60b2f501c337d048e504a5c1ffcfd5df3fc3b7720c64ff7ee41761e25af9569c

Analysis

max time kernel
138s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe
Size

255KB
MD5

ec65c4b30c739f829c7b3ac2414abf80
SHA1

475e5c0770f1d4aea1786b3a7306f8da90cfba72
SHA256

60b2f501c337d048e504a5c1ffcfd5df3fc3b7720c64ff7ee41761e25af9569c
SHA512

f79f2e1d570c305a119bbe70ce0a42cd8f7fba6178f3664cc1717c7e3ca6f4249bb5ddfb76a03315bca7080fcaf81b428e9cb41662321afd987079494c205aaf
SSDEEP

6144:fYC38/lEaM2xUS6UJjwszeXmDZUH8aiGaEP:fz38jj6YjzZUH8awEP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe

Executes dropped EXE 64 IoCs

pid	Process
3044	Epopgbia.exe
1068	Ebploj32.exe
5004	Eleplc32.exe
892	Efneehef.exe
2088	Eofinnkf.exe
2768	Ehonfc32.exe
640	Eqfeha32.exe
4888	Fmmfmbhn.exe
2564	Fcgoilpj.exe
2844	Fmocba32.exe
5116	Fbllkh32.exe
4056	Fqmlhpla.exe
1612	Fjepaecb.exe
1884	Fobiilai.exe
4208	Fijmbb32.exe
3776	Fqaeco32.exe
4960	Gjjjle32.exe
2928	Gogbdl32.exe
2504	Giofnacd.exe
4100	Gcekkjcj.exe
3564	Gjocgdkg.exe
3568	Gpklpkio.exe
3944	Gjapmdid.exe
4116	Gmoliohh.exe
2772	Gpnhekgl.exe
2636	Gjclbc32.exe
4428	Hboagf32.exe
4448	Hmdedo32.exe
5056	Hjhfnccl.exe
4588	Hmfbjnbp.exe
2888	Hippdo32.exe
4824	Hpihai32.exe
3868	Hibljoco.exe
2420	Haidklda.exe
464	Ibjqcd32.exe
2236	Ijaida32.exe
448	Iakaql32.exe
532	Icjmmg32.exe
2584	Ifhiib32.exe
4332	Iannfk32.exe
1632	Icljbg32.exe
2228	Iiibkn32.exe
5028	Ipckgh32.exe
4876	Ifmcdblq.exe
3292	Iikopmkd.exe
1364	Ipegmg32.exe
4976	Ibccic32.exe
3548	Iinlemia.exe
4868	Jpgdbg32.exe
2120	Jfaloa32.exe
1352	Jiphkm32.exe
2748	Jdemhe32.exe
4584	Jfdida32.exe
4956	Jmnaakne.exe
2660	Jdhine32.exe
1040	Jidbflcj.exe
748	Jdjfcecp.exe
4216	Jkdnpo32.exe
1852	Jdmcidam.exe
4752	Jiikak32.exe
3416	Kpccnefa.exe
2344	Kbapjafe.exe
3052	Kdaldd32.exe
4016	Kgphpo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Eqfeha32.exe	Ehonfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Efneehef.exe
File opened for modification	C:\Windows\SysWOW64\Fmmfmbhn.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ehonfc32.exe	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jfdida32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6000	5740	WerFault.exe	205

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 3044	1656	ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe	85
PID 1656 wrote to memory of 3044	1656	ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe	85
PID 1656 wrote to memory of 3044	1656	ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe	85
PID 3044 wrote to memory of 1068	3044	Epopgbia.exe	86
PID 3044 wrote to memory of 1068	3044	Epopgbia.exe	86
PID 3044 wrote to memory of 1068	3044	Epopgbia.exe	86
PID 1068 wrote to memory of 5004	1068	Ebploj32.exe	87
PID 1068 wrote to memory of 5004	1068	Ebploj32.exe	87
PID 1068 wrote to memory of 5004	1068	Ebploj32.exe	87
PID 5004 wrote to memory of 892	5004	Eleplc32.exe	88
PID 5004 wrote to memory of 892	5004	Eleplc32.exe	88
PID 5004 wrote to memory of 892	5004	Eleplc32.exe	88
PID 892 wrote to memory of 2088	892	Efneehef.exe	89
PID 892 wrote to memory of 2088	892	Efneehef.exe	89
PID 892 wrote to memory of 2088	892	Efneehef.exe	89
PID 2088 wrote to memory of 2768	2088	Eofinnkf.exe	90
PID 2088 wrote to memory of 2768	2088	Eofinnkf.exe	90
PID 2088 wrote to memory of 2768	2088	Eofinnkf.exe	90
PID 2768 wrote to memory of 640	2768	Ehonfc32.exe	91
PID 2768 wrote to memory of 640	2768	Ehonfc32.exe	91
PID 2768 wrote to memory of 640	2768	Ehonfc32.exe	91
PID 640 wrote to memory of 4888	640	Eqfeha32.exe	92
PID 640 wrote to memory of 4888	640	Eqfeha32.exe	92
PID 640 wrote to memory of 4888	640	Eqfeha32.exe	92
PID 4888 wrote to memory of 2564	4888	Fmmfmbhn.exe	93
PID 4888 wrote to memory of 2564	4888	Fmmfmbhn.exe	93
PID 4888 wrote to memory of 2564	4888	Fmmfmbhn.exe	93
PID 2564 wrote to memory of 2844	2564	Fcgoilpj.exe	95
PID 2564 wrote to memory of 2844	2564	Fcgoilpj.exe	95
PID 2564 wrote to memory of 2844	2564	Fcgoilpj.exe	95
PID 2844 wrote to memory of 5116	2844	Fmocba32.exe	97
PID 2844 wrote to memory of 5116	2844	Fmocba32.exe	97
PID 2844 wrote to memory of 5116	2844	Fmocba32.exe	97
PID 5116 wrote to memory of 4056	5116	Fbllkh32.exe	98
PID 5116 wrote to memory of 4056	5116	Fbllkh32.exe	98
PID 5116 wrote to memory of 4056	5116	Fbllkh32.exe	98
PID 4056 wrote to memory of 1612	4056	Fqmlhpla.exe	99
PID 4056 wrote to memory of 1612	4056	Fqmlhpla.exe	99
PID 4056 wrote to memory of 1612	4056	Fqmlhpla.exe	99
PID 1612 wrote to memory of 1884	1612	Fjepaecb.exe	101
PID 1612 wrote to memory of 1884	1612	Fjepaecb.exe	101
PID 1612 wrote to memory of 1884	1612	Fjepaecb.exe	101
PID 1884 wrote to memory of 4208	1884	Fobiilai.exe	102
PID 1884 wrote to memory of 4208	1884	Fobiilai.exe	102
PID 1884 wrote to memory of 4208	1884	Fobiilai.exe	102
PID 4208 wrote to memory of 3776	4208	Fijmbb32.exe	103
PID 4208 wrote to memory of 3776	4208	Fijmbb32.exe	103
PID 4208 wrote to memory of 3776	4208	Fijmbb32.exe	103
PID 3776 wrote to memory of 4960	3776	Fqaeco32.exe	104
PID 3776 wrote to memory of 4960	3776	Fqaeco32.exe	104
PID 3776 wrote to memory of 4960	3776	Fqaeco32.exe	104
PID 4960 wrote to memory of 2928	4960	Gjjjle32.exe	105
PID 4960 wrote to memory of 2928	4960	Gjjjle32.exe	105
PID 4960 wrote to memory of 2928	4960	Gjjjle32.exe	105
PID 2928 wrote to memory of 2504	2928	Gogbdl32.exe	106
PID 2928 wrote to memory of 2504	2928	Gogbdl32.exe	106
PID 2928 wrote to memory of 2504	2928	Gogbdl32.exe	106
PID 2504 wrote to memory of 4100	2504	Giofnacd.exe	107
PID 2504 wrote to memory of 4100	2504	Giofnacd.exe	107
PID 2504 wrote to memory of 4100	2504	Giofnacd.exe	107
PID 4100 wrote to memory of 3564	4100	Gcekkjcj.exe	108
PID 4100 wrote to memory of 3564	4100	Gcekkjcj.exe	108
PID 4100 wrote to memory of 3564	4100	Gcekkjcj.exe	108
PID 3564 wrote to memory of 3568	3564	Gjocgdkg.exe	109

C:\Users\Admin\AppData\Local\Temp\ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\ec65c4b30c739f829c7b3ac2414abf80_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\Epopgbia.exe
  C:\Windows\system32\Epopgbia.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\Ebploj32.exe
    C:\Windows\system32\Ebploj32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\Eleplc32.exe
      C:\Windows\system32\Eleplc32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        23⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        27⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        30⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        31⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        36⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        52⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        55⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2816
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        66⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        68⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        70⤵
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        71⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1836
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        75⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        77⤵
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        79⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        80⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        81⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        88⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        90⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        91⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        92⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        93⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        95⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        96⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        100⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        102⤵
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        109⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        111⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        114⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        115⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 400
        116⤵
        Program crash
        
        PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5740 -ip 5740
1⤵
PID:5952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebploj32.exe

Filesize
255KB

MD5
60a34e43649ec7f3be8f4741751d1eed

SHA1
c2540171de83cea15a39058fe051a7567683b608

SHA256
36847fe88642da7cf62a9536e2997e34bc0c8af91c1ce987a3578016045459e4

SHA512
54d787c560f7da98612f1e7048a5430f617a53d450ed69a443d436238377cc1f72f6371a21b3d52e7f67a175fdb5c9b69c13f96326f48da5322f5bfdfad3b883

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
255KB

MD5
3bb9dc8e35a2f89fbb26ac3a59644422

SHA1
8383faf2d09d2bfdff507a74c179e262a3de599a

SHA256
94b13da16d33a12eb4015005ae27dc0eed4def7c9809d946f89e86e8fab1a1c4

SHA512
f6e5325abc0ec1a65d47f89290330ac3cd675ee44aaac0cf51ffdfdc8cfd9c8a4695312fe19318ae54962bd9ca641f9ed4e5715e812027b5ee091bb74801ecdd

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
255KB

MD5
d164239ffd3007e87a17bf2171c56b75

SHA1
623318753c91c66eefc9a0b50ba3b9d41045cce3

SHA256
79e0885b0b89a39bcdcccf1fe2a54aafe2e07dbe768173620c9ada51a4d90dee

SHA512
cac6302820bae051d086a6d39b9b13f3dec14b7a19a6a185fcc61b4b79e778029130a6b510670f9a7b79ab5defc969d07d0aa2e1aad45e04e053e788d67acc13

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
255KB

MD5
489fe02051a02b647cb9b045daa0b893

SHA1
0f11aae91c8f6e0c1d99394ec22972f6f8e652fa

SHA256
2806eca721c2a2ce1332ab62f45c133e3009871bdd00dd4374d4d40f21ef1b21

SHA512
706e94e08a5d11f3ad5cb2a52f8173651a4cff90ff66dab5d66c36b6ae760c50b3d8825c1c5addc50d0e0baaa2b500ca31be85cf929c1602dc14b2abb004d448

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
255KB

MD5
859e2aedcf4b2a7e5306372c10082a8c

SHA1
6d8023c836a004e7555305b1c9948e769d0af572

SHA256
189c3be757fd3ec517e3cce8d2e77f75e97e007ee0142b5bc2438a1cb3b402e6

SHA512
149b094274091fc1f99239057743aee3dce40c514790dc6cb95a5ecbc69c9cdf9d3e364668b7490f2cff80c069f02a08fcc1da85797d4857bf72e4900256d411

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
255KB

MD5
1c2cb9356278f8e7b60cc72fff5b35d6

SHA1
98b9f3dbbe1d6d16056829013d9c1fca6cf6be9e

SHA256
dcedeafba4384fb04070f22ca21d8343f4c90e6a098694168f4aee7131405fc8

SHA512
e755a0c11717d878d54491546ab561c31b5dad15bf2ce99e48a16664a90f5bb709ecf1d67c376fc451bf50180ad2acc86080cf70efb9b6af7dcb7a5557b3a8f8

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
255KB

MD5
84ea2902d023f2d243c186fa7ba56380

SHA1
ad7e4dd4a4f7e48e8f3dc84af3322292a59dabc5

SHA256
30cd543b6723a4a4505d034777f239bbd79f2868a74ee4b7fa21ce35d48390f9

SHA512
939c06c40d11a91b83ad20d2a32b0f939ef4e37286216309b1e3fb9a0822e32e429be06784000e2316c88cc1153ebaa78eaeb2b0b529e180ecabb4bb77401a71

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
255KB

MD5
aa13a88e6ffa69bd76a66f06170780a0

SHA1
3441c4ce61a16a328b9709328eceb1990a303175

SHA256
9e0f7b12241f0814ca5a258c77ae5d6dd7d59a9000c653452434c7cd4a70d938

SHA512
d3d1b6719fadddf73ac76234aa67b61ebb601fe2ea051dd733d5b5a344c74b8d8d1a82cbd9846b8b0b06ed481c41bf42788b168208595d8a503f6a60bdf4f830

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
255KB

MD5
5fafaf10d77a15ff7fb0ccc6cfdbb1d7

SHA1
0a03b87a705d0721fc8cc2a9959cbad36e29cc6e

SHA256
956830e208976899be9bf6ae48466e9734bef476042d631a814fe1ece42eaa53

SHA512
47f6a3bc30ab582583e29322e0317410e98d6344dde171fd5d622d0126c6f6251d398c12797467e58b2ec2ba8e0e2a03e2c9b8b1b86c1a131332ddbd5b8e0a78

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
255KB

MD5
c0dd375f2dec8782fd400abc5a6c4b46

SHA1
d2a2689c8a35d3cf2efc2435a2891c05dafd6343

SHA256
1db791097f812f87263c87b487d07296f8301051cf1f5e1819a0e7b0b4c66f12

SHA512
dc143f8be6ee855c23598817a833ac010f4817b16fabbb808bc1f1917b96afbe292e0d84c541718fc2a5713e4918a0f0ac412596c702115833391749e24a4aef

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
255KB

MD5
cca4f4b9edab13ae5068e7651312c5cb

SHA1
06aa4d85723d9e588437ff93e78113bdc1e18e36

SHA256
7e6706549a21cc2e04c4b356aa364885bcf2de8cb70e08a61392ae5daf875635

SHA512
5aad13bd638ec3e9ceb011dcf511906d54d2656695e7f8b8537f0a2cda8309265c8df523444673ae9fb40d52ae0d295afc6290184643cd7f811d7b5b5933af40

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
255KB

MD5
5eb6ed7dfcb1bf4bf61e768d1990e35d

SHA1
3b622fd1e87dd58783951dfd2e2ea22054cb8fd4

SHA256
f108474f79ee354aa8d02346829c4c386e8d24b0cf2a1ad3d1cf1936e254d2d1

SHA512
0c8775012d2a25b2f6e0882306f8272be8782d21205b72e19aab6e86e17b3cda69e26560b8efbf1e0776b41cafd7c2df024a1c211a577b49c7cf321004f808f7

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
255KB

MD5
7a30ca746a3b1e63c4f2a761e6a009b1

SHA1
1bf1defc98b94c8c240fa6406c4f282b524a405c

SHA256
c4daa5a5a9f08d4bb7bfd52e7f549868334736efb0b5f5ec0c6c69e64271653d

SHA512
4cd05d704472a8c331b2e819de6970cd252c29580ed095df8b30c65bf0afaa77beed0fa3c9576183246b797ffbf131fe594885f8ee1a0abd177f562c70756ab7

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
255KB

MD5
f7594541096bbea17efa37f53a9d2427

SHA1
16177314ce79dc1d740dd2aa373e2aa015927585

SHA256
955c58cb08115baa804fe61fdf33995172b6b39c16097e4028fbad60b4dadccc

SHA512
4747c08f9d1a08ab35e9949ae2228b800127fd6e515af3dc9a7a34d1b719b0b8e4408e2fd2a51462e7e60cb2e9853e6e138282c434a37adb6beba1d6c545cea0

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
255KB

MD5
55aee0b75bee054f00d27b3cfd60fd2e

SHA1
c4bc5d1d43dbd0d8a72ef7796f9c282c27d3d600

SHA256
98806e77b7f1078f433d35afee06283846f9d91397bffabcbaeaa8f6a4cdd6b4

SHA512
de7a27fc08a56a17d589d220c98bae9c8725635ca7e6e5bd260bdc7480fae75300fccc1482b8066e78247fffb8c5843290b40fe3813093b50c97227491464d9c

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
255KB

MD5
fc341e84cfba8545ae5b1ac5d9b2df39

SHA1
137eb1a97981d2bbf86ff1d1c9bf92cd5f36e846

SHA256
52f78bc0e8f78a56857e4201283be37acb5388c4934e9259472a2a159a6e90ee

SHA512
5fa2bd6c0af8e62f2f826e8a4d41eb4758a8ee09d4b376fb37825e62ad4afb606ff47f38105c7165de5ca151a39a019c0fb60defb236ae1e045f00745d4b1ebc

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
255KB

MD5
69a6d0740c05666e4d9cec14f43c9be6

SHA1
a2c7b8a041c4a17a94fd1532c301a85109336375

SHA256
762c06caaca86984e52416a57ecabd7983b5da50ac89e57fe3b0ff8e09687787

SHA512
4e70085a594426ae4f5e2b6b360d8ffa2d1948c4dc29b03f551f5dc7b75784ff16c0815b859c2ff01af23c2383f187b9009391c3b12a60bbe1990c91f53a5e23

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
255KB

MD5
9d726c36824ca86120bd15603d5f366e

SHA1
a444080c0fc663a13d228a56c87486ef7e486e28

SHA256
1957d12d95ab7493f97f3e73cda833670b61a3cf542440b8f3c1a2bd644ad5ea

SHA512
396d2c66da62fa086addc2da4551aa114e16f55d3223a787c4d51ab96644ad43378d254a9aaa17fb35432591a2b86519142956aa00e48fb459d407d26520495b

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
255KB

MD5
01d6b052caa6f6a9dd00cd0d5f1bf7f3

SHA1
e96f67e4c2561d5cbc167b1987344231967fcd97

SHA256
0bd2e85dcc9bed9a3b286d5a20811dbddcf08cb0febc4a9414854bb53fe3fb0e

SHA512
1a458c89fbcc30b0ed7520f34477107e861a89ac270a99895cb2e0cb8a26d4547b6ad0495b15c371f4d9aeb50472f3f2a9a0d1e32e7076ed2b77e8acbbd40bfd

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
255KB

MD5
c4f376c9c41613a4385e06d3e1ebbb8b

SHA1
34e7d7eb67a9317cffd62f1afd913b39e93f9802

SHA256
c802fdc5cce889de466edcf1871f2f42d0879706aa20e11e67e68166ce4cbba2

SHA512
ebfdd9617c805c5857c6c04d65d3eeb7042e945ae6fb5b2510115740a49e1e46cfee95334dfca76a1a953e0579c96d89e5ae80e2d01b42b9283756632f8b8713

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
255KB

MD5
bc053f4b76c296cdeb748b24a7242cbf

SHA1
b348c4609cc0d0a91fdf10cceffa927c45b19df1

SHA256
12f542dca71b9c0c00fe9f3616fe3864dd40a63bfce5e66866ff56b35fbd8bb3

SHA512
6f49ad3ecf48c8bdaeb85ad8a0d7c61bafaccfbe77617b2404bfcec6a367d2492fc907cf0e8575cc115df5d541021b2f10cc7ec01d35f4a787b6332ec535a88d

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
255KB

MD5
3ab0e8f3584df9f244594928b342e8ad

SHA1
591c641c271ea8145bf1b2ee15a0aa61f82f7167

SHA256
8f316f66acc365c7d489eec4f551984596d8ac013955dd92bb71417770bdecf6

SHA512
93019ec2a771ba1d190b2684bae99bc0b4e381bc9f15702f57106c39122674e1fc05544074a810c76448cba88048124f27553c8cc803add593f7790d98f93bb6

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
255KB

MD5
0df06c308c1a4ce1f6d08c5ffba62397

SHA1
52d27d7ac171be9bbea0aba41bdd52d2b2789aa8

SHA256
4546d8698903adea17372f0df1bfe542d32e7b1873763b269537bfde48144193

SHA512
3fcce89ed03a84f3b8244f6be335d9f32f30fb4588ff5c36a19234122b879b167a7273edd88a565133efa2ffcd2784ed5a734c7b6f4ba3658e6f2b7321ccf3bf

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
255KB

MD5
8066ed39530fab7f878b5c587f3c4bc2

SHA1
948a68ff6c932dc095c65ed14651fe469eb67f96

SHA256
eddf14404505f29b5dfaa93114eeb74351b1ddaf249707932733bd5c0a1e4ad3

SHA512
71487bfbfd89af58ed021a622c952167c0ab35522e7f717fc7a8d49c0c81944dbe4d8703d3d89e4770d2aed9545bf509611a5d1063031d2054a849653c067c60

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
255KB

MD5
c48052d3766e0bae4b6ef2557a5ba5a0

SHA1
80544548b28a6ad0fc763a94d09415e481533034

SHA256
e8354fdcefce36c9f10c2a1502994b2e752f835bde782cfe982ccd47c85fc4fd

SHA512
e2e088526951ef8463e864133bb00978f58c92b15b01e5ad74c4dba73de4a4f6b3245ec837c089f96361e89b31f2a555ce795d50770bde1693b0e4984ae25fba

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
255KB

MD5
c5938e1b724a155482ab0f1cc8473ffb

SHA1
f3301d965f5d83fa2be896337846903ddb551f9b

SHA256
563334c04e196cd43adc42b11a5edad9ee9bc83daf3ecab169a1f658ef2e6240

SHA512
b27741e615dc5ac2de1868ba0775fbe2cc127c3e7a7b1719aefc5a78f614dc1081357f0959539053b221c9758ee9ac878a762e4842930f46e64ed9b0743da539

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
255KB

MD5
78d4d001ecafeea5b05e18755b5b70bb

SHA1
0439d426595666e0e99b8d6af15c7ee95dcee7c4

SHA256
02c8a9620e15d1cf39fa0a476247a40309454d3052db5f01cd9b6de849df4acd

SHA512
b58dbac2717947d2383bf34c646bd97a6e995e3d32936a845523e24992c464d024007b8592f85964afddcd38702d384d7e3d6f965a563fc791474b4464746b73

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
255KB

MD5
854785fc9c35d687c7dd8fd3da7a4ffc

SHA1
778a129ebf1153f6c42a65c7321ca0a5b48e98cf

SHA256
2054c018b516ceace8f79ab6f4dd8624b285c686d10fe0afc5575d2169418372

SHA512
3ba572802ffe3f709283b8770667911f5cc915e01667beed5483218382ebbc9aa94841d6fdd4d214d1e777e36797bd8abf9118c17546eab715e2a2dc086d5958

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
255KB

MD5
379bc835961e59f8047979e824732fd9

SHA1
457e1199d1f6d3891c33f66edaf4353a37faa509

SHA256
25f8fe61db2f70f91866bbb91d4145ad2bfc2252dcfb06fcb2891652d48ab419

SHA512
22094a1e4176c393758bab62a0f76394b6a4a8a6823b0ce4fe61c7b1c186a497d89d80c9ae12bcda577973df9d03bcc9f5d83071ed1cfaad7da53b9165294a4f

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
255KB

MD5
8ea5b1d191fa9451accf9459fd79494a

SHA1
9c823ca665d533c2493c8a85ac2a01894cb8e966

SHA256
35b7580ab8fe6fe6ef597dd30c38f73dc5b072950175c9c969ab2a14b88f64eb

SHA512
ef59ebc6eb76cf294a5552c0105b17da4a92067254c5b59478d667f310f80d19c38de923bf9034f93c34b0f1326312f963c0f415f3e5acb3807e8c50697dae7e

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
255KB

MD5
474eb9916131989e692001488d1ebcb4

SHA1
359d510d0b17e7e1f754afadbbc15e9742ea2f35

SHA256
84f6417356c2e25c30aa3fb05932323d8a04c70370e7e14bad34375aec797ff8

SHA512
9682ff46f134450775614f0d69eee39673f5e43b31185d4f483f490c3f5978b349412fa7a68bc2f2175153eb39d25682271df538cfcdd3a8874b1c65bb1cc6fc

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
255KB

MD5
f03d946b1a2710a0ddbbf447e56d7482

SHA1
7a4bb4456b79ca6c608d9c551ef7cd5fa8d2ff04

SHA256
7d222f962822016f630a8b251e99554082a112068ff22ae5f24752f83c6ecde4

SHA512
d30e870407b7ba073895883c0f170bc6a38304b4b10dca505ae0c45d90a221f241b4c1ee12bd1b6f814f3e71036746fcf385ab12c85afbaf526edf2697b959e2

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
255KB

MD5
96940d7feac51500f394ef0132ca25d5

SHA1
5485bb8732f8e2a1c1e9ec85ce2ea961942147c0

SHA256
bb8d3c84fed33feda65493ae1d8cf912df1a5b823afc258b5572523cd09c1479

SHA512
ea770a43eeba9c8723fa780aee8098b14865a7ad4cc7a7455ff6133710a88ba1c369839d429954ddc2217c1b8af232b00e79327531d587b27d7cf0b67f0e42f8

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
255KB

MD5
0ae6815e40b7d347cc4e1c557f142362

SHA1
e04246ece7a50f39db08519a0e3b099fa8cad837

SHA256
7788eef083e2e89e3073f5ee512de2ec1efef606f1cd39ca0024ccde0237db10

SHA512
9c61fca1f6bf760bdea1b1977040fc79084ab28acd9b790c76098bdbec88a4c83f3f606ea6153d7b86d97ec3f85fd2fc98b70bf80285e939db93093dbd6ef66a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
255KB

MD5
5e3657047728ee65a7b190c51b23f6bd

SHA1
887fcd8d19831f8502a56b463f2a027790d0183a

SHA256
8622dde0906b37d26370babe8dbbd9e7e91247e37d7af375aaf8f75cadb10df8

SHA512
1c60bfb0b93547cd12d92411983289e939eeb613eaa1f759738a2f1d78dc72b0c2c4b7bbb4c3dd0907c9feb7412e46da83e59e6c3f6cbaac8a12014c299ead6e

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
255KB

MD5
7b312f34d3fc124199025a743f8a8d00

SHA1
f50214a885c12e1820af6cdb35f1fee4fcaac182

SHA256
09d40110bdc9bb33ad5e241019b206593f52b9472c32cc8297fff5b364ae7cc9

SHA512
e153597e54710529c08cabc96b582348e1af7b7acb2d1f805ffaf6edb3c4d4b1fd70749c8214d8325bf43611cfda925cf7ec42d92f4b0caa51a6c3b5b216bb0a

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
255KB

MD5
d617c642fc142a2488393efb5ef04939

SHA1
60ef3aef517ae5acbbc368be89d3d670936885dd

SHA256
9bb1bf713c8fa7b784bb965255d2b19aa63d66021f488764af145e1034f0c072

SHA512
fe05f31dac6303bda2a775ae191127fda7db6b739d9e402edff74cad3a1778b03ad9c0b4ab925222f43f67ba3d21fd0fc10dfb9be2d01f95de3bf4e30fe56235

Download Submit
memory/448-291-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/464-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/532-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-587-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/748-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/892-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/892-566-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1068-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1352-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1364-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1468-520-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1572-498-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1612-104-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1632-311-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-534-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1656-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1704-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1836-492-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1852-419-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1884-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2040-510-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2088-573-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2088-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2120-369-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2228-317-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2236-281-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2344-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2504-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2536-486-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2564-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-299-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2636-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2660-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-381-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2768-53-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2768-580-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2772-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2816-438-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2844-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2888-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2928-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2936-522-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-551-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3044-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3292-335-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3416-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3548-353-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3564-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3568-176-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3760-474-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3776-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3788-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3868-267-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3944-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3988-468-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4016-450-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4056-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4064-508-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4100-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4116-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4208-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4216-413-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4332-305-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4428-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4448-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4452-462-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4584-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4588-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4752-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4868-359-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4876-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-594-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4956-389-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4976-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5028-323-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5056-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5116-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5168-528-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5208-535-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5252-541-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5312-553-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5352-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5388-564-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5464-571-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5512-574-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5580-581-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5624-588-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads