8e440951ef7155caa97f2b91a3507f889c87960610babd40c09dd5297284ed04

Analysis

max time kernel
131s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db9d52ae9902264da15e6f3506c733e0_NEAS.exe
Size

397KB
MD5

db9d52ae9902264da15e6f3506c733e0
SHA1

b56cd6a9744be5b33641d418782dc4d62c47bb5c
SHA256

8e440951ef7155caa97f2b91a3507f889c87960610babd40c09dd5297284ed04
SHA512

bc330c1bc24147c6c3391898ab352f6f68c0ec6c75d9a73fb793a795a312e71ba9dfef2b863b5279eaa1df29b36eff9bf5db2d3d31111b089df9dbd66224149d
SSDEEP

6144:TjGrIWv9UhPfaPFM6234lKm3mo8Yvi4KsLTFM6234lKm3pT11Tgkz1581hW:7W1UhPfQFB24lwR45FB24lzx1skz15L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbofkbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpedjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojqkbdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbofkbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cakjmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbioei32.exe

Executes dropped EXE 64 IoCs

pid	Process
4132	Bhibni32.exe
2504	Bbofkbbh.exe
4828	Blgkdg32.exe
4240	Boegpc32.exe
1188	Chnlihnl.exe
4620	Cpedjf32.exe
4344	Cojqkbdf.exe
2916	Caimgncj.exe
1596	Cakjmm32.exe
2896	Cibank32.exe
3488	Cidncj32.exe
4020	Coagla32.exe
3596	Capchmmb.exe
4356	Dcopbp32.exe
2376	Dlgdkeje.exe
2440	Djlddi32.exe
1672	Dljqpd32.exe
2936	Dphifcoi.exe
1688	Djpnohej.exe
4688	Domfgpca.exe
3768	Ejbkehcg.exe
784	Eoocmoao.exe
3324	Ejegjh32.exe
4596	Eoapbo32.exe
3136	Ehjdldfl.exe
4872	Eodlho32.exe
220	Efneehef.exe
3040	Eqciba32.exe
4996	Efpajh32.exe
3912	Eqfeha32.exe
3520	Eoifcnid.exe
4232	Fqhbmqqg.exe
2496	Fbioei32.exe
3704	Ficgacna.exe
1416	Fomonm32.exe
3412	Fcikolnh.exe
1480	Fbllkh32.exe
4208	Fjcclf32.exe
1680	Fmapha32.exe
2436	Fqmlhpla.exe
876	Fopldmcl.exe
3464	Fbnhphbp.exe
3728	Fjepaecb.exe
2100	Fqohnp32.exe
1896	Fcnejk32.exe
3936	Fjhmgeao.exe
3612	Fijmbb32.exe
4468	Gcpapkgp.exe
1696	Gimjhafg.exe
536	Gogbdl32.exe
2632	Gbenqg32.exe
1052	Giofnacd.exe
2336	Goiojk32.exe
4732	Gfcgge32.exe
5024	Gjocgdkg.exe
1464	Gpklpkio.exe
4800	Gfedle32.exe
1776	Gidphq32.exe
4904	Gqkhjn32.exe
4444	Gbldaffp.exe
5060	Gfhqbe32.exe
3972	Gifmnpnl.exe
5020	Gppekj32.exe
2020	Hboagf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Fqhbmqqg.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Inolmdgj.dll	Cakjmm32.exe
File created	C:\Windows\SysWOW64\Efpajh32.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Djpnohej.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Aamgnn32.dll	Chnlihnl.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Caimgncj.exe	Cojqkbdf.exe
File opened for modification	C:\Windows\SysWOW64\Fcikolnh.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Dbppbgjd.dll	Djpnohej.exe
File opened for modification	C:\Windows\SysWOW64\Eoapbo32.exe	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Jqqjmnii.dll	Eoapbo32.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mgidml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6928	6548	WerFault.exe	276

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljmpfbln.dll"	Cpedjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iindogea.dll"	Cidncj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Domfgpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamgnn32.dll"	Chnlihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cakjmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	db9d52ae9902264da15e6f3506c733e0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbofkbbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	db9d52ae9902264da15e6f3506c733e0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmlnbi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4132	3140	db9d52ae9902264da15e6f3506c733e0_NEAS.exe	84
PID 3140 wrote to memory of 4132	3140	db9d52ae9902264da15e6f3506c733e0_NEAS.exe	84
PID 3140 wrote to memory of 4132	3140	db9d52ae9902264da15e6f3506c733e0_NEAS.exe	84
PID 4132 wrote to memory of 2504	4132	Bhibni32.exe	85
PID 4132 wrote to memory of 2504	4132	Bhibni32.exe	85
PID 4132 wrote to memory of 2504	4132	Bhibni32.exe	85
PID 2504 wrote to memory of 4828	2504	Bbofkbbh.exe	86
PID 2504 wrote to memory of 4828	2504	Bbofkbbh.exe	86
PID 2504 wrote to memory of 4828	2504	Bbofkbbh.exe	86
PID 4828 wrote to memory of 4240	4828	Blgkdg32.exe	87
PID 4828 wrote to memory of 4240	4828	Blgkdg32.exe	87
PID 4828 wrote to memory of 4240	4828	Blgkdg32.exe	87
PID 4240 wrote to memory of 1188	4240	Boegpc32.exe	88
PID 4240 wrote to memory of 1188	4240	Boegpc32.exe	88
PID 4240 wrote to memory of 1188	4240	Boegpc32.exe	88
PID 1188 wrote to memory of 4620	1188	Chnlihnl.exe	89
PID 1188 wrote to memory of 4620	1188	Chnlihnl.exe	89
PID 1188 wrote to memory of 4620	1188	Chnlihnl.exe	89
PID 4620 wrote to memory of 4344	4620	Cpedjf32.exe	90
PID 4620 wrote to memory of 4344	4620	Cpedjf32.exe	90
PID 4620 wrote to memory of 4344	4620	Cpedjf32.exe	90
PID 4344 wrote to memory of 2916	4344	Cojqkbdf.exe	91
PID 4344 wrote to memory of 2916	4344	Cojqkbdf.exe	91
PID 4344 wrote to memory of 2916	4344	Cojqkbdf.exe	91
PID 2916 wrote to memory of 1596	2916	Caimgncj.exe	92
PID 2916 wrote to memory of 1596	2916	Caimgncj.exe	92
PID 2916 wrote to memory of 1596	2916	Caimgncj.exe	92
PID 1596 wrote to memory of 2896	1596	Cakjmm32.exe	93
PID 1596 wrote to memory of 2896	1596	Cakjmm32.exe	93
PID 1596 wrote to memory of 2896	1596	Cakjmm32.exe	93
PID 2896 wrote to memory of 3488	2896	Cibank32.exe	95
PID 2896 wrote to memory of 3488	2896	Cibank32.exe	95
PID 2896 wrote to memory of 3488	2896	Cibank32.exe	95
PID 3488 wrote to memory of 4020	3488	Cidncj32.exe	96
PID 3488 wrote to memory of 4020	3488	Cidncj32.exe	96
PID 3488 wrote to memory of 4020	3488	Cidncj32.exe	96
PID 4020 wrote to memory of 3596	4020	Coagla32.exe	97
PID 4020 wrote to memory of 3596	4020	Coagla32.exe	97
PID 4020 wrote to memory of 3596	4020	Coagla32.exe	97
PID 3596 wrote to memory of 4356	3596	Capchmmb.exe	98
PID 3596 wrote to memory of 4356	3596	Capchmmb.exe	98
PID 3596 wrote to memory of 4356	3596	Capchmmb.exe	98
PID 4356 wrote to memory of 2376	4356	Dcopbp32.exe	99
PID 4356 wrote to memory of 2376	4356	Dcopbp32.exe	99
PID 4356 wrote to memory of 2376	4356	Dcopbp32.exe	99
PID 2376 wrote to memory of 2440	2376	Dlgdkeje.exe	100
PID 2376 wrote to memory of 2440	2376	Dlgdkeje.exe	100
PID 2376 wrote to memory of 2440	2376	Dlgdkeje.exe	100
PID 2440 wrote to memory of 1672	2440	Djlddi32.exe	102
PID 2440 wrote to memory of 1672	2440	Djlddi32.exe	102
PID 2440 wrote to memory of 1672	2440	Djlddi32.exe	102
PID 1672 wrote to memory of 2936	1672	Dljqpd32.exe	103
PID 1672 wrote to memory of 2936	1672	Dljqpd32.exe	103
PID 1672 wrote to memory of 2936	1672	Dljqpd32.exe	103
PID 2936 wrote to memory of 1688	2936	Dphifcoi.exe	104
PID 2936 wrote to memory of 1688	2936	Dphifcoi.exe	104
PID 2936 wrote to memory of 1688	2936	Dphifcoi.exe	104
PID 1688 wrote to memory of 4688	1688	Djpnohej.exe	105
PID 1688 wrote to memory of 4688	1688	Djpnohej.exe	105
PID 1688 wrote to memory of 4688	1688	Djpnohej.exe	105
PID 4688 wrote to memory of 3768	4688	Domfgpca.exe	107
PID 4688 wrote to memory of 3768	4688	Domfgpca.exe	107
PID 4688 wrote to memory of 3768	4688	Domfgpca.exe	107
PID 3768 wrote to memory of 784	3768	Ejbkehcg.exe	108

C:\Users\Admin\AppData\Local\Temp\db9d52ae9902264da15e6f3506c733e0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\db9d52ae9902264da15e6f3506c733e0_NEAS.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\Bhibni32.exe
  C:\Windows\system32\Bhibni32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\Bbofkbbh.exe
    C:\Windows\system32\Bbofkbbh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\Blgkdg32.exe
      C:\Windows\system32\Blgkdg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\Boegpc32.exe
        
        C:\Windows\system32\Boegpc32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Windows\SysWOW64\Chnlihnl.exe
        
        C:\Windows\system32\Chnlihnl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        26⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        30⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        33⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        38⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        40⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        43⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        55⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        57⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        58⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        60⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        62⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        63⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        64⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        66⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        67⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        68⤵
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        69⤵
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        70⤵
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1020
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        72⤵
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1488
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        75⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        76⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        77⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        78⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        79⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        80⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3452
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5188
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        85⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        88⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        89⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        91⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        95⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        96⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        98⤵
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6052
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        100⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        102⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        104⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        105⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        106⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        109⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        110⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        111⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        112⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        113⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        115⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        116⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        117⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        118⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        119⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        120⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        123⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        126⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        128⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        129⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        130⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        131⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        133⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        134⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        137⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        138⤵
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6408
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        141⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        142⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        143⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        144⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6672
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        151⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7056
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        155⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        158⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        161⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6568
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        165⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6944
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        169⤵
        Drops file in System32 directory
        
        PID:7036
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        170⤵
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        172⤵
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        174⤵
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        176⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        177⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6860
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        179⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        181⤵
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        182⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        183⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6548 -s 404
        184⤵
        Program crash
        
        PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6548 -ip 6548
1⤵
PID:6812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbofkbbh.exe

Filesize
397KB

MD5
2c1ba2608d357676b664f3685c217262

SHA1
c752ce12854203813755b089395244d293c1e316

SHA256
8bfae1f15b010e5f3185c4c3c2ef0229ab5fbafb1e4d016c332db0b96b5c1af0

SHA512
35d53c215c9acf3bbba14681b091769573a353bf02680d5377700ece7d2b0f28e2d10a87c156694919cb19170fc26010d19b5c801e0ec3e805cb0b7ee927a653

Download Submit
C:\Windows\SysWOW64\Bdqdffoc.dll

Filesize
7KB

MD5
fbd504b6e4cf73bfdf2554ace1622f9e

SHA1
baf33fb8807490e513dfdbfba7fb41afeebb4aed

SHA256
8a48d2f9a26cdc16d422700d28826e106cc597139b358c03e1ce97d65f9be176

SHA512
5449182850cf8f08b464df1fd96ae17ebf8eeb04e6710be7bc2f22f259ade93d6a1b28182bacf3c34fd062cd756ecb7e46fa0c073e0049838e2f49c57ff6fcdc

Download Submit
C:\Windows\SysWOW64\Bhibni32.exe

Filesize
397KB

MD5
f55fd05cb8290e2c6e2446d1f6def0e6

SHA1
7e75ccceae7d501ca6ee567b7d50d4b54383dbea

SHA256
7c4bcf886013c7bdd2ec5d32d991ea9cf7cc852ababc1562bfa7b7d48ff4ba37

SHA512
51682d667d50ba318ca40fe1ea9796ad2a8400ddab2b5f25869aa31f4f8e156b7f2c48dfa45ea82ebbdf837d325206b1c81d3ac8c819e21e16bfd47a0adb8a8d

Download Submit
C:\Windows\SysWOW64\Blgkdg32.exe

Filesize
397KB

MD5
df1fec53e83dc5658ff06a87592ad5c2

SHA1
d52871c409624c31a7a11ee21a7a502ede449df9

SHA256
541a7637b987116e217885fb59faa7fd3dff7e680797bc21d3ef3ac2821e811e

SHA512
db21d25b48c79fff5ba5c0ff9e34c9648d869be4539f0acdd56f3d63670022a14b0898070085105b649d90319630703aa11b2e2f10966b4eb8af6d08b347b275

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
397KB

MD5
711a278bd7c1e3d2e9383437a63ccfa9

SHA1
2108fe07ba9b9ee39a4abe431ded814994c013a9

SHA256
b49665aa6f17243f1876d3bbf6c8ce0a1307a79613ec5ebb5f483b58878e74d5

SHA512
624489fdaf95838e4ece2670c7c6c6bba64b8edc6951400459ea3887cb63e60f518fd2c10f97166f7f867e9e059bf2d209438667a314e395000cf76db2d4597e

Download Submit
C:\Windows\SysWOW64\Caimgncj.exe

Filesize
397KB

MD5
d21801fc8b505f4beaa247baa8b46aff

SHA1
b4a1d9d2bc794c2c39ab7e22143f5945587f15b3

SHA256
ebb6fd3d2d72673f0ac15cea4bf6bd4b7363e253613594ac7d888b316df72a93

SHA512
c3e4a74cb9dd244e8afc7923fb6d4ea85f54cda143dd4aad72230f2c1e4f32b325c04e4cb486c6ccf032b367bc641c393a5f73168e8914efb89216d6bef49a42

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
397KB

MD5
f8e3a52ee0505e8e92f5c9c43f7bd8c0

SHA1
b1cb933762f85701417eabcbefd2a02f6967040e

SHA256
fc941e99c975b5f856e43b0185c8c52677d7a2d8bf2ea9eea17a839bce839b6f

SHA512
f7a885557a6a6ee22b7df6abebafaee14e7af2ec5c2eb2f2b79c65806998f62e2d5ac399ab1b2de1809081145449d527bc7eea34baf3972bda0890d95837c247

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
397KB

MD5
b8771071bf137c0dbd916babcf138a8b

SHA1
3fced5dce58901e5e0e2caf2b86bbffc05b6c0fa

SHA256
5a65ed6d4f1450199b319de81b28e316a441e868d2af2fc022a24f96682f6626

SHA512
5fe4392db8a4ff159d0de9ce82e7e123ffcc13082b5724da2d3f00aa38e2fd06e7a0e86bbb355807cb8ea83d918f7e24e87a6f03b22f5fa345d20595cf63916a

Download Submit
C:\Windows\SysWOW64\Chnlihnl.exe

Filesize
397KB

MD5
000114cc52138e999ab9cb1d695a9d1b

SHA1
0e2162db654e4639ec1f75d7c32d503e545be23f

SHA256
6ce9488afbfc3bd46ad749f8c71d147ac7cffb006fb559bdeeede1b588ef9ab8

SHA512
e09820d8cdc86990e7c55b1f44e1141dda68ad11ab3a6ffc1b2209e0cc5b8e4bfc75a171dd26feefd46b8a20157b5b41d5935bcaf2ced46647b29d361cd584d6

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
397KB

MD5
0381c24db43d6d551283e6341dbc4e73

SHA1
5c3de553442fff3a5ae0fa91f8e27b0db1472b29

SHA256
24f82a35b9eeab1e41e559fb8d1ab1815c62592bfd0d5f95482fc54e6af2aa8f

SHA512
7c6147003133db7cdf5a62937ef6be42d683b4e5e70e7bc2759983ca9f5a7bdead66cb71105efa0f659992e45591e7465a1e91ccb2780ae02da4bd5f6d22f3cc

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
397KB

MD5
b51067fdc1086672e06800e91c51546e

SHA1
6fa2bd555d52c3f65faf636b8e49935bbcc7153a

SHA256
0a72a27e47166b51a0033bb3070081f3dac58413f5a016beb889f96cdb436393

SHA512
fff8ccd5cb356646376169575909625137e8b3321211b6232fa6d0e3dab870ee4ec97c034ec6f6eae59627471e499b4033eed43e7c4b619cf65718975c433c3d

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
397KB

MD5
6b3bff9b4147dacddefeb0a9eda81bd9

SHA1
9d572ab14d4fc34aebb83220a5d0e49a4cad3f4e

SHA256
35b21d2659e82f79f422bddb658e0abf2e1753e19de8f344318fdb9e70010aca

SHA512
ce56abbf1cdbd3959ad9a9be862470dcde0609e75346ce69ed3a573fe9757f3b9beef544de3c0b5b96d8af62b527ac61156b0c0a99112c7ccac7e13ce43cd17f

Download Submit
C:\Windows\SysWOW64\Cojqkbdf.exe

Filesize
397KB

MD5
dc2e84bc5e449a7aef6d2b0752587bbb

SHA1
24e236e00faff7cc9e64178b9c19e779736264f4

SHA256
6f443c1c2dda23134b52eb035c94e3c1c5cdcc66864c0b21d3232b424973fc9d

SHA512
3917157c957b7a5483a9af50423038f184987f1ea5ce77e672bb0245c3a73620167d7374f2ee4739a876b5a5c34cec7572484535a2d93baab18e0baa7d75d3a2

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
397KB

MD5
629c76214c39d24a6f8d106ed71b39f1

SHA1
51de9c617976b4ee33daeeee1bfda31f8a74a2ad

SHA256
5e0c241b03e1b164141c4644b9f2dfb6d376953bc851e0c2fa2bcc85cca1415d

SHA512
680f8917996e5c7efbffa65437d2469d6370e3d4c3cee52ae9f6f25b02f4c68f1815c67ddc9b9b853de2e1f416b55d265211e3e5209ccbb32fc29d6947dca951

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
397KB

MD5
cd3c04d6efdfa4fa74d4ce3be52feafa

SHA1
ad3360aaf259b3937f11b20d513d7fa5bc02cfda

SHA256
07e244fae6905728d5bac9c1a8c78f952cb658ad778ba8505c60601f0d7e351d

SHA512
8b3cccc272df0608eeeba6df1183c0b707f101ac520e2e24e0dcf20e73ca63f0f058692a821f8add3c9e3105bb8ad9031f5240c3bebd6f9611adf9a90acee3f6

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
397KB

MD5
0be76092fdaa81e07b3c5d91acd96358

SHA1
04340afa379d4ac0cf38be60ca1bfae3efc0e8c3

SHA256
975d128c2d029b7fc02fed8ca933fc4d095f38a5fa4c8f1a6627cb39fa809f71

SHA512
17d2ef7fd9febb9ea274b1d36ad5adcfade85e3d76a9ce98f3b529104d24cb594a1a0590b36d1a56bcf6d610edfba557e2a02743a18b810df01568cd412c99f2

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
397KB

MD5
ad80558a6a6dbe7941dc724bed04d41f

SHA1
1efa642e6f07027611ff97f021fbed3d05334101

SHA256
5e0409274a7da7dafd32e1bf8f716e6c30ffa0323e70e82aa84e13ab867ab2b7

SHA512
07b1814a0aefd64aed789544803121c22379291131d17d310bfb4c0b1dd25b694990232cf8443bf1ca241956793ce6321c8e175aea3d4e2dc7ba57189b507498

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
397KB

MD5
e34f76579b3e859dee6c9217712358fa

SHA1
ca0ce2168378c6e369a718b79920dd64dbc10420

SHA256
f3d60dd894ce047dbe9ec80dbcaa7999f537a5807e4f23d3861f0504ec9f0d10

SHA512
87074d55a9fafdf04c9239078d10b99c15af73d085ae98ecdc2564952ea2d889fed42b1546c5d27b9db946ed8c49ab7fcda403a75893e43001534dc1912ecc83

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
397KB

MD5
d95cb660e745fad7008a31147d06f91e

SHA1
ec00c2f46020ee7a88c2f96405dff9b9f4a94ae9

SHA256
6a4d1c6268210b7966d5c68e6d8a2b74137cdedc1eac5060e4c00a46ffe122c4

SHA512
7fc82606530c6fe971e4bb036d0f9a49ebf2c4273d163a172a0b6a844d44fc20024844df65f41ac37995c5fa462e9cd391b0401c8648906dbbe543380eabc025

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
397KB

MD5
890cabb8e680d40dda3127b7266ad041

SHA1
108457429bf37c5bfbc9aacc8f7b8961aa37212d

SHA256
3a85ba0cf7b3dfd7a6fcaff0eae0c2ec27a350e0daccfcb39607ad53b34ec045

SHA512
207e28b894c10e4f35bf66c7400785fcd7f6518ea5bd406e2cb13ee216a0d99e98cbcf476bd89e0b8acd2fd007291aff786e0a484cf9945ecf09366b5b131fc6

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
397KB

MD5
dc513ed1d3ff3f865526c25896abbbcc

SHA1
44db88fff551241cbd57b7cd672b7d3b6e5fc54e

SHA256
e38b882c733e152939c5292b0e3216866cdef71ed3ec9445e6688b6b1be512f4

SHA512
4be5a0746179af9237d4451376833ca35eed31ae9fc819835d89913ff198978aa92838a0aa5cb7f4ad444ad420e77b05748a67d99202a825f4db6b887c948bac

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
397KB

MD5
7c9bfb908c5973820355ec28175f1b86

SHA1
93d9ec0a2e9c4931ecf250adfe55a4de324643ae

SHA256
3b0e7448b33147d6bef0fb47597673e9b224183ce3b004d81b88ed8b55c82452

SHA512
d5639d6a153b2bc18160d2f7ae0c5a4e0e109bd130785dec5ce014736ec2f14bdf1cb7d2d8071c4eee5785428e330c09ff5f88b9a349f623d9d72d0747359143

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
397KB

MD5
b11247594bfd9735ead14fc08dcbde79

SHA1
ff9f8c147649017da728eef4eddaac1508a8218e

SHA256
8c8c244d56b91f3f7330edd60b1498e697e25827ef349892794808eaddb19af0

SHA512
3e5da175f47219fb6347d8c4be28a8b99613d905b4b5ca4c8f889111e962e7b04e6e06eff92835b056bdfcabf213fb997e88e6c73c89121c5664f16c4f4f2326

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
397KB

MD5
5fb4e4510eb868d77d932a86d6d0bda0

SHA1
90a8086186c290a845cc055f8c868c2135c3a09e

SHA256
f7dcb10a5f36fdb49c6a81a3ad6d804998096a58fdb7bde347404e19f6748d82

SHA512
885bef2c93690ac2eef05da7fa00878161767b807f10b60a5bd05684e6437d19626c0f76a64bb0339d8ac13095111c43d1c3a37cce0fac4f510da1d51a65277b

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
397KB

MD5
490f9e5996d32c706fd9c16c4923b4c2

SHA1
5589118994632e244e65d2447e125430077ee5dc

SHA256
3c3b1de38f024c4b56ddca5c1e3ac7910a4dcf725ddf621b2a0a52b4dcab03a4

SHA512
f4a7c579c9632e3913a24546a73be1a97a8d4204ecc47f45b85b438817d6babee0ae2ff1b6458b7a4bd0d40d0442a3629ebc809aa06d27aadc2bf1f7a4755a7c

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
397KB

MD5
c0a8f0cedcd5eac6b37e2277827cc78a

SHA1
7bb2c0591a1587fc3abb98f3bdc4cd73a8613dea

SHA256
67b9f16525340164b63c4f2deecaa31c29dde6e7bef11023705fd90ba80cb86f

SHA512
70ae6d7a6646282d0c620291319aadbc108256463065904c16214e71d75d1894cbc9361a894c4ef35acfc8ab1ff344256b802fc63f2eea398f4b69c9079280ab

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
397KB

MD5
e238aa953fc2ba48ae7daecafd4c8e0a

SHA1
c73e7243e6334a7c37c470da46a3267b5ed36518

SHA256
16c9985ca3977559bfa17ed494a6eff279009c5a699057d54235cfa75dcc9a7c

SHA512
6bc0247e35d87649b886d5457f1a534155dcddaa8c2a71bfe8d04c320f2f60be1f0c18fc2bb1a8fb50ce30adb68e826fe79e5f29fca859b47df8dc2f0054b4bf

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
397KB

MD5
b66bf2a4e7509b8da71685f46a066224

SHA1
0b404f79a50b626c7a19725751a1f786b19de11b

SHA256
2780f458935af4607e588d3b117a231e5c1e79f4b058fb37a0d83db3464111c2

SHA512
6201b389ecb815b4dff5a0d45f0886a2d042dec2b8787c5c7d70e961c54a226c3995727c063db321efb7772042e2e5c9d4337207d30d5691b9c4ca3dce22bce9

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
397KB

MD5
d8d6c56dd8ca24e1e3e5c91f36c9841c

SHA1
854e3b4afb98615d2e1395645513c7d28826d3f6

SHA256
77df8630dde0a779a7bd92b95b0222362019628f351d603de9f13a04661b52e6

SHA512
b1e6f65b26350f3bee18a4727324b934db9f25ab396e6383c06b083d13b46e3edf1e9a215b16fb114637cbf8238f6959da7add9e6b2a0104b3523539e1b10508

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
397KB

MD5
66f7c1074a59fb74d6e9e947ea293bf1

SHA1
0070da2266423616f9a7702d9d3d68617691f5f1

SHA256
42f4e81a3096c15e693c12d97fef290822a035beb67750fec2fc040b307c0aa2

SHA512
8bd3a92e1bd8c6f71a2026e7889c8a3c5f7211385d10ff8efc29d7d7b0970548bc36d34d756dc17c801fe9b6a16fdb6a16e1429ce44ee548edbda5f0634067aa

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
397KB

MD5
b53937104b71add87e9de65c608ec418

SHA1
bc537290b3b3ef701f1c3044971948161db26686

SHA256
7bd10bce4979c70bfd4c4a0a79f25a8713ca3b6f58bdaef6ab54039f5c9b5c69

SHA512
fd5336dd6bca3abfa9368a8b625ebe4a2e76e222752f27d357c966ffd90ee2740bd6bffa7b4207f33de58b46776005478b223cee7504e14bd92cb2da15767aef

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
397KB

MD5
cffaba6e76c0d1b5cc5a2351a085f9f3

SHA1
9fa63534f216736e94b87da7f94f8b23583516cc

SHA256
e30ea36ae711c2e8b4aec2a82235dd58e126f3a35e81d6e587aef0c57c0ebbac

SHA512
c1327280e5d6ecfcf27ad8bf0deb6829e20ea3ddd82bc74bc8eb70a242b7fd2ee2c8054b5a9331fde5432d088e8f63a2717aba820b3d6cb66ab3f671dc582504

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
397KB

MD5
48d1fe505b2259078b6f8cf7ebf788c0

SHA1
b7d4ad6d8f8e68d4ab9ff5cab124f44a5e18a785

SHA256
ba7b74779040b283573e67d9ed8354b7aaf9e3a165f406c8acbb23df685824d9

SHA512
6dfd6368a7ee0a83329b3701e8f0cbc58ace3420847f258441de303f93fda4ce31026e4ccda89e837dc75abdbefc2ef87264007bb216b751c426d9b67faef8f6

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
397KB

MD5
d35d10b83689796053516ef6a0b72bc2

SHA1
3615c425e6ca355f1ed07ec1688c43956fafdf9b

SHA256
3f814d6b6b9649dd667d8384a83d9c0f918af9efaf4c2059b1aa4b8bb84d9541

SHA512
fe20a767ff2932b22d35a142b1700e455fecfda4da95872226429dc5a5e76563ac63b1e4f89157f83d5484e884866826289a35e1a8e6bc68ee4e44cf1df15d4c

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
397KB

MD5
cdb2be911919d553c45cef46e2af457e

SHA1
cf4f933fa08861cad06b0eebb12a9083cc43ba4e

SHA256
5522c808c8da867e96e1d16a71001d603d13bfeadbd8cd78f9769c3fabfd2c00

SHA512
6dbc8f6f1b366496d4e9c38798e321e614f93a13ed9ee26853b8c6fe1798c5a7ac0adb1bcd96cf79cb78783b7fb0f6c2c02015a857a2bdb02383319afabd77fa

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
397KB

MD5
a5dd6a852a63f6fd5317144a198e19c3

SHA1
d308972147076e3b608a6447fa0897a7f1512378

SHA256
abbd1c99043e8afdd02d041f9fcc6e2ae5c8a73594e0f6f3d8a12ca94b0fb5bf

SHA512
3b8c61c3fbb28fd4633d220c0b9c35ab5af3a35f1adede944fd98fa73444e73fec8879b095fa96253e2c2c1e409c0a2f4952056b7fa05fc48391febf89e745c2

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
397KB

MD5
607b0e9ec1f0a11e80ed7c8f77301cc6

SHA1
63b6ed62bf1500de28e5b6c5cb4b07691c372398

SHA256
e1e6b26c2954c28e13100808a383d91dab1be7a6f1a456fdced03c122f9ea6cd

SHA512
0e2cb29abffe626c1c5f50303fa8b5b46f8152378beb01c9888f11b9da2f957c9f7a19a383b287ca7d11aaa377a33dc14aedd57292b0bfc6d16bcb8974876c9d

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
397KB

MD5
6993373fbeb745c4f434e0b5c3ad9fb9

SHA1
c1fd78688499408089bb696c1dee1c9b2ab79b92

SHA256
99c6de2fb0386805947bc4f8c11d9596822211801b3c03c6ad5003228798a48e

SHA512
0362cd01fef453b3953dfcac21f5048e28c8f6cee0715f9640de2da0ff5bdd94e521abca237eb040077d106d7177124553b660e1855d11d7e1f196e99416518e

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
397KB

MD5
4b81b7a2570e89c086cdc43ad1736852

SHA1
37a24f910ae72291c8a345a65e38335ce40dc0a5

SHA256
ff4ee0c097f222d8c1c3631cfac1eb698cd6e5b691a2b1ea47f262d631f25a2c

SHA512
4cbda0f462ef06b9be6d7b28b028005d08cc71e203559380cad748d9f2683b275c75209501754744da3c3717fc07b1ccc7a40b0cae5af351bc241a1e31874587

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
397KB

MD5
627e308805cab4c31f9c5f556f8cca3a

SHA1
fc42fdb8b0372adf4a6dbfde7bdf7f157c23979a

SHA256
4a67116fd31b15346f2d42a21bd4af09d14b8a04bcc1534eba5d4360939df2da

SHA512
a0aad9713b0524c72b21295ffbd5742a8cb1763338fe6d846323b8e36f00156edadc81cc24c47248204bbf33cfe03e8c27d9e251076edfc413551b2087482a31

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
397KB

MD5
f9a4887bce9b51b4776dab2e5331fc1d

SHA1
367f022b6295560fa4c282ab3f3405dac823e705

SHA256
f633733a46ecc4b510ee2ed0685dd49d75ebf3cbaffe5e32180c2c5ff3c5927d

SHA512
7f1c465ab4c52e099e0a1193960ed2b6e0246ac7af7cde442fb9c755a453cc59e2feb0ce64fad43e76cdf0d713d3be227359f37f3307fb7e6ccc54387ebe0502

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
397KB

MD5
6d165e3b5d089a36c7d3ceb5ada3e178

SHA1
69d9184b7e3f548371fd91dff8f738b57133f632

SHA256
26334a05a7e3e35b1ec9332d20159fdf98741101c9b2d04cdd2d763fb649c49e

SHA512
37bc5f3c6062fa1cf6fd096a310e8b7e5a67216a855a2947157e31de2606436a1e9cdf433c2b1b1786f2af5a83fba11775649a5cc5ee7dd11670d5e4f0c42f66

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
397KB

MD5
70ab057ebfe5b314124e27a7524bea4a

SHA1
170340b608a5f0c5f3f8f365e11191e7df645b30

SHA256
fcc89314d342d5c091905d0bbca7d0d521b4f56bdb6b731aed26b7075afa5725

SHA512
2141fd4e2b922394ce3e6716457c88d1753faabe64c1e04e2ea7b0d359177a3f88fd2385579e38b93a992c58cf6b259463731d0241b392a4167ac17d3bd57fe0

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
397KB

MD5
fbe47a0795a91de371889b0e6fcfb7d9

SHA1
752798961a63ed94726305895aded0ea3cff1960

SHA256
4e0f7155a137720f4aa3a7a1ae15e18b656cc8306c694f7c4c1a1bda010c476a

SHA512
3cb98e95a63ffdcd20057d6cbd46270346f88c72e33c79f8d2f8cc84ab883d1e36239b745a5e7dc778e7c212b5a1e28e465ea747688809579790c1df612579ce

Download Submit
memory/220-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2936-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3936-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-571-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-597-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-585-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5148-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5300-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5344-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5412-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5460-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6540-1297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6568-1269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6716-1291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads