgge32.exe	101
PID 1436 wrote to memory of 460	1436	Gfcgge32.exe	101
PID 460 wrote to memory of 3848	460	Giacca32.exe	102
PID 460 wrote to memory of 3848	460	Giacca32.exe	102
PID 460 wrote to memory of 3848	460	Giacca32.exe	102
PID 3848 wrote to memory of 1204	3848	Gqikdn32.exe	103
PID 3848 wrote to memory of 1204	3848	Gqikdn32.exe	103
PID 3848 wrote to memory of 1204	3848	Gqikdn32.exe	103
PID 1204 wrote to memory of 1552	1204	Gcggpj32.exe	104

C:\Users\Admin\AppData\Local\Temp\378293d796da923dd600faeb1b0dd050_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\378293d796da923dd600faeb1b0dd050_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\Fomonm32.exe
  C:\Windows\system32\Fomonm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\Fbllkh32.exe
    C:\Windows\system32\Fbllkh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\Fifdgblo.exe
      C:\Windows\system32\Fifdgblo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        25⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        26⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        27⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        28⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        29⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        30⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        32⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        33⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        34⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        35⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        36⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        37⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        43⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        57⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        58⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        61⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        63⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        64⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        65⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        67⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        68⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        72⤵
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        75⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        76⤵
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        78⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1220
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        80⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        81⤵
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        83⤵
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3036
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:100
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        86⤵
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        87⤵
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        88⤵
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        89⤵
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        91⤵
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        92⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        93⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        94⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        96⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        97⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        98⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        100⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        101⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        108⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        109⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        110⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        112⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        117⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        119⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        120⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        124⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        125⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        129⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        131⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        132⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        133⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        134⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        135⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        136⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        137⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        143⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        144⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        145⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5548
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        147⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        148⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        150⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        152⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        157⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        158⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        159⤵
        Drops file in System32 directory
        
        PID:6392
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6476
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        162⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        164⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        165⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 420
        166⤵
        Program crash
        
        PID:6736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6648 -ip 6648
1⤵
PID:6708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
71KB

MD5
a5fa72dd1b0734b6af892252c43159ae

SHA1
b8762ca772568b53b5156b90c118e20d493351bf

SHA256
b202c5651707b1829943f093e4813642c4d2bef8b00140cda7cdc5eb8217edb8

SHA512
4b29935adeadfc00370f335ce06ef68bb6ae0db6ffb916f6baf325c1b41d33d58e87d039298c9dbc1e2362bf2fe48fbd73fbbb8059799504ed70e6de34440e9b

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
71KB

MD5
70a95654566904fc2e1db3882fc49858

SHA1
21a1d6c681fb8d0f6c814dff98a86907a953f8df

SHA256
2d7f17df1266989688c77e5cac2b891b976ef12254d775bb163eab5cb0f297b7

SHA512
2989f21f80e452caccd628713cb892bc98c096b0399a49fcfc2b6b0accca82a5e397552888f83c510979bb4ff867032c7c65791c471c98c0aa2177ed361e5ecb

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
71KB

MD5
abb7d4f99bde4f74e0c7dc494e32e7f3

SHA1
d9ad602c88f0c669572874a68dfff4c80ff80d03

SHA256
c72b87737e563f25d0969a6f6df57fbabb0d9956f7b495d3280bebc006b8f7ca

SHA512
571c495624596c787d8771ef30386ec5ba6c042ef16890d1dd7e2c82c6619f0d6a705b4947538d61011f7cb278f31b5811f30301afcc99943d095adc848c187d

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
71KB

MD5
173b836e7be60975ed4b87316a11fd88

SHA1
ee44bed5d406af2a13016a99d48399744657b7b1

SHA256
9508e71c368302fac111a8c7402632abd0d5a8b95713f077eedfbdfa842899c8

SHA512
18046e7516bbd895af2103c6424936afb284a88a3ad5df2f428535c5303b978d7acd4d9240dabe0fb5a94011dd564cef128d35ee0538413eff1e2a4c5fcf233a

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
71KB

MD5
38eeb58f5094b441838ec5717277515c

SHA1
c976e43bc328aa40d93b0c469bd2e22b493a1c76

SHA256
427a4c43314f361660b2c416ff8da6b04b4daa1b94809c19666ba94fba8e7e50

SHA512
92adc1f1c206f3421fc0612eee0fab4de41708ac935a5387e2237568088d17228d0d28ecd3772d290264cb3b6d99394a852e7d0081c34fd437f0db4732bce53b

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
71KB

MD5
7ab3180d7ad22ed996c093511b21f08a

SHA1
30583aba7e097b1e0a587c27721ed50e0b303c73

SHA256
b2a34f006c192535fb2981704138d7488e1f9014e9658844a731ab1beff654d7

SHA512
1d1ae069209f63770dba1ca7bc825d8e8b464704ed37109fa1a57b3bb452b50ac299701d0a8ed5413ae3f555249fce4f72fa4a03d08a78fc8ba9c2607100c4ec

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
71KB

MD5
7e04adc98f992ce89d2a825c01e92692

SHA1
f906a308898b68a73235b778dcdfb9db83b68353

SHA256
78188900fc0c1e30df029b7a9867856f8166a78502687708f96114cd56a9b96a

SHA512
39e33d5a20ef55a57fd8d70fe06ddd3359ec26abbf10845afaa996d681c6ffffd40e923c0e7f3329d2cb917b8fa15e5e5c08c5f5799dbe8a48d4298b47f5e65d

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
71KB

MD5
d9bb7b95f704300e1a9e641cc34f2754

SHA1
49b67638c9e0fa28b047f55b5f639487fb016cb5

SHA256
9c95fb02b64d97581624f058ee9cf2332b57c70ed0f0964c27be515fc9d4d025

SHA512
52ab6441af0c73a82f89d24b2927c3e31cdd5fde5a7bd4f146b7baa1ec91e69ddfd5b3f6c23456cda0f00dd40b6beab1ecd4619a1dbefae2d0d0a624a3edf9f3

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
71KB

MD5
779a18628428c59590db064f609023aa

SHA1
c53dc80fe9d665717f56dd7d2fae73e7ba3080b0

SHA256
ed58b07a8694ebe883faa6be3d3fcf7c8f3a523245756f56f9c589a9864e11b9

SHA512
7616e7bc4a9b94c88dc7be499cd334a2310ff034f70568aa725fc2f018353a1e5df547219e6d91c686c4e7711399d93c65cdceadb841a8c26824802025205c6e

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
71KB

MD5
09d81b34433bdc27626a9720ae917f48

SHA1
5d402999289c9b1ccb1312ef8f7dfffcf9c2e069

SHA256
b0f900d027596a861f0c2159f34d8a56ad5f7d4abc976e0bb1be02fdd5d57d91

SHA512
6c00021735dd48703383f9dc64fb28db7dae07e3a24207395083179d67c71f7b42e872686a72947d21c2f487665ce7903165b23152016036cef4d69208bed25f

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
71KB

MD5
0089bcf01d0e997efb12e7234254001b

SHA1
e01030a60411ec0d1671ef7367d7d71a07f45409

SHA256
f928db82cbebd0b3cd153bbdaa8f6c053c4fa5e245f8fc95d230d7b65c090a75

SHA512
9400db691be561138bd70dfa409681f35cfe4ff02bf03f2ab7d7880c1575869791340279cf19f70085109bff6d4c7da030fe406a2c70ae81249d19347a83c556

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
71KB

MD5
62f182d7d3249b45bc97e9a076446365

SHA1
4a0e6810dd6d794f3058eeb1872a849e1abb2e2b

SHA256
7fd4241905b59873c9fdc68103c367aeec78cfef7665010c34daaf237fb2fb67

SHA512
fe9b404f43beecb9a93016d04bf3618832c6b45ff72160220b9452dbdac1eadf6c307d4af63edea7dac2faea8f8c7ea4a92c299f0bba7bd57caffc6db31b04d2

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
71KB

MD5
2b91ce2500de3ea34ae7f0c795d85d12

SHA1
3a039524229403a0482ba1daa40e71d30717a002

SHA256
649018f08cab7fdb2e67204581bd3588a996fa80300c979ecebff492e3890a22

SHA512
771c2f0b8bbeb47950e50d1c70d9db3659968d6c08c2d632ad8dc7ab938d6a1bc285d780390a370d639bbc7f84ecf3dfecf92bbc5607700a221dc8e372a7fe19

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
71KB

MD5
9bb2515d5b2a20f8dc30ca70fbcf3d28

SHA1
817b7293da14ce944bca8145f8901d57a9d0f81e

SHA256
7bf2e64dd35837d2951557cba163e08854bd8e2ed98be8043eacda6b3af6a82f

SHA512
761568b330351d0c67810c40e013fcc506af8c37da19a8a259e7639b15915f1194ee177affa52d77916e23051f1ab39ad90c9aeda211d80db4f27a38e96727f0

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
71KB

MD5
e3a291003b8557d69db74854dd0dec04

SHA1
9cb6d16a8a8ba351f75e0bc0078d3486517a0dd4

SHA256
7da608b4234384ddb9881a9dca138414f697f5cd5be2763756bc6a0fc6db49d6

SHA512
7c9647198feebfb5deffc80cb6a795a68e0e7a6b4a849c2f37b4ddf68b716f5587a514b7b8f2b8000eb5e1f31944e03d7756d5f4fe5ee53ac0de3428cae80e4a

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
71KB

MD5
d09c6c3a95b5235580040cd7e506aeb4

SHA1
3a4a037f04cce5d1981a00314299164164c954f6

SHA256
5903f09f38062709f54f3129e1d5845e672d262821b46e43b40f4fcf39bb12b0

SHA512
6fa9aa97da83187d7274cae51d4087773553aab60b2dcb1aefe879339014dba5fc130d38264863686d3ee2b8bad44835e5f2838fc4ae7714e49b744672d592f0

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
71KB

MD5
e299c8afb40a3c7b06e3309124ae902d

SHA1
b70ab3b40c62387b7630a55f9fcfec0544278871

SHA256
e7018e61021d24e19b997e1312e6ed02e76a9252cb8253e4193ba82290244f29

SHA512
019b6fb96cfbe48e23e60f6c8d60d1d65ad118683b9e129abe8ca12aafaa97530883989595c85c6035f3050c72eea393be83c3232851c8bdc116538e2e136cdd

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
71KB

MD5
ca17b79373412d1df8d564559771d61c

SHA1
fdcc4d92e582aa6a50f1bc63247e9cc665574429

SHA256
27560ee50813cb03c1b74991655fcfe76ceec902a21fb713271955ae3fc85fea

SHA512
6891bf233f1db04927aaff2c8a8812ef6389678fdcfd271e50e512396adf0f8de3437ae54a014152418b2c804ade0131a1dc6fad786a69a459618d63509f6caa

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
71KB

MD5
52be01465780fd21389f8a1a08360aec

SHA1
0b8dac0286d5d6cedaa61be8cdc19ef79f121315

SHA256
638c1c25ba552007267342b80ffa44fbd4c9515f57e3be70b7ca5f975ba575bc

SHA512
38c6568a96853c801e690923b1436ac43d656c6b00c2ad9e98a30f23b5b027b6af50724b1b83ccc28b0c847faa1b3a6720ad7fbfb46c9d598d847f65345e0acc

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
71KB

MD5
024454841e3e36be9e2348ce19db0862

SHA1
4974719c8be41c74d3b423f69276aa151f70eb1e

SHA256
5726285f62366122df1239708cd927250a46587016f76e8fff738d381ac5c21f

SHA512
5d849d3c70cdb8b7c9c6f52dab224459efa3257b59eaf43aacd431a425941acc25581e617c57818996acb6adaf0e17e26e6899369c867f8d758cf7a095ee68fc

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
71KB

MD5
085e786b33c5928dc75eb6f8a2b652bb

SHA1
2a20ead71dd1052a0de24beed0c076f1072499a6

SHA256
d57a12b983fcb2f9341f1a5c97b2aad08b45deb700c29c1a125e5a7e8ce8393c

SHA512
8a81738683820b5cb1f103c6af2c8d0ea5caac404921ccb64ed57e8d325f4d47b9dcf78b1db4aad4e7acdd1ac7281fd06c97916a9aa4cb048139d1fed3f631e0

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
71KB

MD5
502d26761cd421665b106017319edc7b

SHA1
c47a49459146467d6a3882369d5698204e1db238

SHA256
3e4506e25cb1146bacc1c46f2fc4fbe6ef36f67cace0b4cc8c3463621149749a

SHA512
0ee181e97b9d4355abd0648a245495254426c34ce40ac54a1d3799ee1126a2eac25335df3528287940c75f819b0eff01bdfb381207d6b4eed4ddb4f7a13261b3

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
71KB

MD5
e1d9fbe3d309b00d05367bd2a7e478b6

SHA1
d84ce37a64c6154b9aa4557bfa9efeb9d31a4898

SHA256
5637723d5c1b2eccbfb090814762f78e71d03fe2d919ea92e880269b7af1fe1e

SHA512
274335c5e3ce1282def7c083123323e4e2efcad78ac99faef346234ca8166aec696558a64b3a2f20edb2638cfedfe451cf1052c12933fac248b466cd58b21e36

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
71KB

MD5
4fd9677f959fd10f7751f236ea513c23

SHA1
45b601d7aa2cf43f3a28a576f31c4e6a14adc671

SHA256
ecad1f1897284a82e34d67f950d942dea495f1faddfaaceb875719f170dc3b61

SHA512
bb9c1011b48f451ccdb9a9e45490a643b6c741ab23ebfca586e1f8cf99d124f51e98df87972cf99971a1a2803430b85d8ddfbc363f26193b2276a8dd77851e7e

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
71KB

MD5
4146a53ed2e1de06afbbc18e5653d68e

SHA1
4615bc821c9f7ceee2dd59f1298b9a0f5abaa169

SHA256
091361c4b42349e22f176e752cd06c61104a31209dd456c9faccdbfe3ad918f7

SHA512
c012a8cabb9d60af368ff53112d949e87c90de2014eb169e05d3d79ad8c30f6266ecdc759b0c8b64e2e683dbfc147eb5248e1806deb80d9964e278b28334f439

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
71KB

MD5
1f1053168baf73759b6b4f2a5dcb1575

SHA1
7ffeeae71b78b497d98cad2d46de73d5cc0d9544

SHA256
cc642a109991dff59b13c449615db830e0ea2e310f3ee9655d46df4e37bf1e97

SHA512
91886249135add8007ceaec9dc461f7183cb77d0c185a4122b55f59032025688d91c36c6dd3898be1dd993d5922a86db435cc7fd64d80f2538daa76c524db850

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
71KB

MD5
97be9815aa55515b4e6504ffa9b316d0

SHA1
140aea522a8fd256cdaa5bfa5dde940b4bbe2589

SHA256
3f8455121efa1dd322f334e3eb2b296b11e9ed511d295d4da06d9b5a4ff7a144

SHA512
13ec42ac1604b6cde555c5c87bea63cc5074ce707e0b8019b4830916f54a06f1dff20e8feb8d48d295955ef432992304486d581daee74b14190659b04ce48ff5

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
71KB

MD5
81cf228414b4e8be5527b21fe8dc817b

SHA1
b2415e896dae8eb7a049eba3b8653bc1a8893b64

SHA256
de10b2eed8ddba6f0d39669e9f384e07aa7dbaf5d8e5755046f378e730dbcf38

SHA512
6fb29a89b7da92806bbcc15ec58aefd167e75cb3dbb47b232068b65f770b5e873f23136584152ed5cb0b7f3d188e1cd0c671d4920d5899fe80e03e2c69c0549a

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
71KB

MD5
58e1456634c976c100631b517cf80f52

SHA1
4569b3a2a5e916c6d645b68be6a4d00883e7ca28

SHA256
56b2c82b72603855bc53859e3ef7b4ac1617214b20a7bf494819c6f94cf23546

SHA512
813a886624b4259f1e2d0f8c77cb608d9355ece279f1188f5ae89610214f161f351846662d872a7ef6c4b1b68afec23ec76cde95fdd0e7548963a75fe66c875d

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
71KB

MD5
e6201416efbbc9ad31f4df044d6af2d5

SHA1
afdac83a5e2a2bac933c39ce88ba003a27635117

SHA256
139128a5f0d4ef103735fc711b8ad3e09f0b21c88297af0b0ead6a5ac45b46e4

SHA512
70bdcca71c5e14d5c7acdc1cb64940131ddfe15980db4f9654189e3e5f8e84eeb11c1343a8253bd0e4109e81106b7c4fa1f9215b13455943a44e3efa07b19672

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
71KB

MD5
d1e1fd24472737740e86a46d5d2572e8

SHA1
b80ed906160563c6e842dc0ac78b725b2b37fc2d

SHA256
4e536d39ae82ff0249988aecb8846652f667dc0f506a153125477c6540d06aa6

SHA512
aa2b9acbb106de8b4308193c7e7966f6d6071f49e5009d48151735a376b915f46e49ab6b343ed4e41d244c7e6bb83175059b56e1e0bb9137d2e34d7d38b84d43

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
71KB

MD5
e93ed420357062c3bb54c2a090912f73

SHA1
b76c921839b6d775cd36c8c94b842dd58095d9af

SHA256
03058bd87241664543e70d586db5e244e550d32cab2fb762ff6b0d4672198655

SHA512
6908b1c3a7bbe9767e27f2663caf09b5ad799ce1967cba8e2ba9fbe99d1fc510bb128c683172da03f2683d6246afe8a5389fd5a08c4e8ce2ea7190163e341eb2

Download Submit
C:\Windows\SysWOW64\Hofddb32.dll

Filesize
7KB

MD5
96c759b422296fb3a83fb6b885cc7687

SHA1
617c6b2b21a57bb87f9da2794209371ad73cd299

SHA256
470bae77be434e03c9357ff14370576465eeebbfcc0f4049696ffbf39bd0d98c

SHA512
28f91d064935be0de72ef97ee9bf08e8996909835a11e93543abe08dde6ebd5446c2b3823ea925ee2520d913a347c2bab9ad4bb2aa0776b6be8ed9a36e07bbe3

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
71KB

MD5
eb087f0e941a6e3db33956ed09c540c0

SHA1
9f674e2180b7a2f05af700a6af7590ecbf7738f3

SHA256
c753130bbc25962c5601125191007978967792c41d7f9faa168e9f88583ead95

SHA512
6934dbcf0791429798baf7e0606cf2e8a5af89574c12a8b0e112cf5f07cb7557079d59460cccbdbc8e75f6eb6172144590c638d599839dac8c691cdf4f851d44

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
71KB

MD5
8335ebd2adab09327e358aaeaabb07d7

SHA1
283d76b55b03b6283896b18f0855580fc032d71b

SHA256
e73cb8c8695e929a75e696bb1357da692e97e0f994e8247a0bdc219b36af2b7c

SHA512
a90053d2a2996479e5a48a114b6d4e6d8347996387dd4ed2c868498c1cab855693cf0e00eddeb98c41b712837dafd75fa6da547eaba9ec4be4bfd2831d7234dc

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
71KB

MD5
67771e88a0dbe57b7bd18f0bdbf65402

SHA1
8d73b605239dea8fe0cdb0e49f701714bd233d9f

SHA256
f1a12cb551ce0e2e1fcd99bce2ebe3135c5eec5c58fc0dc1e66a57dcf0030902

SHA512
7a55bf71468e27d1a8d02d6112bfd4b8e19687ffbda731d809679e6c8160fa3c4671dd8e9718fab15c5f1c95812b17b4f9ee2b0e151b0442075f2e0c2e869017

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
71KB

MD5
92aad687d318de7eec44bea44f4accff

SHA1
f3d42942e3f4626e9e754274aad0814f1518de7b

SHA256
4ef2e878291b42be89dd622c33db5eaa227313df11e8146ffdcd6cd92899ee79

SHA512
13845c0d563484127c4422ace2356ac98b7f2fec9a3b124752a77cdbc9b596a11dab449409c70803fbd9626845e60a1f53d59a604c8d2899ec3fddc67a35a342

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
71KB

MD5
d9c460b73590ccc1a751e8f472f8ebda

SHA1
523ea4b56514c840bf786fdeb08006bf45395249

SHA256
62ba883899ab874e6221e1a585cfe7f47b25d03cdaabb324c45538d2e0390a2a

SHA512
e117f85bb191898f5ae3bdaedb7fed4babd29e193e83f016bc2abff2b36c91944985e96ca622c53be6afb2b73a08a65afcf2d0fb8b0d46011d5e4d4621b55c14

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
71KB

MD5
fe2e0e7d0e27175f45c57787f619a78c

SHA1
a22ff58494a8492b62d73dca8b9382c98488fa92

SHA256
e1cf12295a048f82b7a4988797bb45b860e19fd22a01cd30d14214012c941199

SHA512
1f06eeda4010fd70b4d37fd5039def2d865581690f795b284757191767f55e28d24ee3729c45b0794917ecafb06dfaf46faa39c8daf031787548ce937385d7d6

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
71KB

MD5
f46128b6b722ae8929ffd39f59f42def

SHA1
4ec58a6685f1bca27324ac80185e49365060e948

SHA256
793d850e7b29508f04ac832f3cc1109324c335abff74f7976573f1dd685ccccf

SHA512
b6b713d347617aa9716fac1acdac39d34fe11a706434dd8938b28258671476705df5dbfe26f9438a334fa56718b040b59833c6ae236070428b62320444729d0c

Download Submit
memory/100-577-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/212-245-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/224-490-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/388-434-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/444-592-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/456-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/460-156-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/632-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/696-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/720-514-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/744-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/840-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/840-579-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/944-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1008-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1064-580-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1092-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-172-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1220-532-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1328-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1360-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1436-148-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1496-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1516-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1536-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1552-180-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1564-496-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1640-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1644-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1660-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1892-212-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1980-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1980-548-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-551-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2160-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2160-586-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2164-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2292-593-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2292-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2364-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2388-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2400-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2448-550-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2564-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2680-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2900-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2944-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-237-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3036-570-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3064-543-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3100-556-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3336-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3360-569-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3360-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3484-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3568-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3592-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3672-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3676-572-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3676-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3680-464-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3724-513-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3784-530-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3812-506-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3848-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3900-472-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4008-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4092-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4132-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4156-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4208-488-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4248-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4264-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4272-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4328-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4356-558-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4356-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4360-559-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4416-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4420-520-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4576-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4600-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4604-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4632-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4764-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4812-408-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4848-374-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4896-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4952-446-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4960-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4988-594-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads