c50f9cdc3ddbc84b920ce02d1e54ef1d4bbe9818599bf9dea60db11fabf82ccc

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50373ae36b71d5136a2f394085984c40_NEAS.exe
Size

552KB
MD5

50373ae36b71d5136a2f394085984c40
SHA1

69e9b19cb8d36ba48aa650745d037083f1192608
SHA256

c50f9cdc3ddbc84b920ce02d1e54ef1d4bbe9818599bf9dea60db11fabf82ccc
SHA512

694cf91ef6d163354ab49691ed627ad6d785b47d4edba22abe8368e73c4bb2ea319a57eaee452bdedce09a3d78d1a61389c772fc7605c04b90abfecc63f761f6
SSDEEP

6144:Vkr0jzmITsuT8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqX:VU0jzT587g7/VycgE81lgxaa8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe

Executes dropped EXE 64 IoCs

pid	Process
2492	Dpemacql.exe
5080	Dagiil32.exe
3924	Dokjbp32.exe
3704	Dakbckbe.exe
4532	Ehekqe32.exe
1184	Ejegjh32.exe
1984	Eoapbo32.exe
3596	Ejgdpg32.exe
1172	Eqalmafo.exe
1592	Ecbenm32.exe
4736	Efpajh32.exe
3896	Ejlmkgkl.exe
4672	Eqfeha32.exe
3604	Eoifcnid.exe
2860	Fbgbpihg.exe
3120	Ffbnph32.exe
4420	Fhajlc32.exe
2968	Fmmfmbhn.exe
3400	Fqhbmqqg.exe
2748	Fcgoilpj.exe
1576	Fbioei32.exe
4276	Fjqgff32.exe
2248	Ficgacna.exe
4124	Fmocba32.exe
1136	Fomonm32.exe
3532	Fcikolnh.exe
1124	Fbllkh32.exe
4776	Fjcclf32.exe
2488	Fopldmcl.exe
3200	Fckhdk32.exe
556	Ffjdqg32.exe
1200	Fjepaecb.exe
4476	Fmclmabe.exe
4132	Fqohnp32.exe
1808	Fcnejk32.exe
416	Fbqefhpm.exe
1036	Fflaff32.exe
2036	Fijmbb32.exe
2832	Fqaeco32.exe
2432	Fodeolof.exe
4964	Gbcakg32.exe
3160	Gfnnlffc.exe
2604	Gimjhafg.exe
4472	Gmhfhp32.exe
3460	Gogbdl32.exe
4576	Gcbnejem.exe
1948	Gfqjafdq.exe
3092	Gjlfbd32.exe
4460	Gmkbnp32.exe
2724	Gqfooodg.exe
4924	Gcekkjcj.exe
4128	Gbgkfg32.exe
5004	Gjocgdkg.exe
4340	Gmmocpjk.exe
4852	Gpklpkio.exe
2368	Gcggpj32.exe
800	Gbjhlfhb.exe
2228	Gjapmdid.exe
4788	Gidphq32.exe
3024	Gmoliohh.exe
2096	Gpnhekgl.exe
1156	Gcidfi32.exe
4556	Gfhqbe32.exe
3636	Gjclbc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Dakbckbe.exe	Dokjbp32.exe
File created	C:\Windows\SysWOW64\Jdkhlo32.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fflaff32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Eoapbo32.exe	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ficgacna.exe	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Gfqjafdq.exe	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fbioei32.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7368	7276	WerFault.exe	295

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2492	2300	50373ae36b71d5136a2f394085984c40_NEAS.exe	84
PID 2300 wrote to memory of 2492	2300	50373ae36b71d5136a2f394085984c40_NEAS.exe	84
PID 2300 wrote to memory of 2492	2300	50373ae36b71d5136a2f394085984c40_NEAS.exe	84
PID 2492 wrote to memory of 5080	2492	Dpemacql.exe	85
PID 2492 wrote to memory of 5080	2492	Dpemacql.exe	85
PID 2492 wrote to memory of 5080	2492	Dpemacql.exe	85
PID 5080 wrote to memory of 3924	5080	Dagiil32.exe	86
PID 5080 wrote to memory of 3924	5080	Dagiil32.exe	86
PID 5080 wrote to memory of 3924	5080	Dagiil32.exe	86
PID 3924 wrote to memory of 3704	3924	Dokjbp32.exe	87
PID 3924 wrote to memory of 3704	3924	Dokjbp32.exe	87
PID 3924 wrote to memory of 3704	3924	Dokjbp32.exe	87
PID 3704 wrote to memory of 4532	3704	Dakbckbe.exe	88
PID 3704 wrote to memory of 4532	3704	Dakbckbe.exe	88
PID 3704 wrote to memory of 4532	3704	Dakbckbe.exe	88
PID 4532 wrote to memory of 1184	4532	Ehekqe32.exe	89
PID 4532 wrote to memory of 1184	4532	Ehekqe32.exe	89
PID 4532 wrote to memory of 1184	4532	Ehekqe32.exe	89
PID 1184 wrote to memory of 1984	1184	Ejegjh32.exe	90
PID 1184 wrote to memory of 1984	1184	Ejegjh32.exe	90
PID 1184 wrote to memory of 1984	1184	Ejegjh32.exe	90
PID 1984 wrote to memory of 3596	1984	Eoapbo32.exe	91
PID 1984 wrote to memory of 3596	1984	Eoapbo32.exe	91
PID 1984 wrote to memory of 3596	1984	Eoapbo32.exe	91
PID 3596 wrote to memory of 1172	3596	Ejgdpg32.exe	92
PID 3596 wrote to memory of 1172	3596	Ejgdpg32.exe	92
PID 3596 wrote to memory of 1172	3596	Ejgdpg32.exe	92
PID 1172 wrote to memory of 1592	1172	Eqalmafo.exe	94
PID 1172 wrote to memory of 1592	1172	Eqalmafo.exe	94
PID 1172 wrote to memory of 1592	1172	Eqalmafo.exe	94
PID 1592 wrote to memory of 4736	1592	Ecbenm32.exe	95
PID 1592 wrote to memory of 4736	1592	Ecbenm32.exe	95
PID 1592 wrote to memory of 4736	1592	Ecbenm32.exe	95
PID 4736 wrote to memory of 3896	4736	Efpajh32.exe	96
PID 4736 wrote to memory of 3896	4736	Efpajh32.exe	96
PID 4736 wrote to memory of 3896	4736	Efpajh32.exe	96
PID 3896 wrote to memory of 4672	3896	Ejlmkgkl.exe	97
PID 3896 wrote to memory of 4672	3896	Ejlmkgkl.exe	97
PID 3896 wrote to memory of 4672	3896	Ejlmkgkl.exe	97
PID 4672 wrote to memory of 3604	4672	Eqfeha32.exe	98
PID 4672 wrote to memory of 3604	4672	Eqfeha32.exe	98
PID 4672 wrote to memory of 3604	4672	Eqfeha32.exe	98
PID 3604 wrote to memory of 2860	3604	Eoifcnid.exe	99
PID 3604 wrote to memory of 2860	3604	Eoifcnid.exe	99
PID 3604 wrote to memory of 2860	3604	Eoifcnid.exe	99
PID 2860 wrote to memory of 3120	2860	Fbgbpihg.exe	100
PID 2860 wrote to memory of 3120	2860	Fbgbpihg.exe	100
PID 2860 wrote to memory of 3120	2860	Fbgbpihg.exe	100
PID 3120 wrote to memory of 4420	3120	Ffbnph32.exe	101
PID 3120 wrote to memory of 4420	3120	Ffbnph32.exe	101
PID 3120 wrote to memory of 4420	3120	Ffbnph32.exe	101
PID 4420 wrote to memory of 2968	4420	Fhajlc32.exe	102
PID 4420 wrote to memory of 2968	4420	Fhajlc32.exe	102
PID 4420 wrote to memory of 2968	4420	Fhajlc32.exe	102
PID 2968 wrote to memory of 3400	2968	Fmmfmbhn.exe	103
PID 2968 wrote to memory of 3400	2968	Fmmfmbhn.exe	103
PID 2968 wrote to memory of 3400	2968	Fmmfmbhn.exe	103
PID 3400 wrote to memory of 2748	3400	Fqhbmqqg.exe	104
PID 3400 wrote to memory of 2748	3400	Fqhbmqqg.exe	104
PID 3400 wrote to memory of 2748	3400	Fqhbmqqg.exe	104
PID 2748 wrote to memory of 1576	2748	Fcgoilpj.exe	105
PID 2748 wrote to memory of 1576	2748	Fcgoilpj.exe	105
PID 2748 wrote to memory of 1576	2748	Fcgoilpj.exe	105
PID 1576 wrote to memory of 4276	1576	Fbioei32.exe	106

C:\Users\Admin\AppData\Local\Temp\50373ae36b71d5136a2f394085984c40_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\50373ae36b71d5136a2f394085984c40_NEAS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Dpemacql.exe
  C:\Windows\system32\Dpemacql.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\Dagiil32.exe
    C:\Windows\system32\Dagiil32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\SysWOW64\Dokjbp32.exe
      C:\Windows\system32\Dokjbp32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        26⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        27⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        29⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3200
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4132
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:416
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        41⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        44⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        45⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        46⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        49⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        51⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        52⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        53⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        54⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        59⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        60⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        61⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        63⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        65⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        67⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        68⤵
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        69⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        70⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2988
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        72⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        73⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        74⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        76⤵
        
        PID:924
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        77⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        78⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        81⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5492
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        86⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        88⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        90⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        93⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        94⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        97⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        98⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        99⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        100⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        102⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        103⤵
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        106⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        107⤵
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        108⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        109⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5684
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        111⤵
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        112⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        113⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        114⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        115⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        118⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        119⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        122⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        123⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        124⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        125⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        127⤵
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        128⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3368
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        131⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        132⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        135⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4348
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        138⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        139⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        141⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        142⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4464
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        144⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        145⤵
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        146⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        147⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4740
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        151⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        153⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        154⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6384
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        157⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        158⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        159⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        160⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        162⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        163⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        164⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        165⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        169⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        171⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        172⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        173⤵
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        174⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        175⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        177⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        178⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        179⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        181⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        183⤵
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        184⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        190⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        191⤵
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        192⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        193⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        194⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        195⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        197⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        198⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6816
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        200⤵
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        201⤵
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        203⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        204⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        205⤵
        Modifies registry class
        
        PID:7228
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        206⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 420
        207⤵
        Program crash
        
        PID:7368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7276 -ip 7276
1⤵
PID:7344

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dagiil32.exe

Filesize
552KB

MD5
d3b9d210c7b3a3eb721eec44065318e9

SHA1
bfc541c382da50f720bf9d1c7f01d308f1f01ca6

SHA256
d7059815ba21dd17b9681388ae29eccb06b894e2e4efbf44b17dad240e188f0e

SHA512
a343a834e767af9985bf8d001e246018744dd0175c09fbbb875753a0e71d60ab5e06fab567125022b157ba3d5cdd909d302511c44f8f3138ef0d1383a4cc8963

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
552KB

MD5
e335ba9851caa0172f9491f8f2b06419

SHA1
0287678a3d4c5fabfbf253eb40cf8a3c8f7d43f2

SHA256
0385fe1b9fc9bf7bc95d9e487cc5ae7cb7439bb13650a7c673e53aca6f98b0b8

SHA512
65de9dcc4457ce52482396a71b86fd0d62fd5348bd6c25449f3a6f801f216554b11e8751cc9c15ea7a3ffb3a8abebeaf688e8025e24acc4bda369e58b8813ce5

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
552KB

MD5
e87b9d065c8c763f921b7733d28b449e

SHA1
6b78e9c8c6ace84d41881daaae6328831c04eca4

SHA256
e0563e87aa159ba37f3a625acdafad9606c44745fe0f8ad50e198bf5b3b28f68

SHA512
b3fe9acfc61df102309ca716ae0ad10544dd1edda89e0279dcf4559c31f52c5a5356f4b630e6d5ff8fd0f9d39fcee9b605719b9c1ed96e27ec49b0c1ead2d16b

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
552KB

MD5
62c5f654aa7603869a633494bac2387b

SHA1
dd133c6be6675c893df5aced88868eed6d9fca9e

SHA256
a179c111529d62043259a352de27478fb241a3e2625cd4279c108f721269a208

SHA512
816a8cb393e40e475940e79b46284c62c1274e2273d260efcf4a866f6ae84883d3bdfdebc59e8ac80eb7b88b261a53098442d269dc4abc48a870eaf6ed08a210

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
552KB

MD5
d6189e1c093dccbb70c071b8dc652517

SHA1
d53c56aa0359df5a7769c9cffa9943295538223c

SHA256
7cecec2d364c09953c90f56563785dad5326b9c8cd70d9bd19576555f2e37312

SHA512
1bde77a97861044e0075275ff05b86c55dc3e12e118106e9e446bf270422dcc1345d5e4dedb714c2d9c29d63a615f090e31178da89be46cd777bdd06d107b9e2

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
552KB

MD5
d9ca6cc766ea776e00c50af7a3219071

SHA1
f935fd40cd022caaca37e1e2dabb13b9ffc0d1bf

SHA256
a81eb1554750fc229f73a7e65c8231392ca75308c9d18f3090fef60b9fc9feec

SHA512
1b200921ae67d17852aaf8f7d6a7cf62c05d22157ec682fc12b1801359a75746e20e919b0d6cd27e6a7c4095d594163d4d316886e0df3199a58ac7baa37ad614

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
552KB

MD5
94edc35117351e972eb090002c501efc

SHA1
3dee58a2886c3fe353a4cfe2ced33f01e1295828

SHA256
e6b43a2804a909c7c3563fa330a3fe72326a5e8e593acf595d418a91417ab00b

SHA512
f01fb6a3865149605640be00db94ffe5afa05b4c9e73f05799d99dad1dc501eee5f44c508c8c08b2dc2454c6bb5d773d6f43ae5466ab2c05e5e5db76bd5093c6

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
552KB

MD5
4ea7223604384f2d903ab1805ef12433

SHA1
0703d5a41c037ca07413dddafe309ddafede7327

SHA256
f34cb96b47fd2fcb1268d7ba64d534340ef325ef62b84eb8a2882b824a12ab4e

SHA512
7e70074fc3fd5d5acfa83f4d99fcd417763ba6df7e46c55577d6286b74c39e6d18ff2702b3d2cfb73f9cbffbff1e2c086aa6354baf1644da756abc1bd5de7f0f

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
552KB

MD5
37e2de6f5bd1caf60b26aef7b445c88e

SHA1
c8824019853d3c9a749aec6418d00d2bdad5d492

SHA256
597ea9d11942d45815d58ee1a30b8c982d62e16fb6187bab6345e9dd3a00dd50

SHA512
37aa247f770c708b4b652ba3666bd4f0a9880c84afe470603a2af76f4cb103efe20eb9eb110fb9359fe36a7b187337ca6bbb9f85fc6d6be1983f55c75264be65

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
552KB

MD5
0dd18a0830c9426934a4958deecd42b9

SHA1
c8dcc03491016d557363193ba528baf695f8ce39

SHA256
f8c82d497c94778178a34020776a4c6c884c5f0c84ca3f80b33dfc4d136c0a35

SHA512
beba72f3114fdcd011d4edd2b72e29e658e82842907eeb1c4334e112987529f8828ee178566d84a7da7df587815b383ec352a3ae95fea87a40127b1a26e72a0c

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
552KB

MD5
253b7cb41955b413822f43210dcdfa77

SHA1
a84862778cec0a4eef5ec3bccd82d0cd292811d6

SHA256
7f80337f9f4650131959625af46e5ecc95f1bd7e299c184c194cc0d1edcfd122

SHA512
e135aceacac42b5773198c34ad2f6e459c1a775da5029f50f6f2e95fbfbbec114ea317725301a3c30683f0f115861da0feaba00f36b337836dafce512bb7ba29

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
552KB

MD5
7585ad5055615ade164c0bc99fa61509

SHA1
638e9fcbaac8de35b5fcaee5c2da71845d572f94

SHA256
2eeb75c6b4997b95f0018da39ca1d91c24c69cb9d6c7b0516d1fe438e858ae79

SHA512
d10cc3bcdb01ee44dc3d80d60bf933d43f89e5bd617ac803869a00cebf9710cd5e3e5aa5a3aaa45f79e8510c28f66fe281afc352a1a468683752492c55e9cda9

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
552KB

MD5
58a04e058a32cc9be5cf170eda3eea54

SHA1
defb5c29fab85f58b37ad5a64e10595aec47fc67

SHA256
7d148f7bd505c4e844c75b823500fff79193982bf8c459d027aeb2ef802c6a73

SHA512
0664a2796c3974dd400cc22dc0f57230558364cae4f2a5a0c3496ff6e651683d89a03b0d0a2b74756c5b709c6739db7f00eae5c5a1234b1da659b3da7db3b480

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
552KB

MD5
dc73680bf31bc4f383b1ed5a7592e7f0

SHA1
1ba73a28b8ca3e1c486245f6077f4ec4e0efc42c

SHA256
bea29093246a74efafeb83dfff41bb14a0a7f75cb835fb9aa2d62b4c1b03a7b2

SHA512
d1c749cdd09dab76260c7dcdb96910662d1628089b493ea3af9ae9432863ad306827fb3686ec33b8cee9119ece07d4070c7ac0024a442471553749739a91ef50

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
552KB

MD5
09947dcbbfba5d7993d6081d7f464a0b

SHA1
8229465c3929aa109444b8e6a8359b2c40620d94

SHA256
eef737a4608d31491eb659d4bcaabdca6986df3deded180d5bf1fbf711af9d0d

SHA512
1e4bca41d1b5868e573924060ff84e87cc6497dbd66dab0498cb0ec5880d39beb5f3ce2568fcd35ddb2a30277b8bbd1be2c745caf0fa95a05b7306afba422e85

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
552KB

MD5
64bbf4b716ecf6ca079cafdf8bf0f80a

SHA1
6fc5d2cb3ec1e594018d380a2eea7b7e5e0d4376

SHA256
7efffeb120cf01adb72fca40fdca79f063ecb5e196c1c481b7484b1ae9a5ee80

SHA512
a2d07b1664c429eb841156c66a64ade892b7583b6ed4fd546fb6a6d4e20bac3bbad0064fff47bef3fe6483bdaf06a679610759665303201ad7e42ee83d4e87fa

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
552KB

MD5
98a7b51e9a7d7c8fdfadee9b1a83a092

SHA1
1b362ffdf6fb14a296969b435f6ec35c202983f7

SHA256
be21084e783b5daf3c8480d28811db4bd5c0a9be74a93e337782d1d799b945d4

SHA512
7b6919fba7db86bc07de99f881aaab97a916826b62087001947dc392f6f39aa5bd1bbfa7d41a0ec7378b7372d5463df9538cc5b8d9f767deabdc5a454e9a72d4

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
552KB

MD5
027407ba8845a085f3f735235a395c9e

SHA1
53bda1690c3947c93359445d9435d9e473f12855

SHA256
f2127ef145c068855f714699a59f0e70ac5398ae328a0d3b029a7b55bf4f5396

SHA512
3eb022725cb71b584bcfa5d1c60285cc594c48e51a1661a120256bdc9947bf9793564f9ac884aa224c18196744fe0dd4eeaa7c5fb51c681ccfeaecafa633b126

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
552KB

MD5
27a398e0806d0bad171634dbfc647d6c

SHA1
3fe5d0b8ce8833b77c3a43090245d05c460adc81

SHA256
96a3dda29f96097417e04c1b4f7cefa5dda4ff154ca6bf0aa3ed50ca0b769109

SHA512
8d83ab6a01f671ed7eda9052def267278971f88bcad95da61b25470b1de47c89095d63549097b3ad6bb8d2bffefd743bb9b6f298655e4cbb964eb2e601adad65

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
552KB

MD5
67c55840f99d0363b0aef52f581daadd

SHA1
beb5eebcee923becc608f13489f7261783c7c686

SHA256
c7c0a4800ae6ba0208db38a5510e82822c38901f30dc5b7b65681b993b517a38

SHA512
139e240c51e334b060fd4889191e3f1aa2d20745fd16a60a64ed13cc782b2a9b5a37115b10098782dd437d8c942204cde7571409d78b22426de24cbf51ecc41d

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
552KB

MD5
9131964a20f0cb8fdbef75d2ac685c70

SHA1
726279867e961c528bc209783a644f5af830e9e8

SHA256
db2aa46fe71312ca6633ac8c1a1738f7bc92c8a396cd79f499cceb5c460bd743

SHA512
d82994afcb9acaae464fdc32e4933073b701357c4f38cf2897cfa832e78ad77a7c286214101cd56666b32c028b23fe9f9fa975b802b3b9156d3bc1c2bbdc7f80

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
552KB

MD5
4f124544a4734198ace4ba8400d26840

SHA1
7fd5f2a4742a290c1a946d92a8d14a20317cc3a5

SHA256
ef0dcc677221c33544a6bb236343a813e3ab5e56a54047238adb22fa47113d63

SHA512
76ad53578d21389d7fa05c7a9fc3e0f36311f6db5f09115399c30f130ad84cc73a764b91b4e9102c18d6a2263f7d6e05a428215548c3dc12b48063bca271db38

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
552KB

MD5
92c1c1f532bab72d8a9f53ad3ddd0b94

SHA1
d6e6382205d56f53d95bca3f814aa6c0adf8b735

SHA256
c1d3830c12b2b682b6b9a1c19f1609d30a0106a14296f8679929ef3d387e5b59

SHA512
57b685a139107fbb3bdab72984a31e703c97e84e1343165e13724736a439291253bed9a6922205e4173e3e8bd9dc9061e5f17350b134766cdd26f4512e721223

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
552KB

MD5
757f7824ea184c3b93aeb13735b38dbf

SHA1
2e35f1dd98efe9d9d31d98516a3a7b2705364bf8

SHA256
e796d4f01214e8cf86b7d644663633374dd63b50ff8fc1e86baf6f8cd044aa4c

SHA512
bd227bacfd63cecc977248ab8267d43fa15c307b9e587c62fa2cbcaf7604985e5a184291345f4e79a1b55e981e2943a5e984b16ce6d894ca11ba26b36b091030

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
552KB

MD5
a6e9a7633a19485283ef03ca51cdbc2a

SHA1
82c3a28980876a94f96d483b84e0e26067f2c065

SHA256
d00a32139eafc870b42e9ee29e2289a7163c93ec7847c4c73d900a37adf0520f

SHA512
53cc8124e8fc81326557c68f0e4dbc4ea2123eef4001d644a108f9fdac17464bcbbac7749b83a6c6e2f42928da431c0ea97f2fe2e889500b1836958fdbcd1cec

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
552KB

MD5
4580f92409de5e2b9442e03981002333

SHA1
040160e449844442fad22605e9722dc787b314dd

SHA256
3c8a98c0b16578ed01d7f1cf232b04b651edfc65f73a1e83d490ab08a46a7e71

SHA512
e1c1ee36ca105ecdaed70d17d51d82b6afaa9619aa65a7d05a5ceace436767c1145f46ebda61e48d66a234b427fb00b79a0371cb8e99c5ef67e27d9842cb23ee

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
552KB

MD5
8bce41e66c7fd8468ba2853867f57eb1

SHA1
75e91336791d4485bd7904635c83cc29ea64a767

SHA256
908b947bcedcdfc0ae422824d24c241e6267bb79bdd0525df7cf88890c446c2f

SHA512
d3ec810ef750d2d86fbf9be85da4da326f2f035cf1f75b8f87a4674a8915e22892f3627b763113bc0c9742bd9a670546bbb3cf42890bc4573559fc68c9067a2b

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
552KB

MD5
07df2cf887dd6c4efe53561caed8460c

SHA1
3a5d15b9ca9e98582c93127c8d18dda08f27a9d1

SHA256
19790c425549608d56822b25e4cc19c07b4ed4206a34a53d2272aa3429b539eb

SHA512
9799a954ad74838a7e9e4ebeb86f458d04686e6432d620acd0c6979776ac689e019a0f292d4733f81e66ef45b345b6d63b8d3b58eb585b70f4159bc493e0ae9f

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
552KB

MD5
51f5dffd4221c8ff5ae9a8538eb99c43

SHA1
2961a76d2d7013b2c70d42789cfcb68a35a2dd80

SHA256
579c64c8b1dca16ba6c210d17fa667a34b24cb16fe4656e446c38ed145bd6ebb

SHA512
504e1c2f47f7fa17cef14f4e9190ea369fc732a34b0feb5c77cf05b031b812e7baa45745e43f1de0495286f6db8ff35a4d041912139cd70b7006e9c348e7f5ac

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
552KB

MD5
e25186f21901a02826f6c657d733c81b

SHA1
1e754562b65fdf6bd5cf1ad8974b3c62264569e6

SHA256
a77a286b56133f48235b688368c729fbb5fe12c7d4592ffae945aec6e542ca4e

SHA512
b67ac6552b37dbc0e476f246d53ebf4282af28748afb8fa1ee31c3a3d182e9beceaa6ec49a77f2d3449ce0b6d69149b1bcb77fe183ecdc27863382c796eb057b

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
552KB

MD5
05c05619ce9c4176ea47d4babc04efd4

SHA1
ab3e58d6c3717ba719cbf9ea08663ec09125cf2c

SHA256
15e088c9bc83463b422837ed640bcef1b03ba2e2f4aefd826d326052e6cbe61d

SHA512
088bcf8804282ccc8fa13c78843fc3274ba0d87fb5f5ab90267f9f292b2575b726c2214ba4397059b7406fda9b14dd7be879332edf1e76e7bc094d19ae7bf502

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
552KB

MD5
74061929742fe934dc15f5d8aa4eab3e

SHA1
286d26a02ae0e675d3da63afe1f4f437b1c65942

SHA256
ae5cb9ab43d7e8a6fcb0c473045e5ca1156fa038f46808a528820575a1a04847

SHA512
97a3277b705c4856e4b2f8365dfd54e4d0472116ecc0d57ce4ca4161397f7104f491ff8ed7b7728a030e752c6404e71a601f0a4164a4ac67a375e930a0b9cbea

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
552KB

MD5
6b34c3e5b3918770b9c7bcb342fba716

SHA1
bbc2a2902e9c4cfa701e09b44a53b1d9115054b5

SHA256
4776b7dad95e619fa013432dbe2301c104a378daf502112d80f3f643db0f10cf

SHA512
0a018ed5124327419abfdc47a3513c0daab147d16920ab880d4cc8ee0eb1e9f68c157e51a12742fb7a6e4dbea604c1dc641709a08cc98beecf1b81a963112cf3

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
552KB

MD5
e69f4b917345cc101db7b0a1de9b4d98

SHA1
056e071d6679af37d7b16c1ff6f88cb6c1deb85b

SHA256
cb14481fb4ab2ea0c328553166c719815bf138c8c39b5a2aa945bb2e683f5507

SHA512
d350e6bfff8c245ac4767a7c6d47226f626957c7c6770445bd745229cb44ddb7d841e9286136c1d6176aabd7872c8e0e4e359bdf6a5e08fcadcb4f6284d59170

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
64KB

MD5
f32ed0ae7c933569d756f29a889e9eb2

SHA1
5fe8d68d3950d532a032451f1e765d6d2fb2272a

SHA256
b84e382fbfa694bfdb4edb1abe3add84da792e2cff315ee288c9dc50b6a998bf

SHA512
b3f40f96ff8b2f7f7bc939ba1561c71dd6d11deb6b1a3c3fe2a618714d488b1922cb60dc83cc6039db195a358067e7b2a1d0a3292fe9d719fb145dae30e4247e

Download Submit
C:\Windows\SysWOW64\Lfmona32.dll

Filesize
7KB

MD5
a48a0317ac41e456e37128524a99b602

SHA1
006bd85b5fbb0a8178e2b245083a6d2880d6b62c

SHA256
0e5abad434b16aa79b4507261bbd10b18945beb1130c4a2c5a3577e15de33a57

SHA512
b784d07707f5a3b194f81723483148664831bf34cf92c76427cd78e3a945ea90e51041dee4ed407ff73f62dc5987f2446f7d678dc1ec2ffc4fce8c5c438ddcfe

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
552KB

MD5
727c11ca286b9c756cac8b3c7f2d4c6f

SHA1
469aeadab162bc0ab313818d4598830334d29972

SHA256
3ffc4502f97d703e81a05ff436e2503b206e0f28dd72d87908cb430eb1b89222

SHA512
f782316f482ce24b48813d2c69bd1e63d6373fda0e9adead5f6177d21908efa0a3d8c795c6b930691388db5f6b42aee2b360d3f383bde61d2ac7131d6b8a44eb

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
552KB

MD5
89e9dfcaa1cad49e5e5f4cfc79589bcd

SHA1
9918cc8d05ec8925d613cbd574120cf7e57a5377

SHA256
cd5e370d3c42dd23a638bbace992c0b0bb9f42d73f537241738906148766d243

SHA512
e475fb12ab87a4492167893864eca4a9e8fc0307c159ff1a5505f6c1e9836f401acca402dd93834034312495bacf42779f1fe733cb05492f75219d3b61582b48

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
552KB

MD5
0a7341c2e790beb239d9af399bddf3e0

SHA1
5523f0f20f85e717390e3f670fb48498860fbedf

SHA256
9beada15bac0d1b96c7dedaaeb2cfa2bfa29c9e058128cbb8690d5ed466097ee

SHA512
63ad07c41cff268a6086b9ce721d0809d431b6bf3bb3e6bebc076a25797b15b17319ec9e0e9c84bcf89d039b40c6a22897311d9a0bf3bc04d014b73ce9587df7

Download Submit
memory/216-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/416-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/800-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-643-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-640-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-638-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-639-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3200-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-642-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-645-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-641-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-646-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-647-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-648-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5396-649-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-650-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5492-651-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5532-652-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5568-653-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5600-654-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5640-655-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5676-656-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5712-657-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5748-658-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5784-659-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5820-660-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5856-661-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5888-662-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5928-663-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5964-664-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6212-1324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6528-1322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7076-1346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads