c03b5307f7d6950c9f17dbfb5912c1aa54334293bef17ac30ed462739ec5a087

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1da1bbf894feec0a922a090e8a8ca330_NEAS.exe
Size

64KB
MD5

1da1bbf894feec0a922a090e8a8ca330
SHA1

857dc52137092547be903f2c7ddb59c59bc4896f
SHA256

c03b5307f7d6950c9f17dbfb5912c1aa54334293bef17ac30ed462739ec5a087
SHA512

6ffd9d1cd3e02b008b7d7de7cab3bdf2c8e19dd24364b3ef92c23e289736cc807aeae7a26b7b7e1636362ce1bf25023512977f09d5458c750d5ee0d993e1c2cc
SSDEEP

1536:r1uw0ZQGO+4p3btw5i5jgILU17tA2LyAMCeW:rMwF1Pbq+a7txypW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1da1bbf894feec0a922a090e8a8ca330_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe

Executes dropped EXE 64 IoCs

pid	Process
2916	Dhnepfpj.exe
1420	Dohmlp32.exe
2532	Dagiil32.exe
2428	Dhqaefng.exe
860	Dcfebonm.exe
4504	Dfdbojmq.exe
4264	Dlojkddn.exe
4384	Dakbckbe.exe
3972	Ejbkehcg.exe
1732	Epmcab32.exe
3144	Efikji32.exe
5092	Ehhgfdho.exe
4796	Eoapbo32.exe
1428	Eflhoigi.exe
3088	Ehjdldfl.exe
4692	Eqalmafo.exe
1936	Ebbidj32.exe
212	Ejjqeg32.exe
884	Elhmablc.exe
2912	Eqciba32.exe
3876	Ecbenm32.exe
3344	Ejlmkgkl.exe
3564	Emjjgbjp.exe
2840	Eoifcnid.exe
2984	Fbgbpihg.exe
4136	Fmmfmbhn.exe
4012	Fqhbmqqg.exe
3592	Fbioei32.exe
2872	Ffekegon.exe
4076	Ficgacna.exe
404	Fomonm32.exe
2304	Fcikolnh.exe
4324	Fbllkh32.exe
1364	Fjcclf32.exe
1212	Fmapha32.exe
544	Fckhdk32.exe
2640	Fjepaecb.exe
1496	Fqohnp32.exe
1396	Fcnejk32.exe
3672	Fflaff32.exe
624	Fqaeco32.exe
4684	Gcpapkgp.exe
4704	Gimjhafg.exe
2800	Gogbdl32.exe
3512	Gjlfbd32.exe
4720	Gmkbnp32.exe
4896	Gcekkjcj.exe
1280	Gfcgge32.exe
1228	Gjocgdkg.exe
2588	Gqikdn32.exe
3584	Gpklpkio.exe
4828	Gfedle32.exe
4660	Gjapmdid.exe
4556	Gmoliohh.exe
3960	Gpnhekgl.exe
4328	Gbldaffp.exe
556	Gifmnpnl.exe
4044	Gameonno.exe
1004	Hboagf32.exe
2092	Hihicplj.exe
1104	Hmdedo32.exe
3724	Hcnnaikp.exe
2040	Hjhfnccl.exe
4632	Hmfbjnbp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Fcikolnh.exe	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Dhnepfpj.exe	1da1bbf894feec0a922a090e8a8ca330_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Ehjdldfl.exe	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ggmlbfpm.dll	Dlojkddn.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbpihg.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Gddfpk32.dll	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Fbgbpihg.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Jdmaid32.dll	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Fagmapfi.dll	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gameonno.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Gimjhafg.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6276	6184	WerFault.exe	283

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cniohj32.dll"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1da1bbf894feec0a922a090e8a8ca330_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2916	2688	1da1bbf894feec0a922a090e8a8ca330_NEAS.exe	83
PID 2688 wrote to memory of 2916	2688	1da1bbf894feec0a922a090e8a8ca330_NEAS.exe	83
PID 2688 wrote to memory of 2916	2688	1da1bbf894feec0a922a090e8a8ca330_NEAS.exe	83
PID 2916 wrote to memory of 1420	2916	Dhnepfpj.exe	84
PID 2916 wrote to memory of 1420	2916	Dhnepfpj.exe	84
PID 2916 wrote to memory of 1420	2916	Dhnepfpj.exe	84
PID 1420 wrote to memory of 2532	1420	Dohmlp32.exe	85
PID 1420 wrote to memory of 2532	1420	Dohmlp32.exe	85
PID 1420 wrote to memory of 2532	1420	Dohmlp32.exe	85
PID 2532 wrote to memory of 2428	2532	Dagiil32.exe	86
PID 2532 wrote to memory of 2428	2532	Dagiil32.exe	86
PID 2532 wrote to memory of 2428	2532	Dagiil32.exe	86
PID 2428 wrote to memory of 860	2428	Dhqaefng.exe	87
PID 2428 wrote to memory of 860	2428	Dhqaefng.exe	87
PID 2428 wrote to memory of 860	2428	Dhqaefng.exe	87
PID 860 wrote to memory of 4504	860	Dcfebonm.exe	88
PID 860 wrote to memory of 4504	860	Dcfebonm.exe	88
PID 860 wrote to memory of 4504	860	Dcfebonm.exe	88
PID 4504 wrote to memory of 4264	4504	Dfdbojmq.exe	89
PID 4504 wrote to memory of 4264	4504	Dfdbojmq.exe	89
PID 4504 wrote to memory of 4264	4504	Dfdbojmq.exe	89
PID 4264 wrote to memory of 4384	4264	Dlojkddn.exe	90
PID 4264 wrote to memory of 4384	4264	Dlojkddn.exe	90
PID 4264 wrote to memory of 4384	4264	Dlojkddn.exe	90
PID 4384 wrote to memory of 3972	4384	Dakbckbe.exe	91
PID 4384 wrote to memory of 3972	4384	Dakbckbe.exe	91
PID 4384 wrote to memory of 3972	4384	Dakbckbe.exe	91
PID 3972 wrote to memory of 1732	3972	Ejbkehcg.exe	92
PID 3972 wrote to memory of 1732	3972	Ejbkehcg.exe	92
PID 3972 wrote to memory of 1732	3972	Ejbkehcg.exe	92
PID 1732 wrote to memory of 3144	1732	Epmcab32.exe	93
PID 1732 wrote to memory of 3144	1732	Epmcab32.exe	93
PID 1732 wrote to memory of 3144	1732	Epmcab32.exe	93
PID 3144 wrote to memory of 5092	3144	Efikji32.exe	94
PID 3144 wrote to memory of 5092	3144	Efikji32.exe	94
PID 3144 wrote to memory of 5092	3144	Efikji32.exe	94
PID 5092 wrote to memory of 4796	5092	Ehhgfdho.exe	95
PID 5092 wrote to memory of 4796	5092	Ehhgfdho.exe	95
PID 5092 wrote to memory of 4796	5092	Ehhgfdho.exe	95
PID 4796 wrote to memory of 1428	4796	Eoapbo32.exe	96
PID 4796 wrote to memory of 1428	4796	Eoapbo32.exe	96
PID 4796 wrote to memory of 1428	4796	Eoapbo32.exe	96
PID 1428 wrote to memory of 3088	1428	Eflhoigi.exe	97
PID 1428 wrote to memory of 3088	1428	Eflhoigi.exe	97
PID 1428 wrote to memory of 3088	1428	Eflhoigi.exe	97
PID 3088 wrote to memory of 4692	3088	Ehjdldfl.exe	98
PID 3088 wrote to memory of 4692	3088	Ehjdldfl.exe	98
PID 3088 wrote to memory of 4692	3088	Ehjdldfl.exe	98
PID 4692 wrote to memory of 1936	4692	Eqalmafo.exe	99
PID 4692 wrote to memory of 1936	4692	Eqalmafo.exe	99
PID 4692 wrote to memory of 1936	4692	Eqalmafo.exe	99
PID 1936 wrote to memory of 212	1936	Ebbidj32.exe	100
PID 1936 wrote to memory of 212	1936	Ebbidj32.exe	100
PID 1936 wrote to memory of 212	1936	Ebbidj32.exe	100
PID 212 wrote to memory of 884	212	Ejjqeg32.exe	101
PID 212 wrote to memory of 884	212	Ejjqeg32.exe	101
PID 212 wrote to memory of 884	212	Ejjqeg32.exe	101
PID 884 wrote to memory of 2912	884	Elhmablc.exe	102
PID 884 wrote to memory of 2912	884	Elhmablc.exe	102
PID 884 wrote to memory of 2912	884	Elhmablc.exe	102
PID 2912 wrote to memory of 3876	2912	Eqciba32.exe	103
PID 2912 wrote to memory of 3876	2912	Eqciba32.exe	103
PID 2912 wrote to memory of 3876	2912	Eqciba32.exe	103
PID 3876 wrote to memory of 3344	3876	Ecbenm32.exe	104

C:\Users\Admin\AppData\Local\Temp\1da1bbf894feec0a922a090e8a8ca330_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\1da1bbf894feec0a922a090e8a8ca330_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Dhnepfpj.exe
  C:\Windows\system32\Dhnepfpj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\Dohmlp32.exe
    C:\Windows\system32\Dohmlp32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\Dagiil32.exe
      C:\Windows\system32\Dagiil32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        24⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        28⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2872
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        34⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        37⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        39⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        42⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        44⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        57⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        60⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        61⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        65⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1188
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        69⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        71⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        73⤵
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        74⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        76⤵
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        77⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2576
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        79⤵
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        80⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        81⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        82⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        83⤵
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        85⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        87⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3244
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        89⤵
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        90⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        91⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        93⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        95⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        98⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        99⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        100⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        105⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        106⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        107⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        109⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        111⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        112⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        113⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        114⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        115⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        117⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2684
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        123⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        126⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        129⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        130⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        132⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        133⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        135⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        137⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        138⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        139⤵
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        140⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        141⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        142⤵
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        143⤵
        Drops file in System32 directory
        
        PID:6364
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        144⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        145⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6504
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        147⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        148⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        149⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        150⤵
        Modifies registry class
        
        PID:6680
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        153⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        155⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        158⤵
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        159⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        160⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        161⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6172
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        163⤵
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        165⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        166⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        169⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        171⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        172⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6952
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7028
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        175⤵
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        176⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        177⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        180⤵
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        182⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        183⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        184⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        185⤵
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        187⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        188⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        190⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7128
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        192⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        193⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6184 -s 408
        194⤵
        Program crash
        
        PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6184 -ip 6184
1⤵
PID:6164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dagiil32.exe

Filesize
64KB

MD5
fc4d71b48cb353be21fd3031cad94dde

SHA1
b88b4be3a16ab73809b4f51e743ce6ac08f2cddc

SHA256
d0a32e269c559f13120c60c75006a8e4cfc30a9e24d46e43a55b71c39dcd1545

SHA512
e92e359be3bbcca734a2c83242cdee678ba4e6ed4aac3b6d35578372af47e88e39bd187243677e31cff019a974632ee354c423876c5d85c165bb80a7f0f27dca

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
64KB

MD5
aec7a028b41dcb320e1c99ebc5babb6f

SHA1
2f5915748c9c2727bf3126a3e979ccd4e7064ee0

SHA256
bc12444999f2e84961a07a3e936cd74c689c5a4e81fd15dfa25796adc8a2f02a

SHA512
0e42ef41468a75d366118adb3ffa4ff30a69d1866157a452e865d207e6b9191a59479dc42f7da0f0e54f7f02f7e7b5d919be1cb0cbf76b5a74fed4625d69fb95

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
64KB

MD5
e45bac6d9309219c2397a58ca2741323

SHA1
cae541d6a7fb1d94181d7d9e3288e41e88fd6486

SHA256
2b425a05d5cd0b4caa0d66ff3b00f3338d73355f8ef64f77a403241abbcf3486

SHA512
fd0177fbb6f84cd1ad873224f2c96327550ef609fb3a203b7c3deec11a0e5676b79e2876b5d431a87b1922daccae408bc0af368c737769b3351cf2f6a48d37ea

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
64KB

MD5
c10ae0c69a0d33a04ba6c0003071d0fa

SHA1
93d13d0591460d5d145646371f2c4da65f3876f3

SHA256
869c1facc4ab39560dcd21c9eb812db4515410af7bb08c644ca333cdee26d1c6

SHA512
5da57f22364baf70180a5466b63d52b24fd0b7c5969fef9a03ec2dc293cfcf248e75373aa126c47864816737494e6aff28ffa9bf7cae4f94eebfd88dcec83236

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
64KB

MD5
b643a2d70e52d23ea2b1010cd98c16ea

SHA1
ea2570fd8b272a49a7c8a0b01ce199c5494c2a44

SHA256
0480459eeb46197f44abbbb769c4dd02bbabc0f982f92af149032acd4505f14d

SHA512
4cefc7e0e584ee22e451bdf354b06841164f47e9e11dfca5ca41866800ea14b37cde9ed85bcc6fb1f0843d7c234e429bedf993bd883c183b407c1b3516db38a0

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
64KB

MD5
7b3e843659f5509d859ec87dced29e25

SHA1
fbed0401a7f21ee2731d9aabf4e08c90e3490fc0

SHA256
7ade412ba333f1a0eb963d18fd3dd7632a08092bcb077e25709bbbc6898e1462

SHA512
7e39f894cde15bd5c1369941e5a4ba53f498d1c5fb82573db3341485c335f2a58984c7c03d8ed3facdc8567f886e27fada02376b2d8b56b6797134565d9deb89

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
64KB

MD5
98f09d35b48fe81e15e769ccd5d38569

SHA1
d69771a6a9a66c735cc262586a68690266272c22

SHA256
1fd356f6521d6aebce66a835740bd5b9336b37c91b6726b04604bf4b8f841a99

SHA512
10b4e63fa55c4ecb5918759661ab9cc411f0ed2fca1c8e39a2c205106d8d89be660caa417225a4337f0d3c2c6915207e9e04f29961ab5f04481f5eadd6360b7b

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
64KB

MD5
d05826fe5fe83310ebe537af95b502ad

SHA1
360487af5ef29862064f17a46cb7ec00fe9209ca

SHA256
2de4f3951ecb734248b43a1cc1159cc9871154993bba45e7d12cffcf5db5eef2

SHA512
93b720e7170b37bb683354bb27487f675919f9c0140363ff8a0a503dd1189c6c40fa28f884f97261c1df84faf31b9cff751013c7cdee8fa8564a5e43443d60d8

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
64KB

MD5
33a59500ed78f5e1a7ba91f6efaa828b

SHA1
3a2f883308bf4accfc00f6c8296bb372d7b8bc8f

SHA256
944ca7651f02d4d63bd46c2096569f080fe6f97e5f86f99e6ff0743568b9dbb6

SHA512
056a3448c299351aa53ac0e39da766c32cdeeec9f8b6ab3c052d8ed8596fdd2a9675922f4bc49b881de2222f8f3338992a7f6210be4a0c9087cf3e328d0cb3d3

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
64KB

MD5
2bca023e4d332157a401ee212db85480

SHA1
5d6fc7f7a0d3508eec70e5bbd8e4c29bd3279832

SHA256
87e8ce94115dfd4ddfbaaa7c9df9f2a9c2b5d3eed69a6897c3bb92e8afc84f2f

SHA512
ff85973280e2eaac91f15ce2ed281d8bcc4df2569a8c4e5fdbda4c4bd4df51842ca8a06bf4339bf66f0aa3b0b4bc09092582191c62168895c8a440bd4c7e763a

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
64KB

MD5
5e51a501774b0d9f107cf32ec2413d2e

SHA1
892095ab9b2549c6f393d1143089099be937e05b

SHA256
ae37c09aa0e21ae6c8234c27645c60c22593a8cdafea802b0b0559ebf8c46360

SHA512
5ce0792341fa3548c87d7ae3573ad8ddeabb62907029c759407172c77305632aec95088e2ea3b6acef2e1500f5c2fa76fc184f64fa02f6b7f6cf091663e36767

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
64KB

MD5
cf3c9f43104308bf6c08a8a6afd3ffb7

SHA1
6c8169995e81a68982e90b8aec9239da06c75eda

SHA256
3b929f8cabb8af006d0e60073b75ac10ff296644747ad198646974f66f94a91e

SHA512
bcad2949c1423c877ebe3e2c357d498237a0a7c42db5e2b353a987b8dd9542d991622b436f59748dcbc23332ddac6a3273e2323bd878513769eb49ca20df2eae

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
64KB

MD5
c1e44b9d3d8b6b433f2bf00e635a8c26

SHA1
a4c6eeeeb576ec431eb0054407ca64926c3aadae

SHA256
1ed77bcc8299ef6485d2980dc0c61dae5b4accc2236cf0d4947b446f7f5bd9c3

SHA512
9b0494380745a4db080f7e4037716b1eb28fb99d3ff42f334bbc62f8a5eab2ccbd94575070bc468c1715d8d982e719f6ef265514ded9a9727e75266a6e59477e

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
64KB

MD5
9ece2f6ae987f1a4035e4fae5168a876

SHA1
f1bc4e4e79ed91fc510458380bdde41aede6ccc3

SHA256
fc33f08a14f7887f7c23948020b09bfc6c68c486c803c32202478465448a2967

SHA512
fc0166d9ceddcd674f662bb4c468b21ec8519549c1a908c27f39603e82cba9400e620d0d98d7857ada176feec911b1370a842074ff302e27cc62cd08ef1588e4

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
64KB

MD5
cc526199b7c58ddf5a813686a15ceef5

SHA1
824f20c532acf0d52689026b3c7d5ba45cff418f

SHA256
3a8766ded6fbc4a533d4d2cc9a8c9dc32814a51c3a3c8cf1582b812bee1029e8

SHA512
8c3e7a967f20b24eb98dbf513673916a885a3bb7dd55c5075343a89600b600e514937a3d392ead8a56101a13805f9123e696f5b2b195c40f8f2e8c6337c29d14

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
64KB

MD5
8f64185d5e8fb61b284e5bf12f31e5ad

SHA1
5d521dd8b353aec250d25c4819ca0d72923a71ec

SHA256
f6fa859ec42b35492c15de3c9943c26145fb534af255ca611cd4dcbdb48ee641

SHA512
a9ca2d485c4ee51f950c481096b874d0754e592f20d23d068b78bcc9fb217eca7e2bc1220c2a5f64d2c13db0984a3fb7b7fb0cf3ab9106b741536bac1337c812

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
64KB

MD5
f1930eabeb6d8f0200332d68b2ac16c1

SHA1
21387ffeac9d6d1dfce318af8a339ee39bc71a73

SHA256
0bce5a503415c1dc38fbfa25aa37e7c7906b419c9dfe7a1fab5312ffb5b86371

SHA512
3772d59e7eb7a81824888ab037b3664a0dcc74ba72dc045ab6bcbaf98184398b66f4d92ee7f89d0d0f50bd043e0d5623749e396222bba9d3a8d50cc5c88abe1c

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
64KB

MD5
381eed94fe06c5dc9141567b9aeae09c

SHA1
12f28ed6536240ebad42a5a8da16f2e50d9f0cab

SHA256
b466a8425aa58e20933a27497825d2cf515372fb8a853173021943911e930b28

SHA512
ccc7b25a3afbd6de64c60308983378a27c1b5530c3a90c5c437fffb67c8e7324e733f72553af7555d05a783bd42a9e724dba626c95d6188261807ff6d084ec47

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
64KB

MD5
176fa8ff43cb5362921809037ce6b5ff

SHA1
b50f5819f64be8b80952eb9295e5c3f8e064fad1

SHA256
64504db05034e5e8b2a3146294ee8f8880d11016cfa2120d16383e2e40c499bd

SHA512
1aa32031601c3cf08b19e6ecc646bb22f99109bf3a199b8a74a9d5bdafd755bab65b9d3e2ab67d0216a049cf8ecd54309520dc6a9979f55e38d2ba7e9a26e5ad

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
64KB

MD5
1e2cac4cca1b1445116af798f026b01c

SHA1
2b1e2e85fad100808675983acf02c820b18d0744

SHA256
c413ef516ff0b90babec7b2fd91cbc6279f7825fc061bd5983ffae3417767378

SHA512
d78dab894753305a261b6bfa2c1ddae0e5ec63a6dc6099369ea263eedfabb55fce1c51f288fcfa5ef2fcfa6e2a51d47a5decb89b2ce8f7b12fe87e554ebe6e30

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
64KB

MD5
e130304c32eb0acddfaa37a397a66ae0

SHA1
d7d6db6e8725b24d6740c1db086d73ba85356972

SHA256
c0fbfd586ffaa274952c8ef9d8c1c9456aeceb4a961cce8a277eb60c170d1441

SHA512
0efcfb1ee32be3d3dfa1ae7956fcee6ab67e3122333d79c94ff39b4ee139c447bb4aa1e45bb81e51f468fdf01e9effc32b13d82fbe885ce0700ff76288c5b3e9

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
64KB

MD5
c69360d3b4672a044085323168c74bbc

SHA1
744c23fc863e42ab68cc7ff0cecfc946eb5cc9b5

SHA256
5f451297f80c29d582768c83793cc37114f2422e7de8a763f62ba762a6c21e77

SHA512
1fcffe1b55c92ad8a15c5e17d2d3950315eb1453352a9a67813e441be2fb4bdbf4e17d651e31a5c0269279bb215b3543b01559c445243ee4775f38dd94b0c1b2

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
64KB

MD5
60b38b73176e454b804400b4528b9600

SHA1
ad451c725e203bbaea2354a893ae0cebb4fa861c

SHA256
22bbc6a2b9c241771c6bd0ecc500e384f7fa4c94eb8b1581545842a3fb9d0c0a

SHA512
76d4b5806fad93d28dc7fda8e71622f21ec4173283103398a4aafe98650570ae326d5d6e1f53f74954785c8c87b6949eb5ddfbcdaf88b52fa86049c0ffdc80f0

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
64KB

MD5
ba55013bced217ca165971eb5a0d1ae5

SHA1
e730a23f969ab010943e068d6d228d02932c0e3d

SHA256
69c2c2963152826c02e023bf32605d702f7a131f50f2bc72e93b6179a9e96c13

SHA512
4889b97ee34f6e1229573595680fcba22fb1f6fd58f824d9e8879b45c86b3ed172489d4136b83442f75880267fc345bf6b2de7a0c01b5bca4282d43f267de07f

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
64KB

MD5
ef42ac52fd86f3fd87ea2f5e2f53a893

SHA1
04c00ca6566467e58bc1434a4fcd64502180d809

SHA256
9f0afcdd3c0c42a2d745966cd845c7cb1b07ea7acb7c0a05a0fd3f178e45a746

SHA512
aab1ce5051ddb42f3e46ca7dd1c272fc05f878b65bfb4dac99eaab11128f7a35cce21a80d1c77d86a5f70cf7fa96ef02618937c92a0883aa57ea7fd016e6cc23

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
64KB

MD5
0bf74d5f09387f2011b550f4f469a18d

SHA1
c7bf7ab8700dfbb0c95a538fbdb4f743621e9d20

SHA256
99e835975c44471e3393b52fd73848b45787a38573448ea1ad0988ebbfba6ea3

SHA512
8cb12215e29b32b149ca6dc07824711b3a0d5422383bfa15058ac3b0f0d5707378cd4647f37a0c5c523574435ee913f746323c4d1e78682db8cb22e9d7047db7

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
64KB

MD5
a42840112da1a0a730369166ef115073

SHA1
a2cf6b7798852b55ec7f92c9b9a1268b822ffd51

SHA256
10ba865ff5a6d6cb147c73251c06303b213584ea25d7d1ef04477cd07281e1f3

SHA512
d07e5f381c5b1a50ae46d67f7ff5b94b6f68f637a0a41928df903944114917d0e9de7c7e26689b735aab16cc738d8ab602f71b8a2175e78d5aa5769b5a1d3af2

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
64KB

MD5
c37ca13babcaa4b570706781686f53e8

SHA1
5fd316ea4172252b26b7526ac7777c1a4910b058

SHA256
56e853c6ffe878d38b9c13a38635bb8a79eddf4eee77e7e4072306a54b3b4226

SHA512
5d70afe58449ced5903018c9c6a748a08eeab804f134affa843ec75d511bfba60260688ba9f405258c041e613d519d476e7290a33743be1944d6e168f8b98999

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
64KB

MD5
e9f1de97ce7cab259d3ec68f809ba0d5

SHA1
0965e06fe068bc6c98e90a858ed4d437c2368460

SHA256
499961a52be3b9159e944dc46cf6575d3713654872579175d6d5c5e670a693b4

SHA512
946febaa91627627eff60649ba46b484cfeee9649cb49dc5f3ed985befc6359490eea9a0ae1441ae7f7105341aaf3740057bbb5d21281fa8780e7f82b3554ec5

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
64KB

MD5
6e8973454331ade9750aea02fbeeecc1

SHA1
a0f112a3684ab3814cc4f6bf2022bb481772b0c2

SHA256
0681b3cee0ec07799e2dd48647aab1dc65d889a41c723d0ee17aeaeb1a56c734

SHA512
987acd274b988bd3c3cef94e0b0ac08f1d88e7c34bb7b8050dc303792bb97f983dd0cd5d3a2445a6483da6f206e1e9f7983392c247720443442178bf1a4ca780

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
64KB

MD5
cf5316d14360729de81bbc83294198df

SHA1
f2f36c8123c009206f5c5aaee9ec8303df8df82c

SHA256
c1c07778dfefeb3dab8ff62a07b064bdc2f7726be08d75a3cb423640d3099b32

SHA512
317a30ee2f6d3d1e2f84e36da7b25c85c67afbe5d6bbbb7c3e589feb61b6ce7641e4bf4cf0c7b3e7436354a3258d3c62915902e5131299da508719475d53ba18

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
64KB

MD5
fe048f28d66f35ef8145658afe7f74dc

SHA1
472a155cc47287fb99345c7e91eb0e31ca2e72b3

SHA256
dbd084f549785dec3e37318757d376172e681e3d85279c5f25633c342a4ea5f9

SHA512
9cff679c5f07fae02fe3a50873553a2a86b82305364d915af601fbfb13e301ed93b9074bb15fc56a8a2ac85ee2688f7b153114af57ebccec121e76421d4f18e1

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
64KB

MD5
cbdfcd21f4dcb667e966b32c03ac4a3f

SHA1
d18999a78935b6cdb56f575a60a200b473448dea

SHA256
b43d7c6747b35069315b82efe07883ac67f2c191a474349ed10c9237026d8bf6

SHA512
a258650ca34bcea4018921d99a28dc035d2a00836dff1aca94aab852da613cf1b1c9f947bd7bd54314c34eb048c3308c5d2c0759e90d0a33400288e0b020f74d

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
64KB

MD5
03d5ee75ce51d5b5fed6ef84dbe9b772

SHA1
edeb9a668740c69d82333a35113cd5f5dcb81b32

SHA256
177c9766910fe7f1a2870271e6fe1e9be3ffc59eca3c8e01a18526e4b277bfab

SHA512
acfe766accebbd27094f44d855e84aa7f8a75c9b6d7112651a83a84cb28ab08a42bfb5aa7e1a84aa2c634aab0ba2e273447da460e67f9e2ee99ee4536f471574

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
64KB

MD5
55df2e7805dd643446e64081c8b3424b

SHA1
1f23bbbe380b921474f89140d193fae30569b443

SHA256
080d3b3ff97ba3b1dcfd57e5f1323e547e57ac0167f1bd5341e1f9105419d415

SHA512
4fe6856fb3a810ab96158d1bd3991b7196651c0c4867668a720db2b91cfe348100938600de39f68b56e52d86362ae2a2c4c1257a72c9bb34c8234a4c1e39842f

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
64KB

MD5
fc9546ad15690f1ab723a6397ad32c76

SHA1
ca8fcadb9b50ef6c77f0db6e4fb8247a98152c1c

SHA256
9ff7fc2772a12c833bebd7f012c352b023f4dbcc23aa5a22b00c55e121101707

SHA512
d9e27946a51101f7616cf3189084148cdfbb7da3f3d8ad0fb146c9d6b65ab01874965efc7f9864cb49a679a70154658e7e338e52676ebe86ca38bf69eacbd796

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
64KB

MD5
24d63fe2ff88c282e36a6c5b70f32c27

SHA1
d2c00a21ff77385f7fab75499b2b74822d592ab9

SHA256
0530319f43d9a2bcff087bc4de2f986bd6fe7f85bdeff51122a1fb8e4e2f487d

SHA512
722f2049ac22933930ba7a2c41b9ef7fa2c1e428418ee222eb1be790aecbf7f603f6d8cd6805eb19c5a294941cd534a9e9de884e62ef28f29fb57932bec77e87

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
64KB

MD5
b43eaf965952ad047fa46f7cd1a5e4ca

SHA1
e0bd0065b6f14862aeea74345af11cbae672ab40

SHA256
9523d74ad541feeded28eb35e8463f822e6d81db852267084dc20b450196fadc

SHA512
39e2673f28001c582a5d5686335ba710495bf13ef6b2adb077f8f7cedb6a85c86dc0da8b79fd2f6c1b7872556da8e138d1599264f42a773f778acec99c82427f

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
64KB

MD5
d72dc9e34f7a63fe9493130d49a2c600

SHA1
3ba34a068f240d34be3ff8824758b65ec1fba9af

SHA256
553d88813630d96f05412e2bbea96ebe4d829081b8329d4c71ecee16681d289b

SHA512
f93b0897734b4c3257a71943ef2de05038f164cefdd70d952cd6ae3cafa50366f9fb8211002c8b5ccb6f51d877534ac9e7d698611fb3e0c6c7bc57a7097925a4

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
64KB

MD5
4d4dc424e7ac5e9a7870a99fa840b080

SHA1
1c4feabfc7cc0a13dbcb2365912b3d9e896b7ffc

SHA256
bc36b435fb47db59e1ba743949b73eea0f4e344a5b7812accad07cff97dfafd7

SHA512
a858778682b491f7a99b44dea658ae07fa57a1a66352b5aa952a8a8dfda0c90b01ffcb7580724685060b31919385e120fea143d17c35ee460005c4e8f8ec405c

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
64KB

MD5
4cd0a8c7fe39df2f400811951a58f072

SHA1
95909e6e8bd1d6a5d0b4d9d7609eaa70007d2029

SHA256
41ef2ef69b2abef1311f2306634a10a769d9479fb669376c906755555b1758f7

SHA512
52203d0215f12b8f40b6188d2812b1037081c02a18b2c0966951151fe38a1b027ea422036316949bef910ff38540275260f290da8ced21a21d1c3602ac66c53b

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
64KB

MD5
afb54ab6c44897f24d3a7ce01c32146a

SHA1
58dd558307779f5eda4348b0bef66b71af74c1b4

SHA256
45efd6576acb9c1f39740d3fe6d8a09b35598c39dbdc19ae97a054076139f0e1

SHA512
7e9774a691c8b3d5ec9f3a73645ce12cbfea93c7f7993d2ce65fa168e4e3b5f4ee8ccaa27b6667e5edde83ea40695e7b7462b339ecbc422eefee9c4d68019194

Download Submit
memory/8-461-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/212-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/404-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/544-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/556-411-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/624-311-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/860-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/860-593-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/884-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/908-528-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1004-419-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1104-431-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1188-455-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1212-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1228-359-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1280-353-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1304-573-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-504-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1364-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1396-299-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1404-557-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-572-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1420-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1428-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1496-298-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1556-516-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-503-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1732-81-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1892-467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-447-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2092-425-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2428-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2428-586-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2532-579-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2532-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2576-522-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2588-369-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2640-287-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2688-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2688-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2688-555-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2800-329-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2840-193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2872-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2916-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2916-569-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2972-534-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2984-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3088-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3104-540-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3144-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3244-587-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3300-580-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3344-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3512-335-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3564-188-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3584-371-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3592-228-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3672-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3688-473-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3724-437-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3876-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3960-400-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3972-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4012-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4044-414-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4076-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4136-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4224-510-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4264-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4324-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4328-401-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4344-484-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4384-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4416-546-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4480-485-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4504-49-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4556-389-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4632-449-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4660-387-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4684-317-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4692-129-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4704-323-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4712-490-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4720-341-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4796-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4828-381-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4896-347-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4920-571-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5064-559-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5080-492-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5092-97-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5164-594-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads