ec0413788b97ed7250c44fbe3f9138a07d2fc0c1110599206eb41675680f4d95

Analysis

max time kernel
141s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0273bebe3ecc503704dd287c876579b0_NEAS.exe
Size

69KB
MD5

0273bebe3ecc503704dd287c876579b0
SHA1

d4f418783b83b72dba093224fece0811f2afa927
SHA256

ec0413788b97ed7250c44fbe3f9138a07d2fc0c1110599206eb41675680f4d95
SHA512

2095c56d524fd2ce831c5a60f8f4fae28d896d0d67fe4f0ad5510f5ff4be6746460840fce5a52f71fc1521934d234f0fd98e110c090557840932047d6441fc34
SSDEEP

1536:YT70CGakgqwrJMwxDUREy7TngNein/GFZCeDAyY:YhhbPLQR97TngNFn/GFZC1yY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe

Executes dropped EXE 64 IoCs

pid	Process
4968	Efneehef.exe
876	Ehlaaddj.exe
1812	Eofinnkf.exe
3588	Ebeejijj.exe
4832	Efpajh32.exe
4152	Emjjgbjp.exe
4708	Ecdbdl32.exe
2036	Fjnjqfij.exe
1156	Fqhbmqqg.exe
2660	Fcgoilpj.exe
4512	Ffekegon.exe
1656	Fmocba32.exe
4168	Fcikolnh.exe
556	Ffggkgmk.exe
1720	Fjcclf32.exe
1216	Fmapha32.exe
4020	Fckhdk32.exe
1608	Ffjdqg32.exe
1860	Fmclmabe.exe
4172	Fobiilai.exe
2004	Fjhmgeao.exe
1840	Fqaeco32.exe
3620	Gbcakg32.exe
3680	Gjjjle32.exe
2688	Gmhfhp32.exe
2040	Gcbnejem.exe
4612	Gfqjafdq.exe
4480	Giofnacd.exe
4076	Gqfooodg.exe
4692	Gjocgdkg.exe
1672	Gmmocpjk.exe
4064	Gcggpj32.exe
2996	Gjapmdid.exe
3140	Gqkhjn32.exe
1336	Gcidfi32.exe
1420	Gfhqbe32.exe
4956	Gifmnpnl.exe
2460	Gppekj32.exe
4752	Hboagf32.exe
4496	Hjfihc32.exe
1436	Hmdedo32.exe
2324	Hpbaqj32.exe
1548	Hcnnaikp.exe
1020	Hfljmdjc.exe
4588	Hikfip32.exe
1256	Habnjm32.exe
3952	Hbckbepg.exe
4632	Hjjbcbqj.exe
4444	Himcoo32.exe
2156	Hpgkkioa.exe
4388	Hbeghene.exe
3536	Hfachc32.exe
4284	Hippdo32.exe
2620	Haggelfd.exe
4532	Hpihai32.exe
4628	Hbhdmd32.exe
60	Hfcpncdk.exe
3300	Hmmhjm32.exe
816	Haidklda.exe
3448	Ibjqcd32.exe
2704	Iffmccbi.exe
2852	Iidipnal.exe
1108	Iakaql32.exe
3032	Ipnalhii.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Bjikbh32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6592	6368	WerFault.exe	268

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llebfo32.dll"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4968	552	0273bebe3ecc503704dd287c876579b0_NEAS.exe	84
PID 552 wrote to memory of 4968	552	0273bebe3ecc503704dd287c876579b0_NEAS.exe	84
PID 552 wrote to memory of 4968	552	0273bebe3ecc503704dd287c876579b0_NEAS.exe	84
PID 4968 wrote to memory of 876	4968	Efneehef.exe	85
PID 4968 wrote to memory of 876	4968	Efneehef.exe	85
PID 4968 wrote to memory of 876	4968	Efneehef.exe	85
PID 876 wrote to memory of 1812	876	Ehlaaddj.exe	86
PID 876 wrote to memory of 1812	876	Ehlaaddj.exe	86
PID 876 wrote to memory of 1812	876	Ehlaaddj.exe	86
PID 1812 wrote to memory of 3588	1812	Eofinnkf.exe	87
PID 1812 wrote to memory of 3588	1812	Eofinnkf.exe	87
PID 1812 wrote to memory of 3588	1812	Eofinnkf.exe	87
PID 3588 wrote to memory of 4832	3588	Ebeejijj.exe	88
PID 3588 wrote to memory of 4832	3588	Ebeejijj.exe	88
PID 3588 wrote to memory of 4832	3588	Ebeejijj.exe	88
PID 4832 wrote to memory of 4152	4832	Efpajh32.exe	89
PID 4832 wrote to memory of 4152	4832	Efpajh32.exe	89
PID 4832 wrote to memory of 4152	4832	Efpajh32.exe	89
PID 4152 wrote to memory of 4708	4152	Emjjgbjp.exe	90
PID 4152 wrote to memory of 4708	4152	Emjjgbjp.exe	90
PID 4152 wrote to memory of 4708	4152	Emjjgbjp.exe	90
PID 4708 wrote to memory of 2036	4708	Ecdbdl32.exe	91
PID 4708 wrote to memory of 2036	4708	Ecdbdl32.exe	91
PID 4708 wrote to memory of 2036	4708	Ecdbdl32.exe	91
PID 2036 wrote to memory of 1156	2036	Fjnjqfij.exe	92
PID 2036 wrote to memory of 1156	2036	Fjnjqfij.exe	92
PID 2036 wrote to memory of 1156	2036	Fjnjqfij.exe	92
PID 1156 wrote to memory of 2660	1156	Fqhbmqqg.exe	93
PID 1156 wrote to memory of 2660	1156	Fqhbmqqg.exe	93
PID 1156 wrote to memory of 2660	1156	Fqhbmqqg.exe	93
PID 2660 wrote to memory of 4512	2660	Fcgoilpj.exe	94
PID 2660 wrote to memory of 4512	2660	Fcgoilpj.exe	94
PID 2660 wrote to memory of 4512	2660	Fcgoilpj.exe	94
PID 4512 wrote to memory of 1656	4512	Ffekegon.exe	95
PID 4512 wrote to memory of 1656	4512	Ffekegon.exe	95
PID 4512 wrote to memory of 1656	4512	Ffekegon.exe	95
PID 1656 wrote to memory of 4168	1656	Fmocba32.exe	96
PID 1656 wrote to memory of 4168	1656	Fmocba32.exe	96
PID 1656 wrote to memory of 4168	1656	Fmocba32.exe	96
PID 4168 wrote to memory of 556	4168	Fcikolnh.exe	97
PID 4168 wrote to memory of 556	4168	Fcikolnh.exe	97
PID 4168 wrote to memory of 556	4168	Fcikolnh.exe	97
PID 556 wrote to memory of 1720	556	Ffggkgmk.exe	98
PID 556 wrote to memory of 1720	556	Ffggkgmk.exe	98
PID 556 wrote to memory of 1720	556	Ffggkgmk.exe	98
PID 1720 wrote to memory of 1216	1720	Fjcclf32.exe	99
PID 1720 wrote to memory of 1216	1720	Fjcclf32.exe	99
PID 1720 wrote to memory of 1216	1720	Fjcclf32.exe	99
PID 1216 wrote to memory of 4020	1216	Fmapha32.exe	100
PID 1216 wrote to memory of 4020	1216	Fmapha32.exe	100
PID 1216 wrote to memory of 4020	1216	Fmapha32.exe	100
PID 4020 wrote to memory of 1608	4020	Fckhdk32.exe	101
PID 4020 wrote to memory of 1608	4020	Fckhdk32.exe	101
PID 4020 wrote to memory of 1608	4020	Fckhdk32.exe	101
PID 1608 wrote to memory of 1860	1608	Ffjdqg32.exe	102
PID 1608 wrote to memory of 1860	1608	Ffjdqg32.exe	102
PID 1608 wrote to memory of 1860	1608	Ffjdqg32.exe	102
PID 1860 wrote to memory of 4172	1860	Fmclmabe.exe	104
PID 1860 wrote to memory of 4172	1860	Fmclmabe.exe	104
PID 1860 wrote to memory of 4172	1860	Fmclmabe.exe	104
PID 4172 wrote to memory of 2004	4172	Fobiilai.exe	105
PID 4172 wrote to memory of 2004	4172	Fobiilai.exe	105
PID 4172 wrote to memory of 2004	4172	Fobiilai.exe	105
PID 2004 wrote to memory of 1840	2004	Fjhmgeao.exe	106

C:\Users\Admin\AppData\Local\Temp\0273bebe3ecc503704dd287c876579b0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\0273bebe3ecc503704dd287c876579b0_NEAS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\Efneehef.exe
  C:\Windows\system32\Efneehef.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\Ehlaaddj.exe
    C:\Windows\system32\Ehlaaddj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\SysWOW64\Eofinnkf.exe
      C:\Windows\system32\Eofinnkf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
      - C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        23⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        26⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        30⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        36⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        38⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        40⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        47⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        51⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        52⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        54⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        58⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        63⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        67⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        68⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        69⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        70⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        73⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        74⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        75⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        76⤵
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3500
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        78⤵
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        80⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        81⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        83⤵
        
        PID:776
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        84⤵
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        85⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        86⤵
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        89⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        90⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        92⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        95⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        96⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        99⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        101⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        103⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        104⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        105⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        106⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        108⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2240
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        110⤵
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        112⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        116⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        117⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        118⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        123⤵
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        128⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        129⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        130⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        132⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        137⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        141⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        143⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6480
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        146⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        148⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        150⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        151⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        153⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        154⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        155⤵
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        160⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        162⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        164⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        166⤵
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6536
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        170⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        171⤵
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        172⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        173⤵
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        174⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        176⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        177⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        178⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        179⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 408
        180⤵
        Program crash
        
        PID:6592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6368 -ip 6368
1⤵
PID:6516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
69KB

MD5
0b7d07a698dade276a68969201085f6b

SHA1
c2024f0573387d050f89e4c326f1d34f14927891

SHA256
96257e771697e363892d2fdc8e1f0f1f8612fe9fe85342aebcc21199a456bbd5

SHA512
49c992059a1e3fde21a0b9fdbfee745caa742ecfef78c49312b9cc8ce1624f7628f9d1160c6378074e55531538a64e247f85ad57154c2ade824d82f95636da1b

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
69KB

MD5
10b70ce570910ccf5f4f3de99f4d972c

SHA1
9e366e511851c6d9bc2052844e922442ef1ed8b3

SHA256
74396ed31c2f9d3bcc57a4a586bde0b3a6da794386f44ce6ceedb4699645ef63

SHA512
cb20e525ffb4f5b92fb2b7db2127a5ddaf33f56aa721b01c3124ca7e3c8eb7d99a0e4ecd10eeeadbe5f286904454080a85bdd5e5942d92b4fd61678b331a506f

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
69KB

MD5
c1296efef2cb881bf4e3edcf76403ad8

SHA1
4896fdcf66ba8f987488397a5ba4d854d28a9900

SHA256
fdf8fa6148041319c2a802dcd6d9e1c2945250129552b0a394d2b65138d1ef84

SHA512
b6646b1aeeff0b7dc0057ac948f6e340d822f082f08e2b27f58ffe6d352470e8a553b8fe4c71d2d9c08cabd8723c9c619505d6ee7b47b9118cad775fd25fb5ad

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
69KB

MD5
b6e7e2d5bb36a4fdd205fe0480f46cab

SHA1
6f9e6f19fcdffdc5d48d4169e37ff7c852d2a459

SHA256
5aa1664faba487e5b17fe6c17dd820856dc01ff6039af39db7f3c61a04d22507

SHA512
9ace3fb7148919149c6970416a71f6a81c8b03bc0967e54b5e3e1f6907e01e3e9058497daaa821353ac882642cca32625658c257d7ac94cb64f964a41477cdf9

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
69KB

MD5
d92d808fb1357776c5481a8c568ad94f

SHA1
2f9ffd963853d9d904beb93a7280c195b646ee2d

SHA256
925e46415e7c8f8da986444b168ad218f912bb95f5a4941e9b8bcf16d04daf7c

SHA512
efd664025c1456f1149ab33bc2f05dddb3fda187b1ba6c788e901e741c78d3410b25b0a9bea7b4a3ba74ad6df4555f9f5e1d71bdf01fad7aea3989b72ea64dd8

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
69KB

MD5
65f5e2a9c8e753d52432f651b0327335

SHA1
3c4dfaa455bf59e6d63fc5c729fdd2a0707457f6

SHA256
3f9935867d879fd7c9bf1d2d0b1cd2292a45cd391648a6928bd91100c694195b

SHA512
a1247ce9d61cab042a56537a96dacae32aabbeecd39d8b85770ab543b40061867b4e1edd10fd82b2a489e5f280492f03444180f8108d4af82d6eb17c1146ad0d

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
69KB

MD5
ea2260eced07585dbd5902f222d90a9b

SHA1
f6ca7757d64b0d05fe85fed3e33c4a22e5554d6e

SHA256
0150ce5c0179f1bcbed46f4878411f63d3bd9d3ac2bcaf87b3d91e8fb1bf0499

SHA512
3a191837f49bf4424fa6a23dc37683a8ac431eb91a17806e013969601762515a027c211e6676457b44ff6ac2f3488879db349735bc5a84e8ab694534400d0704

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
69KB

MD5
92407c9dcf4a2a5ad53fe8a7659ea1d6

SHA1
209c08d0df40340f8ba64c6c9d9b65afcbff85e8

SHA256
ff825352428f871b0ac3c7046530c12033de5579799cf9efa0ac499a2dd00eb6

SHA512
1295c9f7a97c9e9eec553b054e22027d882caf1e8a5a7499d055654835fe831d3a8db396fa2a1a3532c944a7500988e1aed53fa3bec69ad03e752dfd75f6036f

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
69KB

MD5
77d61d9b8036e0356fd9f33c68e82342

SHA1
6887b49e13c065921a525f03f008fa68d76ff604

SHA256
27eba83b893ed6142fe8488d04466dbb12ee75e701f3266813ad4652b1b34c83

SHA512
dcf66fbbe7b4efca0c6e987ba1014099246b4c65790d7ec523211985311647d464d2a8ebc4b0a56f03a1bcfcdb539e2748a551853ce0c7840ac2f8e94544540d

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
69KB

MD5
78890d1a98ef14e3bf5b3eba766a2747

SHA1
fa516872d4a94da35145b8997d406a5cff58e949

SHA256
97c165a344ff3c2e9777d332fdf50b8d142216c60df1863a083b0cdade5f5455

SHA512
3d457c64d1a30656e0423462f69b56ffc5931b9687f2f3f1a06d1d1e0f05d7251523f1de5c949d25585e301074274a716948a5ea90d513db738951ec672456bc

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
69KB

MD5
07dfb936399a4a3ecf1047bdbd0a0f07

SHA1
34c02eefd4945061c5fb886634c96ae74d5e587a

SHA256
c811bddc907631fb5eaf84fd195d582c3df7d97396bb090b4f96cdc7764847be

SHA512
019d8c8e30f5fed0c126ed321ff96e46ce435ac417039e431acfd8a33e602b85217965e9e70322a1dfd3e4470168fbfa1db0442e3141ae7921429ec7545c117a

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
69KB

MD5
f74615bd75063fe5786ece7683c1f81c

SHA1
af811344c829acddf96affe5c73c6869a9e3002e

SHA256
0afbfc9263709fa29bb6227ad921587a243985700de51dac68365a20556e77a1

SHA512
5bb561ec5a4456775a120cd37f758ca1ad536413bc27a89d82f3b9c31dbfdeb309ed39a47094de8aab755bf7767638e2c8f7dba66329a94ae4e1e01ff9d0f06c

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
69KB

MD5
151babe52ee81765f34ae390c9e71f87

SHA1
3f9ff8f28c7466017740b6740f90de5d4bcb5905

SHA256
e62b54c89e0375c72ad5505cd032764b05e33848a2915b5befbe5fe432ca942c

SHA512
b26ff0d88704be317b143d739945854417508bba79feb9512485d59b427a53f0f1958acaf000bb009cbfff954cb1a05961f40633d3c043dcfeeeea13f6f77d31

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
69KB

MD5
fc1d052535874dd344c7e947503db684

SHA1
304122656498d0c092ce78d0baff1d7ce0454a37

SHA256
16f4d5aafd5b50780bdb55f5222aae33ce2ca9e5f3c33cf6fc7051b59cfa61cb

SHA512
5e16ab05ab3eb6d20c6038eb0402825a137a802033ec53aada84858f17f6d6df81297b710c904b2f9130ba0d640d0f8cd545dcf378743418cd934cd814fabb92

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
69KB

MD5
17097510a264fdaa04c487cf5d4d5a13

SHA1
327947f2a6cd9f44e362a2bce4987fd24e0d9eb7

SHA256
1931822870f51f7b0231ed4e5da27a08322c6f39b6784ca95edacb3a960adf14

SHA512
daa3c53806990b2d7f660d442c46b68ab30b72d7445a32537ceb2834a917adf2b8dc9456afcb7c3e3891963ec56faac83090337901fd46f3833f7140d72f2e52

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
69KB

MD5
cbf1ebf1789399c7b4d97d6c17d26987

SHA1
4dbd4555ed1ef427e535211c57961ae6e3bd95b1

SHA256
86bf9d89f0272773007967842b06416414e2d5db53e4de4fcbba08b14a87c466

SHA512
21d4e375589886eefdc62b526ab0bbf927837e7606fefedc0dbf0646408e0726fad3ea32fd24e421824f1be7c7e3121cd75a2c528aef659f8d64ea38f6ca7246

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
69KB

MD5
b1c7d9a99bd905fb7b8e5a08491c3e4f

SHA1
41cc9cbf5d4c4fd3face3b8455c177af072bf7e2

SHA256
85be7af7ebef25e25018be3a16f282f238c7bd2bf57560064b1bbcc75d2b6e37

SHA512
204a6c8fdea3070581a0e32f2463d45a7b6148e6e29ae72b26578c33c751c250c596f5888c0051876a530ddbe54ede97af8fd37f51717ebe83867c61a29e4682

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
69KB

MD5
e5d085b4795896ef3d18b1223825b043

SHA1
f39b97b36dd601ebb4b47a553d987e21b25382d4

SHA256
91aaeea8400df1d304300dcf547f7765d2dce33954f6bd5657a45fd9b0b078e9

SHA512
acb801b1bbbf18b966f0f588b94bcb46e57cf5c690c246533076fd4a1a572540e64ee5efdae2e9fdfb1086482ed726153ea95c3be3b9ad8c9816be787090022a

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
69KB

MD5
c2a5929a9cee752cede20e91839a810b

SHA1
81d0695b3f68268a2580501f8823deb740185853

SHA256
f535ce2f243c7250c4532b15189043ce5be12c993f137a28b18d0b7a52ed145d

SHA512
4deb439091196cc2e81be276ae2acb64dd951d3614a3d09f2d24515c5472c9682b7fa803ee72557434a4b781985abcc8655cf0887736e5ec9c177a76e5cb16cb

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
69KB

MD5
58b1bf50557c2ead23dc95ebf315fedc

SHA1
f43eb5e6cc3467945ec3e56036b5ce28855f81bc

SHA256
e3df95e51509e3f405eb39e3cbcaa4ac96d3798b6f8f6c7d4d1222869cad9cde

SHA512
0ed42364662bc28e8f36787e69700b9a99fb2b9d21800148720f3fd281fdcb8bdcd96993ff43298e6a4675ab10e80c5236e776ab6c59ac41741819727851babb

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
69KB

MD5
aaa43486685b1326973c79ebc2553941

SHA1
77cd0b9eeed9c4b8958c0c228ee91799863d7f45

SHA256
9d656703140d4918e8db6f09e1e3f3dba208a49eeb2c84c71385cb38cc094290

SHA512
d03c69bfe5a344f4a2cea610e993e9a6c4be697d89bfaa8ac9c73f50f3791377244ec0855ed30f83febee560a901b5e770ab557d7ea923954ec2651f06405313

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
69KB

MD5
b747ec64f9c541de125a3a55542c00bd

SHA1
c458f6cd2fbe234c86f912cf003098fb9662f47c

SHA256
8be3054011488c659d07dd75d4429b80cb0ef50cbe24c5a5510e1cbfa008a9a9

SHA512
a31e24e6fae691726895fc4081e9442e114e813a44f3255df5037d4cb883e59b3d35ef2e14bb76ea1d730da1be2b84d31867037c83afcbf3ddf7fd3447cc87a9

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
69KB

MD5
781d21b1600933d6425ba4f326af9867

SHA1
94fb150c232e8322e064050070ea077ef87d7cf2

SHA256
edb9dbf0655aeefeadc60075cf86a9514855c33875c8e75afa28f8b5f7b221b4

SHA512
5f63989232c20ec45abba7ae4b702a2ec1260ea9ee37dfeed24d69ad55a65435fcd0a3a4d158e17a11d160944b887ae47e3eaf21be88d8da543e7e9e6609dcc9

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
69KB

MD5
aa7852a9dcea570aa3623f6fde58233d

SHA1
a4b8ec4dcdef3dda1a2aa408d541c8f28b273f63

SHA256
23eecbe801dfcae77b2700ee04bd43bb654802ae031fe977a98ec570903f3688

SHA512
2c693e870ae7030308df598a80202b2d83e5f02fffd7a92979164eb028d10e605b8bf481c37211248850e7ce1c9f6fa07d3ae504346691f5d6988ebe20a42acc

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
69KB

MD5
752004c52eb9338bd4a55bd89be0be32

SHA1
90ec67c89dbcae99d6e1cb89d13afd358e8ff61d

SHA256
084cb9dec3e0de8bd2a03d43590d1011e82e1f1c6844c5830603c94cd91722f0

SHA512
cf43b5b0f9db3b365603405e2d7f71ec3bca9680a5284dc7f60bbf76966ca90d32473bf2c1c315259e8a3d4de870679872321d48da01ffe7b596a750eeb092cf

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
69KB

MD5
694df87daa087a4c4a0538a9838b0b39

SHA1
33303967117161766b24543780068e6b49d4470a

SHA256
2cdb6065aea3560d6ec260fbd0bf1ca9bae5b290eb7d56104fcbd2e86c265d0d

SHA512
618cd346d84e62c39b6a9d686c3f462a40025124f9bea76f599ab90c73ff20840ca9660d7d84a3930f829cf639346e5e7b8391f0993b5fce505b4b1fcd13d9f4

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
69KB

MD5
760dde9edbeee25d24c3d7283e3adbd3

SHA1
1cc90632c7069decd5a3a2f7d7711664ce6172fe

SHA256
c275684e2910336df6ba45ce9a5f8db8dacd4d7126b4f72c1f6a1844cfbeac03

SHA512
e25aa8029aa8c8c5f75613adf224c526ce1e1db7424dc2af3673649df156d54531662a6530b32bdc8519d2c9de45f57e231a9af9dc95625fe1d9d4adc6ab4fd5

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
69KB

MD5
9d6dc7fb7d1cfc94df8da8e5c6237cab

SHA1
352235623a01ec1f301ef29960830de7a70a8fdc

SHA256
055ca91962510f8295fd6aeb06f17db008094a5d7ee4e2f4f1467ff512bcd674

SHA512
a78c0f20a818aecde6a4a995e09c053b73fe6ae48db0e67ab8dd30939692fdbebd9cecff1f17fc7b8aee868d1eead048eff6b6beec13df545587ccd03fc84dc7

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
69KB

MD5
49fb87defc4161a1dff35e4e5f3c76da

SHA1
b0337ef4c6cc164a8d70ca9a302e129e36a01efe

SHA256
8801670a8d1edb65a2bc771fad1e7eba024d3ed7058a8de0c7d33e274bc2de5e

SHA512
c87659dcc39f990ae959e80a4584f3c9e602593715be3fb614db374fa350a0fd20d774fac5ab1bde019b9e0ce8a19e582f2b2f9353938b1f6b01afa8ace445f3

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
69KB

MD5
1427db7fc460fc6c5c9a5749cb0a37b9

SHA1
11982abfe2146a1c82d3e16b62d7af34c638934b

SHA256
de8d34a709215dcde96a0f87a3e5667853d0f0eafec093a9f18bc59463e548d8

SHA512
f016d51064bcc7e0711073a3e0cbf4dca0ae27f231b64a246b5f7c8e750585c208b5b422d4725b84fc5d6886ca3bd78909b569caf5726644592194ee2389afd5

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
69KB

MD5
17d6e1bf44c686838c32f9f9c6b0a6ae

SHA1
9dc0bf35558e00aaba300cb66b5daa705adc3f8a

SHA256
7f0b5e7bd6682197046dbb9f2a9d6c2df04bb7b3be387a0306abb8c029f0853e

SHA512
7dd5c33881afbf6a88a63117d97cffe5f896c0cafdbbbb605ab27ca7b13ed87779b56c4a6465c0b2bf2e8814200459433dc1e4bc2cac8c888bce9121fb8ebb94

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
69KB

MD5
cdde07843cb890949369bb34f7ef71e3

SHA1
1c20b952f9062acc40cecafadb6b8048baa2e357

SHA256
d978bce8578257f1bee42333d6c89e46d6f95798d91f3bcec78d8d353f7bf9fe

SHA512
eb455b649133174e0fd4689a2e694e3b4e898bd023d0e32b2d06baefd146ef7dad16c91b14f86201260614c55718ca72da66c31f7be60bc3cb1eae0432024614

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
69KB

MD5
3a9922bd2a28f321df673887c30cceb5

SHA1
257eb0a8d93abac29e149cfe44e65cdf51c40434

SHA256
d3c3eb7c6057121fad3c61d64ff7f4585943e4a27ad0868e0f64ea0b99a8733c

SHA512
24e2da0a7bda99fcc307419db27135a24ff73e82134b1beaf34513d873d29985008e6187f5a3a89df42383ac3e27e9f73a188aff7ffda93c4f4d0321a8fe6d0a

Download Submit
C:\Windows\SysWOW64\Ifhiib32.exe

Filesize
69KB

MD5
d5a37208c08abcc10b5940d991554109

SHA1
919724079948e1a08e9eba9953442cda7db85ba9

SHA256
04e97717b79b409fef7e5acf8f791d1b5f083bab50f51cf2a23e569752f688c6

SHA512
d98bf796aaea9afc8bae5c46a9292e0c988523f0624a6a42ca27e1ad27690d0b95145ecc0a55a3b1d7c1bdb6103b5b926107647c93847a5ad6f0d714d8081561

Download Submit
C:\Windows\SysWOW64\Jjpeepnb.exe

Filesize
69KB

MD5
6ecd1141e98f6ff7642feea1f7ea05d3

SHA1
e53fc88c71762a56edcacd9efea977ffa24ff96d

SHA256
c8c5108ba381bf51d34dfd99b336a833b5d9e95404ab89ff42f56837be562645

SHA512
cb20bcc435ecb5acffcc2d22d0e7ca9ea3681b8bf9612765183e1147ca90fc63ba7f983647be3bce643030da97135308c7a626cc648fd8e2fa47ff9c9c72be71

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
69KB

MD5
acb2b4020cf926a0748c131bbebdce0e

SHA1
005d7ff41cbc3619ad09c7a7d33046118ffddc1d

SHA256
05da5604d44ea8331aca6acba7e5b3c63966972d425e6ab6562af2c78f913ab5

SHA512
9921613176c795f9770a483b234ae251ac9c5150e4305271148f9ce09cc4d6b49b264a831b7f7151d14ce6fe39fee1f08bd5f95cb8cc19e351aa0825e4b608d4

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
69KB

MD5
48c005232939ceb2ce0408228616f91e

SHA1
a7ad610202c03a23c356c55ab39e3d324b28e39b

SHA256
58e1c42b624f3daea7ae6f8c4f18627bf9d7f20a883c80980132f5c69b2f0f47

SHA512
e46698bfcacd183de6d85f87f359ce21d2188f66e29eeacde02504828e644e2f23ec78fdb765f9c4690b8932af2cf142ca8690da6feb5278773f887c3baed909

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
69KB

MD5
fcf6441ab4a13438455870df5d26ee32

SHA1
5b0e5ab177e5979f36b4979a8f1bacbd7a8507c1

SHA256
9db25d8488c2c45e28dafc6dd91033e72cf6d43a0fc3e09223054b65fde071f5

SHA512
a3baf9bcb9f68573f6f566bc5d24634bb466232d4a9133366422200497fba6c59f3c78c23a51b516f4cd4cb6540f0dca73039ae8e8ef3cbf264b5d21c85ed65b

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
69KB

MD5
d5093012a5813199d128dad089a4d5cc

SHA1
4f7d5f92fc501e4b708afc8fe065d4a1f7dfa361

SHA256
87c0f0118a61da36020f6675916cbe8a9c5958ff72af5f8ec3dc90bdd8f2c25d

SHA512
f976953026b3c2f0874e632fc2e7fdf1379bebb039a2f2625053d1d437df23ac7f085386db0f68233ed456841b0e3d2dcc7d74e10e8a320f71cadc832fe342b8

Download Submit
memory/60-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/116-579-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/552-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/552-548-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/556-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/776-559-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/816-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-558-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1020-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-447-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1216-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1252-508-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1256-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1336-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1420-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1436-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1608-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-458-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1720-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-572-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1812-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-156-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2004-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2036-603-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2040-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2156-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-514-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2324-321-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2460-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-506-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2660-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2688-204-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2704-434-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2812-552-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2852-441-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2960-565-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3032-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3076-481-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3140-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3300-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3448-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3496-501-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3500-520-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-571-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3620-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3680-194-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3952-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4020-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4076-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4092-472-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-52-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-585-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4168-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4172-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-526-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4320-460-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4388-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4396-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4444-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4480-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4592-484-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4612-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-356-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4692-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4708-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4708-592-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4728-536-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-578-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-551-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4972-490-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-538-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5048-550-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5132-586-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5180-597-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads