0994190619d434198ea0895630a9f2e7a309ca7b679652b8ee8c562466ffa026

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e2090adafa37d4ba74edd8200c1f3c0_NEAS.exe
Size

1020KB
MD5

0e2090adafa37d4ba74edd8200c1f3c0
SHA1

92381ca1f82dd7f1a182da505ebe62b5e7b28f44
SHA256

0994190619d434198ea0895630a9f2e7a309ca7b679652b8ee8c562466ffa026
SHA512

c1fc8596339237bcdcdbe9f000a96fdd9ea0e8d0824bbc4c77665f46e7f1f5728d4c9726bc19706bc213003ef6a5156ad0d215c452bc24ab2277fdc521162693
SSDEEP

24576:T0fyvzecrHPh2kkkkK4kXkkkkkkkkhLX3a20R0i:T0fyvKcrXbazR0i

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakbckbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccaall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0e2090adafa37d4ba74edd8200c1f3c0_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Commqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe

Executes dropped EXE 64 IoCs

pid	Process
232	Chbedh32.exe
2440	Commqb32.exe
1384	Coojfa32.exe
1076	Doccaall.exe
1308	Diihojkb.exe
3420	Djlddi32.exe
1640	Djnaji32.exe
1416	Dpjflb32.exe
668	Dakbckbe.exe
4924	Ehekqe32.exe
2896	Epmcab32.exe
4884	Efikji32.exe
3560	Elccfc32.exe
1784	Eoapbo32.exe
2976	Eflhoigi.exe
444	Ehjdldfl.exe
3300	Eodlho32.exe
3832	Ebbidj32.exe
3216	Ehlaaddj.exe
3440	Eqciba32.exe
1264	Ecbenm32.exe
244	Ebeejijj.exe
632	Ejlmkgkl.exe
3940	Ehonfc32.exe
3992	Emjjgbjp.exe
4232	Eoifcnid.exe
4320	Ecdbdl32.exe
3344	Ffbnph32.exe
1636	Fjnjqfij.exe
2380	Fmmfmbhn.exe
4608	Fqhbmqqg.exe
4604	Fcgoilpj.exe
2204	Fbioei32.exe
4288	Fjqgff32.exe
3876	Ficgacna.exe
1032	Fqkocpod.exe
3424	Fomonm32.exe
4576	Fbllkh32.exe
2308	Ffggkgmk.exe
2940	Fifdgblo.exe
4552	Fqmlhpla.exe
5072	Fopldmcl.exe
3488	Fbnhphbp.exe
2548	Fjepaecb.exe
5056	Fmclmabe.exe
5032	Fqohnp32.exe
2472	Fcnejk32.exe
3592	Fflaff32.exe
3192	Fjhmgeao.exe
4728	Fmficqpc.exe
1552	Fodeolof.exe
4048	Gbcakg32.exe
4228	Gjjjle32.exe
1440	Gmhfhp32.exe
3564	Gqdbiofi.exe
3100	Gcbnejem.exe
532	Gfqjafdq.exe
2920	Giofnacd.exe
4872	Gqfooodg.exe
4804	Goiojk32.exe
2456	Gbgkfg32.exe
4584	Gjocgdkg.exe
2012	Gmmocpjk.exe
772	Gqikdn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Kibpam32.dll	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Efikji32.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Iifpphha.dll	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Elccfc32.exe	Efikji32.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Ehekqe32.exe	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Commqb32.exe	Chbedh32.exe
File created	C:\Windows\SysWOW64\Dfifda32.dll	Chbedh32.exe
File created	C:\Windows\SysWOW64\Ehekqe32.exe	Dakbckbe.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Hbiklpin.dll	Doccaall.exe
File opened for modification	C:\Windows\SysWOW64\Ebeejijj.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	Ebbidj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6708	6600	WerFault.exe	252

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inomojol.dll"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efikji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnbbnj32.dll"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhilofo.dll"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coojfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0e2090adafa37d4ba74edd8200c1f3c0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gqfooodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 232	2176	0e2090adafa37d4ba74edd8200c1f3c0_NEAS.exe	83
PID 2176 wrote to memory of 232	2176	0e2090adafa37d4ba74edd8200c1f3c0_NEAS.exe	83
PID 2176 wrote to memory of 232	2176	0e2090adafa37d4ba74edd8200c1f3c0_NEAS.exe	83
PID 232 wrote to memory of 2440	232	Chbedh32.exe	84
PID 232 wrote to memory of 2440	232	Chbedh32.exe	84
PID 232 wrote to memory of 2440	232	Chbedh32.exe	84
PID 2440 wrote to memory of 1384	2440	Commqb32.exe	85
PID 2440 wrote to memory of 1384	2440	Commqb32.exe	85
PID 2440 wrote to memory of 1384	2440	Commqb32.exe	85
PID 1384 wrote to memory of 1076	1384	Coojfa32.exe	86
PID 1384 wrote to memory of 1076	1384	Coojfa32.exe	86
PID 1384 wrote to memory of 1076	1384	Coojfa32.exe	86
PID 1076 wrote to memory of 1308	1076	Doccaall.exe	88
PID 1076 wrote to memory of 1308	1076	Doccaall.exe	88
PID 1076 wrote to memory of 1308	1076	Doccaall.exe	88
PID 1308 wrote to memory of 3420	1308	Diihojkb.exe	89
PID 1308 wrote to memory of 3420	1308	Diihojkb.exe	89
PID 1308 wrote to memory of 3420	1308	Diihojkb.exe	89
PID 3420 wrote to memory of 1640	3420	Djlddi32.exe	91
PID 3420 wrote to memory of 1640	3420	Djlddi32.exe	91
PID 3420 wrote to memory of 1640	3420	Djlddi32.exe	91
PID 1640 wrote to memory of 1416	1640	Djnaji32.exe	92
PID 1640 wrote to memory of 1416	1640	Djnaji32.exe	92
PID 1640 wrote to memory of 1416	1640	Djnaji32.exe	92
PID 1416 wrote to memory of 668	1416	Dpjflb32.exe	93
PID 1416 wrote to memory of 668	1416	Dpjflb32.exe	93
PID 1416 wrote to memory of 668	1416	Dpjflb32.exe	93
PID 668 wrote to memory of 4924	668	Dakbckbe.exe	94
PID 668 wrote to memory of 4924	668	Dakbckbe.exe	94
PID 668 wrote to memory of 4924	668	Dakbckbe.exe	94
PID 4924 wrote to memory of 2896	4924	Ehekqe32.exe	95
PID 4924 wrote to memory of 2896	4924	Ehekqe32.exe	95
PID 4924 wrote to memory of 2896	4924	Ehekqe32.exe	95
PID 2896 wrote to memory of 4884	2896	Epmcab32.exe	96
PID 2896 wrote to memory of 4884	2896	Epmcab32.exe	96
PID 2896 wrote to memory of 4884	2896	Epmcab32.exe	96
PID 4884 wrote to memory of 3560	4884	Efikji32.exe	97
PID 4884 wrote to memory of 3560	4884	Efikji32.exe	97
PID 4884 wrote to memory of 3560	4884	Efikji32.exe	97
PID 3560 wrote to memory of 1784	3560	Elccfc32.exe	98
PID 3560 wrote to memory of 1784	3560	Elccfc32.exe	98
PID 3560 wrote to memory of 1784	3560	Elccfc32.exe	98
PID 1784 wrote to memory of 2976	1784	Eoapbo32.exe	99
PID 1784 wrote to memory of 2976	1784	Eoapbo32.exe	99
PID 1784 wrote to memory of 2976	1784	Eoapbo32.exe	99
PID 2976 wrote to memory of 444	2976	Eflhoigi.exe	100
PID 2976 wrote to memory of 444	2976	Eflhoigi.exe	100
PID 2976 wrote to memory of 444	2976	Eflhoigi.exe	100
PID 444 wrote to memory of 3300	444	Ehjdldfl.exe	101
PID 444 wrote to memory of 3300	444	Ehjdldfl.exe	101
PID 444 wrote to memory of 3300	444	Ehjdldfl.exe	101
PID 3300 wrote to memory of 3832	3300	Eodlho32.exe	102
PID 3300 wrote to memory of 3832	3300	Eodlho32.exe	102
PID 3300 wrote to memory of 3832	3300	Eodlho32.exe	102
PID 3832 wrote to memory of 3216	3832	Ebbidj32.exe	103
PID 3832 wrote to memory of 3216	3832	Ebbidj32.exe	103
PID 3832 wrote to memory of 3216	3832	Ebbidj32.exe	103
PID 3216 wrote to memory of 3440	3216	Ehlaaddj.exe	104
PID 3216 wrote to memory of 3440	3216	Ehlaaddj.exe	104
PID 3216 wrote to memory of 3440	3216	Ehlaaddj.exe	104
PID 3440 wrote to memory of 1264	3440	Eqciba32.exe	105
PID 3440 wrote to memory of 1264	3440	Eqciba32.exe	105
PID 3440 wrote to memory of 1264	3440	Eqciba32.exe	105
PID 1264 wrote to memory of 244	1264	Ecbenm32.exe	106

C:\Users\Admin\AppData\Local\Temp\0e2090adafa37d4ba74edd8200c1f3c0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\0e2090adafa37d4ba74edd8200c1f3c0_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\Chbedh32.exe
  C:\Windows\system32\Chbedh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\Commqb32.exe
    C:\Windows\system32\Commqb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\Coojfa32.exe
      C:\Windows\system32\Coojfa32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1076
      - C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:244
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        24⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        26⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        27⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        28⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        31⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        36⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        37⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        46⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        49⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        50⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3100
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4532
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        70⤵
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        71⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        72⤵
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        73⤵
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        74⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        75⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        77⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        78⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        79⤵
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        81⤵
        Drops file in System32 directory
        
        PID:1700
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3268
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        83⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        84⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        85⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        87⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        88⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        101⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        105⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        106⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        107⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        108⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        109⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        110⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1172
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        115⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        116⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1588
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        118⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        119⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        121⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        122⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        123⤵
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4580
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        125⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        126⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        127⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        128⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        129⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        131⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        134⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        135⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        136⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        137⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        138⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        141⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        142⤵
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        143⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        145⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        146⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        147⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        148⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        149⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        151⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        152⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        153⤵
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        154⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        155⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        156⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        157⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6204
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        159⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        162⤵
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6488
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        166⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 408
        167⤵
        Program crash
        
        PID:6708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6600 -ip 6600
1⤵
PID:6664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Chbedh32.exe

Filesize
1020KB

MD5
1dd8c4f5a249f182e4a36bdf65c35c98

SHA1
b1339517a37665f040109ca720f5053ccfbb7555

SHA256
a6095eaa775e5558f37e968d77a1e298cf72a59e55f78665d35be07836fa9cef

SHA512
fc502a629408feb2434e6fb9c24e6a10f14e087a0b0cd1b6793cb1fc24389bfd34700427762906914317edcc4050e7dc1f9d446a3a401ca7eeb5752892687d69

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
1020KB

MD5
ce0db4c96b8abec0b069fe584814107e

SHA1
abe2690e6e05e6eee81bd3f81ef081af4c688233

SHA256
09249344d4ee112d1d3cc22d889d78d25a6c223f7dccf8de5c088dc6c1dd4ccf

SHA512
467077f28765d6c38225fa928a44ed625cc6dff097b97931200214018b38924c32037ee16bf2e9844c3ad273d049260e1360ba0de8be402e9e14633497d05fc5

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
1020KB

MD5
f319d4b77b4434e8593bf131f553553f

SHA1
5c1e422e60803fb22085fdabee030141e11a1612

SHA256
7b4027459cf208f83fb251b289d10316c4787318b71f03f772cb59144978d140

SHA512
e8991c59fa8e3a844d3de3a084b9bd0a707f5b219c11ace8a71dc3f248588d16b599ae2367b5de0d7bda2f17f930bd15f817727476d17afb1eadb330e03dcc48

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
1020KB

MD5
2c5d2a9adceaa33bcf2a6f61a97c6d16

SHA1
fdd5c697639c3dea97287ae8b53ed1c98d55255a

SHA256
5734767678025cbbe6259dc7365ccd8be903a449f6f7e08a806c89e0b3fa8e57

SHA512
6656ad79615fd61d05b30716430215c82fc00b6ba48dd7efba440861fb50d0ce90052892f6c634cff117459c766a79e42a5984a4bb81a94ec454e2f09a2b911c

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
1020KB

MD5
8a15ed4fc70108a31af929c532934cf6

SHA1
edf1ac77b141af211f814461688f3982baffcf87

SHA256
5b4c80355656992beb33997a93462a7d08b5cc95b665c92904c8a9ec46430415

SHA512
3c49022a595e73b634b027d804d4a900567fcb61ce37dc761f88de8c44404237e99cfc5c5dfc5732cf3be6d05b9928b3e181d4f061fcfece8f216792774ed15a

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
1020KB

MD5
f50459e50a963b2bacabce1e47c60b0d

SHA1
8dae46a9a0f570602d8287a6d50ee328ea3cc770

SHA256
029ebb80356fae8db4219ee128b70eb47de1c22975dc2579fd8a23817408a0cc

SHA512
655df3a3d505c447ad190f515a7927744e039027a466dd7fa6c525ed60b3fcc230370f1871df6660754b6a2f99c80e5ff81ff89dc81ea626c5b7ea135dda8339

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
1020KB

MD5
448854d85b35e018a7442d03b6b5b819

SHA1
104b2f3e3b48cfc1f4a34d056a4b3ca537c7c874

SHA256
384dabb8df1bf36aac5f6a12cc464d0881c41a0cd177f8837cdf31744bc89add

SHA512
4aa00edab642279ee80faa7bf6aae83e1ac0f7fbab6505d5f1839205ef3e205b7c8d76924e055844d15d39029abe65248aee6b5487313d603fbf429309c38df9

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
1020KB

MD5
b2e1cdf3eff419d85bf6b177d079e125

SHA1
6ae858d7bc707595e10937423ec9a79359f6c8e9

SHA256
4f1c3e7df975b0ef876751032b0a1f338287897e570eb827e8d25bcc7aab242a

SHA512
755850f46478ee1737d998d4e1032e6054ac94a99ab5d5995b37c24b790610c6eeda5e254a7e8f2bf507d80c13fa66b71a35052ccfffcb4372d5a6552944fdce

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
1020KB

MD5
0bd470612468ce4e12f374f465cf733c

SHA1
21bef6bfac5cb19df7c70f01e397c8f40df4e9bb

SHA256
62a13c69b2b39046f038e77bbf25612417d3d5e4f3a97292ede33c3ca9dc85de

SHA512
435d1f1fb76008ea699fc8bf7619e57a8696ed514521d2b12ac5c55c85226c06b156826392261004b424eacb4958b8eeda52e4dd7cea4ac2ee9f9f496aea0fb6

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
1020KB

MD5
84634f85d1cb99e3c435a469edc1b100

SHA1
f23cce60250691485c272481daf4013990aa482c

SHA256
befdcc86e44491f7a5fdea3efb6cc6b578a184296a7c471c09280c873dfbca17

SHA512
d69a55595b930e618328a475ab28fea3d33cf37161bf551e5542bcdd85de810b5afe4fea945a3c155208c1666e60d625fdd2ea6ad2b6e48e965d989b18461080

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
1020KB

MD5
eedc0d1467917abcc1fdd32ba21137e2

SHA1
e8c92d71ed4d227ad3bdf91a277045440471de5b

SHA256
3b5ec352ff00fd76552c2540795f554794f2826dccbb361bc5d4c6408a0df99a

SHA512
d4b431fd21def3db60eb769703181265667545ad5595edb526d97b3f9208fb874bcf07f12b0d9f591218bd63078363e300bdf932bbc4034d41dc35f1e0c4605c

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
1020KB

MD5
c51eab458512ad97e4dd4d3328b76bc6

SHA1
4831bba58f48b7a572bc96e462a1e9765f41d023

SHA256
8272db6f9377e92d00af0c7e4dee3f2e2d6ea872dd167f1891fcad1cbf3ce22d

SHA512
4c086543753174e720a811b4bbc78a22934d4e15b652f804429a9ad1b976a3487aa7f5b2ee97eea8f8a2262be7b76309057edf5430de63246a2a7a1e72d0dc01

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
1020KB

MD5
9a895571afce817a7290beb274fb3742

SHA1
00870f571c972141d82cf96a2edefb860f1ee269

SHA256
9e60614a7fe9c407d638049c6ba47968ac8267213a79ec6e669303a9997e1b01

SHA512
fb30fb6b76a2e1bf5d5679d61133e7e6c757110959896bee4dda608ef05c093dccb5cd412f7f9122635e8b58010257af21035c8c0f34ac7d5fceb4816533bb3c

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
1020KB

MD5
afca44cd3ad268ebbb04057fa5073de9

SHA1
7aa36bd4e5758785320d46fcc0c775265accebb1

SHA256
33d76e8780495cb3b44bfd4d23ace9fcd546ece51ed8022459a8d000f317029a

SHA512
4cc8213d585117150ac3c03c84649420938ab5885923e3931a6b3ac516cd8d07fe638f88b35b81c16a87e9d75ee3f274713cf3ffcaee8293fa5e2bfb76bcded0

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
1020KB

MD5
d546a5e212c9a6d4a8a5d3e314e4eb9f

SHA1
17334402e8a6ccc2d1143a0c7483da61380376f1

SHA256
c75a4b9eff22deb32846ffd91fd4baf3beda7fdd327fe06c49eaed5c67676be3

SHA512
13ff565ef9a00b8672dc9d8bb2420a79de82b11d3fe41f3237099434591028f03caff4b2762602cf04e7a598f928129e39b15d188be3b8b49f956abebe61aa72

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
1020KB

MD5
71a78326ea5bf2c4937c07bae6a94ae4

SHA1
7bfd45179366db6825f8e3e2e6355b294649b9c2

SHA256
c588d66cf21b0a95ee56c7324ca909684ef442420034df3d3b42c0e7069e08cf

SHA512
9b0a118eb2b0da0fa7e86599683d4d977498997cd7ca2e149092919f936ff5dae11682b73c0ddd6c82576506bc3f528f0d5aed81fbf9e5703975696f34211cab

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
1020KB

MD5
8a48f0a0514602507c257758306f20f6

SHA1
06f978b703477a74b672052b6595d300a55c6cfc

SHA256
21a30c35d4f2e779e0b79249b4440c3563301a44a751154943797a4a412a2ba3

SHA512
5b2619843f6d08dbb9d11be44e39a8883d6c820c7b1b0f208530f5db91d505bc3f5292b0d268d4bd1a2a9dbfd7bfbe1ff96d0a7f79a400cdd337d2a22c833a6b

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
1020KB

MD5
dbeed90f16cb1a150a0242a6d7e6ae5c

SHA1
7adf044cd2053d2bb34653e7ca7c3efc178743eb

SHA256
ba79d7e34b2ff325fc81cc1dd53501124e463fe9162aa0a639dae0509f4a2491

SHA512
74b74000e67a15d61daf91f10583b1fa377c3b22c8f3299c3c8973e30125a8229eb535fa33f87d655492733df570f04bb13548e4e4013f8dd57d3530784701f6

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
1020KB

MD5
d39184eeb7f025ef85af4f75ecf45481

SHA1
7fe9695bfadd170092e4f2b720614416f5f53f9a

SHA256
cd3a6bbee029404a07bfe2e7f2da8273c987843ace567e65360727bb3ca1b777

SHA512
a8c360ebddf3986e3594d4ef1d8f73795e6ca7ba909d82d92e21816397c6035c3c4bc55c88fc32508eaf29d976a1e35fd8abd0c9d2660eea974eafb7f4560bf2

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
1020KB

MD5
b6d91638304f446d5ec9f7a1a634ef8d

SHA1
6f93732c99e3ed0afc26c64f3249299f15279d59

SHA256
50ea32411fa41cbf73036947f94c9e090331fe83e80c0d1e35e80bf776f35f5c

SHA512
739b657baf50ffd9702e7beb5d3c3927a4e646b7387272158c87bcd170a6f6428f66de440e65eb9ed1a5eefec39575e03089e4314c2868a1e928fbc6acb7d4ed

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
1020KB

MD5
a3747594d7ae02efd5c159f03cadf76b

SHA1
2fbfac9e4e88e964f0787e6bcf63db32cdd99b55

SHA256
314be72f31a1511467ac2778d398f1f4ce905a4daa415c42beda86b909f66b3e

SHA512
e69fa7d81f3a353e3a8b57cd30a83452e6e4048e7a388747eb5476129e0f3b724c359f880854263312da5d8108fe6feab772eea35fcb118036f974e687c20d55

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
1020KB

MD5
8fe0e427a23cda018ad9b1597c01e449

SHA1
603df6739aa9c2eb155d1d34829741815a277225

SHA256
7e7e2d29a5d6bb3bf70e694c73c19d7caddbb4352104798ab63aceb1c8fcfb6d

SHA512
d9c3b4a64aa990dcf2e419ad8e60ed3acc7b7ee4518bfd46b1c46f9cd303955f0f80c88c2f44ac8064541f1488c3bb1115220ff90a24fc86513fdbac773bd004

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
1020KB

MD5
daba8b6ce299670c57a922ee1453e93d

SHA1
febad13097acf1f9c27635db44ece7b792337cb0

SHA256
c03f3825bbbb703d7163d8cc7ee86ead816ad7566a1ad71d39fb195ad8aa9339

SHA512
39183d3ff01c570142c258348358a5609e84cc55803b5994de5ab3a037b78e337e73dac07264441f49c17ffb56dfa3fa2d9100955525d416cda5d3e47dc13646

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
1020KB

MD5
8753128feb1ef40228abedf9a5406edc

SHA1
f7c953689f94478d23146aacb094aab391c2bc23

SHA256
41b5f9e742a05222e72f239fd1d99e805ed346c7726c79ebdaf9aabbb38d44e3

SHA512
1197c6c5cfe33c7996c4d47240f92d54785aed87b6443c25d2cc481601cf167d5417a402bdd212d9ca68b06612f0d8eff08652bb55966b322bb585e1d23262e7

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
1020KB

MD5
ef4a4a362361eeb7540932b243c9724f

SHA1
0f2f5e2c7273b05d71e5bc631f1cef96dac9b145

SHA256
8b41aa11cdc2ce738e07124f5fc975b88be3c69f296d974b11876f095201bcfc

SHA512
b5e735a97a7da4d4ed9f3e867b879a73891d20e9bbc96d39b9baf75b9c8e07499b9b96115834cab080c34313bb3a4c6635a0fea964a39323d915c574d0e99144

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
1020KB

MD5
768c5611d22a9a5e971cc194ece5f660

SHA1
7acb6923f64e12713792465e543a190a9991d367

SHA256
19102db7aca5249b5e3c585d048934888b87f1d160f431fbe6e3fb84c8d77a80

SHA512
2b37b1e6debc1bbd3b6c74b6e0bdce4c18a9f3df2bb470e21c4bb68fe691a5ec471403cb6d96abb58d32a8b322018bd0aae16a408fc635c65b78ffd12b748c25

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
1020KB

MD5
2b0ad3228694dfd01ea985a94946d6ff

SHA1
bd439bcd7ba8c0861a123dca3e64574c8557633f

SHA256
46ea5f7ebaf888a1948b892f8b148698427e1facfc5db852865b161353c51384

SHA512
ccf98d747705af28cca0f3b0b3c19ac1b348e6ce481c357f60d9d1fa6673e20ee5aa7e78f6cfb4022df68cd6f409c44aa77721e1bcc6fb64149ba85ab89244f0

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
1020KB

MD5
f11d640c2610df6d22c1d1b942496112

SHA1
78930d83f39efe020cbc60b062116507efc81ce9

SHA256
ac1602ffe2c1d83d011a6c94646e066094f7712076c12fb97859e100757ecf74

SHA512
1d8aba6f370b118c2a35d44d763c4d01ecf76922f7d050775f3774f73cdb75681a7e0b356573f7c1347274632624e2671c18a9f439552d0b39ece0fc03a041d1

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
1020KB

MD5
45f28ae00d3b518214e90b4ba01b6730

SHA1
eb5a1e1421ba3dc722c8c101d9b787951dd0753a

SHA256
6672dd2d9aacf627aec7b412cdefed3aa6b093101bc196714802b548e430f57b

SHA512
9dd3eef041ed5ae25bb0f180919808a236dacedc5bd372061ced7decbcf505c88234087131863f47b187b1fba3afcc6534a8a957b941fd480a52d32ac04654d7

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
1020KB

MD5
ed85efb4b161c6541d8d69bd8dcd3f49

SHA1
711af25dce543698277a242d872604834bd84901

SHA256
9370a8331a5f3c19b16dd6e6ad60e8424a223639d1a5858b2a79fcc949cf765b

SHA512
97672016f6ad965ec33af257e1371f482ab9a903028f763b696357d2f5fb66586ff077cfe78cc5606df6a241f677d017ec0b959caf49afa1908e3af541bd5262

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
1020KB

MD5
44a8564232d0f06c42873c5c28e99bba

SHA1
6d20e12fda8391fb8b72f5c173eafd6b31d70748

SHA256
a41e83427eb537123bd15d89f392a0d3024d64f37817bcf18bacf79bd5838879

SHA512
5f4f36b6ea69cd048f291e1a06847bcec3e86285aac05eacffe9c0987644069059fc33f2a8585dd18b4a70d37354ea8fb41b229d7e4dbb12ad4dc1535d5a4888

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
1020KB

MD5
2be478fbbde6d2a7c4eabcb796615042

SHA1
7493571ecdaf93941b0ab346b83b4894c09cf80c

SHA256
d2d05f9c3a261ca7e44fa0248fa826cba24e0956fa8e928c3342c4eb71ce1a30

SHA512
f0adf3dab161e066d31d2f2cfeb611d4b6a187e34851d269426d7fce1cb1cca9dfce72717e14a6b57d68f4c4f2f537c68d6d749190dba5d458a0c15eac5c1cbe

Download Submit
C:\Windows\SysWOW64\Kajfig32.exe

Filesize
1020KB

MD5
ce71f2ba2bf05aab108ecfadc12da9d9

SHA1
dad561ce9c3cca710ac50672e5c9db37e52590b9

SHA256
a965de3c82a56feafceecee247369d738441aa73c10799275231f03c13143dee

SHA512
90cfb5cb3b937b239ec01aa78d2338bbfe117e300eec897a8e3166790d2eb39405c58adda414f5a6f752bb36aa4b4c5d3510b21ac5126c572766538ffbeddfba

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
1020KB

MD5
fe8c296f62ec2b3e8623a0b60ea5f795

SHA1
16262634e8271ec08a77fa7fb9398b21c815aa5e

SHA256
e800620eed2fc23da3514c5189ab8ded06ada721f7d283ec44197ebb19d7ee16

SHA512
fc99ca6f0aa83adfa68c9e0f8889907a37d59a58db637117b8312bd0d98f6e1f6aa1dd5f38e550859aea64ecafb3eaf26c866513c7a302af012dba0330712a78

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
1020KB

MD5
0dc6f159077fd7cc0a0e8567fb8aa970

SHA1
bd281b123d8d2dd3a59e6710ddd50b572d33bb84

SHA256
1572fc5008551c142111d80a703c9a48f1c3c72395a88358da593d8384879cf0

SHA512
086f5ab6733734743637698978b38493b57dcf5d58a275d4f2c9ff0eb98fb944d2bd5891c4c3cdd0dc8d081d88c4dadee18beb44ce21358b3b01bc41913b8bb2

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
1020KB

MD5
773a898ca0c4f9aeb1541d6b126104d1

SHA1
aac43f1c9fff2e1c1795c80721ef0df83f1e4168

SHA256
a30ef8d75c7a47d26be10d29134e4cbb244da5c161461b47f05fd9be0f91decb

SHA512
295b8999b857647f5681df0649a818960536a798838f272fc5339cc81d82380813d035137167a709c70963a8aa9fd299ad766ce8af35cc2872d64f0b2ec43f19

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
1020KB

MD5
bca4723b9d9c0bccd2daef683019804c

SHA1
093e9335173a2ab1d61852ff5e313e31608fc054

SHA256
35147a69bf04a9015cf8742cf01842e85e97d1a866bea3f231df285084191aa3

SHA512
445386dccd0bc78aafb130f5437fee478c847726409213a098364a69aa82440e949d14ebf6dc298ef1a658155b926d031e15bd8c3a94423d6d1909be9ca09356

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
1020KB

MD5
6a22caf185234cab34e85db170f35247

SHA1
215ce0499c931bc7b6a4d53f0f22493f5f9a0cbe

SHA256
f165d688dc80837eda7f5d6838308992c54410a9ed3cb03b4c907e37ce4e0e9d

SHA512
b426492ba5b08f19ef8e40e009cec71d552041b05c33eb15aee52f4594a8f76782c92df2518267f2b7418442ae52948a7af3005aba5fb93f508f0170dbdad0f2

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
1020KB

MD5
3d3d9eb601d4e5168231cc2eee32aa37

SHA1
8e1f69efba122183e92933b5d4e577599d544d03

SHA256
0357c15a702c99fb9d493270d3e2e47508263579582eb4b2131280241159f6b4

SHA512
d309638ec076afef3b861c09ee33a28d18bec3cce03a400d021a98ee9961afa13548978d67e2ab39b66e7c01c78458ba53e47dc5d62e936ced0f819e1f43f6c0

Download Submit
memory/232-631-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/232-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/244-643-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/444-637-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/452-698-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/532-678-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/556-699-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-644-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/640-700-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/744-690-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/772-685-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1000-696-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-657-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1076-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1164-693-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1264-642-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1308-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1416-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1440-675-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-703-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-672-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1572-686-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1636-650-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1640-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1700-701-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-695-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1784-635-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-691-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-684-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2176-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2176-78-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2176-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2204-654-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2308-660-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2380-651-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-694-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2440-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2456-682-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2472-668-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-665-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2896-632-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2920-679-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2940-661-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2976-636-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3100-677-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-670-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3216-640-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3260-689-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3268-702-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3300-638-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3344-649-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3424-658-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3440-641-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3488-664-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3560-634-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3564-676-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3592-669-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3620-697-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3832-639-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3876-656-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3940-645-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3992-646-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4048-673-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-674-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-647-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4260-692-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4288-655-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-648-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-688-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4552-662-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-659-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4584-683-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-653-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-652-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4728-671-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4804-681-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4872-680-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4884-633-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-687-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5032-667-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5056-666-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-663-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5160-704-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5192-705-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5228-706-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5264-707-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5300-708-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5336-709-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5372-710-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5408-711-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5444-712-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5480-713-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads