c9b8827bbd4e8c2bb6f83a68564ef539cb93c01069c0eaf5848b80ae090544e5

Analysis

max time kernel
129s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ceecef0a7b2a7b986f7f10f620e7cf0_NEAS.exe
Size

208KB
MD5

2ceecef0a7b2a7b986f7f10f620e7cf0
SHA1

ba2334a4bf9645327411058ffdb58efb69d353f8
SHA256

c9b8827bbd4e8c2bb6f83a68564ef539cb93c01069c0eaf5848b80ae090544e5
SHA512

c112bf8a1852b822a87c3264c4ca0317e3cb11c111630a2f0be8c2e2f0510d8f8e942a2d353d6772f391f9695ea66c45ef0e912a167d1133ade7f7c67b87c55a
SSDEEP

3072:IpWW4DN1P1F8RynSYh6+oXO56hKpi9poF5aY6+oocpGHHQnNJuIb:094Z1P1FsySY0+Eu6QnFw5+0pU8b

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2ceecef0a7b2a7b986f7f10f620e7cf0_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe

Executes dropped EXE 64 IoCs

pid	Process
4836	Epopgbia.exe
4960	Eflhoigi.exe
532	Ehjdldfl.exe
1640	Ebbidj32.exe
1648	Ehlaaddj.exe
4624	Eofinnkf.exe
984	Ehonfc32.exe
408	Eqfeha32.exe
448	Fbgbpihg.exe
3232	Fmmfmbhn.exe
768	Fokbim32.exe
4244	Fcgoilpj.exe
720	Ficgacna.exe
3244	Fqkocpod.exe
1036	Fcikolnh.exe
4064	Fifdgblo.exe
968	Fckhdk32.exe
1168	Fihqmb32.exe
1456	Fqohnp32.exe
3512	Fjhmgeao.exe
956	Fodeolof.exe
4896	Gbcakg32.exe
2248	Gimjhafg.exe
3608	Gogbdl32.exe
2504	Gbenqg32.exe
3136	Gqfooodg.exe
928	Gcekkjcj.exe
4948	Gjclbc32.exe
4428	Gmaioo32.exe
2500	Gppekj32.exe
2144	Hfjmgdlf.exe
2584	Hihicplj.exe
2040	Hapaemll.exe
5040	Hcnnaikp.exe
4072	Hfljmdjc.exe
412	Hikfip32.exe
4952	Hpenfjad.exe
1544	Hbckbepg.exe
3448	Hfofbd32.exe
4440	Hmioonpn.exe
1780	Hccglh32.exe
2764	Hfachc32.exe
212	Hjmoibog.exe
4004	Hmklen32.exe
2860	Hpihai32.exe
1216	Hbhdmd32.exe
2756	Hfcpncdk.exe
3812	Hjolnb32.exe
3900	Haidklda.exe
1804	Icgqggce.exe
3840	Iffmccbi.exe
1452	Ijaida32.exe
2904	Impepm32.exe
1260	Ipnalhii.exe
3096	Ibmmhdhm.exe
2224	Ifhiib32.exe
2484	Iiffen32.exe
5112	Imbaemhc.exe
2492	Ipqnahgf.exe
5044	Icljbg32.exe
4052	Ijfboafl.exe
4132	Imdnklfp.exe
4020	Iapjlk32.exe
3172	Idofhfmm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Eofinnkf.exe	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Dofqcl32.dll	Fokbim32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Onkhkpho.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jcgaen32.dll	Ehonfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbpihg.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6380	6220	WerFault.exe	250

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2ceecef0a7b2a7b986f7f10f620e7cf0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 4836	4040	2ceecef0a7b2a7b986f7f10f620e7cf0_NEAS.exe	83
PID 4040 wrote to memory of 4836	4040	2ceecef0a7b2a7b986f7f10f620e7cf0_NEAS.exe	83
PID 4040 wrote to memory of 4836	4040	2ceecef0a7b2a7b986f7f10f620e7cf0_NEAS.exe	83
PID 4836 wrote to memory of 4960	4836	Epopgbia.exe	84
PID 4836 wrote to memory of 4960	4836	Epopgbia.exe	84
PID 4836 wrote to memory of 4960	4836	Epopgbia.exe	84
PID 4960 wrote to memory of 532	4960	Eflhoigi.exe	85
PID 4960 wrote to memory of 532	4960	Eflhoigi.exe	85
PID 4960 wrote to memory of 532	4960	Eflhoigi.exe	85
PID 532 wrote to memory of 1640	532	Ehjdldfl.exe	86
PID 532 wrote to memory of 1640	532	Ehjdldfl.exe	86
PID 532 wrote to memory of 1640	532	Ehjdldfl.exe	86
PID 1640 wrote to memory of 1648	1640	Ebbidj32.exe	87
PID 1640 wrote to memory of 1648	1640	Ebbidj32.exe	87
PID 1640 wrote to memory of 1648	1640	Ebbidj32.exe	87
PID 1648 wrote to memory of 4624	1648	Ehlaaddj.exe	88
PID 1648 wrote to memory of 4624	1648	Ehlaaddj.exe	88
PID 1648 wrote to memory of 4624	1648	Ehlaaddj.exe	88
PID 4624 wrote to memory of 984	4624	Eofinnkf.exe	89
PID 4624 wrote to memory of 984	4624	Eofinnkf.exe	89
PID 4624 wrote to memory of 984	4624	Eofinnkf.exe	89
PID 984 wrote to memory of 408	984	Ehonfc32.exe	90
PID 984 wrote to memory of 408	984	Ehonfc32.exe	90
PID 984 wrote to memory of 408	984	Ehonfc32.exe	90
PID 408 wrote to memory of 448	408	Eqfeha32.exe	91
PID 408 wrote to memory of 448	408	Eqfeha32.exe	91
PID 408 wrote to memory of 448	408	Eqfeha32.exe	91
PID 448 wrote to memory of 3232	448	Fbgbpihg.exe	92
PID 448 wrote to memory of 3232	448	Fbgbpihg.exe	92
PID 448 wrote to memory of 3232	448	Fbgbpihg.exe	92
PID 3232 wrote to memory of 768	3232	Fmmfmbhn.exe	93
PID 3232 wrote to memory of 768	3232	Fmmfmbhn.exe	93
PID 3232 wrote to memory of 768	3232	Fmmfmbhn.exe	93
PID 768 wrote to memory of 4244	768	Fokbim32.exe	94
PID 768 wrote to memory of 4244	768	Fokbim32.exe	94
PID 768 wrote to memory of 4244	768	Fokbim32.exe	94
PID 4244 wrote to memory of 720	4244	Fcgoilpj.exe	95
PID 4244 wrote to memory of 720	4244	Fcgoilpj.exe	95
PID 4244 wrote to memory of 720	4244	Fcgoilpj.exe	95
PID 720 wrote to memory of 3244	720	Ficgacna.exe	96
PID 720 wrote to memory of 3244	720	Ficgacna.exe	96
PID 720 wrote to memory of 3244	720	Ficgacna.exe	96
PID 3244 wrote to memory of 1036	3244	Fqkocpod.exe	97
PID 3244 wrote to memory of 1036	3244	Fqkocpod.exe	97
PID 3244 wrote to memory of 1036	3244	Fqkocpod.exe	97
PID 1036 wrote to memory of 4064	1036	Fcikolnh.exe	99
PID 1036 wrote to memory of 4064	1036	Fcikolnh.exe	99
PID 1036 wrote to memory of 4064	1036	Fcikolnh.exe	99
PID 4064 wrote to memory of 968	4064	Fifdgblo.exe	100
PID 4064 wrote to memory of 968	4064	Fifdgblo.exe	100
PID 4064 wrote to memory of 968	4064	Fifdgblo.exe	100
PID 968 wrote to memory of 1168	968	Fckhdk32.exe	101
PID 968 wrote to memory of 1168	968	Fckhdk32.exe	101
PID 968 wrote to memory of 1168	968	Fckhdk32.exe	101
PID 1168 wrote to memory of 1456	1168	Fihqmb32.exe	103
PID 1168 wrote to memory of 1456	1168	Fihqmb32.exe	103
PID 1168 wrote to memory of 1456	1168	Fihqmb32.exe	103
PID 1456 wrote to memory of 3512	1456	Fqohnp32.exe	104
PID 1456 wrote to memory of 3512	1456	Fqohnp32.exe	104
PID 1456 wrote to memory of 3512	1456	Fqohnp32.exe	104
PID 3512 wrote to memory of 956	3512	Fjhmgeao.exe	105
PID 3512 wrote to memory of 956	3512	Fjhmgeao.exe	105
PID 3512 wrote to memory of 956	3512	Fjhmgeao.exe	105
PID 956 wrote to memory of 4896	956	Fodeolof.exe	106

C:\Users\Admin\AppData\Local\Temp\2ceecef0a7b2a7b986f7f10f620e7cf0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\2ceecef0a7b2a7b986f7f10f620e7cf0_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\SysWOW64\Epopgbia.exe
  C:\Windows\system32\Epopgbia.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\Eflhoigi.exe
    C:\Windows\system32\Eflhoigi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\Ehjdldfl.exe
      C:\Windows\system32\Ehjdldfl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        25⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        28⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        37⤵
        Executes dropped EXE
        
        PID:412
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        42⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        44⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        46⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        47⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        52⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        56⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        60⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        65⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        66⤵
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        68⤵
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2980
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        72⤵
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        74⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        75⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        76⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        78⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        79⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        80⤵
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        82⤵
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        83⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        86⤵
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        87⤵
        
        PID:324
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        92⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        93⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        94⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        96⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        98⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        102⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        103⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        104⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        106⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        108⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        110⤵
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        111⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        113⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        116⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        119⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        120⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        125⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5724
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        129⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        130⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        132⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        133⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        134⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        135⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        136⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        137⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        138⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        139⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        142⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        143⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        146⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        147⤵
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        148⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        153⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        154⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        155⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        156⤵
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        160⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 232
        161⤵
        Program crash
        
        PID:6380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6220 -ip 6220
1⤵
PID:6332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
208KB

MD5
e5a46340b6b30ed0ebf8ff0e105b2206

SHA1
9236c930a76b6725cc6a72e05214a8e488acdb3f

SHA256
14169375c096d0ff4f156bd1f89c7fd0ce0127489dd4c2c2df7cc9f96d144b4f

SHA512
7f69e3f77fb2078eb75d1e726c32fb55601be046c76e604451a7ac39b1ebb8d6944b36042af9305f4df23cc1cf12bf99cc1cf8aa9a5365484b25429da2e9a1fd

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
208KB

MD5
edec360b9c99a2597b1249019f0844b1

SHA1
c71c1c86525b35071809ba8fc54bf0e93fff252d

SHA256
88507bf89a8efc8ba13f0deb56bf2b92bb6dc47bcba0b4988a1bbf035b45604f

SHA512
8b61e2ddbc5a50eef44ca45935f844c53ab1437ad3dece4356991ba5d64467eba05f2b33d40f03944a6ef93a0b72cf1c39789c412ab88724b66b9f7e6a4a9c73

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
208KB

MD5
f2d5f51ee0062e29ab5850aee6bc21ad

SHA1
01698a6ce2d584468dfdb03a4a656f037e4237ec

SHA256
d5a041008289368fe82c0d67da2a4daa86c4f1446b717dfc00dfa4ba85312b54

SHA512
bba2cfbd805134712ab04df1f7ee76683808d6f89dad4263ca0cc460d3b6703cd5cd23360ef71e5993da1176e6414329d0dfc4da0ba2a31a8aeda4538357be1b

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
208KB

MD5
a142afbda7a6208b603d436ecaa1af0b

SHA1
ae4b0fd3e0763ffc912b886f2bea24bdb13a7342

SHA256
e4c8bb260ddf20b952d830a0404315c8b741341d802b358e54e6f02e3e9218ef

SHA512
f047c7dd362dd8343c703e468fbc32e33c2b77f306f0699bc963763164faa92530331b97b2369c00e18bd99a885a7209e884ccdaf839b181ab56da388b505837

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
208KB

MD5
2cd17265b8c644b752e15e3b3df4f7d4

SHA1
7a3247bdc0dab645523649d46aeeebc026dc2e29

SHA256
a7e0d9344eb6d1cd17410c514a0a5ca1c34ff8727b42e816fd0e9886dab48e10

SHA512
52e98ee07a916ea077cac9725f141f95c29c5fdbb419173058bf74d3a0848d047d8474ad2dedc36fbaadb97740e81889e93454aae8b98865ab1a2d866f24ef22

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
208KB

MD5
5cd162a22efae8a297c0fcb56063446c

SHA1
c691b24c7f33e11d56fe72302b4f08e3af7e8b13

SHA256
9589dfdb402a2551749dd50340a8d5be27f6b9c4ef7032c71fc1075ff8a76433

SHA512
331c8325262264eff943c57c6c1a73a36b5b1f3dac5a354f547bbd28eaf395b829d34826848bf357e407156e9c679df86c7cd8a62f17f86164b15792a41c9900

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
208KB

MD5
889cf34240fd0461e4af8b8b28a4494b

SHA1
2f03c82da66b0d7cc0d5412906cf9002b9a0d1a8

SHA256
ff413672fdd8501f8fc092eb77bf41dfbb88ad9e934ca0f90f23feb62f75eaa4

SHA512
5e6e4ca673a48df02f4cdd490bcec5ecee11f68c89bc22e7c6efa2dd76b34d76233e12829ec9344b6a2bdd4df178becec5a0555668904435d9ad1ffe26e331f3

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
208KB

MD5
29d987043364ad416f0149bed87ec6c5

SHA1
52a31591485ea43db2bbe89b9d2bed04a748775c

SHA256
38c1f03304e4e5662104ec70bd1e43ce28814638c997ee13789bcbcca5bf7e33

SHA512
43395fa20d5539b249cd3a7ed8be966568098dd72007674b8171d40c88be9f335cbebcf50dc4a452f0750202013906bb2e36d31be9e926c17edd1fbd0451f196

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
208KB

MD5
3d7a9b82e3ac1a897389bc9bd46cfc5b

SHA1
f0056013dde7d9fe210a4c8995daa9871f735405

SHA256
6384d6e01aef509abcfb19be239ccd8b25dc88d86618083286718f5e732e75e6

SHA512
bbf90832b092eb38beacd67d689b0342e10c68b0f3f344b8540a18814609f1427f325a1e2e9b888f000edfa6d8e9749ba909ebe2599343c2e272e4c476d33277

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
208KB

MD5
6747d61b15be862346dd7af6be5f1103

SHA1
2ed2c85f8b6431447a8b71dc910e22705da467f0

SHA256
b038c1f87c52049a490be02bf8ef28b1a6f541ffd2d01956b86b9273b1578efe

SHA512
de412eb1678dfcc436fe9da55c1c35741c32dcb1a4408c717941a88de61c9ab2e34cbbab7cdd523facf57a6e111d3782faca8f652fee3c94a0f1be67cd27ab3b

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
208KB

MD5
ed85a94c438a93deb7a22c94d22d94f6

SHA1
65d37e10970167b06ec67f40b83390b5c987e46b

SHA256
fb4b7a4a2710b9413c3851add3fc14ecefc51d8ede6d93fd8b52f915c4ad6c90

SHA512
774caaf319be957e51827c8f27cd4cf6afa91c3d1cc2187021658c45f683800594ec7e8def4fbc42a3deffaaf777e5a04804f0b043712b048df74aeead6861d6

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
208KB

MD5
3aca090b4333f334ca7373303cbe0a2d

SHA1
f399f8070801d083363568e86d83c6ee9de25380

SHA256
672d46a8aba4681812551d10bbe9d6d094453c2c4d444489113a823e761bd530

SHA512
2a8164d2c96f37ea117f6b4c300103ddb6049839b592b4b3cfd8ce946c06ad1977d95b523d71e9e0aace21e96082c8596cc4c8d11557e26fdb022241a75d7f1c

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
208KB

MD5
6383266f965329196e4e8e9e5cbdc9d3

SHA1
a68d54e3a382df93716dff3dcb65443d49bca5d6

SHA256
2a49aaf7d9fed94e2f94d56e199c40eebfb9735cd4ea9dcceac9706edd93dbe7

SHA512
1ad0efd4eb36709a7f8bcd571b509f5cadf0660c336747638779733d6b1dcd652d4cd54babf784a6754c0faa36797d1926a53c070e05abd7d80b96f5b7434f65

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
208KB

MD5
1fc09167eaf8e86899e466eac46f3005

SHA1
d25b809e27c92982fddd561af5658dedbaa009b1

SHA256
f1141437a1f0ab1da06351e3976fd28b528d3e82f2b7a05f45c47982f40e238b

SHA512
1d3015d6c6586c1fe9ada816f92e665c664515e055c4e97aaa106f524e107778f0b167904b3d8af499272de1c1f075fe1b46a1deeca69e4f55d3731de63fe1b5

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
208KB

MD5
094bdbd87c8e7f78130ea0b156627323

SHA1
b529807d6bf1b1fc4fee75a9f333891b55919e45

SHA256
b9bf26712b22be415ddef5f2057f27655ae23c0f196cea82fc8105e973a46483

SHA512
4a04d8ec9ef587653653d9786b60011a688113cfa9ae76279cd9551bf9c66178cb3d208e87c3a6b4dfdfb8556523d2da33ae9318900d662713c1f38e8a77d04b

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
208KB

MD5
a8b458c63220e0b43a6c2f6660ca1e6d

SHA1
8573fbc2c486968aaa16b20c7814dcc1ff6deddd

SHA256
921b0f4c7ad08b40ea009abdf16d8d9dc5eb1bb10fc67e7b6e1e9e91fffc71a6

SHA512
b07d8f1cbc3281853da598d121a4069289507e096644dbb649c9b79f26ed16fc5d7b47cef3a70f7d430861671828767e2dbd312f3ab934701a8f491979e4146b

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
208KB

MD5
31f5cbb3ef2025df862c4e69d481aa68

SHA1
3141c5a0e757231b41894549c85172e109e3893e

SHA256
6c0c82cf8440b6a12048c882f0948add241881efa08362615e090f987895a036

SHA512
53028597bd285413eae960ca04f5ba8e51d5e4efea35fbba34804a8fe8cc174647bc4a98147614890252d149ae3b9e166beb4cd058bcf5354aab74f6cce33252

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
208KB

MD5
df8355baf936fde06403d1b95e62026a

SHA1
0d25290171e67a6df794bf53afae9fd3fcb5416a

SHA256
09b2b7b41c07662bb0a9abb6a3c9dae5080629e6a16b57e14b80f39385141ea4

SHA512
21651f9b3176fa2dfaf37de285a7b4fa6dd7ad6c8632bf28fecdbabf64891e6dce76421137e2b9e4cdf6f80540fc39158ef3385f7ee7681ba47a393a81ff5022

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
208KB

MD5
a89fa8bd0e75e4d555d80460b7a55880

SHA1
8b810a9565cadb9c8fda4712ff3bbae8a2dfe990

SHA256
a2ef71e29589d1957df34940e0cfab9012a0656c348c10a1cf7179be36a63a76

SHA512
f8144063709efc5c4cbc04fb701ef1960c94f0faf990f1ca4f531c82b6bce10ebb5c646c0b93a98a3f0d4f3a5b0f33c3306c7913adea662a4e8f351321b8dbcf

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
208KB

MD5
4ae4fceeacecb3f552d923ec268b404d

SHA1
5b92ae16b54398bc9d4833d424c13ed680d32511

SHA256
2c2f8f46debc9c53a847d14d5fef5c4b73f706da3a01090102800e19c48da734

SHA512
8a8f097d7fac20908d91d2bab43bb2f244c75d3584b7e82c60e64cdc50d4f6a3e61bbe59d543343b3c6023e910b9b1ef8170957c3c3add934b1f6fa3197cac58

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
208KB

MD5
86731350d0b99c591b5d905c35c477ad

SHA1
4347d032976b10df7dc575865ca3bc62c6307bfb

SHA256
27d821c1ef2c42c711280d91db266a030bf1aea44e269a84442a6b553b41f5fa

SHA512
9fcd873fb6e2b74f1787bb300068b2b9f6ce580b152b030f3ad9847bf094eef331c798b996794b456f2c7cb5a343aaab7f9450837d0463892e9d796fc4413957

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
208KB

MD5
a46c47605ed73e4ea413a21cebd73bbc

SHA1
5ab0390ff85f5a1213b4032f0fc85786fec2421d

SHA256
129599ed22cab3769bf4df99d1f3e414c21d5ab4397213a6519a0a984e90fde8

SHA512
bdf4d904fc165e49a51482d1803ab10d8de4035c5ed0dfbf59fbdf73dc2fac3bd76409ba5cefbda1de933c696d7c267577b1693dcca4f683c3d308d86f4eef40

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
208KB

MD5
0c9da953469aa5a4dffafa7d0dc7e950

SHA1
c08a0afba0451f0a5168af29c73d87b0e4f2b463

SHA256
6e91d5a23f106d8581e03dbdfd396edf8f28d141e451c3d2adb390ec00c1b390

SHA512
8d2d6a48cfd287c8c9e0e132342d1d7f04b2c80440ff9d4b031f3a32e43a602193d9069ec8d51d90f71b367698b8a49bbb9d0f43260b4513129b154a77a8d83c

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
208KB

MD5
54047b1a225affe48ff263d92f667de4

SHA1
957bd945dca3a89cd7a567b6ab851f763210c038

SHA256
4a94837c34ebfde27518ff086e82e8453645a058f2cff76b7bc4666711c8f33f

SHA512
0f9f3127deecdaa19f97fc236d9fabfcdfa0494b4f2ba75fe72dfce001fae9e91f2f839d85c9052f9beca730d3ace468f9dcada9ca5f8b8211a9c69394a71bbc

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
208KB

MD5
08490cd79f6928462a4e5edd44b56473

SHA1
4bdb0172727688503ad0852ba2ec633f6eb21a0e

SHA256
fec7622872f6664bbdfdb189a112b283adf8905dba0886e1a671360e568de4b8

SHA512
081dd34074b09bdc502f8f10f605aae0a80f7e43c1dec6fe4c9c5066fec838a4810fa94241d5f183671e73c516c7d91e582bf30dfde6f250b292a8de9770c524

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
208KB

MD5
8a85d565a0faf9e2b5aaf07086dbb4ae

SHA1
ba22505d9b0cb557f4b65bbfb889b68fad880df0

SHA256
6d3da50a85531d5f8395f4508c3d389ca8076a4bbcb52ae5faf60fbca77d1734

SHA512
346c780c168eb101f7727ecba918b05b9c235022c0ccb5ead0a57464bd51cff433061b46e1488fc5681a88454c58966e1fd4bf06cc77020e9296932409458779

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
208KB

MD5
5b159ccc4b58ea0bfc542c7598467d24

SHA1
ba747742238f7b5acef29b169e19c9a6912ee0a7

SHA256
3428f37860448dcdd3bce579f84d2706a860174abc54f40e4f87b64c68dbcfaa

SHA512
1ac963867b66c764af0eaf25ea8b246bc37a8c3fc32a99a6ef7182a399983c5768bf0e66aea2549d56ba1c9678b2372771daa0bcfc66ec4fb4148da01799ac48

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
208KB

MD5
bf7b63475e3f1cfd479ec8f01b4f7daf

SHA1
f4b03b176fe0820841408910ec3cdd0f58802996

SHA256
19e995d464255d3d5a1f6c9932edad9ef204b5c68b7e81c405393c9b720ac32a

SHA512
b92f8eb07576e9cac402e6c604acd3cae2b5b800cac6a92d25793f4b1bbf3c34916c0b9869538096027e0e6d9423e96901dd2e51fcb69482679e64104cd9f947

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
208KB

MD5
81b234ec4d5e2d4b656755c22783ae72

SHA1
bff2cdc98959f26df6c27bfb318b5808a0577d32

SHA256
6ddc2ca1ab2eb9ac0bd7da23ca03938008942faf0cdfa7307988e849d88da505

SHA512
873a7476002fb263ed3e2eb404898023525221fe3cc3e0ee890a631c1c47b2ab14faf0793e6977d8834a91dfcedd5e267eb1c4d05705856baa98d7d9b2de1741

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
208KB

MD5
267e541e7b4eb3d795fad4a471d19f39

SHA1
79aeefec7927b6366a162e474288aaeb7503ca79

SHA256
e5fc46173fc6dd123b5330820e9286073530d1b848c8559e169b8ed9ad05d430

SHA512
757cac66e3d691ba7949082bf22dcc51af13019aa3c7d222337149e83d57788aa9c5e38f90b95ddad6b2a1a6c210e1a81f949ead9b264cca2862963d12ec1e0f

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
208KB

MD5
10b0089437b96080b903620d81d7ee8b

SHA1
504e9e6343d00cf794c94bc983103d226861839e

SHA256
2f26406db701f8253851f675a67d0313ac49388a3b06d1baeedff5be56a94394

SHA512
2f5f12c218865b00ea8f778cf292d1e82c918e3e209fae4e0a36da1e83851c805016b8e1f91b559b4a2bbd0074bdb17edfd2e47e8eaf662ebf4954e106fa89c4

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
208KB

MD5
8fee06c5ca71b1f7bd8bfa875a8fd3dd

SHA1
86468ffd0ca3b16bc4b28a192c9f17393dd00f31

SHA256
9b103a26aa59918a262cca972192b11b561fb392afce22461a556dcc34dbe3b5

SHA512
75f794bf80214ad76bfba28f0f2535a1b8b983d417c55b8277d4bb7ea3f8915a89a41438086b4ce6a5882b24dfc3b5cab1909bc00322419ddb5054a4079b1dd5

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
208KB

MD5
4efd6c200ebc28c458d291cd054eb76b

SHA1
0b3629d766d2198821bd2162f14bd3ecef38aea9

SHA256
cb12b560093918d7b6566280dc66501eb8c385ee7230a4c4541f2cd87f52ea84

SHA512
a37988dd74e2f6a25c78f80ee149f7a59601fd2f21e0febc9ddd56f5fb2ebb7d2ea3abe0426c3423a3c6f1f0a2ff061b7cdd9514afac29c549f567fc48d3de07

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
208KB

MD5
bc5cca24af7acf743b1cb6d721577119

SHA1
dc400be7eeb6c41589b095ab7e17a2e1444c31c2

SHA256
94e453fe38bcd5988e5cb680911210b375729d9c637e596c38d13e286a923123

SHA512
741fb6b98949efbace9f6d561f9c489ca53e58f6aa582ade784a4f5d66c5dc6d0c1597c9ef833b751d0074da9f18a28ae7410c15409fce447f484ff5ea500b27

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
208KB

MD5
36730d3d0c6efa9970c1588cfb7c3d11

SHA1
309f40e4fe94a9cf0ca13dae290c01d78ad6db71

SHA256
a276c474b0e9668e472d08653551ade1d19f02e7e7fe9972a7fb43b6e0e3b608

SHA512
03ba709ec1a1d014b1604d216b9013e9a6fb722a0781d5aba8b8efd7623feed3d96a6ec3104b3404e1b727d57247deb8a56265643b1a22c2be00416fab1ded7a

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
208KB

MD5
2c8477f6f802d616b7b1df1032909742

SHA1
3b85fc120fc2369ea6069c5c92ea1b82f2af7439

SHA256
196455016c9c2f2447d1cc126b64a12b7aa284b1bbf97f14b0562716443d4f92

SHA512
6ffa98a61e6c70f6d2ea0588830eaaf630e1895a65248baef840c80b88d1b552c04deda3977e6f4aeb5e3b42cc96b2b57b831ebba0b25ec100ce3d6a85adf432

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
208KB

MD5
94e814f75624796ac5a50a19d940762c

SHA1
678993d353532b26c014cdb78b9b4d2a0ae4d4cf

SHA256
0c6bf7c7603d17d0198cebceae4ea3740331f7067ab7af7d271c1b9c79aaeb3d

SHA512
c3cd8b0eee9cc6bc42105843dc0b08f7990fea6449eb0ad298db093c88f49e9a9e9cc1453ce8922d6fd928dc8f2d1a6698d897cb8f2a0eb8f1796f1c87f3058f

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
208KB

MD5
aad3f0b80c5fe8b8bdaf28387f3deaec

SHA1
4c19c830072500043d1169795360858c8335f9ba

SHA256
706d1551930cf6479625e51949cbe4bb9f1874558ffdc871588e6cd2ccd63b48

SHA512
06db9afdee467bb9e7b3857a7eb241aacb40d40f9fe8ae4aa7fd59480459483501d90457b379979d76457243b029794692e4ae2393b05e7aa64d9ff80d61ba8f

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
208KB

MD5
2f292469b3903fcecb5c4354cd468ebf

SHA1
d8157cea5677487e96a446f11abd97ad455760e5

SHA256
fbc962e46221024d649c0994d1e6dbc54a044120f5b86014f0f5a78adb8364c0

SHA512
6adf36f94b890bfc26f1244750997b8d2209db3b9b1027539ffc2780c769c6e4f8f16c819fe534e44c1399128c6addb4fe93fc66f528904e886deac02a952e8a

Download Submit
C:\Windows\SysWOW64\Nkbkiioa.dll

Filesize
7KB

MD5
a6e515632681b8baef87a819b3706a52

SHA1
13bd943de9b0b1b7b14890934b93cdba9cfbd9dc

SHA256
8d82f5010aa54e5d72c5a8050c8bd9ec3af699fb83a56de2f64128bc52187ce5

SHA512
468396dbcf53cd3bef35d748c28e12d34e3c3d1071a5019f78e8e4f26db64057e49bed175279a3529f0790d132d1c2728c313d43a098eb897e7ee4dd6e76f3ec

Download Submit
memory/60-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/212-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/324-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-598-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/412-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/532-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/532-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/696-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/720-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/768-93-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/928-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/956-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/968-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/984-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/984-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1012-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1168-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1260-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1456-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2040-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2076-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2224-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2504-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-522-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2864-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3136-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3232-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3244-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3284-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3448-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3512-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3784-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3812-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3900-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3928-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4004-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4020-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4052-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4132-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4216-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4440-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4624-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4948-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4960-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-557-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5044-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5172-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads