5e283c460f948b978da8e86ea3417d982d742010b5ddc8eaa89f400e9662097a

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d628b1008ea77dfef413802fd9072f00_NEAS.exe
Size

51KB
MD5

d628b1008ea77dfef413802fd9072f00
SHA1

34ae9fd2ea1d43a28fa4b1685a91117ad6a3be97
SHA256

5e283c460f948b978da8e86ea3417d982d742010b5ddc8eaa89f400e9662097a
SHA512

05fd4ef5b8cd4ad79bde41bd869c76e25060f07a131967f77c2dfebb2f9c56ca331e1dc289a2b5d395af716d6363f264ca2b8f422651cf8db9be9dd75259bcaf
SSDEEP

768:VgxVczTqaontv53ljkzh2vMBU0UH1QHsiRAZBHOyPriJYYmDszz/1H5:VUEZ6v5lAT6PPZBHOyzfVYzB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe

Executes dropped EXE 64 IoCs

pid	Process
3104	Fcgoilpj.exe
756	Fjqgff32.exe
2552	Fqkocpod.exe
1412	Fcikolnh.exe
744	Ffggkgmk.exe
3320	Fifdgblo.exe
3876	Fqmlhpla.exe
4436	Fbnhphbp.exe
1152	Ffjdqg32.exe
2536	Fmclmabe.exe
3884	Fobiilai.exe
3700	Fflaff32.exe
1244	Fijmbb32.exe
1968	Fqaeco32.exe
3784	Gcpapkgp.exe
1188	Gfnnlffc.exe
4528	Gimjhafg.exe
632	Gqdbiofi.exe
3292	Gcbnejem.exe
2604	Gfqjafdq.exe
2844	Giofnacd.exe
1056	Gqfooodg.exe
4368	Gfcgge32.exe
2472	Giacca32.exe
1268	Gqikdn32.exe
3112	Gpklpkio.exe
2608	Gfedle32.exe
1868	Gidphq32.exe
3460	Gmoliohh.exe
3520	Gcidfi32.exe
112	Gfhqbe32.exe
3916	Gjclbc32.exe
1664	Gameonno.exe
5024	Hclakimb.exe
4076	Hihicplj.exe
3880	Hapaemll.exe
3716	Hpbaqj32.exe
2124	Hbanme32.exe
956	Hjhfnccl.exe
1500	Hmfbjnbp.exe
1196	Hpenfjad.exe
3488	Hbckbepg.exe
772	Hjjbcbqj.exe
4408	Hmioonpn.exe
3620	Hadkpm32.exe
4716	Hccglh32.exe
1132	Hfachc32.exe
3812	Hjmoibog.exe
2976	Hippdo32.exe
2104	Haggelfd.exe
696	Hbhdmd32.exe
408	Hjolnb32.exe
1788	Hibljoco.exe
4584	Haidklda.exe
4876	Icgqggce.exe
4344	Ibjqcd32.exe
2388	Ijaida32.exe
2256	Impepm32.exe
3312	Ipnalhii.exe
3076	Icjmmg32.exe
4936	Ifhiib32.exe
720	Iiffen32.exe
5052	Imbaemhc.exe
1208	Icljbg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fqkocpod.exe	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	d628b1008ea77dfef413802fd9072f00_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Iiffen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6148	6960	WerFault.exe	267

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibpam32.dll"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d628b1008ea77dfef413802fd9072f00_NEAS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 3104	1096	d628b1008ea77dfef413802fd9072f00_NEAS.exe	83
PID 1096 wrote to memory of 3104	1096	d628b1008ea77dfef413802fd9072f00_NEAS.exe	83
PID 1096 wrote to memory of 3104	1096	d628b1008ea77dfef413802fd9072f00_NEAS.exe	83
PID 3104 wrote to memory of 756	3104	Fcgoilpj.exe	84
PID 3104 wrote to memory of 756	3104	Fcgoilpj.exe	84
PID 3104 wrote to memory of 756	3104	Fcgoilpj.exe	84
PID 756 wrote to memory of 2552	756	Fjqgff32.exe	85
PID 756 wrote to memory of 2552	756	Fjqgff32.exe	85
PID 756 wrote to memory of 2552	756	Fjqgff32.exe	85
PID 2552 wrote to memory of 1412	2552	Fqkocpod.exe	86
PID 2552 wrote to memory of 1412	2552	Fqkocpod.exe	86
PID 2552 wrote to memory of 1412	2552	Fqkocpod.exe	86
PID 1412 wrote to memory of 744	1412	Fcikolnh.exe	87
PID 1412 wrote to memory of 744	1412	Fcikolnh.exe	87
PID 1412 wrote to memory of 744	1412	Fcikolnh.exe	87
PID 744 wrote to memory of 3320	744	Ffggkgmk.exe	88
PID 744 wrote to memory of 3320	744	Ffggkgmk.exe	88
PID 744 wrote to memory of 3320	744	Ffggkgmk.exe	88
PID 3320 wrote to memory of 3876	3320	Fifdgblo.exe	89
PID 3320 wrote to memory of 3876	3320	Fifdgblo.exe	89
PID 3320 wrote to memory of 3876	3320	Fifdgblo.exe	89
PID 3876 wrote to memory of 4436	3876	Fqmlhpla.exe	90
PID 3876 wrote to memory of 4436	3876	Fqmlhpla.exe	90
PID 3876 wrote to memory of 4436	3876	Fqmlhpla.exe	90
PID 4436 wrote to memory of 1152	4436	Fbnhphbp.exe	91
PID 4436 wrote to memory of 1152	4436	Fbnhphbp.exe	91
PID 4436 wrote to memory of 1152	4436	Fbnhphbp.exe	91
PID 1152 wrote to memory of 2536	1152	Ffjdqg32.exe	92
PID 1152 wrote to memory of 2536	1152	Ffjdqg32.exe	92
PID 1152 wrote to memory of 2536	1152	Ffjdqg32.exe	92
PID 2536 wrote to memory of 3884	2536	Fmclmabe.exe	93
PID 2536 wrote to memory of 3884	2536	Fmclmabe.exe	93
PID 2536 wrote to memory of 3884	2536	Fmclmabe.exe	93
PID 3884 wrote to memory of 3700	3884	Fobiilai.exe	94
PID 3884 wrote to memory of 3700	3884	Fobiilai.exe	94
PID 3884 wrote to memory of 3700	3884	Fobiilai.exe	94
PID 3700 wrote to memory of 1244	3700	Fflaff32.exe	95
PID 3700 wrote to memory of 1244	3700	Fflaff32.exe	95
PID 3700 wrote to memory of 1244	3700	Fflaff32.exe	95
PID 1244 wrote to memory of 1968	1244	Fijmbb32.exe	96
PID 1244 wrote to memory of 1968	1244	Fijmbb32.exe	96
PID 1244 wrote to memory of 1968	1244	Fijmbb32.exe	96
PID 1968 wrote to memory of 3784	1968	Fqaeco32.exe	97
PID 1968 wrote to memory of 3784	1968	Fqaeco32.exe	97
PID 1968 wrote to memory of 3784	1968	Fqaeco32.exe	97
PID 3784 wrote to memory of 1188	3784	Gcpapkgp.exe	98
PID 3784 wrote to memory of 1188	3784	Gcpapkgp.exe	98
PID 3784 wrote to memory of 1188	3784	Gcpapkgp.exe	98
PID 1188 wrote to memory of 4528	1188	Gfnnlffc.exe	100
PID 1188 wrote to memory of 4528	1188	Gfnnlffc.exe	100
PID 1188 wrote to memory of 4528	1188	Gfnnlffc.exe	100
PID 4528 wrote to memory of 632	4528	Gimjhafg.exe	101
PID 4528 wrote to memory of 632	4528	Gimjhafg.exe	101
PID 4528 wrote to memory of 632	4528	Gimjhafg.exe	101
PID 632 wrote to memory of 3292	632	Gqdbiofi.exe	102
PID 632 wrote to memory of 3292	632	Gqdbiofi.exe	102
PID 632 wrote to memory of 3292	632	Gqdbiofi.exe	102
PID 3292 wrote to memory of 2604	3292	Gcbnejem.exe	103
PID 3292 wrote to memory of 2604	3292	Gcbnejem.exe	103
PID 3292 wrote to memory of 2604	3292	Gcbnejem.exe	103
PID 2604 wrote to memory of 2844	2604	Gfqjafdq.exe	104
PID 2604 wrote to memory of 2844	2604	Gfqjafdq.exe	104
PID 2604 wrote to memory of 2844	2604	Gfqjafdq.exe	104
PID 2844 wrote to memory of 1056	2844	Giofnacd.exe	105

C:\Users\Admin\AppData\Local\Temp\d628b1008ea77dfef413802fd9072f00_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\d628b1008ea77dfef413802fd9072f00_NEAS.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\Fcgoilpj.exe
  C:\Windows\system32\Fcgoilpj.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\Fjqgff32.exe
    C:\Windows\system32\Fjqgff32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\Fqkocpod.exe
      C:\Windows\system32\Fqkocpod.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        25⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        29⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        31⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        32⤵
        Executes dropped EXE
        
        PID:112
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        34⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        35⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        37⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        39⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:956
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        43⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        54⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        55⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        61⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:720
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1948
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        68⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        69⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        70⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        72⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2044
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3528
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        75⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3176
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4472
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        80⤵
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4088
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        82⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        83⤵
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3848
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3220
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        88⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        89⤵
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        91⤵
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        95⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        96⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        97⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5396
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5436
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        101⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        102⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        103⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        105⤵
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        106⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        108⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        109⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        111⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        113⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        114⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        115⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        118⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        119⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        123⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        124⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        125⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        129⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        130⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        132⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        133⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        134⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        135⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        136⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        137⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        138⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        141⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        144⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        145⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        146⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        147⤵
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        148⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        149⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        150⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        151⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        152⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        154⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6720
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        159⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        160⤵
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6936
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        166⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        170⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        173⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        174⤵
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6856
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        178⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        179⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6960 -s 416
        180⤵
        Program crash
        
        PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6960 -ip 6960
1⤵
PID:7092

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:6328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
51KB

MD5
231a08a228337e0a334fabc3e259eae9

SHA1
7c5ca9373130b4c03b45a13492710bf946cc3871

SHA256
309a4e93ac73c88c78f4f76d1af68879d6955a7da6403e45e14d8de489efa3dc

SHA512
fb109089a45bd0e3abbb469ee768f453f27a3bd54f9b48d8304ad84b5fb0ddc02464499519af6e4225daeddbf7c3e879736445d18c8a0f9b0fa40bd8651af0fd

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
51KB

MD5
17614609aa0b30212a7d8f330109c211

SHA1
3eff4b93e8eb00c3cf70dac04ad557a1193a6938

SHA256
f3d14800ab733c42fb4d3c86b3ca0b788fde177ce93197f246816fc15037ad3f

SHA512
61e5fca9df775702fb58222c8dcd3b04b3919621fa22b7edf0e829744e2305e2b36dcaf1b295630f3299488620994c34007b539b349c1318ac7fdefb63819fcc

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
51KB

MD5
f9fcab7705a3f940b71ecda4cdea7166

SHA1
941d2cf79834357f8e9e93f648c847efb47f5851

SHA256
f2fc9efc4daa42b75908a01d2204cc3ed4bdb1f441b4ca3fb112f23e732fadad

SHA512
66824f91cd226771ee47a5a557fc538eab4bf262c026cc2c240324aebdf1ec0254d7614e76f1c1f9d9bbc99be16aed42281d0619926cf65c136b5d967919d3e3

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
51KB

MD5
cef4329b9cab9431d1dcb3b7bd0ed63b

SHA1
46960bf0466bbed3f70b9a663b9a24c402590ce7

SHA256
2d1c5c4116b010e00c1a485da38fe7efc0ec829adf83f5947feb90b83f7d7780

SHA512
374d64a5d0d43a3dae773dd31377b804f1354dad1b7789048e056815c594fa292860bb3ad65febd91745200f488a352e8fb5eccd61669b6653e611dd53a88bdc

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
51KB

MD5
2be61dbb0580306ba00bb008c427361b

SHA1
5e6d642d36f74d16179181da68113c839e226e25

SHA256
11d88cbd831def08fd953b55f7ae7ef030d4d535b058911dd6545a9cebed4d0c

SHA512
b9333b1fa8a6af44f89f3dabcd723158a029bad27339db7fe1144a78b4aefcd8e3d5479102ad486118642bdc81ad8ae7acfe5302f6968e7e36d7ed4cb768bbe7

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
51KB

MD5
87008a022bcc580ea64fcb4f4c330971

SHA1
e224013a7103a1e7ff58196a07c4c5f63d158fe5

SHA256
7321c4a857fa396bfe43e21ab3f63f36da27bcccc1c9ca6a1c65a573806c3a38

SHA512
42a06c7c3339cd51e08f2eea7dfd57e4bfbb08fdeb4e482c4ea71db23b94c138df8bf74d7e9935c88e83e2441fc3a3ef467562a2333b0acf0ffebf0594673d8c

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
51KB

MD5
28a60a2e71483f9d02fdbe80ed249f57

SHA1
9849b1d1b84ca9abd15d1e77dbd05cadf24530c8

SHA256
6f1341ceaf894d8999a26ca68c03879fd601db3458c49e9a63f6138e79022d5b

SHA512
cb8f80abab1d4c07bc36c3b8a2816dc69e0eb75b36ff3f09209e88f45a81c209b769ee2681d0930780f8195e89bb25481132f102c69c5b1fe46be730d6baf7f3

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
51KB

MD5
e00859744dfe498e5d70cad78821f47b

SHA1
4da7b2d28ac96d0e7a8e9e8a5e1aa7458bfaafb7

SHA256
c5a6314c34028a2ada30c2d49aa26bed3f41ead859886e406228e9ab639324b9

SHA512
2b0e27d0d297dae4f36d6c776ab4e2275fcb3e75fdfff7a8ad839f491f0263888166a6c848c1176068231b6b17dd49889055ad02ef7ff8dccb0711237d8746ea

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
51KB

MD5
4318c9b743337d7e8f368d4e85974a8a

SHA1
7c8d7bc30ed6f65f9689d75d58b04ae21cc9ae4e

SHA256
8f5c57af3aaf2e2bde4eb32689e70c78ba7d2df3231fecb08158566d077cbe9c

SHA512
87bf2c97b3b045220abf468159eb871144b8eacf0206e1859dc6d318b408d13a2c638f06d924ff1405139a5ccc18fa31fb3f3db4a49eaa8ccdd9416d0a61214f

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
51KB

MD5
c61cb0d9d091c1c9b468331bac277b07

SHA1
6290c0bb771c93facd17d03622a020582bc81aad

SHA256
242da16d70e50969508f3f5f4dcaba54d73dcc4046cdee26af56c082cdb2bec0

SHA512
138115eab38db4e914dbcc5793d63361b8b7c0cf8b98f73c2b50d1666bb92343115379dd9e6e02b00b3a86e8990271e1da4639ad887bd8a2a096192f1eaf2ef7

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
51KB

MD5
2e177286699cb544a45aaa80b25901d8

SHA1
e0dbfa29be445353eb55134705b50312889818b3

SHA256
94166a2fea2c6f77e4e485cdcdb441d400e0a6d96ed2ef8bc53b98be84b151a3

SHA512
f2c48c3fe985e5a64d4ecb9523f4210bc63c106cf8aa4ea757298889ebd1b54a6c0705e9841137e371cefd26308731e8e9350d80db0b5082bd377e06035c2096

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
51KB

MD5
6993254809f95ceba340707fb230ac06

SHA1
fa78a70fbf3cb41b6ffa4613cc923b48f01f5e66

SHA256
5d5440ca36a56ecb5f0fd83fc13b4be27cdf3b6586ba642c2a677fb037e53ffb

SHA512
2f92d468aae48fe6729535b888301e868695c7a49a5a1b6066f314826d56aa3b7f8212060e7d94f6656f43e97750d2f2f8aec612ae80d5fab065caa5740eaeb5

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
51KB

MD5
1fa3fb5dba9e3bf194673a8ee40d2926

SHA1
209c0e852a896617581ab40cd28f66966503d556

SHA256
7515f1e268742ab5550996f6fae715ffede17cb650bd7abe0d2c686de456239b

SHA512
b557abdc76e35612beb0c3cf2f1229409ceb3b8c3af6f7839a0a4d9b37d8b6e93b43aeddb70327c5fc01b10a6875a7e1f83135030d7c705c7501f7bb271a4a61

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
51KB

MD5
bbdcc5d43d9f5ad3d7819129323ea2ea

SHA1
757ba259fafc2ec903746a435cef8b838c3408f0

SHA256
bd1cbe8d6a579ecfce17113863b7e68c5c6452d82ef297f13eac49f822bc272d

SHA512
98666a9931a91c4ffe8bd89737c18a85846f81ece0484ce9db938342163792087ca39dd3c6158869731dd9f01040b0d2e0fad74016d48cce5eec435f96acf974

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
51KB

MD5
ff63acd5da9426aaa5fe96c9bbe70416

SHA1
9789ab5ef5460506d16e05287076aa948f563e4e

SHA256
602422f934022067558477706fe484ef7579439bfe19bc8cf4cc6f4cd242faa2

SHA512
ed0a2a97c2f35f13cc638d14865a831256f339e66b5f4895fdae4ff570fbe8430fce2251735e25e65f74f292fd1dd42bc8e86051dee5f2c9b370608d2d7fcd40

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
51KB

MD5
fc2ede691bd2bfa5a36d68891c0e9297

SHA1
c9fbb3bab76a71f46cbd4796903069c9ba1c879d

SHA256
41f5b17219fbf7a826a14d901f1439abfba4b84e78d6dd0ed31634c5b9effc59

SHA512
96f6ad02c944deb2ce1476a1668fee9eb441b5b13f689f5a27ff4d8c749cab5c73931ed7d1ee7f5c9253b4667012b493c1578af4253301f4dff3ccc670f60458

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
51KB

MD5
e10649bc9ccf3b9697a99334caa83113

SHA1
6ddb9795d17e5c6c71edd78b88e6aa9db8d9c7f4

SHA256
a0063a0b3193fd1bc295f793840b406badef213f704b8d0652302811c56b110c

SHA512
b6a4e654715ab5b3dbfda5e4ede8df73f9639f81fcda4fa98e20f05683ba53b951ac411edabe159f87bf22f335215d5af1b0d39fff025a6cd80e3978e306d09a

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
51KB

MD5
a4d3892fd3cf70c5295c8f8bb437aacb

SHA1
355e62b5c1b26b065f8604b28a34c68636986cad

SHA256
75a4c9883f0bbaed6047ee009217c843f05c6e34ecf9d7842b7a55a36834f7c0

SHA512
adbd974afae1d4e75dd2999c0c5006c3df3e9e0007c577b86b67e346d35ae91d2578684aabb7b8ce32446e5b9d03d52db0dea025c0d6ed3b63961aa21437db74

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
51KB

MD5
0af530f6b8710d0e2e10aca3b9cd5723

SHA1
3a7f62aa032a616249a6ff395bbb55e989233bfd

SHA256
fba076651e7b3806176364b4f275ca139678ff676c5fe44816c9fa5bc26bebd4

SHA512
427ddd7c736eb89bf8facd0187963ce185812f80b4df651f945327c2179ec02bc950b6d9871f52f263440282b31bbe485f570da6f1e3575ca5eac3be179177de

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
51KB

MD5
5c4366a580df5a8b5775080d527c4c72

SHA1
af52c2c671eeb2771eb1a1c49f7bd08160c4f742

SHA256
e0fcb9d79d429f8b8692fda6c2369a54d2422863e68d885ef348b9f53258f8e2

SHA512
7bdcb7b2ae647aff46e85e1d98991a8bb5c933d9ed723d72e9e17597e3dd2515222b0e7e224f28fa80430164ccee3a9bffd6caf8b5b2d4e70f6028267be1d704

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
51KB

MD5
1ce519eadbbf6019d789cc430db63d28

SHA1
728740dc818173cd7d37f1d3ede08ea01bdc44f5

SHA256
90132a7e6586e750efed12ae0b27694ed3e5af2773c8dc7dca44971e19557b54

SHA512
38666bfcf666926910cc83c2e45a31fecd5eb529db3c19c5de3db699dbb60bddd30a018ea2d653622877d7891d203a5f3be4eb0923900be7b64b22ac525449f9

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
51KB

MD5
c8cdeee30b516d15a987f80906eccb96

SHA1
f87a7b70ed2381f29678d258eb9df506ac5f8956

SHA256
700b14782c733c1670fc73c85a933b1d7906322f941848b1e5ae7a7268e0f803

SHA512
155cab40bec2df30efc564ae5694d2cf3c750a2d7daa8dc0ae4222a851cc9560d06b8c093f4d8d04d8e3f9ad7659347f2ccc151cdb29ebf71d0d3db5147e9de2

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
51KB

MD5
459256f0c8cd687d8bd10d16536d7136

SHA1
892e78bc784f2230f961ebb5b10072f404f4ce03

SHA256
d150a52e0f525fa604161746610c1773d45b7d4c105923d974d06087291413e0

SHA512
9c25c160ae3cf47751eea26e0ce5713937fa5ac6707727e9105c857378c33d97207ae3337c4cd39339c226d87a562951329a76d0ce55eccc19c8029f008c97b4

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
51KB

MD5
a92a1e653df0ec3d66e4af5397da9f75

SHA1
bd24ae1c8cfabe4184be6cef6c75bddab8788cbf

SHA256
470ac5a6309c46786d1e8b8560958354d97f71d5224a31ba6dff208f57bd0406

SHA512
fd8dabca7134e7923144b2cc4de6a00768b182aea3791dbdfa5932f0d3a9f30fbba8b0afcd54d66dc583f8ff63018321f816900a66a653243718f811c6334f55

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
51KB

MD5
e04de3d760d5c5143d71d9005246e7e6

SHA1
93e724d1262c46caaa996309fd05a1d25db6b898

SHA256
2878fcce222cf715ebe914e88d6b544007e937db30ccd32fc4e3309fc1881d04

SHA512
75537f752246ad822b2995d06c5caee15400e77826f83ff2fd7daf5469baa1f3fa2d8fddce45a1f5ca522b2536671e085e1cc7bc58f203f92f6a88b25677ffa0

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
51KB

MD5
242abb61d4ca663dbd8e701902a40f5e

SHA1
8e38290007f8ebcf10197effd8eafc9cdb715df1

SHA256
2fa9cd8f67a4c445a1f15d9d98fb9b9c20c621a8c38afe198ec00a64c4ed9048

SHA512
2668d1b03e4d31663cbc7a8ef289cf4f94687e4e18b6415b600bd3ad3c8f041f0ddcd0360a67dac5ebdfa8a560731029edee11f33e7a82d5ffd3f4d6fbc300ad

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
51KB

MD5
4b2fb249e4fcea5fda02bd213b9240a6

SHA1
0071b3906c18064a60ac9a5ab5fd5df744d9e29e

SHA256
66af19deba4674e25a1ad06cc7b1ffb64a62d23874844c903aa0acc29301de55

SHA512
3e1d1b45ef5cf8a04c8e677034313683aea8d2f3f33f5d9ae498ed492c063aee2b7791a029e0280fa27777b0f3423a0aac73db19fe954e2cea5eb4d98c45ea08

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
51KB

MD5
bbbd1ca6a55de40184e739a7491a1a87

SHA1
eb978c7b488a5d511d9ce4fb7b0ab420dd699d7b

SHA256
6ebc432016350242ab838c5118ad50f26d7e2e5ac6f20298c7471a2d7453deda

SHA512
d95314cc1b4be5d2ae1b6de6ac73325d11c419b67a8d3ce2e24b168ca064c8c2ba23a78e1c09248e80bee90babe4d9d5605819c0916952c86a17abd7cf826582

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
51KB

MD5
cc06c7fe93b6f69a446e8a2b67437fb4

SHA1
0dbf670d569cf1c34d6dadddd4f2a2e9460e43ea

SHA256
9f75ee28a07034931879ba1b8082535242e647229318f10df9ab0ae6ee770014

SHA512
5083ced64bb0fde0851ddccaa406a2e4e9cbc869b369855ad17eb10de7015e2414c0483c1ec643fa8d39a42fd09a197354c818fcf0252d0482c679dab854fd8d

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
51KB

MD5
fe7a155901924e153b8888ee06b51441

SHA1
9377f0bd00be8661486dc7a6455437f5de78f676

SHA256
853647d8d41e56bdacdcce234eee1982450698465de7a7cd2b22cfdfe2bf0956

SHA512
2ce6c91727846d6927e3e72860b328c0f15f83512a647e4afde2fa33b8fa57400583c1d7b835ddc38c3922583589e3ef495bf121630d6357f15261c34caee33b

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
51KB

MD5
40a55bb53c1ecf7eb7821dfcc914b3c9

SHA1
0986ca6c5f0ff94780fbc091e73a2d8b80a7d38d

SHA256
532b727fc20b1a60ed3fdc83b650b5b57aa85a8a65ecb1372dfe01771239d62e

SHA512
93573407eec6d90fcda4947902be2ec2591a299b3477b2982870aa961b11f5db0d8a2866e93ac2dbda7f74a83ca674168829272c9348ba912efdaa25db4208f5

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
51KB

MD5
fb6c71b5f34e126612c775b7ba1bcc42

SHA1
3d1538b9d6966af7b223634b4dc4d208dda94948

SHA256
9597e411a0235c98f1008bf0bbd21a10c49488703f05787cc475f1ef9dedbf75

SHA512
9d8b9068ae8c8729e8b2397947bfe363d9645fcdbda1dc8b01ec11d9c02d50b33e464a62bbb4bb5c281ad0c45eaefa00553f86e05b51a1b2387b153705943875

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
51KB

MD5
3f262c488d9a3e5ec9df44ba2e482f01

SHA1
d4a960ac6c985a58197b1016571b22f17bd84b00

SHA256
db40f6cabdaba2b6c4598bb54f976ed94c480c0aef2d4b8b79dddc6e875fa3ed

SHA512
527492bfcc23539b5e66b30eced8901ddf3646469ab56847bf3fd625270d5e1599380e52e5f0686c23c3914fb08553819e0f33a469e9aeaf96bbc8da03b6d641

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
51KB

MD5
ee0ad0202b61782e2d53e4032eb2aaf3

SHA1
f275fefda2816370a70ce6b3d8dfa490b5b3b9ea

SHA256
efa2be69ef10cb58f48ee433e1d634ba4ba8b53cc353f70970e1064f94560ecb

SHA512
1ad31f6c0d8c4ef2592913894e97ff134c803dc3977057fd4fb724b02d12d4a5ef8603b342c5138fe8670943316b36e52311e0c6c424cdb807a85c97450ed5b7

Download Submit
C:\Windows\SysWOW64\Jjbako32.exe

Filesize
51KB

MD5
e5746d614afe605b626ca6c46130ce18

SHA1
94beb5715adc49f51dc46e151277e30d80639ab0

SHA256
039d1916c27530da5109ca591fbee78a924d01629d46959c2abeed41bfabb01e

SHA512
56f3ecce0111b62376f7a7d3a3a60175e414a681d43f7f05a8e4a835a54db99c892a916165681397dd20da81bbd893dc0096ee6b71dada8fc39f578b5568265a

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
51KB

MD5
402d71cd6b60f3c83ae72ed800aa8a16

SHA1
068bbdb7da4bf5c4666acbd9f5bab4b0606abde4

SHA256
2bb9278b27ea10bd004860a88ce6bfbda87932d8b19e6a6c23c023305e2cbdb4

SHA512
88c1b13e0c64ede0e111f84982d964ee2feaf85534cfa52eb7bf6de243bde67020d334a37cad5a586e1f0a8e0df6148e39fedc23343c58fa0a8e1449d467ce59

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
51KB

MD5
bbb055ee1344524bd32b91a2a03b45f1

SHA1
c907198f85c2a580558a3f9a206c91b8f077ce7e

SHA256
eb2d2a6d57440a515f123e629e3fb9242c7a774b6394730200c9d370ac4263f6

SHA512
1b6c4c8109032fa37509e016efa31c6a17949d48d20ca62b3ebb999800509cf40029ef6371f1e17151a18377e15d8759ff0298e29f05c20cb5fe29ffd9b0dffd

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
51KB

MD5
5e14a413fc69b5baac852edcd4c13e0a

SHA1
e3e0bc3eb8812ff1e8b73cce05d4da5dffbeb173

SHA256
9fb26015acf308d8c1a56307cb2180150c27516500396e06c8d0507cc88f5424

SHA512
6b4cb7a9fda529b49288131b609af38fb59553a6edca78e259c5e4bd9c7aae41383f0d7f9896196aaa62b14a05dc43c0627307a0cefcc94550357adcd6a25554

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
51KB

MD5
02a724d4515cacd8424c922a03cc06e7

SHA1
d67d302b10ced6b595e0e292f5ffb75d3563cb01

SHA256
17b8e4eecefdab21931e07bc35485a5b1d141b071d6e1e891089e711e40bdc17

SHA512
47c805c1a75f2125cf3d0cf2adf694e3eba7ac96586a8486fcc8669a3d2b05b2459806024d650179ae54a5b37b1443cccddac625c1493d6729e3261ad83bebea

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
51KB

MD5
2335679ad03fbf73d1767bc4f558dde8

SHA1
bfe8656b557c3ae13987cdab040fd39393879982

SHA256
a9c92429295450745952b0c51652f4592fc9c53084de0e63239cd7a92a5761b2

SHA512
12464710ff74d6c42f2f96d7ea3218b211818e432594146a93335d97adbb459f021552a50fba6f51c828220004a61be054ef039d801490b7bf6dab16a01ed5c7

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
51KB

MD5
876440700a2fad2df1f46bc109140de0

SHA1
4d44dd5b8f15eabb6dc92a1966b607ffc8700645

SHA256
804d3b8f8accf68cd353fa65efa0d0b9be1f27d4e8a74c693330693468c94e80

SHA512
1b93eee99451d162650ca9a475dbd66c1004a64221a1d9ac734478f748150bac660f8563e4c2ba8042d7d96ac999d6c90b8e7447e8ce29dd6303a46dcc144c49

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
51KB

MD5
84c429750bbbdd58b333653caa3be400

SHA1
378f372ebaee2d5aebae28cdf5f888ce13612171

SHA256
568d863aeb6e1003443abaa3959b384937eb25b8a16de6109e3b4925108001c4

SHA512
453485fdfbd5ff208969b8311b3ebcfb9e31e0619e092329b922c0662a380d3541baa5957bb45a0907c27926ec208cd561ea03eff70c03e68bd221c6eccd69ed

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
51KB

MD5
d60377f22531456faa54fb9d532e6309

SHA1
5976842717bec9d0caa1a22ffb0d39bf52f19a1c

SHA256
2f4dc4aac18be49d261aa9c868b4a2dbcd73720bd9deae168052d6eac5ba7540

SHA512
7adacc916f6b5bb6491bc31a280311e7feb7add65055b51b695fdb45906bb537fb10f7d99dd2d960bac17eb8c02908607e4a1063a906581ee266e46afb93e64b

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
51KB

MD5
7c72ae37b8051ff92b9d6b76f175ca91

SHA1
bba18ef283de8a2c29383d99bc458554529507ae

SHA256
cba5baefd73505ea2a75e984cee376906a4c1e9d2f711fea2e0d3aed764b5aec

SHA512
d0aa9523527ac9795228f0e0fecc572607452d29d1409bbefe7858db27202bfde2f8aeac6711723caca5ab4a5ebbb47d38d0b88f733649981dcab0961b5fbde5

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
51KB

MD5
ddf798d4ccd99a8202182434b9662e20

SHA1
39a8b7836dd183d18ec662af0c9dbfb3719b37cf

SHA256
f3321cbf15f14ba7ccaefcbb69ca99b416616516ce3995f0d356ca26ab21624d

SHA512
d7c163e87d693e29484dd4ac7153c043e282ad382e8071d8aa380747796f2216f662be2cf106bd1b58a94cd493b7ac271cfff2661fb2ad7b006bb854f14d7148

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
51KB

MD5
7d465b5123d042233b7dd75e461fc67c

SHA1
598884c102fa940994947513c6e13bf1f70fe197

SHA256
f71608b24ada5aa52e1bd48f6fd90740ca8f2fa5cc98af40f3ac727d288b3238

SHA512
982ea88697b49b3c77422fba432c0d2d6689025d840dfb42c032d86987b5aff50427f90258d046f71ded7cec62f055e23c0c5aa2ac6c223bd8bf569fb3b3668e

Download Submit
memory/8-573-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/112-248-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/384-466-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/408-376-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/632-144-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/696-370-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/720-441-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/744-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/744-579-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/756-558-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/756-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/772-322-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/920-538-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/956-298-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1056-175-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1096-549-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1096-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1132-346-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1152-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1188-128-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1196-310-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1208-453-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1244-108-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1268-200-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1412-572-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1412-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1500-309-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1664-262-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1776-482-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1788-386-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1868-223-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1948-460-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1968-116-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2024-526-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2044-501-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2104-364-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2124-292-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2256-412-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2388-409-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2472-196-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2536-80-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2552-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2552-565-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2604-160-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2608-215-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2844-168-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2976-362-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3076-428-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3100-559-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3104-555-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3104-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3112-212-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3148-594-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3176-515-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3220-587-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3292-152-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3312-422-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3320-48-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3320-586-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3448-494-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3460-236-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3488-316-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3520-244-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3528-502-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3620-334-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3700-95-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3716-291-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3784-120-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3812-357-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3848-584-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3876-593-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3876-56-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3880-284-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3884-87-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3916-261-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3924-566-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3948-472-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4076-278-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4088-550-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4160-557-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4344-404-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4368-183-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4408-328-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4436-68-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4472-524-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4508-532-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4528-138-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4568-487-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4584-392-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4716-340-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4876-394-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4924-454-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4936-430-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4992-508-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5024-268-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5052-442-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5624-1277-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6372-1255-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6460-1252-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6500-1251-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6800-1239-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6936-1236-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads