3b549048e51f18e01964b3981aa82d8fef4ae284dc27e2fd2fef96e5ed4577a1

Analysis

max time kernel
138s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5449c90640d7df5b6feaddae511899a0_NEAS.exe
Size

208KB
MD5

5449c90640d7df5b6feaddae511899a0
SHA1

7952051650a18ddb61b312a7c2f410aabd92f533
SHA256

3b549048e51f18e01964b3981aa82d8fef4ae284dc27e2fd2fef96e5ed4577a1
SHA512

90ae262e2146188705528ae8a7f97ce230d96fd81710015d2efa8381f252bef3eacd6ec9f15a39d1ea9f4d06a8ce7b063329352c4925ec4e826d2f0bfe62884f
SSDEEP

3072:my4c0FfuvkO5qhhYBHOVMgu+tAcrbFAJc+RsUi1aVDkOvhJjvJ4vnZy7L5AuJk:ZT0Ffukfh6BulrtMsQB+vn87L5Az

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe

Executes dropped EXE 64 IoCs

pid	Process
3520	Ffbnph32.exe
4580	Fhajlc32.exe
4364	Fbioei32.exe
1368	Fjqgff32.exe
3316	Fomonm32.exe
2252	Fbllkh32.exe
4448	Fqmlhpla.exe
3836	Fbnhphbp.exe
3180	Fihqmb32.exe
1248	Fqohnp32.exe
3108	Fcnejk32.exe
3304	Fijmbb32.exe
1488	Gbcakg32.exe
4880	Gimjhafg.exe
2272	Gogbdl32.exe
1116	Gfqjafdq.exe
3248	Goiojk32.exe
3748	Gfcgge32.exe
1856	Gjocgdkg.exe
1032	Gmmocpjk.exe
4736	Gjapmdid.exe
3996	Gqkhjn32.exe
1852	Gbldaffp.exe
3544	Gjclbc32.exe
3788	Gmaioo32.exe
2420	Hboagf32.exe
2564	Hjfihc32.exe
2972	Hpbaqj32.exe
2004	Hcnnaikp.exe
3740	Hjhfnccl.exe
1228	Hfofbd32.exe
1304	Hmioonpn.exe
2664	Hpgkkioa.exe
4728	Hbeghene.exe
4960	Hjmoibog.exe
2596	Haggelfd.exe
4228	Hpihai32.exe
1808	Hbhdmd32.exe
2328	Hibljoco.exe
4220	Hmmhjm32.exe
2924	Ipldfi32.exe
2944	Icgqggce.exe
1436	Ijaida32.exe
3604	Impepm32.exe
2316	Ipnalhii.exe
888	Ibmmhdhm.exe
208	Iiffen32.exe
2132	Iannfk32.exe
2700	Ibojncfj.exe
1256	Ijfboafl.exe
2024	Iiibkn32.exe
4276	Ipckgh32.exe
5072	Idofhfmm.exe
2020	Ijhodq32.exe
4632	Imgkql32.exe
2260	Ipegmg32.exe
4720	Ibccic32.exe
3320	Ijkljp32.exe
1428	Jpgdbg32.exe
4564	Jiphkm32.exe
3184	Jpjqhgol.exe
4540	Jbhmdbnp.exe
224	Jaimbj32.exe
1556	Jdhine32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Fbnhphbp.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6592	6500	WerFault.exe	238

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5449c90640d7df5b6feaddae511899a0_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3520	2676	5449c90640d7df5b6feaddae511899a0_NEAS.exe	83
PID 2676 wrote to memory of 3520	2676	5449c90640d7df5b6feaddae511899a0_NEAS.exe	83
PID 2676 wrote to memory of 3520	2676	5449c90640d7df5b6feaddae511899a0_NEAS.exe	83
PID 3520 wrote to memory of 4580	3520	Ffbnph32.exe	84
PID 3520 wrote to memory of 4580	3520	Ffbnph32.exe	84
PID 3520 wrote to memory of 4580	3520	Ffbnph32.exe	84
PID 4580 wrote to memory of 4364	4580	Fhajlc32.exe	85
PID 4580 wrote to memory of 4364	4580	Fhajlc32.exe	85
PID 4580 wrote to memory of 4364	4580	Fhajlc32.exe	85
PID 4364 wrote to memory of 1368	4364	Fbioei32.exe	86
PID 4364 wrote to memory of 1368	4364	Fbioei32.exe	86
PID 4364 wrote to memory of 1368	4364	Fbioei32.exe	86
PID 1368 wrote to memory of 3316	1368	Fjqgff32.exe	87
PID 1368 wrote to memory of 3316	1368	Fjqgff32.exe	87
PID 1368 wrote to memory of 3316	1368	Fjqgff32.exe	87
PID 3316 wrote to memory of 2252	3316	Fomonm32.exe	88
PID 3316 wrote to memory of 2252	3316	Fomonm32.exe	88
PID 3316 wrote to memory of 2252	3316	Fomonm32.exe	88
PID 2252 wrote to memory of 4448	2252	Fbllkh32.exe	89
PID 2252 wrote to memory of 4448	2252	Fbllkh32.exe	89
PID 2252 wrote to memory of 4448	2252	Fbllkh32.exe	89
PID 4448 wrote to memory of 3836	4448	Fqmlhpla.exe	90
PID 4448 wrote to memory of 3836	4448	Fqmlhpla.exe	90
PID 4448 wrote to memory of 3836	4448	Fqmlhpla.exe	90
PID 3836 wrote to memory of 3180	3836	Fbnhphbp.exe	91
PID 3836 wrote to memory of 3180	3836	Fbnhphbp.exe	91
PID 3836 wrote to memory of 3180	3836	Fbnhphbp.exe	91
PID 3180 wrote to memory of 1248	3180	Fihqmb32.exe	92
PID 3180 wrote to memory of 1248	3180	Fihqmb32.exe	92
PID 3180 wrote to memory of 1248	3180	Fihqmb32.exe	92
PID 1248 wrote to memory of 3108	1248	Fqohnp32.exe	93
PID 1248 wrote to memory of 3108	1248	Fqohnp32.exe	93
PID 1248 wrote to memory of 3108	1248	Fqohnp32.exe	93
PID 3108 wrote to memory of 3304	3108	Fcnejk32.exe	94
PID 3108 wrote to memory of 3304	3108	Fcnejk32.exe	94
PID 3108 wrote to memory of 3304	3108	Fcnejk32.exe	94
PID 3304 wrote to memory of 1488	3304	Fijmbb32.exe	96
PID 3304 wrote to memory of 1488	3304	Fijmbb32.exe	96
PID 3304 wrote to memory of 1488	3304	Fijmbb32.exe	96
PID 1488 wrote to memory of 4880	1488	Gbcakg32.exe	97
PID 1488 wrote to memory of 4880	1488	Gbcakg32.exe	97
PID 1488 wrote to memory of 4880	1488	Gbcakg32.exe	97
PID 4880 wrote to memory of 2272	4880	Gimjhafg.exe	98
PID 4880 wrote to memory of 2272	4880	Gimjhafg.exe	98
PID 4880 wrote to memory of 2272	4880	Gimjhafg.exe	98
PID 2272 wrote to memory of 1116	2272	Gogbdl32.exe	100
PID 2272 wrote to memory of 1116	2272	Gogbdl32.exe	100
PID 2272 wrote to memory of 1116	2272	Gogbdl32.exe	100
PID 1116 wrote to memory of 3248	1116	Gfqjafdq.exe	101
PID 1116 wrote to memory of 3248	1116	Gfqjafdq.exe	101
PID 1116 wrote to memory of 3248	1116	Gfqjafdq.exe	101
PID 3248 wrote to memory of 3748	3248	Goiojk32.exe	102
PID 3248 wrote to memory of 3748	3248	Goiojk32.exe	102
PID 3248 wrote to memory of 3748	3248	Goiojk32.exe	102
PID 3748 wrote to memory of 1856	3748	Gfcgge32.exe	103
PID 3748 wrote to memory of 1856	3748	Gfcgge32.exe	103
PID 3748 wrote to memory of 1856	3748	Gfcgge32.exe	103
PID 1856 wrote to memory of 1032	1856	Gjocgdkg.exe	104
PID 1856 wrote to memory of 1032	1856	Gjocgdkg.exe	104
PID 1856 wrote to memory of 1032	1856	Gjocgdkg.exe	104
PID 1032 wrote to memory of 4736	1032	Gmmocpjk.exe	106
PID 1032 wrote to memory of 4736	1032	Gmmocpjk.exe	106
PID 1032 wrote to memory of 4736	1032	Gmmocpjk.exe	106
PID 4736 wrote to memory of 3996	4736	Gjapmdid.exe	107

C:\Users\Admin\AppData\Local\Temp\5449c90640d7df5b6feaddae511899a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\5449c90640d7df5b6feaddae511899a0_NEAS.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\Ffbnph32.exe
  C:\Windows\system32\Ffbnph32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\Fhajlc32.exe
    C:\Windows\system32\Fhajlc32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\Fbioei32.exe
      C:\Windows\system32\Fbioei32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        28⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2828
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        33⤵
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        44⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        59⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4540
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        67⤵
        
        PID:212
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        68⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        70⤵
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4980
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        72⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2056
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        76⤵
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        78⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3976
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        80⤵
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        81⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        82⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        84⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        85⤵
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        86⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        87⤵
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        88⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4576
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        93⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        95⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5264
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        97⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        98⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        102⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        103⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        104⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        106⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        111⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        112⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        116⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        117⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        118⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        119⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        120⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        121⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        128⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        132⤵
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        133⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        137⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        140⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        141⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        143⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        144⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        145⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6316
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        147⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        150⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 404
        151⤵
        Program crash
        
        PID:6592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 6500 -ip 6500
1⤵
PID:6564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbioei32.exe

Filesize
208KB

MD5
65e55083ee05a4771cb35f7d28c23a4b

SHA1
24d86abaad63efa3d607ad10c1248f1e2ea03c07

SHA256
a2b3cfd3843c8a7137fd9d25ed2621727bf4f221030ad366645b4b2d405432f4

SHA512
e6e76a914a763266e2d3fa122937ae25b34360cc017d3658563abac9f484bffd5d5017747bfde5e39dddfc4a248c84e5f2367a2979c95d1b23cd1a114b7d2909

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
208KB

MD5
6778ff91bc67921e6d736a46de27592e

SHA1
3337cb7bc2998aee89d5d4ff1d6343fc551c0364

SHA256
cb0f64a9c59ad3569a194595c1f416756b37db27acece67c4cf9ff3c46a4796f

SHA512
eb7ef949129f9470bcf2c402e17cca9ecd23da1006f3e0c32f41ca323d6afab5fb0181dcaeecb7e9c7a5f6d3ef12709802ab084bce36718304ff4ce7808e12c0

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
208KB

MD5
b09e6ae1aeb8ca0de2e4bdf288991976

SHA1
96008ca395c90feb9b4127d790de8fe3935b0479

SHA256
52d595a669f5562921a42777903259c6902699f7c8713987a8f410da2782977b

SHA512
c7c2523b96f75174a331442c4a21598ca30a832a7d92646ac069e316818bb0faad626902700b0e43c510203e9c77f1f14801ef25ddb6112c1fe245729bc91e69

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
208KB

MD5
f6ee1da4e23a512dd598bc2e77d491cc

SHA1
eb59f3c21f5a2a794a489d1840bf44dfa04f82d3

SHA256
8bb1f814591f7043d3f5990990165f06f3c58c0df1a64cb1e02df5c75438d614

SHA512
ea18add8881c895bb31ee3211f7715e93bd49a95dc43c38a91c0446932faaebd2d5200bde471e7ae2258d9eeffaf30ebd9ce300fcd33dd58dab6914dafeae104

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
208KB

MD5
974bd33aaf8038666d7c5cf27c8014da

SHA1
da2e264752de63e9a2454c64565996c15ecc69a7

SHA256
d752b0e99c5156f49351f0a3e483485b753c0657317e40a4e9535dff0e830e15

SHA512
8a5a5935de7c8aa65e868f262e3985af5fe3473e6ff0c5d2db1121a1c27c205e2bb3d9db7bdb80d07d3681a5c1e58542d4107e82fcf63f32983e0f17c9de5e0d

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
208KB

MD5
cdf713957c057760d121eaf1cb54adbf

SHA1
dfb6e877fede24a76fdc99aa77c0e9f3b7709f6b

SHA256
052b6616376a67b68e5982636684fdbf35357a33dfe19f11d24e9f5eb3abefe3

SHA512
a85095320c36dba9bc53b4e1b456d8681ff9f4667bb91e3ecf3039c762080a54d9ade0b531411ea4f9b3572ca367bee71d0edf6052e86e86859f32882b9a08b7

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
208KB

MD5
ae7d576fd2258040af18706363ed9d50

SHA1
a9ad4dd714f9b9e83ddbfb86ebba47b49e1acbbd

SHA256
ebb293e79b7c342acd9d4e08cfcc5b13c108a39c190b2c02b30dfe2434ebe373

SHA512
37025f3d4fe22a67cd259a94857707d12b213ddfaf4a50746a601733e8b29c2614d862e63fbc21d4fa5ba53d452df45b2d2b5c5fe50453539e2c108facef1af5

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
208KB

MD5
34119c0c67e88c6f3f34bdf42c0d4413

SHA1
c561c2da432c38f2ed145f35bd8bf23fcf65fd67

SHA256
0b7e3054fbe23e19d95df37a157e7eb4b72fd792256e75730ccf3142491789d6

SHA512
717742514b324ac09fb75d308946618bb3aeebbb1eca91a34481127a9a0a3af556216f747ffb2704181eae6c55976965a8a4bfa00a674d549595d5ddeb280b19

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
208KB

MD5
2f05c8663cbabf7a711d8dc654e85755

SHA1
8ea794dcbc21d303dfbfb5578807121f9279da0d

SHA256
cf8fe8e7a60ff0367e5c183c74f0c88eda2449a4aa93c6d2baddd88546024e0c

SHA512
66dbe61fe5ecde7ecf72f0addc02e959059e37e8186b7d1fa71d2df008d68e47f07a31eb562965fdbc0a262f7e16f093288ad3d9167262416e4e157e11f4ac60

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
208KB

MD5
c221668befacde81b2bebbfb87d731cb

SHA1
29387f9e1d87ce5c994b8749fee735ab5b0c9a69

SHA256
bedf16438ab779589c22a9a218e82f0487748a4abd4f372e91635aa4e0a288b7

SHA512
a37d2fa4e43ef6834b03f7eeae2476267c5389252e67427a559b443d5a34e5d6b12bf23529eae82daec6dad85574e066e670b2544a354948b8747ff52af4ecf3

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
208KB

MD5
4e77560e5c18bad01ed8b5f80da6fe56

SHA1
ada34bba2a0c71fc9366dfec48161cbf43c473c5

SHA256
49d2ac3b7ce515b0c8fede080d39d6f984fc215db6854e1ee01ed7db7790aa6f

SHA512
d108b0ab4685deb1c709b87b663202dce87dba6bbf11f302a4182ff05d1d5a935c9374330d82f237c4167895c80e09e08e509d30676374c28d67aa22efed505b

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
208KB

MD5
366d61f25e64fdb9f4386860711ae0e7

SHA1
75711b9ec274066376bbf2a8c04458d2653710e5

SHA256
f4ad33cc98eae5b8e7fb659bf677bd480b91b4629818c68489bf05e301ceddae

SHA512
2bd8b7ad8f34a9b7fb56a4404c5ea570d43e10e22c352d4a9a8cd970eb3709ad5a89771dccea8a2aca0657541643e0db02a684e31850f6c2b389d59927ecaaab

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
208KB

MD5
c37f2ac48c515fe301992248e0439c0f

SHA1
56d3037047e3c18217861f5cd2811db1a7219a49

SHA256
ebd0de7eb091037c46dee138ab58634dd6e84c7b3eb80e1ac90033bde0fc2b7a

SHA512
554b7b363744dae449da551be7b9f480440b3a1d24c90167bfb4098f412c8ae10447bcc109928c1cb0eeb5c2a972323234d02d06d1e716f5424e5c224fa24109

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
208KB

MD5
bb94e2edf4310bc8eb21ed763e2fffd8

SHA1
eb25a34e532af441d5308e51c5f8d9c406d735fb

SHA256
1974a25045e56ce861e505c2ed2c0bb4c38a42f697e7fb8e55f459b04a290ee9

SHA512
6cbcc338b33796a08c9df4b2b7ca879d75d96ef7998cad4be8f527a79e1352695c7657c668432708873ffac2221019e59d2c7d24897e1ac8dff99dcf96f8d2bf

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
208KB

MD5
07c0020eaf635c052d3fd0b2dc887f62

SHA1
b6b82115e3804b2480dbf4d59b625fd7bdcaffb6

SHA256
fc9d1c6568322b0760ab44e878380fd04aa5495befae67871db7c44cebdf7159

SHA512
b1bab28b8c383a3dac2a492e2668c43be4e524cf1c86c720eaf3aa6aa4dcb265a63b8ce183516ac2366dcea93dd9d5b4f3d340ab28f59a1b8441be8e0b02a769

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
208KB

MD5
b09d543675dc376fdbebd292f4b6e203

SHA1
eb1a3dbb68a87e86df6558026d261a41ef5a9ad0

SHA256
6cf788307c02c29da7ec5427f506f0498c9afcc6f29475bc72e66c069c807173

SHA512
ce09c3cecd19fbf1274a963541dcf33b7979aae91a4bfa13eabf57232536be2ca74720466a36b5e0ee0cc6351c5ff7a14bf7449bf48e31441fd9ba6b57fad089

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
208KB

MD5
4ab4ef895b1e9c6aaa12dcceb3ac7c16

SHA1
63a29069b84866b296ccd074e78098f9592b8549

SHA256
eedf1f98aa70217a2ad940127ff3161a612116a939e7e6b84db6e96b4a51a121

SHA512
a4d017b6c23cb971d8f0e7b0f8c13ebb8b8158389fd0a0e82636ad18cc1504d36c7db57388ecb5ec710dba8f0ae3485f09a4c5221ef9f2a5bdea0eba875e9f16

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
208KB

MD5
3a6c656d3a47bfbb8f67ab5742181fc1

SHA1
b80c101ce98f56828bb26eff6103bc61b07e7762

SHA256
80080d742598df275a2e8adfeb90eaed9a3a7c4ecd79d87cfb7082af36c20dbf

SHA512
16c1471ad62a4c3d443b6527199201b667c0cd8687896ac21b28f6a998df43f2aa36281dad90949a30dbf6bbb4bf8fe130db13b92f1a59575e2a63c8e4e47067

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
208KB

MD5
fb79bf30d6892013de30554cbf14ccdf

SHA1
b67d87e56729c643a07e1f2ce8c782904053b881

SHA256
e701bbe6bd68cfb9891ce175e8d2c521aa03f89b4268c3ca53758fd9156826c1

SHA512
052d2697accf09de98b26ea69aa19fb0155ea193eb25d108437ea3ae2fae157f1334e20363b7a32848647418723209c9299593649c75228598c4b2da8db263e8

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
208KB

MD5
ce22702341c3d04d2fc5d91445f0661a

SHA1
7050fae952b7a931b9abeecc784561a90ab26f3d

SHA256
bfaec728f44ad8834175e6ab31dd8275b8779dc2c7dfb03de2777b9093e3f8dc

SHA512
eb20da2830191e2aa95c87b3b7e7413e2e7c98aba76073b6508ca0f477b1be9b99ce3c737fe14bdf9faeb8bf3c6de12d7fc42be804685227ad803af95343cbd7

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
208KB

MD5
a2a1d044a2c171731759ae7e9420fac2

SHA1
b46ceec99d787b9675e19d9d31077d285e8c5a1a

SHA256
8180d9f7c1e28798a20a72608ac34618624b7165e13fd2be1e4b13f85250cdb5

SHA512
ced85d3871575565f7e0fb69b2388fb44896cef0392a0754dee513b2af874d01fa6e7bff6127a006f3f63ea792f6b7d5257213b4b046ab12b13ac71edb5c3b3b

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
208KB

MD5
2fb976ad2689af6e9933ccf7671e9390

SHA1
02a9ec5bb1e29d3ef06c7e18a317a2f9a4e36a77

SHA256
daa5bf252db7d21d571ca7c056b27bd4abdde1aaf64a8eaf9adc95e5fb7c8481

SHA512
9e77825639d55caca333d9d5b5f8a3ee47ac7683ce2d5b323a1095dc8e933bcf6f2c2577a1c9b903a95684edd8d5673ca102083047a0f5066146212e835f4064

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
208KB

MD5
ad0b300df9597647a144207f1de88587

SHA1
07555aa3b7f24ae0ff20449b346448542e6d273a

SHA256
048734e8ac01457adbda4dacc719680f5d8a1195e0704cf38454a3a06e19bab7

SHA512
02fdd304d63857f2ba898148ff1ab3688db8bc144d57fce5d0c8fb3757a1e48f1692ba33224a2e64f89ed05366d46219eac3aa81d75dac8dfa9b7f16e0953144

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
208KB

MD5
f3275efb8bd89faa0d9c875b0b048ae1

SHA1
4936aba3c3c25c99994e586154274f9722dee2b2

SHA256
cc1bed26ba2c086922b3461b1237257dabb890dfa7684d8d5d8865849d25aa96

SHA512
3c0eb1a1508aca7e392f20b06352245978d010099303d22a21e17a01ae63bbecd9d6bb68733bcc5fc1e57894aeeac0fd3a6636ed5a3d300b85c21ce2e4dec4e7

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
208KB

MD5
5d9ed8edbaabce5a0e21d6bd58af9535

SHA1
02930a92253f6a58a77303807a019a45bdce9b10

SHA256
1714ae0a7536794b59818366524f0770c309196f85132134d3455a1c81e4eb77

SHA512
d077d0eb8798f67377ba11294ef33499243082abc3541d5f858775eaebf0ab527bbebbd444f5ec64d4520c7619f5cfcf70b593a299e87c0651eb75b6845c52d9

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
208KB

MD5
9ccb194058344335d89eb1ce0e679e67

SHA1
5732bfdda568daf1835706b6ff06196dc3b00a15

SHA256
d16c4883df13b26eaa064e6aee42a94ca3cd8a6da8b9a34cde0d0efaa7f1ff91

SHA512
ea88a9bfd6d01416fc8c82ac0d37798f954c0ebc0ab8ce0f72c0f739821a434fe8e964ed7923f8d1c61f32a7d61528242cd1c8b9d8d95dc7cb264f4c672e5bb1

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
208KB

MD5
34a83f829b70556172837749e3640b05

SHA1
aafa6aeea18a447cfde7e5dc3b0c8ecfa9c9bde1

SHA256
028fa4ef75ac677fb37f5d83a4aa2600647fbcb445f65b954960e5a08cc010ef

SHA512
a12dd5a8cba34e443d40ca03c4d3702efedee9ebadce147d90624f2bd8af53ce5e184847dd674cc88b39e61c70d1634e7a2fb19682132cda686675420e5182ba

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
208KB

MD5
402e71cb5a166af45ebdc27a3467d45b

SHA1
f4710861d4abe51b805bcb51c275a65ff2418215

SHA256
c8e9ff8b1d56d1235dbd68c62d567e3f66716832d212b8f5f80874bc750d955a

SHA512
1e86ab2e7c1b697ffcbd4a66d13ceb859b2242f8432adf033b052ff4f1990e1bcf26e83aca5fab0c14651850b59d2067517ee51557c46f41f7e85056cf92fdd4

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
208KB

MD5
bfa8e936c67923e3068572da37da12aa

SHA1
b26bb319934982f67c545f69bfa5b703db9a9f43

SHA256
e17104532263066878a88236fe49af6d8dc7a97e7066a23462afe795eca3ed84

SHA512
983bb535f1ab38cf5a321d7eedde51ce9c130c077eebd72c7d27229cf29c513551bb06a10677e80c97a4a1d762b88a2c6d6e468430b985c129bde3e5ac9893fe

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
208KB

MD5
a51faf311b714a6beebc7cfaa6e5cd88

SHA1
214994306e0595089c293b43eedb31127947111e

SHA256
1fd7a939a373396eb6c7c1bb71a9c64676a2dbeafaa022e5e853a780c635f6fe

SHA512
3af612c53c7197aee3c5455b0a3d4495d2b2ea4714e80496a8fab5b361e6a8a0b46b8b0eb8e23918bfca97c4e224624ed491f80410ab4e9ff0e3a6521530f3da

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
208KB

MD5
991574eeff0a44a9e716931021f2fb34

SHA1
0d985b6f2cbb405ca5f74fc5358edb47d1d5314f

SHA256
c8f1a0dfe5924da8c9f88fd4026fe0d8d052ada2211604fe816ef498178a25c2

SHA512
ab52953355afb743b136a9c8d2ff2c7c8b768375df8e8e11f84bd23bb2c15d33cee44e63d17eb3b89f98dc6c293667f9be53e76170a91873ccc374b20bb5521e

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
208KB

MD5
d5e71b9b44f60891f74c67d78096d0cc

SHA1
01d0845c62bdfba3beece8ed7af0ba3f08cbb6c6

SHA256
59430d483c1d779e27798210893a9ddf07839ce079a92f2dbe40c776aa2478de

SHA512
6e3b4abea454694f92d414e731264464ed4d5e4ac43d5e9003424cb4382e887c6ce6e4a023d76657f81efe222ce2da0dc7a3d49eef88236287e4cfc44ff666ed

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
208KB

MD5
c72111c502e0f3c915158acc8aba66b8

SHA1
bd9efdc6ace365653e3b1a3e1b54aae10af92234

SHA256
77336152c91eb82e06adcb18d83e7cc3071345bc3cf5c7b325f8a3e83917b719

SHA512
f2eebb2f3e752e2f30acb5c9e0a09a4ef5f280dc0a591d79ac963b8a69b24603366935cbbd86d00963a7196272c055b4fe5c924cbe10c4b1608e00aaed7bd85f

Download Submit
C:\Windows\SysWOW64\Kpjjod32.exe

Filesize
208KB

MD5
dd55dc74b8729ccedff089e988ff00cf

SHA1
8d72b663533265568ce30f75675f8e5c10a9f84d

SHA256
20442ee6815583abb696091bb05e6a228f49897afc6f428e5441a78642e78c3b

SHA512
26effbd935872f7838cf805d443a071b5297201764818ffeda10da5d6d9beddfb1a72cc65ea88175fc65eb9f99e9ce8318961e80b82ce0031f8015d350d3a89b

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
208KB

MD5
73b1bd9da7c924e41f2d33965ae1c883

SHA1
35872d5d36cc72473931e818bae9e81ed332b604

SHA256
cb95d70f669dbd4b7688b19cf1974ff9e3e3b0f17f7b02bdbe1c515687e1e3d6

SHA512
5bdb38c86dbdae490edfc22135e3b40660694f0901c6a1b15080fbe4417a0bb471027eb9b8cb7316e365a6a7e5e0aa4bd5600f645152d297ca32e05dd74194b0

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
208KB

MD5
278b24bad8b9af62d317468f3237303c

SHA1
6043b27aa61878aea3163f6bebff52dac48f8b66

SHA256
6642107ecf596d62ead86e2202e8bebbc4e616978a42e894f0fb2832f2e42d3b

SHA512
ae72f56cebfcfe55408d1a1721e9d98bd1f8c25f71cfb72148ac089425898e8068abb5cf495fb456c978283fcac2ae826bbef9c01d15401dc8a13c93eee56f3c

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
192KB

MD5
1a17eaecde9e334a27b00c37f70d2c01

SHA1
73f46d519a057e33734bf13cb0cee60e78189621

SHA256
e17e95ee214e8fda4992874cd2d3290530d4f3299a0d7a19e9c97d70d3d63373

SHA512
ab583de4a2516ebf1ccac7aede4d0e86c9d9c97ad479909e5b8354e1c2efdcbc9413d3097d566fc2b442dcc6f83288c595bd1fd75c1cfbe8994941e32bb7aec6

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
208KB

MD5
a0980d7802afffe6d8ce8a78c850007f

SHA1
71a51dfaef58810dba2c94fd075661b4ed215807

SHA256
ecacf2372ceff960b0b61f241a21cbb0294f3f3149292e41ebbaea2a7b6dccf5

SHA512
c88ecf81a518a31cc3bec6c29b64d2dc8dd5f6e2c0ef37955705cefdfae90395054ff0ab7c449b8955ac8f3ab240e7973cff35788191790455a7767194881c1c

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
208KB

MD5
9196a08141d5b422b6c664d98ba5db3c

SHA1
209f30d19383104dc98699b9334a5cace495ffdb

SHA256
7677a4123dc4be76a9dee589a6b0551d234d2ce00766955f318128a778e72938

SHA512
9bbab22dc37219f5c6e82562f3780bf18a77425635248178c983af28aa6945c7aed93bdea0ddb72d1f972b0f50624a0de7737fbbfea2609c9989db75207f8356

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
208KB

MD5
fd2a0f621b3fa981fb9d27c4931c3795

SHA1
2c41068d3a9647941b245cd1607391d39e6c557e

SHA256
d375fb121eb0f460e97791861397f96d71dbf6d86f915544e9e5e4fd948a9351

SHA512
12e44925583dc60a2b6e21e1ff0c18962e805f47b5216e112e85e6bd07d21064133b15b2c524e76d86e05807db36ae1667db61f37c805e6dcc16eb30f24ae4d7

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
208KB

MD5
6c423aece17bbc05693a4963e3649346

SHA1
da9f1c8325e61633aea4d81bb5eaf451e4598176

SHA256
9bea88edbfbf761e84825e47ffb60ea5569110b8a29b663063c08b2d3f920c61

SHA512
fe20e1e29d44f60b6bfca9cfdebb4f0379e535c91ef0e1c303c6c5099bb12848aa683792130b70d97118351c2e95e2e3a22adfdeb3c7ded38ef8aadaace883c6

Download Submit
memory/208-348-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/212-456-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/224-444-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-474-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/756-566-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/888-342-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1032-160-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1116-129-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1228-248-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1248-81-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1256-370-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1304-257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1352-576-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1368-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1368-579-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1428-420-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1436-327-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1452-559-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1488-105-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1496-486-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1516-557-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1556-450-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1580-522-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1808-294-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1852-185-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1856-157-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2004-233-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-390-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2024-376-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2056-492-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2132-354-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2152-551-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2252-592-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2252-49-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2260-402-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2272-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2316-340-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2328-300-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2420-214-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2564-221-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2572-468-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2596-286-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2664-264-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2676-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-550-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2700-360-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2828-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2920-516-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2924-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2944-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2972-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3108-89-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3180-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3184-432-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3248-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3304-97-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3316-45-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3320-414-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3448-514-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3520-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3544-193-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3604-334-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3616-498-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3652-462-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3740-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3748-145-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3788-206-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3836-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3868-508-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3936-580-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3976-528-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3996-177-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4220-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4228-292-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4276-382-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4364-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4364-572-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4436-544-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-599-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4540-438-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4564-426-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4580-565-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4580-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4632-396-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4696-586-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4720-413-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4728-274-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4736-173-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4844-597-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4880-113-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4960-276-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4980-484-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5020-536-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5072-384-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads