08513a91758a0021bde36a7bbb837a36433bc7eb6f9e81851362606396080f7e

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

084d6ba7ff86abb1cd460d73a7f469a0_NEAS.exe
Size

96KB
MD5

084d6ba7ff86abb1cd460d73a7f469a0
SHA1

0ba66fa40d7595d3ff4618c3a89eec14e393d54b
SHA256

08513a91758a0021bde36a7bbb837a36433bc7eb6f9e81851362606396080f7e
SHA512

84df49b433f10674762ff2416befa9096b36214f3647a3cb375bec89b9da79224138695e249ae74faa478732c0fd9d5969090fed43585c53104a9c86eb061824
SSDEEP

1536:YXXtk7GoOYOAYnQHvNTqBm/Dxq8Jo4iRVcdZ2JVQBKoC/CKniTCvVAva61hLDnem:YG3OYO1nQH0B3h4iRVqZ2fQkbn1vVAv7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe

Executes dropped EXE 64 IoCs

pid	Process
3620	Ebnoikqb.exe
804	Efikji32.exe
3504	Ehhgfdho.exe
2944	Ecmlcmhe.exe
1736	Ejgdpg32.exe
4652	Eqalmafo.exe
3616	Efneehef.exe
4648	Ehlaaddj.exe
4596	Eqciba32.exe
4304	Ecbenm32.exe
5064	Efpajh32.exe
2728	Eqfeha32.exe
4272	Ecdbdl32.exe
1980	Fmmfmbhn.exe
2800	Ffekegon.exe
780	Ficgacna.exe
3624	Fomonm32.exe
4228	Ffggkgmk.exe
1320	Fmapha32.exe
1160	Fckhdk32.exe
4628	Ffjdqg32.exe
1812	Fqohnp32.exe
3008	Fcnejk32.exe
1948	Fjhmgeao.exe
3784	Fodeolof.exe
4816	Gbcakg32.exe
552	Gimjhafg.exe
4552	Gfqjafdq.exe
432	Gmkbnp32.exe
3540	Gcekkjcj.exe
4496	Gfcgge32.exe
4792	Gcggpj32.exe
4140	Gmoliohh.exe
4916	Gcidfi32.exe
2664	Gjclbc32.exe
2880	Gifmnpnl.exe
2556	Hclakimb.exe
3080	Hjfihc32.exe
1672	Hmdedo32.exe
468	Hpbaqj32.exe
4384	Hjhfnccl.exe
5076	Hmfbjnbp.exe
2852	Habnjm32.exe
2080	Hbckbepg.exe
4144	Hmioonpn.exe
1892	Hbeghene.exe
740	Hfachc32.exe
4436	Hmklen32.exe
3932	Hfcpncdk.exe
1764	Hjolnb32.exe
2692	Ipldfi32.exe
2440	Ibjqcd32.exe
1104	Iffmccbi.exe
4920	Impepm32.exe
2380	Iakaql32.exe
1456	Icjmmg32.exe
1344	Imbaemhc.exe
4656	Ipqnahgf.exe
4572	Icljbg32.exe
3808	Ibojncfj.exe
3232	Ijfboafl.exe
4476	Iiibkn32.exe
3356	Imdnklfp.exe
4376	Iapjlk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Ehhgfdho.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Bejnmepn.dll	Ejgdpg32.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Ffggkgmk.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Eqciba32.exe
File created	C:\Windows\SysWOW64\Fmmfmbhn.exe	Ecdbdl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6216	7084	WerFault.exe	277

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	084d6ba7ff86abb1cd460d73a7f469a0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	084d6ba7ff86abb1cd460d73a7f469a0_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	084d6ba7ff86abb1cd460d73a7f469a0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejnmepn.dll"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 3620	928	084d6ba7ff86abb1cd460d73a7f469a0_NEAS.exe	83
PID 928 wrote to memory of 3620	928	084d6ba7ff86abb1cd460d73a7f469a0_NEAS.exe	83
PID 928 wrote to memory of 3620	928	084d6ba7ff86abb1cd460d73a7f469a0_NEAS.exe	83
PID 3620 wrote to memory of 804	3620	Ebnoikqb.exe	84
PID 3620 wrote to memory of 804	3620	Ebnoikqb.exe	84
PID 3620 wrote to memory of 804	3620	Ebnoikqb.exe	84
PID 804 wrote to memory of 3504	804	Efikji32.exe	85
PID 804 wrote to memory of 3504	804	Efikji32.exe	85
PID 804 wrote to memory of 3504	804	Efikji32.exe	85
PID 3504 wrote to memory of 2944	3504	Ehhgfdho.exe	86
PID 3504 wrote to memory of 2944	3504	Ehhgfdho.exe	86
PID 3504 wrote to memory of 2944	3504	Ehhgfdho.exe	86
PID 2944 wrote to memory of 1736	2944	Ecmlcmhe.exe	87
PID 2944 wrote to memory of 1736	2944	Ecmlcmhe.exe	87
PID 2944 wrote to memory of 1736	2944	Ecmlcmhe.exe	87
PID 1736 wrote to memory of 4652	1736	Ejgdpg32.exe	88
PID 1736 wrote to memory of 4652	1736	Ejgdpg32.exe	88
PID 1736 wrote to memory of 4652	1736	Ejgdpg32.exe	88
PID 4652 wrote to memory of 3616	4652	Eqalmafo.exe	89
PID 4652 wrote to memory of 3616	4652	Eqalmafo.exe	89
PID 4652 wrote to memory of 3616	4652	Eqalmafo.exe	89
PID 3616 wrote to memory of 4648	3616	Efneehef.exe	90
PID 3616 wrote to memory of 4648	3616	Efneehef.exe	90
PID 3616 wrote to memory of 4648	3616	Efneehef.exe	90
PID 4648 wrote to memory of 4596	4648	Ehlaaddj.exe	91
PID 4648 wrote to memory of 4596	4648	Ehlaaddj.exe	91
PID 4648 wrote to memory of 4596	4648	Ehlaaddj.exe	91
PID 4596 wrote to memory of 4304	4596	Eqciba32.exe	93
PID 4596 wrote to memory of 4304	4596	Eqciba32.exe	93
PID 4596 wrote to memory of 4304	4596	Eqciba32.exe	93
PID 4304 wrote to memory of 5064	4304	Ecbenm32.exe	94
PID 4304 wrote to memory of 5064	4304	Ecbenm32.exe	94
PID 4304 wrote to memory of 5064	4304	Ecbenm32.exe	94
PID 5064 wrote to memory of 2728	5064	Efpajh32.exe	95
PID 5064 wrote to memory of 2728	5064	Efpajh32.exe	95
PID 5064 wrote to memory of 2728	5064	Efpajh32.exe	95
PID 2728 wrote to memory of 4272	2728	Eqfeha32.exe	96
PID 2728 wrote to memory of 4272	2728	Eqfeha32.exe	96
PID 2728 wrote to memory of 4272	2728	Eqfeha32.exe	96
PID 4272 wrote to memory of 1980	4272	Ecdbdl32.exe	97
PID 4272 wrote to memory of 1980	4272	Ecdbdl32.exe	97
PID 4272 wrote to memory of 1980	4272	Ecdbdl32.exe	97
PID 1980 wrote to memory of 2800	1980	Fmmfmbhn.exe	98
PID 1980 wrote to memory of 2800	1980	Fmmfmbhn.exe	98
PID 1980 wrote to memory of 2800	1980	Fmmfmbhn.exe	98
PID 2800 wrote to memory of 780	2800	Ffekegon.exe	99
PID 2800 wrote to memory of 780	2800	Ffekegon.exe	99
PID 2800 wrote to memory of 780	2800	Ffekegon.exe	99
PID 780 wrote to memory of 3624	780	Ficgacna.exe	100
PID 780 wrote to memory of 3624	780	Ficgacna.exe	100
PID 780 wrote to memory of 3624	780	Ficgacna.exe	100
PID 3624 wrote to memory of 4228	3624	Fomonm32.exe	101
PID 3624 wrote to memory of 4228	3624	Fomonm32.exe	101
PID 3624 wrote to memory of 4228	3624	Fomonm32.exe	101
PID 4228 wrote to memory of 1320	4228	Ffggkgmk.exe	102
PID 4228 wrote to memory of 1320	4228	Ffggkgmk.exe	102
PID 4228 wrote to memory of 1320	4228	Ffggkgmk.exe	102
PID 1320 wrote to memory of 1160	1320	Fmapha32.exe	103
PID 1320 wrote to memory of 1160	1320	Fmapha32.exe	103
PID 1320 wrote to memory of 1160	1320	Fmapha32.exe	103
PID 1160 wrote to memory of 4628	1160	Fckhdk32.exe	104
PID 1160 wrote to memory of 4628	1160	Fckhdk32.exe	104
PID 1160 wrote to memory of 4628	1160	Fckhdk32.exe	104
PID 4628 wrote to memory of 1812	4628	Ffjdqg32.exe	105

C:\Users\Admin\AppData\Local\Temp\084d6ba7ff86abb1cd460d73a7f469a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\084d6ba7ff86abb1cd460d73a7f469a0_NEAS.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\SysWOW64\Ebnoikqb.exe
  C:\Windows\system32\Ebnoikqb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\Efikji32.exe
    C:\Windows\system32\Efikji32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\SysWOW64\Ehhgfdho.exe
      C:\Windows\system32\Ehhgfdho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        24⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        26⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        27⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        34⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2880
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        43⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        45⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1892
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        50⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        52⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        53⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1456
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        58⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        59⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        63⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        64⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        66⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        67⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        68⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        69⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        72⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        73⤵
        Drops file in System32 directory
        
        PID:548
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        76⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        77⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        78⤵
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        79⤵
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        81⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        82⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5116
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1952
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        85⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        86⤵
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        87⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        88⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        90⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        93⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        94⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        95⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        97⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        99⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        101⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        104⤵
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        105⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        107⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        108⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        110⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        111⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        112⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        113⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        114⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        115⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5796
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        118⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        120⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        121⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        124⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        126⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        127⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        129⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        130⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        131⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        132⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        134⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        135⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        136⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        137⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        138⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        139⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        141⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        142⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        146⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6396
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        149⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        151⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        154⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        155⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        156⤵
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        157⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        158⤵
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        159⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        161⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        163⤵
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        164⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7140
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6160
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        167⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        168⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        169⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        170⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        171⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        172⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        173⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        174⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6904
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7020
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        179⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        180⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        183⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        184⤵
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6960
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        187⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 400
        188⤵
        Program crash
        
        PID:6216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7084 -ip 7084
1⤵
PID:7164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
96KB

MD5
220e85f4ea8aa503c9999f7d01ceb403

SHA1
02cf15e13fb4231cf9bd2c9e665d30150e7e51fa

SHA256
27e94aed43ef5d9b1f0aaf96e611617b792ece3d1f2cdeb99c31b0d37532c231

SHA512
6520c6762f1f6d620f0ea42b2b3b3171646a66a380e7af9587d3d9d1048315e8f0a3c254a5b2f4bbf0a0e613c5fa1e74a1adc87d3c2b90be0fdd4231a7c6f981

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
96KB

MD5
1b3e895c2cfb5f0bba6f576cf316ba45

SHA1
60f92ef4464327135fba367645ce4305055e93d0

SHA256
ff133b642891d65bade83c4b35c49cd7059dcabe29cd046486f0ae70cd434fe0

SHA512
f07e47d59ea2fa539309031246bd0c9e1b4639c248269047c748a08c6082bec2f56237057ff7afcd3e9b239fe43095bbb9f31dcb82680d5392dd87f9ed47c8e2

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
96KB

MD5
5c09cba0e722a1217798421b6eb5e21a

SHA1
f92af9fcb6085351195ea8bf103d1a80984af7a4

SHA256
ae73ec7b53a1ac1865af23a7f64c9d29c401f8eef654367385390780ecc0fffe

SHA512
55dcb982825755bae7566e8f7a1715774b5aa0d813f016ee08741468d17bb780c1c9a3f34466a4013089c3e6b43d5d29f4c19bdf70e139d8a22f2a36df760ff6

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
96KB

MD5
f9e580f5bca63194cded13899749b68c

SHA1
fc5eff862c71abb56a4f1477930795eeaa3f5730

SHA256
fbc7b5200c2d49ded27ac19deb4ada477dff22997788ee371ec0fee983f31911

SHA512
5eddafe12763d95e8525fb5e9db21940522c173acc8179782ebc3a1ea333759ec99f60741630127884320df44d75b807011a0fad5d2f4a56aa1a59359ddc5616

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
96KB

MD5
9793a0733082e414a12c22305ff90249

SHA1
5df604f05f8f72db9d26701b48acf5b2038690be

SHA256
df6f4f1cea466f46a53f9022e7d9070cfbd6b7fecde58b086cafe2e550dd85f1

SHA512
7c324b0e9d561be97cfb68a504eb74312e058e525b3b415427ab20204964650004600449dfc18bd8fee3c6db6a845448a4145450258fa805e3aec0f84bf7a641

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
96KB

MD5
4162fb90b201188f0fbd9cd3db34cc53

SHA1
2df338ad7f872693fe6170b967c1209877ad98a5

SHA256
d249ae08dab725ba995cf0d78354331a82e7553fe84664d2443e039f6062783e

SHA512
757266c4d056100031ce7dbb5bad5c6b4f87a7891092b3aa6ed08b557beed010f1b6dd455fbf040c50e92cc7bb18480f4c9ec8b7092464525acd84417a9ec492

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
96KB

MD5
65893863ae1a30fcc99b9392072ea13e

SHA1
5731ae2c164598dcb237beaf6a743d8987824728

SHA256
9f7779bfb9d8e32d47be2331c9bdbd53d596f7fbbc758322308505c49e712c71

SHA512
a6114771d626e165574f6f75356a3239c106a920b5303aeeb3e79d12ce9af1c87755bd5137cbae79eeb6a6a05ae3f7c3b9ee4e79a464e98fda16059b1a2e4254

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
96KB

MD5
3a858531696a6758a36d97131919a3f8

SHA1
4d0c8ee22db8fb85093c8063d551898f46ef39db

SHA256
a31a7cab9d8b8d2d490368b6c08b1c337d1232cb00ccfe8367f27c59c355a812

SHA512
8af3fbcf6dcdd80e04f6c10e9660ffcb5bfc0d8365ba9ee2fc929d8fb1628fe8a461920c8a63fc4ad792a2cd536a61d337f368a5e0adb3d88d960f42676eea87

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
96KB

MD5
aba9a00a52aaea25b1d2d5dd4404b7a8

SHA1
2ce29aa3d808e4389d97ee29edba77a6ddc4817c

SHA256
5b8ee6374afef84abdc11edc023265bb6ae822a03b62f22fca2fd1da127049c4

SHA512
bac754f5457a98d1f0045df7611c1061e25e0a1ea7b64df7a163d89c4f0e77e82f8a036194708561b28235f729cf0228825a3bc862fc6546fba0e2e1e4b7c159

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
96KB

MD5
7134059d8dc5d35923a0b1af223d71fa

SHA1
c0a3be5057578be550c38c5e11a4a85c8a341933

SHA256
7e775b09fc8ffecc14c2b1537fbd6616e8a3c6f2d4a163fcda806e9bd897959d

SHA512
0481c6619dda54b22f6208fc00f1f056f1bbd6b9ce76a83944649981db43358b6df0090961bd8d09aa173ccd2d4500e5027facbcac2f3afd4ecf0b1cef424521

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
96KB

MD5
69ae2f13294f9091c42b7a8b3ab92262

SHA1
842d662148bbb41cfbb50a37606b5e78dd115d9a

SHA256
44f13a8aba2e48b8165e4cde70197aaf1ef723aa7fa7bf5da75be63dbe2a1a64

SHA512
74f24c6a889dd2e64504a6ab9d72b875d835ed7be8f87349fb3a6ec0d50e49a98894098afd5362de6c015ad9c83669bd6518b0024e2a1e8e400f5a783f5335c9

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
96KB

MD5
91e9238358e4273c995f0e69498215d0

SHA1
1f021d1934810904450cdf8763cc66ea73e14661

SHA256
2d1a5f9ea7140bfb47abcc23b5566d851a07a71e21841a392009f7d11bde99c2

SHA512
4906b647278b9064d1d2e9b8eede812850e5b6ae15cbe1a55c38a626b88eaa8cbca122923436eaa303c82b8cb82b4b8f252d14a12c2e9b422294e53fa6006a54

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
96KB

MD5
94295c7219da490c478f5f3657d82b90

SHA1
7d86efd9fffc3c64058b4f852b1a6af26b29ad8d

SHA256
61953cd08b37eace20bf4575d462dcca66768c7d8421ea6abded167e17c5a794

SHA512
146c3681125b0d4acc4432762c676ef9576651c05791bb49d61e2d24704cfb0259c2e423bc2a1b6cffb6e9b99f23888996e465a75ca262d2eed061fdbf94a540

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
96KB

MD5
c666f56f0e26384059022c747a96a1a8

SHA1
c693ab8bdd7921cc58185bc185782cbe0740b73a

SHA256
9b38ce95a645fb41bd0998d9f526bb65b2d092ab8b10d1db1c422391092f5bd6

SHA512
7b27df49bce18f51cc99654636910ca28d17b6e8e8c84649e04fa9cd329a19bba37f8049d93acb57f5be95f70d35337703fdf2c4d61455a53885f822b0548060

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
96KB

MD5
dd0e3e81b4292c377460fd5b0f184fc0

SHA1
f36cf390563cfe487101dc4de1cbe7432c36f30b

SHA256
d0d94e07b63758fedbcee1ba27dd16b9e6e4b76a9f06c3543607b52b070ff01b

SHA512
4d6aa4bac79a6f2e2c990a4b12f655f830dfa39f28cdf55b6a564c95dbb19f94bd91455568dfcb8eb6c5c2fcf7244841e7ee1cc9f7a5e40ace177810f6cf77cf

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
96KB

MD5
6a017e4a79af372ce98cef57cd251c6d

SHA1
065087153283401dea7deea135e4d86617a27f44

SHA256
ed5f41f56e5408daece549b1e785aae2192aa8f1b8330b9d285f3a53777d0ce6

SHA512
6e3e734f3db3f6816a111c10429af26761b2644d31407beb3d0a3f47bb659fee656d872fb82cea4f7df15f3cb960a2350d7353c4a2514eb77d4e743b7ce8d033

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
96KB

MD5
3f219cc00c6b7a62ccdd644dad8d9fef

SHA1
81c7c99250f1333bae2b0de8da248a8fba7eb97d

SHA256
2e8194eab865ca6ad74ddf6bcac8351f77eeb41e9cb71fee9d22954319b90ac6

SHA512
412222d9ca460763d946e92d1a3dfbe04e554c70efaacb729cd57f5edbea1278f372a10dcf10f83c3dffb3289db8894c6b1493599f422eee05536d0781935ce4

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
96KB

MD5
b2675c2c2d5db378f666738ce9857cd1

SHA1
1d19b2b4eb44a470648ff55d83d4b6919a7fdf22

SHA256
e603efdfab9cbe3bb2bf56aa20a55d62d39c37214ec1e6022c5f882ce72e2b5d

SHA512
24445a2b27fda03bb0bd7ff682d00f2ce14eb7c13d5e1aa21a9760fdf3198400aab6af2cdfbafdac192163cb323104f3b43ec315586a96a694b1501e5d2dab04

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
96KB

MD5
74e4a4f3bd6e7ba32a7ba2e8186345fa

SHA1
d23a99ff58cb08f4afd660bfa158db82f56e4cd0

SHA256
17b20883476e471276c702c840c19f06edd24ee202dd2730ecd209863b468e01

SHA512
c3af953e9024b43f99516ec3e0423405a45bdd58cbe58cbb0b99cdc726a9f9a398f27a5edf5129ce9ff5309df9931d0101e43edc09177571f2ed65ef3cd507fe

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
96KB

MD5
5cde84df600668083a5f4074ea65242e

SHA1
9215ddede9e894fc73075c42a10d185049a1f3c7

SHA256
fd9ed70826dbef2c63c148122497636ee761f4c754e9555dacc379f3772fd294

SHA512
150faf5e455cb0c09dcad6be04d2b4e291a2343f5fba282357c28982d0049eba381e9aef457ad7b50de331ada6beb878131930d2451a7523eb248d959da42df1

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
96KB

MD5
25ba7b354d3d54e1437dec7e1f234d2c

SHA1
057890238c35765168d7ebd235099980eea8b659

SHA256
cf15ab0e0a709e7a2a2a3c8d6a42c6d1cd7c462e97102d1b058ddaa4b3346f75

SHA512
478afdd83d07408e326e39cb6609d1d2a5c70660dbfbbdc3d15bacf34ca6fed6d6598e23c343249a9c98cba5b29984fc6be7de6518ac0f878b608f0167bec026

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
96KB

MD5
1f81d776177fa7027f39714171f389ee

SHA1
d5544b8c958ed99e33a04f5c704b8fdfc28aa135

SHA256
bb43fb3b5a2eee0b825b79791029600d5ededc7e9aa44718d63de115bc152f35

SHA512
7a9d7e1b1a498f0ba136e01efda0d68f00109307ac0f4c17a8bc618a0d8d0bcc76f457895064a639f61c3ad5280547fdc23d145dbe854ff4a129346d5b5365b4

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
96KB

MD5
4177bd82c0ba2a00e81e12cb62e6abe5

SHA1
7dc5af48ec0a3ca6119bafb3806a7eaca2bed178

SHA256
efee812bb35f2b6afb3107cb5dc3e4c74c7d0787970ce41816f4469b32aa2e1e

SHA512
47e012aaf69866d8d94cd92650f9406faa6a4dfa5a8677db8d86d6667d691ffd3994dc1975321276a3af2d9880bbcbdac87985293db2f25b1c15cb00d8b1a708

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
96KB

MD5
f15a90d3af7b157c8e162cb923dd3487

SHA1
3ca580e29d6a452c5d72093f27d59d9c32afeb8e

SHA256
6a2efd09ee5f31685a7c78398002a259bcef891f40db930e89b112c144f4e551

SHA512
33421b01f95947f515b8b02f91e96e9b3eeda560e8ef868c55516f231a31e78bb8ffbfb0f021cbc391fb97ed771622edc6c9af8a2211a801eb883ea2512c3512

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
96KB

MD5
38b70e09d3225d65ce3d1a30e8527ddb

SHA1
1ed18ea596c000557f91d2987ac327ed09178a85

SHA256
ec5af10a6934f68814f6052e24394a11326e9686b726246002e343899173ac98

SHA512
8bbb6a6c245bbc0fd66b9ffa267cfdd85fa089a7e6f165318fdf79090289e3ddc3b626e1351a7ea48e5f76c45ad134d71e9fa76d6d7aec15a9f0e2f21551212b

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
96KB

MD5
5db2556898c137725978cbe211589787

SHA1
8080584502ec556891d6e544f5b8a2e51b64f709

SHA256
de960a372851114b16a6f7db2f295d5c76182a06030ffa87f24dd4cbfd527e61

SHA512
be0769dc1cbc3994c2b2fbee2d229b4a20adc33998c32024821d32b845796827abf1e374f74c704dd620b62d3059b2b3fd619b976f7dcc7c6bffe13b1edda1f0

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
96KB

MD5
1aa68a10f2405e674243842dbadd293e

SHA1
24d67dcd54831f3533de5b0441d9a603ca3150c1

SHA256
0bada386098e6652c4ce6a40c4f6d5564f310def54c38d13ff70dd35ce41dfa9

SHA512
52bec0711ea449b5296236ecbefcc9195d39551f8fde96941fd1bac8050b7c76cb27b44ef8cb47eda3e9691e2aaeb67b5a8e22b728ee260eacec05ed4d49adba

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
96KB

MD5
d090dbc4b9362411d78c850d3b88f025

SHA1
1767f6fc63d6e0fdf170e9b4dd8b54fd129e5b0f

SHA256
dc0111f56d3fe3e4b26ded16c4ca69c9f1900f18b2bb23de332521057193c13b

SHA512
90e00db1f354747792752703423903019f67e9b0f8480ddd6ee015c709b3059ad9917484d2722de181a2c590ed97369255cb326329c783cdc535c4b7da8f4e58

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
96KB

MD5
f2098ad91ac4085ca8c46f1944693632

SHA1
9272f093977c7dacd7c18695775e84e52542352d

SHA256
d4407458a72a03a053e7af56d50c7958f6993b37436d7409904d307e271a4189

SHA512
48c1a109f38ef4daba6d8a4a6775c1dc6ebb46c6ca733823d6d456fe3330effd542960b9c372b703ea825e4d03f71e4897ef55d3ae4500cd9521958df881f238

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
96KB

MD5
967eb4fdff7194d41acf66db1cc7a28e

SHA1
797ce9a4a8ee583444aef1b8eea994e8ba5b6a17

SHA256
d71ead6ec10fca791628ebd9c8b840c0c78aae3a912c4a98a0d2c6c8ad20841f

SHA512
97dbe0e596e0371ff5091ca964f8743d4167288d3f403cb5f390b9eba3adab34051e25519327a79241e81100f07db670dbd35369f2b449529b5a568611ea2244

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
96KB

MD5
002a88a5b6e935d675d2acd4e1e17ec4

SHA1
69f353d73f8c41f1b23195e2e0ae5c7d5b6119a9

SHA256
bfcd53c412f1522abbd378076d19a9d8d5f937d7f5b7ebe31fa03859ad03a7af

SHA512
25732d79c936c0c22b596fca35ce01b12733e873f6adecd5da0f613f91581499dab41e0cf83909aef2dd3b767189d027bfbc89f5c7de546876b626f12722226a

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
96KB

MD5
a1b459c39ec3a177ccc2c65347177d67

SHA1
1b4665f3dfbe4ca60a2412d3df90ca3d10855cef

SHA256
47d36de85aa1428a5178876d849a98045e013d78fe44c8c58cd8a26e876c66e3

SHA512
4f7387866a223f9bfa0abb04b04c3c49d007e84e339636de599c83f2418c0cb92276222f3a4a73f79297088301194379a9e92b7853c1e010f19b0d759ed589b3

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
96KB

MD5
86f91b4ceaa39131539ef6f2a68e18a4

SHA1
17896247a59eec3a6e2cc6db4c04c62b8ebcacc7

SHA256
a87981485c000ca9e95094b6a0bfcde0d0d24260d8fa587d1aab2bb806daa4d2

SHA512
5ca1302ad6a5b4ced19e248feee20f0609c49790e45f1a4227d0a4aa33397290b7a285b06fa7e357503392aa9e86b2aa65ed4ee249f544f6f459df4eded4a413

Download Submit
C:\Windows\SysWOW64\Jaimbj32.exe

Filesize
96KB

MD5
9224bf7a66e3c40e953f63804be233ae

SHA1
1e3e4dc5e69c45181a9400975bf2f487214c65db

SHA256
944d9625a3f8957fcba87c27d870579f0527f6b14ecd3cdcc1604bd26e44764c

SHA512
fed415edd98b5d4f465ff968c448ffebad18cd14e52a290ec21d5adcb5b5a7e78063e370c697ad180abf94e051451acf661a2ae64aff213a8cd8d5ce32daa625

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
96KB

MD5
9a250363941ab5de47098b5767718237

SHA1
48c7d21f2d489efb0fc098b5fb9a3efac7623a60

SHA256
b04bc5ca206ca6cc9484901e50bfccf4e10db72820fcfde83560dcb70731bd61

SHA512
9b6dfa78c947fac85ce395efecb3cd9271986a794c15e598f436f4c81bdfa4f0b6f313345208e2cc09593ca1292c48fa55b588596f89915cca113a714a60d0b6

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
96KB

MD5
37a10ec43eae0f768b47504e7f2049aa

SHA1
085ed92224b7198865620755f2d17712d130b71a

SHA256
2910a342a416a4f48c44f14a82b2457ca02efcc9a0a09c30d47bb9b1b01cc301

SHA512
7c501d4878d46588b60a6b5c67fb59a195760bd7831d63a2ecaa4d185fd04e38d935d44af5a25e000cde1bc860325ade93f9f00351cd61843c34feb3680cb8a1

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
96KB

MD5
1726518fef86ee0166ece6f59f74a979

SHA1
7e01012658d188e52ba60e2a0205093d9544b7e2

SHA256
3e6cc968cfae4318963d6fc757d6e14f214ba380a4f7bbbb7c08cab30fccb58e

SHA512
acfd3460156cb422d1eb573ec7780b20ee6341dc6c155961b1c24f7ff688f21c05e7e0a250da60d192b45f335a00d0fb26c72060940ae18389cbf6041895c356

Download Submit
C:\Windows\SysWOW64\Kipabjil.exe

Filesize
96KB

MD5
415f0a455dd5ae6aa389df6f9ccdd294

SHA1
ef786d56548bafe9f95b03fd4c2f2d85a322c06f

SHA256
45afe21489f8d62b4af52d0312c0f3e202f764c19ef80e9b2ba5b8ef89c713b3

SHA512
8630d5dbd2c244e1081a2fb3cc3eed8118617f569abc6a63cfd916a1a37bb6474247fc66ec8b5dc477757bc9ca1b195f55413c3610a8241e39a20b88c89dc062

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
96KB

MD5
83e0cdbe742bef0d320e2be4feff91eb

SHA1
dee27126e0617e8cda42345ff731655b95ca9438

SHA256
4de4d4c43bc4f4d85acde14ddf2e4312c7bc2107bfcf4c531d2604e89c3c7afe

SHA512
3ad1233a7e2d5f4bfc851936280a420b27f55a42ebc05d0ecaf53841047396ddbfe467a48ace7f092a1e052297640d1565aff9ee5b5b7771929d6fbd1820f2cd

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
96KB

MD5
49ffc6b25103a364a714c01c3c47276e

SHA1
5ecbfe1906b7b00bd614aef72986d5d9974277ec

SHA256
cd9ee39ccc58f88992bf11e7f42a0ca4026363b5503f0f2b2167d502ee358f1f

SHA512
12b5a256234c42bffe8507d491c0183833aa9e96c4a6afa5673ce39339258f334dd66ab2b1775cfe11b19590bc71368dcf1329239dea23660e3e88902451aded

Download Submit
memory/432-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/432-327-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/468-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/468-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/552-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/740-379-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/804-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/804-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/928-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/928-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/928-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1104-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1160-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1160-263-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1320-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1320-250-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1456-439-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1672-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1736-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1736-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1764-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1812-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1812-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1892-438-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1892-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-291-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1980-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1980-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2080-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2080-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2380-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2440-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-310-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2556-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2664-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2664-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2692-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2728-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-219-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2852-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2880-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2944-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2944-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3080-385-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3080-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3504-25-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3504-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3540-264-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3616-61-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3620-13-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3624-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3624-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3784-220-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4140-285-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4140-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4144-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4144-365-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4228-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4228-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4272-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4272-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4304-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4304-169-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4384-337-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4384-405-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4436-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4496-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4496-336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4596-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4596-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4628-178-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4628-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4648-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4648-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4652-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4652-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4816-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-357-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4920-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5064-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5064-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5076-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads