7f0d8abcf8c7f8b0bb60e899663e281240698d8da48e62cba76422d4a29ceb9e

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.07eb23c0c877019f4385dc99be22df2a_JC.exe
Size

130KB
MD5

07eb23c0c877019f4385dc99be22df2a
SHA1

d4c6906fd160e3b5febce0bc3169cf1606c268d4
SHA256

7f0d8abcf8c7f8b0bb60e899663e281240698d8da48e62cba76422d4a29ceb9e
SHA512

b527e99eac2e7e2efd551fdd607f1dbd778e56c872c857a737fb0e1412c4708d97e7ce40ded6b086d44d6f332f2b70c640afe15d2a5f2275c33edcde04787e8b
SSDEEP

3072:S1ZM3USnRSR7c/FvvsGn2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/4:B3UKSR7ctvEE4BhHmNEcYj9nhV8NCV

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plpjoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joahqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgnbdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dflfac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjgim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfaajnfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfnoqc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeheqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaqbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqafhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfjfecno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nopfpgip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nclikl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Joahqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdnbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlimed32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgphpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plpjoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aolblopj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emjgim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpimlfke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igfclkdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doaneiop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmenca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkpmdbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdpjlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdehni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfodeohd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnafno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jepjhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahpmjejp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hffken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjdho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddligq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgiimng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohkkhhmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgeakekd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/2868-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2868-1-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022c79-9.dat	family_berbew
behavioral2/memory/4832-8-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022c9f-15.dat	family_berbew
behavioral2/files/0x0008000000022c9f-16.dat	family_berbew
behavioral2/memory/2772-17-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022c79-7.dat	family_berbew
behavioral2/files/0x000a000000022d48-23.dat	family_berbew
behavioral2/files/0x000a000000022d48-24.dat	family_berbew
behavioral2/memory/3412-25-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022d4c-26.dat	family_berbew
behavioral2/files/0x0007000000022d4c-32.dat	family_berbew
behavioral2/files/0x0007000000022d4c-31.dat	family_berbew
behavioral2/memory/4896-37-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022d4e-40.dat	family_berbew
behavioral2/files/0x0007000000022d4e-39.dat	family_berbew
behavioral2/memory/1316-43-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022d50-47.dat	family_berbew
behavioral2/files/0x0007000000022d50-48.dat	family_berbew
behavioral2/memory/2352-49-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022d52-55.dat	family_berbew
behavioral2/files/0x0007000000022d52-56.dat	family_berbew
behavioral2/memory/3308-57-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022d5f-63.dat	family_berbew
behavioral2/memory/3000-64-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022d5f-65.dat	family_berbew
behavioral2/files/0x0007000000022d63-71.dat	family_berbew
behavioral2/memory/2868-73-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4224-80-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022d63-72.dat	family_berbew
behavioral2/files/0x0006000000022d73-79.dat	family_berbew
behavioral2/memory/4916-82-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d75-88.dat	family_berbew
behavioral2/memory/3208-90-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d75-89.dat	family_berbew
behavioral2/files/0x0006000000022d73-81.dat	family_berbew
behavioral2/files/0x0006000000022d77-97.dat	family_berbew
behavioral2/memory/4348-98-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d77-96.dat	family_berbew
behavioral2/files/0x0006000000022d79-106.dat	family_berbew
behavioral2/memory/4556-105-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d79-104.dat	family_berbew
behavioral2/files/0x0006000000022d7b-112.dat	family_berbew
behavioral2/memory/1080-113-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d7b-114.dat	family_berbew
behavioral2/files/0x0006000000022d7e-121.dat	family_berbew
behavioral2/memory/4564-122-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d7e-120.dat	family_berbew
behavioral2/files/0x0006000000022d80-128.dat	family_berbew
behavioral2/files/0x0006000000022d80-129.dat	family_berbew
behavioral2/memory/3472-130-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d82-136.dat	family_berbew
behavioral2/memory/3720-137-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d82-138.dat	family_berbew
behavioral2/files/0x0006000000022d84-139.dat	family_berbew
behavioral2/files/0x0006000000022d84-144.dat	family_berbew
behavioral2/memory/3284-145-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d84-146.dat	family_berbew
behavioral2/memory/2980-153-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d86-152.dat	family_berbew
behavioral2/files/0x0006000000022d86-154.dat	family_berbew
behavioral2/files/0x0006000000022d88-160.dat	family_berbew
behavioral2/files/0x0006000000022d88-162.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4832	Hdehni32.exe
2772	Jlkipgpe.exe
3412	Jjoiil32.exe
4896	Jqhafffk.exe
1316	Jjafok32.exe
2352	Jcikgacl.exe
3308	Kdigadjo.exe
3000	Kmdlffhj.exe
4224	Kmfhkf32.exe
4916	Kkgiimng.exe
3208	Kcbnnpka.exe
4348	Knhakh32.exe
4556	Lgqfdnah.exe
1080	Lqikmc32.exe
4564	Lmpkadnm.exe
3472	Lgepom32.exe
3720	Lqndhcdc.exe
3284	Lkeekk32.exe
2980	Mmnhcb32.exe
3420	Mkohaj32.exe
2728	Megljppl.exe
112	Nclikl32.exe
2896	Nmenca32.exe
1112	Ngjbaj32.exe
4780	Nmgjia32.exe
1704	Njkkbehl.exe
3564	Nccokk32.exe
1972	Nnicid32.exe
216	Nlmdbh32.exe
3876	Najmjokc.exe
840	Ojbacd32.exe
3400	Oeheqm32.exe
4380	Odmbaj32.exe
3364	Oaqbkn32.exe
2404	Ohkkhhmh.exe
660	Omgcpokp.exe
3848	Olicnfco.exe
3064	Pddhbipj.exe
4852	Pmlmkn32.exe
1392	Pkpmdbfd.exe
1516	Plpjoe32.exe
3380	Pehngkcg.exe
508	Paoollik.exe
4648	Pkgcea32.exe
3952	Qdphngfl.exe
4428	Qmhlgmmm.exe
3864	Qdbdcg32.exe
1888	Qlimed32.exe
748	Ahpmjejp.exe
2412	Aahbbkaq.exe
4520	Aolblopj.exe
5036	Bddjpd32.exe
1504	Bnmoijje.exe
1936	Bhbcfbjk.exe
3132	Bnoknihb.exe
3816	Blqllqqa.exe
4800	Camddhoi.exe
4660	Cbpajgmf.exe
3972	Cleegp32.exe
4476	Cdpjlb32.exe
5012	Ckjbhmad.exe
2140	Cbdjeg32.exe
1840	Chnbbqpn.exe
3164	Cfbcke32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Pkpmdbfd.exe	Pmlmkn32.exe
File created	C:\Windows\SysWOW64\Hfaajnfb.exe	Glkmmefl.exe
File created	C:\Windows\SysWOW64\Joahqn32.exe	Impliekg.exe
File opened for modification	C:\Windows\SysWOW64\Ahfmpnql.exe	Apodoq32.exe
File opened for modification	C:\Windows\SysWOW64\Ojbacd32.exe	Najmjokc.exe
File created	C:\Windows\SysWOW64\Ckjinf32.dll	Gifkpknp.exe
File opened for modification	C:\Windows\SysWOW64\Ncqlkemc.exe	Nmfcok32.exe
File created	C:\Windows\SysWOW64\Igcnla32.dll	Hemdlj32.exe
File created	C:\Windows\SysWOW64\Jlolpq32.exe	Jebfng32.exe
File opened for modification	C:\Windows\SysWOW64\Mqfpckhm.exe	Mgnlkfal.exe
File created	C:\Windows\SysWOW64\Cjibekmc.dll	Nclikl32.exe
File created	C:\Windows\SysWOW64\Nbenoa32.dll	Cdpjlb32.exe
File created	C:\Windows\SysWOW64\Akhkncql.dll	Dflfac32.exe
File opened for modification	C:\Windows\SysWOW64\Fimhjl32.exe	Fbpchb32.exe
File opened for modification	C:\Windows\SysWOW64\Imgicgca.exe	Ibaeen32.exe
File created	C:\Windows\SysWOW64\Bgkiaj32.exe	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Eehnaq32.dll	Boldhf32.exe
File created	C:\Windows\SysWOW64\Kmdlffhj.exe	Kdigadjo.exe
File created	C:\Windows\SysWOW64\Mkohaj32.exe	Mmnhcb32.exe
File opened for modification	C:\Windows\SysWOW64\Eiloco32.exe	Dngjff32.exe
File created	C:\Windows\SysWOW64\Hehhjm32.dll	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Fgjimp32.dll	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Qdbdcg32.exe	Qmhlgmmm.exe
File opened for modification	C:\Windows\SysWOW64\Lcdciiec.exe	Kngkqbgl.exe
File opened for modification	C:\Windows\SysWOW64\Lflbkcll.exe	Lcnfohmi.exe
File created	C:\Windows\SysWOW64\Cfbcke32.exe	Chnbbqpn.exe
File created	C:\Windows\SysWOW64\Gbnoiqdq.exe	Gifkpknp.exe
File created	C:\Windows\SysWOW64\Ibaeen32.exe	Hlglidlo.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Fenpmnno.dll	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Qmgelf32.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Ohkkhhmh.exe	Oaqbkn32.exe
File created	C:\Windows\SysWOW64\Mbnnhndk.dll	Pkpmdbfd.exe
File created	C:\Windows\SysWOW64\Mpolbbim.dll	Nnafno32.exe
File created	C:\Windows\SysWOW64\Hkjefc32.dll	Qlimed32.exe
File created	C:\Windows\SysWOW64\Fofdocoe.dll	Dmennnni.exe
File opened for modification	C:\Windows\SysWOW64\Ilnbicff.exe	Iedjmioj.exe
File created	C:\Windows\SysWOW64\Ljqhkckn.exe	Lokdnjkg.exe
File created	C:\Windows\SysWOW64\Aepjgm32.dll	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Lgepom32.exe	Lmpkadnm.exe
File created	C:\Windows\SysWOW64\Nclikl32.exe	Megljppl.exe
File opened for modification	C:\Windows\SysWOW64\Pehngkcg.exe	Plpjoe32.exe
File created	C:\Windows\SysWOW64\Pnplfj32.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Pnmopk32.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Ciipkkdj.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Ejlgio32.dll	Lgepom32.exe
File created	C:\Windows\SysWOW64\Kbopqlen.dll	Paoollik.exe
File created	C:\Windows\SysWOW64\Aolece32.dll	Fiaael32.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Ofmdio32.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Cjgjmg32.dll	Hibjli32.exe
File created	C:\Windows\SysWOW64\Mgbefe32.exe	Mnjqmpgg.exe
File created	C:\Windows\SysWOW64\Njhgbp32.exe	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Gbnoiqdq.exe	Gifkpknp.exe
File opened for modification	C:\Windows\SysWOW64\Aknbkjfh.exe	Aogbfi32.exe
File opened for modification	C:\Windows\SysWOW64\Cammjakm.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Fdnpclpq.dll	Jjafok32.exe
File created	C:\Windows\SysWOW64\Gedapeof.dll	Jcikgacl.exe
File created	C:\Windows\SysWOW64\Ddalgo32.dll	Pmlmkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jcoaglhk.exe	Jleijb32.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bhpofl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7876	7672	WerFault.exe	324

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeedjegm.dll"	Lkeekk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeqge32.dll"	Megljppl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnqfcbnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgflcifg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll"	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngjbaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmhlgmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iedjmioj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paeelgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paoollik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiloco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllfakij.dll"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Megljppl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhbcfbjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfodeohd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dheibpje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hknkchkd.dll"	Gmdcfidg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll"	Hlglidlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombnni32.dll"	Lnjgfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdphngfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdphngfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgmdnki.dll"	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcedencn.dll"	Qdbdcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfaajnfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefeek32.dll"	Igdgglfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jenmcggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmnhcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onpjichj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doaneiop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll"	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcccepbd.dll"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aolblopj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmacdg32.dll"	Kjblje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhboolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lejgpb32.dll"	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geohklaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocaebc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4832	2868	NEAS.07eb23c0c877019f4385dc99be22df2a_JC.exe	86
PID 2868 wrote to memory of 4832	2868	NEAS.07eb23c0c877019f4385dc99be22df2a_JC.exe	86
PID 2868 wrote to memory of 4832	2868	NEAS.07eb23c0c877019f4385dc99be22df2a_JC.exe	86
PID 4832 wrote to memory of 2772	4832	Hdehni32.exe	87
PID 4832 wrote to memory of 2772	4832	Hdehni32.exe	87
PID 4832 wrote to memory of 2772	4832	Hdehni32.exe	87
PID 2772 wrote to memory of 3412	2772	Jlkipgpe.exe	88
PID 2772 wrote to memory of 3412	2772	Jlkipgpe.exe	88
PID 2772 wrote to memory of 3412	2772	Jlkipgpe.exe	88
PID 3412 wrote to memory of 4896	3412	Jjoiil32.exe	89
PID 3412 wrote to memory of 4896	3412	Jjoiil32.exe	89
PID 3412 wrote to memory of 4896	3412	Jjoiil32.exe	89
PID 4896 wrote to memory of 1316	4896	Jqhafffk.exe	90
PID 4896 wrote to memory of 1316	4896	Jqhafffk.exe	90
PID 4896 wrote to memory of 1316	4896	Jqhafffk.exe	90
PID 1316 wrote to memory of 2352	1316	Jjafok32.exe	91
PID 1316 wrote to memory of 2352	1316	Jjafok32.exe	91
PID 1316 wrote to memory of 2352	1316	Jjafok32.exe	91
PID 2352 wrote to memory of 3308	2352	Jcikgacl.exe	92
PID 2352 wrote to memory of 3308	2352	Jcikgacl.exe	92
PID 2352 wrote to memory of 3308	2352	Jcikgacl.exe	92
PID 3308 wrote to memory of 3000	3308	Kdigadjo.exe	93
PID 3308 wrote to memory of 3000	3308	Kdigadjo.exe	93
PID 3308 wrote to memory of 3000	3308	Kdigadjo.exe	93
PID 3000 wrote to memory of 4224	3000	Kmdlffhj.exe	94
PID 3000 wrote to memory of 4224	3000	Kmdlffhj.exe	94
PID 3000 wrote to memory of 4224	3000	Kmdlffhj.exe	94
PID 4224 wrote to memory of 4916	4224	Kmfhkf32.exe	95
PID 4224 wrote to memory of 4916	4224	Kmfhkf32.exe	95
PID 4224 wrote to memory of 4916	4224	Kmfhkf32.exe	95
PID 4916 wrote to memory of 3208	4916	Kkgiimng.exe	96
PID 4916 wrote to memory of 3208	4916	Kkgiimng.exe	96
PID 4916 wrote to memory of 3208	4916	Kkgiimng.exe	96
PID 3208 wrote to memory of 4348	3208	Kcbnnpka.exe	97
PID 3208 wrote to memory of 4348	3208	Kcbnnpka.exe	97
PID 3208 wrote to memory of 4348	3208	Kcbnnpka.exe	97
PID 4348 wrote to memory of 4556	4348	Knhakh32.exe	98
PID 4348 wrote to memory of 4556	4348	Knhakh32.exe	98
PID 4348 wrote to memory of 4556	4348	Knhakh32.exe	98
PID 4556 wrote to memory of 1080	4556	Lgqfdnah.exe	99
PID 4556 wrote to memory of 1080	4556	Lgqfdnah.exe	99
PID 4556 wrote to memory of 1080	4556	Lgqfdnah.exe	99
PID 1080 wrote to memory of 4564	1080	Lqikmc32.exe	100
PID 1080 wrote to memory of 4564	1080	Lqikmc32.exe	100
PID 1080 wrote to memory of 4564	1080	Lqikmc32.exe	100
PID 4564 wrote to memory of 3472	4564	Lmpkadnm.exe	101
PID 4564 wrote to memory of 3472	4564	Lmpkadnm.exe	101
PID 4564 wrote to memory of 3472	4564	Lmpkadnm.exe	101
PID 3472 wrote to memory of 3720	3472	Lgepom32.exe	102
PID 3472 wrote to memory of 3720	3472	Lgepom32.exe	102
PID 3472 wrote to memory of 3720	3472	Lgepom32.exe	102
PID 3720 wrote to memory of 3284	3720	Lqndhcdc.exe	103
PID 3720 wrote to memory of 3284	3720	Lqndhcdc.exe	103
PID 3720 wrote to memory of 3284	3720	Lqndhcdc.exe	103
PID 3284 wrote to memory of 2980	3284	Lkeekk32.exe	104
PID 3284 wrote to memory of 2980	3284	Lkeekk32.exe	104
PID 3284 wrote to memory of 2980	3284	Lkeekk32.exe	104
PID 2980 wrote to memory of 3420	2980	Mmnhcb32.exe	105
PID 2980 wrote to memory of 3420	2980	Mmnhcb32.exe	105
PID 2980 wrote to memory of 3420	2980	Mmnhcb32.exe	105
PID 3420 wrote to memory of 2728	3420	Mkohaj32.exe	106
PID 3420 wrote to memory of 2728	3420	Mkohaj32.exe	106
PID 3420 wrote to memory of 2728	3420	Mkohaj32.exe	106
PID 2728 wrote to memory of 112	2728	Megljppl.exe	107

C:\Users\Admin\AppData\Local\Temp\NEAS.07eb23c0c877019f4385dc99be22df2a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.07eb23c0c877019f4385dc99be22df2a_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\Hdehni32.exe
  C:\Windows\system32\Hdehni32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\Jlkipgpe.exe
    C:\Windows\system32\Jlkipgpe.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\Jjoiil32.exe
      C:\Windows\system32\Jjoiil32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\SysWOW64\Jqhafffk.exe
        
        C:\Windows\system32\Jqhafffk.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\SysWOW64\Jjafok32.exe
        
        C:\Windows\system32\Jjafok32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Jcikgacl.exe
        
        C:\Windows\system32\Jcikgacl.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Kdigadjo.exe
        
        C:\Windows\system32\Kdigadjo.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Kmdlffhj.exe
        
        C:\Windows\system32\Kmdlffhj.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Kmfhkf32.exe
        
        C:\Windows\system32\Kmfhkf32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Kkgiimng.exe
        
        C:\Windows\system32\Kkgiimng.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Kcbnnpka.exe
        
        C:\Windows\system32\Kcbnnpka.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Knhakh32.exe
        
        C:\Windows\system32\Knhakh32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Lgqfdnah.exe
        
        C:\Windows\system32\Lgqfdnah.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Lqikmc32.exe
        
        C:\Windows\system32\Lqikmc32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Lmpkadnm.exe
        
        C:\Windows\system32\Lmpkadnm.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Lgepom32.exe
        
        C:\Windows\system32\Lgepom32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Lqndhcdc.exe
        
        C:\Windows\system32\Lqndhcdc.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Lkeekk32.exe
        
        C:\Windows\system32\Lkeekk32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Mmnhcb32.exe
        
        C:\Windows\system32\Mmnhcb32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Mkohaj32.exe
        
        C:\Windows\system32\Mkohaj32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Megljppl.exe
        
        C:\Windows\system32\Megljppl.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Nclikl32.exe
        
        C:\Windows\system32\Nclikl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:112
        
        C:\Windows\SysWOW64\Nmenca32.exe
        
        C:\Windows\system32\Nmenca32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Ngjbaj32.exe
        
        C:\Windows\system32\Ngjbaj32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Nmgjia32.exe
        
        C:\Windows\system32\Nmgjia32.exe
        26⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Njkkbehl.exe
        
        C:\Windows\system32\Njkkbehl.exe
        27⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\Nccokk32.exe
        
        C:\Windows\system32\Nccokk32.exe
        28⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Nnicid32.exe
        
        C:\Windows\system32\Nnicid32.exe
        29⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Nlmdbh32.exe
        
        C:\Windows\system32\Nlmdbh32.exe
        30⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Najmjokc.exe
        
        C:\Windows\system32\Najmjokc.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Ojbacd32.exe
        
        C:\Windows\system32\Ojbacd32.exe
        32⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Oeheqm32.exe
        
        C:\Windows\system32\Oeheqm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Onpjichj.exe
        
        C:\Windows\system32\Onpjichj.exe
        34⤵
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Odmbaj32.exe
        
        C:\Windows\system32\Odmbaj32.exe
        35⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Oaqbkn32.exe
        
        C:\Windows\system32\Oaqbkn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Ohkkhhmh.exe
        
        C:\Windows\system32\Ohkkhhmh.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Omgcpokp.exe
        
        C:\Windows\system32\Omgcpokp.exe
        38⤵
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\Olicnfco.exe
        
        C:\Windows\system32\Olicnfco.exe
        39⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Pddhbipj.exe
        
        C:\Windows\system32\Pddhbipj.exe
        40⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Pmlmkn32.exe
        
        C:\Windows\system32\Pmlmkn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Pkpmdbfd.exe
        
        C:\Windows\system32\Pkpmdbfd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\Plpjoe32.exe
        
        C:\Windows\system32\Plpjoe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Pehngkcg.exe
        
        C:\Windows\system32\Pehngkcg.exe
        44⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Paoollik.exe
        
        C:\Windows\system32\Paoollik.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Pkgcea32.exe
        
        C:\Windows\system32\Pkgcea32.exe
        46⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Qdphngfl.exe
        
        C:\Windows\system32\Qdphngfl.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Qmhlgmmm.exe
        
        C:\Windows\system32\Qmhlgmmm.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Qdbdcg32.exe
        
        C:\Windows\system32\Qdbdcg32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Qlimed32.exe
        
        C:\Windows\system32\Qlimed32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Ahpmjejp.exe
        
        C:\Windows\system32\Ahpmjejp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\Aahbbkaq.exe
        
        C:\Windows\system32\Aahbbkaq.exe
        52⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Aolblopj.exe
        
        C:\Windows\system32\Aolblopj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Bddjpd32.exe
        
        C:\Windows\system32\Bddjpd32.exe
        54⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Bnmoijje.exe
        
        C:\Windows\system32\Bnmoijje.exe
        55⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Bhbcfbjk.exe
        
        C:\Windows\system32\Bhbcfbjk.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Bnoknihb.exe
        
        C:\Windows\system32\Bnoknihb.exe
        57⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Blqllqqa.exe
        
        C:\Windows\system32\Blqllqqa.exe
        58⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Camddhoi.exe
        
        C:\Windows\system32\Camddhoi.exe
        59⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Cbpajgmf.exe
        
        C:\Windows\system32\Cbpajgmf.exe
        60⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Cleegp32.exe
        
        C:\Windows\system32\Cleegp32.exe
        61⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\Cdpjlb32.exe
        
        C:\Windows\system32\Cdpjlb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Ckjbhmad.exe
        
        C:\Windows\system32\Ckjbhmad.exe
        63⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Cbdjeg32.exe
        
        C:\Windows\system32\Cbdjeg32.exe
        64⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Chnbbqpn.exe
        
        C:\Windows\system32\Chnbbqpn.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Cfbcke32.exe
        
        C:\Windows\system32\Cfbcke32.exe
        66⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\SysWOW64\Dkokcl32.exe
        
        C:\Windows\system32\Dkokcl32.exe
        67⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Dbicpfdk.exe
        
        C:\Windows\system32\Dbicpfdk.exe
        68⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        69⤵
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Dnpdegjp.exe
        
        C:\Windows\system32\Dnpdegjp.exe
        70⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\Dheibpje.exe
        
        C:\Windows\system32\Dheibpje.exe
        71⤵
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        72⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\Ddligq32.exe
        
        C:\Windows\system32\Ddligq32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:812
        
        C:\Windows\SysWOW64\Doaneiop.exe
        
        C:\Windows\system32\Doaneiop.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Dflfac32.exe
        
        C:\Windows\system32\Dflfac32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        76⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        78⤵
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        79⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\Emjgim32.exe
        
        C:\Windows\system32\Emjgim32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:448
        
        C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:912
        
        C:\Windows\SysWOW64\Ekodjiol.exe
        
        C:\Windows\system32\Ekodjiol.exe
        82⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        83⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Fbpchb32.exe
        
        C:\Windows\system32\Fbpchb32.exe
        84⤵
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\Fimhjl32.exe
        
        C:\Windows\system32\Fimhjl32.exe
        85⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Fiodpl32.exe
        
        C:\Windows\system32\Fiodpl32.exe
        86⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Fpimlfke.exe
        
        C:\Windows\system32\Fpimlfke.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3860
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        89⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Gidnkkpc.exe
        
        C:\Windows\system32\Gidnkkpc.exe
        90⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Gnqfcbnj.exe
        
        C:\Windows\system32\Gnqfcbnj.exe
        91⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        92⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        93⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        94⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        95⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        96⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Gpelhd32.exe
        
        C:\Windows\system32\Gpelhd32.exe
        97⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Glkmmefl.exe
        
        C:\Windows\system32\Glkmmefl.exe
        99⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Hfaajnfb.exe
        
        C:\Windows\system32\Hfaajnfb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Hmkigh32.exe
        
        C:\Windows\system32\Hmkigh32.exe
        101⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        102⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        104⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        106⤵
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        107⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        108⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        109⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Hemdlj32.exe
        
        C:\Windows\system32\Hemdlj32.exe
        110⤵
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        113⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        115⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        116⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        117⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Igfclkdj.exe
        
        C:\Windows\system32\Igfclkdj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        119⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        121⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Jleijb32.exe
        
        C:\Windows\system32\Jleijb32.exe
        122⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        123⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Jenmcggo.exe
        
        C:\Windows\system32\Jenmcggo.exe
        124⤵
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        125⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        126⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Jepjhg32.exe
        
        C:\Windows\system32\Jepjhg32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Jpenfp32.exe
        
        C:\Windows\system32\Jpenfp32.exe
        128⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        130⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        131⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        132⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        133⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Kgflcifg.exe
        
        C:\Windows\system32\Kgflcifg.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        135⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        136⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Kgkfnh32.exe
        
        C:\Windows\system32\Kgkfnh32.exe
        137⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        138⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        139⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        141⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Lnjgfb32.exe
        
        C:\Windows\system32\Lnjgfb32.exe
        143⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        144⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        146⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        147⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Lckiihok.exe
        
        C:\Windows\system32\Lckiihok.exe
        148⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Lfjfecno.exe
        
        C:\Windows\system32\Lfjfecno.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6228
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6264
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        151⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        152⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Mqafhl32.exe
        
        C:\Windows\system32\Mqafhl32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Mfnoqc32.exe
        
        C:\Windows\system32\Mfnoqc32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6452
        
        C:\Windows\SysWOW64\Mmhgmmbf.exe
        
        C:\Windows\system32\Mmhgmmbf.exe
        155⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Mqfpckhm.exe
        
        C:\Windows\system32\Mqfpckhm.exe
        157⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Mgphpe32.exe
        
        C:\Windows\system32\Mgphpe32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6640
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        161⤵
        Modifies registry class
        
        PID:6800
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6844
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        163⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        165⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        167⤵
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        168⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        169⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        170⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        173⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        175⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        176⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6680
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        178⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        179⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6936
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        183⤵
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        186⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        187⤵
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        188⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6436
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7156
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        195⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        196⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        197⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        198⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        199⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        200⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7176
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        202⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        203⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7292
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        204⤵
        Drops file in System32 directory
        
        PID:7340
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7384
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        206⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        207⤵
        Modifies registry class
        
        PID:7468
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        208⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        209⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        210⤵
        Drops file in System32 directory
        
        PID:7584
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        211⤵
        Modifies registry class
        
        PID:7624
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7664
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        213⤵
        Drops file in System32 directory
        
        PID:7704
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7748
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7788
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        216⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7832
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        217⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7912
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7952
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        220⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        221⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        222⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        223⤵
        Modifies registry class
        
        PID:8112
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        224⤵
        Modifies registry class
        
        PID:8156
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        225⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        226⤵
        Modifies registry class
        
        PID:7200
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        227⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        228⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7392
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        229⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7448
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        230⤵
        Modifies registry class
        
        PID:7540
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        231⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        232⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 408
        233⤵
        Program crash
        
        PID:7876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7672 -ip 7672
1⤵
PID:7808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
130KB

MD5
2fd5294e3d74a4cdff3ceb6876885b64

SHA1
c37f9f3d9b16f2f7036ba46c5fe88d0c281a7d4b

SHA256
2475cd7ee7597cf04172b1f60a1d11b48c839ddef25a70baef399f593031009e

SHA512
512ee140aabf297c5806d6293205bb055cc833c52b2cae0640ca688a253a9a9d09734661537070084d5a37d41c439a91638cd0723a7434b0b6da274628e3122a

Download Submit
C:\Windows\SysWOW64\Aolblopj.exe

Filesize
130KB

MD5
c017f89642ac478148b134459ddcc0e0

SHA1
37bfd4553bfde6f4417ab42207d9b76abf9972e4

SHA256
0443f0d54796a9c28537c316cd68f7b948152df82fbe7f891b07298dcc57f6be

SHA512
e120163dfb53d0e2746a377feb5763f1afbd3fe49d6d82b8977c2471c8d9889a181dae075e85aacdc9ca6d86d5d27395d28aff52588583c5c55a8821bb8f27c3

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
130KB

MD5
acb6b83de8953d1088a482dff67d5be5

SHA1
8639aefed162956d9bfdfca1e352e855634cfb8c

SHA256
d5c77165e3d9c906341f0b1d3ddb75b5fb1b35a7676c4d8d6d857ffc2c053fe7

SHA512
9cb5da68eebd2871b7f14fc2505cb253159b86cf3d6ebdbb5d230561424bcb4de886bd2fe1c6e92482df8de7a2ce74ab0772cbd6856372a96e59213e76514f7f

Download Submit
C:\Windows\SysWOW64\Hdehni32.exe

Filesize
130KB

MD5
52d6559d3ccfff53f0de6559e8765fa6

SHA1
7db6b31421ff07221ae97e409f4303af2f7fb635

SHA256
828346a61201c52e366981b1482747696e9219fc127e372d1d5e7a5519cb3de6

SHA512
5b3416fbf7fc2d6e7860822008301ee954c798017ba6900c5539fbf7fbc118b6da507ec833503c6df7de837c6759d5c1e268312d4b72d2cbf0511d73c2b77e0b

Download Submit
C:\Windows\SysWOW64\Hdehni32.exe

Filesize
130KB

MD5
52d6559d3ccfff53f0de6559e8765fa6

SHA1
7db6b31421ff07221ae97e409f4303af2f7fb635

SHA256
828346a61201c52e366981b1482747696e9219fc127e372d1d5e7a5519cb3de6

SHA512
5b3416fbf7fc2d6e7860822008301ee954c798017ba6900c5539fbf7fbc118b6da507ec833503c6df7de837c6759d5c1e268312d4b72d2cbf0511d73c2b77e0b

Download Submit
C:\Windows\SysWOW64\Jcikgacl.exe

Filesize
130KB

MD5
d5a20f43fe86d759f013bb5688fc403a

SHA1
56c246b040495e5c125bd73dd709ac5e9624c138

SHA256
e78d2a8444637eff7aba219891fb2d2d648a1f87241139bbdf55b2d2e58f5b3e

SHA512
1eb62294f288d165b1aea04c1f476cf9f91c7db1c0dd96c1ae56720911ed9f1988fd3dab91ab41b6e6aaac76e61424833b2dc92bc93828871d3d110de81859ce

Download Submit
C:\Windows\SysWOW64\Jcikgacl.exe

Filesize
130KB

MD5
d5a20f43fe86d759f013bb5688fc403a

SHA1
56c246b040495e5c125bd73dd709ac5e9624c138

SHA256
e78d2a8444637eff7aba219891fb2d2d648a1f87241139bbdf55b2d2e58f5b3e

SHA512
1eb62294f288d165b1aea04c1f476cf9f91c7db1c0dd96c1ae56720911ed9f1988fd3dab91ab41b6e6aaac76e61424833b2dc92bc93828871d3d110de81859ce

Download Submit
C:\Windows\SysWOW64\Jjafok32.exe

Filesize
130KB

MD5
5a360b0f9d4b5f2f20be74cccf4f8aa2

SHA1
960106e321ed56ea7eeb3b3d73d399c253f9e9d0

SHA256
f602278a0805889d89427c6c8f52ba98936c2e24e0762da2827ab3785bc4f072

SHA512
14a7bb7ba08d7b4f78f51a7698d698bc7d5896afbebed40feef9ab968525c59ec4f1a32c84f007d1dd4e34613f31a5f3aebaea5ffebdc2b08f79dae6ebcb614b

Download Submit
C:\Windows\SysWOW64\Jjafok32.exe

Filesize
130KB

MD5
5a360b0f9d4b5f2f20be74cccf4f8aa2

SHA1
960106e321ed56ea7eeb3b3d73d399c253f9e9d0

SHA256
f602278a0805889d89427c6c8f52ba98936c2e24e0762da2827ab3785bc4f072

SHA512
14a7bb7ba08d7b4f78f51a7698d698bc7d5896afbebed40feef9ab968525c59ec4f1a32c84f007d1dd4e34613f31a5f3aebaea5ffebdc2b08f79dae6ebcb614b

Download Submit
C:\Windows\SysWOW64\Jjoiil32.exe

Filesize
130KB

MD5
80c754d348dc694dbcd68c43893f60e2

SHA1
a46f0284258e019a77c4d783d6dac4e85cc3623e

SHA256
ab190822cfacc42a87423bb6e05d36f26e45d30ae5120a4c04896f12280382fc

SHA512
47c54d1dfbc9101863b817a71487868cf03bf07c9b5776a4a7d5396b621bb99bd9624de45c0be9638280148dfe0fe5053d800d6dd375a704fc058ee248ecbfce

Download Submit
C:\Windows\SysWOW64\Jjoiil32.exe

Filesize
130KB

MD5
80c754d348dc694dbcd68c43893f60e2

SHA1
a46f0284258e019a77c4d783d6dac4e85cc3623e

SHA256
ab190822cfacc42a87423bb6e05d36f26e45d30ae5120a4c04896f12280382fc

SHA512
47c54d1dfbc9101863b817a71487868cf03bf07c9b5776a4a7d5396b621bb99bd9624de45c0be9638280148dfe0fe5053d800d6dd375a704fc058ee248ecbfce

Download Submit
C:\Windows\SysWOW64\Jlkipgpe.exe

Filesize
130KB

MD5
3171f6615313c9ef8a9f7a7ef1ea9b34

SHA1
7f3b6a3b6da4ae4ccd2d2b9ce5dab069ba2d762a

SHA256
9a92f758b7901a9e768be8e2e2cf0b493acf9702c522fd398a393c59db7fd870

SHA512
ff299a2362a0127f21dd0b1eb20114b9fecabeba3885f50a5d2352b378d4fb04c03467acdd7e6d1b00595d575dcddcfe962b00d44f23c478649ffe7ad4171ee5

Download Submit
C:\Windows\SysWOW64\Jlkipgpe.exe

Filesize
130KB

MD5
3171f6615313c9ef8a9f7a7ef1ea9b34

SHA1
7f3b6a3b6da4ae4ccd2d2b9ce5dab069ba2d762a

SHA256
9a92f758b7901a9e768be8e2e2cf0b493acf9702c522fd398a393c59db7fd870

SHA512
ff299a2362a0127f21dd0b1eb20114b9fecabeba3885f50a5d2352b378d4fb04c03467acdd7e6d1b00595d575dcddcfe962b00d44f23c478649ffe7ad4171ee5

Download Submit
C:\Windows\SysWOW64\Jqhafffk.exe

Filesize
130KB

MD5
73e286bc25b264feeca9cb860a58b08b

SHA1
4261b27181d08cce0c34cc48b6bf70cbe4b92629

SHA256
aa7b796dc372ae9d052f2b4461ef2b221c19419947f4baca7a99eca6e8397789

SHA512
5d044d448a1384b76d951f5bfc3c82c93ee95ef34c9ea11822d09ad5a2e2c8dd528cb5db798e473dc5678269db2484cf9cc2315d365cfc315b5d20f8c806ea7e

Download Submit
C:\Windows\SysWOW64\Jqhafffk.exe

Filesize
130KB

MD5
73e286bc25b264feeca9cb860a58b08b

SHA1
4261b27181d08cce0c34cc48b6bf70cbe4b92629

SHA256
aa7b796dc372ae9d052f2b4461ef2b221c19419947f4baca7a99eca6e8397789

SHA512
5d044d448a1384b76d951f5bfc3c82c93ee95ef34c9ea11822d09ad5a2e2c8dd528cb5db798e473dc5678269db2484cf9cc2315d365cfc315b5d20f8c806ea7e

Download Submit
C:\Windows\SysWOW64\Jqhafffk.exe

Filesize
130KB

MD5
73e286bc25b264feeca9cb860a58b08b

SHA1
4261b27181d08cce0c34cc48b6bf70cbe4b92629

SHA256
aa7b796dc372ae9d052f2b4461ef2b221c19419947f4baca7a99eca6e8397789

SHA512
5d044d448a1384b76d951f5bfc3c82c93ee95ef34c9ea11822d09ad5a2e2c8dd528cb5db798e473dc5678269db2484cf9cc2315d365cfc315b5d20f8c806ea7e

Download Submit
C:\Windows\SysWOW64\Kcbnnpka.exe

Filesize
130KB

MD5
cadc8b478865cf44ac7166db2c563e19

SHA1
aa7ee49df683a03e1b949ca8aec59caca9e483f7

SHA256
49e1fc9e1b1f0cf4fc294131e22e111470d143ee24932fbe59d52bd565a0ce95

SHA512
3e0c5a3a3454f745c76adbc76f34e0924ea343fa669e258ac8eac871e8433fb58b46265e1e4e747a444e0fa0b196b0a5a4e4fe7bbde2342d827ca479eaea64dc

Download Submit
C:\Windows\SysWOW64\Kcbnnpka.exe

Filesize
130KB

MD5
cadc8b478865cf44ac7166db2c563e19

SHA1
aa7ee49df683a03e1b949ca8aec59caca9e483f7

SHA256
49e1fc9e1b1f0cf4fc294131e22e111470d143ee24932fbe59d52bd565a0ce95

SHA512
3e0c5a3a3454f745c76adbc76f34e0924ea343fa669e258ac8eac871e8433fb58b46265e1e4e747a444e0fa0b196b0a5a4e4fe7bbde2342d827ca479eaea64dc

Download Submit
C:\Windows\SysWOW64\Kdigadjo.exe

Filesize
130KB

MD5
4114a60c4afd878fa30fa8a98fd3b041

SHA1
6b00ec96ca61da5ee355d88d9003a556fdd7c95d

SHA256
2de76a8f3b6787b0b44ace3c15e89b1979d13f44a4ccee4c5a9e871bd5763440

SHA512
fa466e291392e543676c6f4862d1f8af3f3d29d35b74ee9808969188ac68a734d4995ecb4a66234318458cdf3ecaa22c43becf88dfa3028a891bcc1adf9e522d

Download Submit
C:\Windows\SysWOW64\Kdigadjo.exe

Filesize
130KB

MD5
4114a60c4afd878fa30fa8a98fd3b041

SHA1
6b00ec96ca61da5ee355d88d9003a556fdd7c95d

SHA256
2de76a8f3b6787b0b44ace3c15e89b1979d13f44a4ccee4c5a9e871bd5763440

SHA512
fa466e291392e543676c6f4862d1f8af3f3d29d35b74ee9808969188ac68a734d4995ecb4a66234318458cdf3ecaa22c43becf88dfa3028a891bcc1adf9e522d

Download Submit
C:\Windows\SysWOW64\Kkgiimng.exe

Filesize
130KB

MD5
4a3e2219abd033ab01634872fb499b2a

SHA1
335536e30f478e2c6c742766692fd026841a2bcb

SHA256
7dced2ac0397633bb6e304bda687636e8f11278ca3d88a48d40254239477b27c

SHA512
ada4e6a7188737261e02dd51110e7f655163f6598f3cf4087aa92d8fc8bdd8acacbea83a7b1208049176b75a1e878765271831959de506e10e12f873700a522b

Download Submit
C:\Windows\SysWOW64\Kkgiimng.exe

Filesize
130KB

MD5
4a3e2219abd033ab01634872fb499b2a

SHA1
335536e30f478e2c6c742766692fd026841a2bcb

SHA256
7dced2ac0397633bb6e304bda687636e8f11278ca3d88a48d40254239477b27c

SHA512
ada4e6a7188737261e02dd51110e7f655163f6598f3cf4087aa92d8fc8bdd8acacbea83a7b1208049176b75a1e878765271831959de506e10e12f873700a522b

Download Submit
C:\Windows\SysWOW64\Kmdlffhj.exe

Filesize
130KB

MD5
c9169aeece7092a968058016f0d529e7

SHA1
bf3504d71aae6bba8c8208ba9308e9a093dbe5b1

SHA256
641e1df240f1a9f0231b0188fa74cc71d3376976c51459457563b6d73d9391f9

SHA512
cfd4d1322b3a28a73a9cf2a0d06fdd5aa2afb4e139c787d85daa6534a407023456cec2cfc671b1f0a94699fb4fcdad74b9e979f0aae9be30420a9af47f564e46

Download Submit
C:\Windows\SysWOW64\Kmdlffhj.exe

Filesize
130KB

MD5
c9169aeece7092a968058016f0d529e7

SHA1
bf3504d71aae6bba8c8208ba9308e9a093dbe5b1

SHA256
641e1df240f1a9f0231b0188fa74cc71d3376976c51459457563b6d73d9391f9

SHA512
cfd4d1322b3a28a73a9cf2a0d06fdd5aa2afb4e139c787d85daa6534a407023456cec2cfc671b1f0a94699fb4fcdad74b9e979f0aae9be30420a9af47f564e46

Download Submit
C:\Windows\SysWOW64\Kmfhkf32.exe

Filesize
130KB

MD5
893b8596cdd4d37b5c3fc68284f640e7

SHA1
be3c760cee52e0f5b9d715c21893920b97229144

SHA256
172315b1a4294122f4dab08cd5c2513eccca478a7789e281189f8608d337b2ea

SHA512
c4531b39ec391bb1edea061badb7f27ac29fd05bcdc2d547724fe2a2b85a1e771cf22cc4cfeac7659d89db546f692578ab8763a648c38ef48412782018eda408

Download Submit
C:\Windows\SysWOW64\Kmfhkf32.exe

Filesize
130KB

MD5
893b8596cdd4d37b5c3fc68284f640e7

SHA1
be3c760cee52e0f5b9d715c21893920b97229144

SHA256
172315b1a4294122f4dab08cd5c2513eccca478a7789e281189f8608d337b2ea

SHA512
c4531b39ec391bb1edea061badb7f27ac29fd05bcdc2d547724fe2a2b85a1e771cf22cc4cfeac7659d89db546f692578ab8763a648c38ef48412782018eda408

Download Submit
C:\Windows\SysWOW64\Knhakh32.exe

Filesize
130KB

MD5
59c15e285e7ce859315c671be667b041

SHA1
8d5e0ffcc0b15ca6a416d9712cd4551190fc2d7e

SHA256
c461402fa76b2fff02bc60645e0765954efcb98fbb0749966c8fc25d00dc9d6e

SHA512
743e6e10ed6868397728da745f3cf7686e609c5ad4aaf8c875cbc8d813126a3ca1b127e93803fddbd4f07753086e132d94c724a2a5fc97d0579c5b8ce08c8a72

Download Submit
C:\Windows\SysWOW64\Knhakh32.exe

Filesize
130KB

MD5
59c15e285e7ce859315c671be667b041

SHA1
8d5e0ffcc0b15ca6a416d9712cd4551190fc2d7e

SHA256
c461402fa76b2fff02bc60645e0765954efcb98fbb0749966c8fc25d00dc9d6e

SHA512
743e6e10ed6868397728da745f3cf7686e609c5ad4aaf8c875cbc8d813126a3ca1b127e93803fddbd4f07753086e132d94c724a2a5fc97d0579c5b8ce08c8a72

Download Submit
C:\Windows\SysWOW64\Lgepom32.exe

Filesize
130KB

MD5
b2cd80933f54da927c3ac3379b9ec255

SHA1
ccc62a59813ca8e1df5cbd528f665a8188bd5318

SHA256
e6c0a0a74b62b4c17d4b271e30bc22b2b65798c386b14c2cd5b5fbbbf9e62df3

SHA512
9a3b87691dc5d42e5e424732b36c915c32b93790f55b9ccedd60ab3747723f465da3accc9758e6eb1b9e472ab3baf4d8734cabea84ad29e4383f41428ca62894

Download Submit
C:\Windows\SysWOW64\Lgepom32.exe

Filesize
130KB

MD5
b2cd80933f54da927c3ac3379b9ec255

SHA1
ccc62a59813ca8e1df5cbd528f665a8188bd5318

SHA256
e6c0a0a74b62b4c17d4b271e30bc22b2b65798c386b14c2cd5b5fbbbf9e62df3

SHA512
9a3b87691dc5d42e5e424732b36c915c32b93790f55b9ccedd60ab3747723f465da3accc9758e6eb1b9e472ab3baf4d8734cabea84ad29e4383f41428ca62894

Download Submit
C:\Windows\SysWOW64\Lgqfdnah.exe

Filesize
130KB

MD5
92c8a1de5fec4fe873140d820a25e87c

SHA1
819aa8c7a697f43f5b47ae98c14cc5353034f99f

SHA256
01723b1007288b90b16c613f9b398816077f4a22cef93dc31a848e39a83aa121

SHA512
903ec8c3fc1737f75a5f0f90656ebb8c54bf0341e49ea908f700d725eb0751cdb7759e2065c93b3566e34c23112262ad69693e59285c6f6c9b7cbf17552b8102

Download Submit
C:\Windows\SysWOW64\Lgqfdnah.exe

Filesize
130KB

MD5
92c8a1de5fec4fe873140d820a25e87c

SHA1
819aa8c7a697f43f5b47ae98c14cc5353034f99f

SHA256
01723b1007288b90b16c613f9b398816077f4a22cef93dc31a848e39a83aa121

SHA512
903ec8c3fc1737f75a5f0f90656ebb8c54bf0341e49ea908f700d725eb0751cdb7759e2065c93b3566e34c23112262ad69693e59285c6f6c9b7cbf17552b8102

Download Submit
C:\Windows\SysWOW64\Lkeekk32.exe

Filesize
130KB

MD5
ac24a7b808c70b40ee0278060930e2ad

SHA1
158f3f33a451391858a22f44e5a06c3f7e0b2d2e

SHA256
2908cd5a935e67a050e3b808db17e5f12cac2ec0f97cdd552dbf9d89865ab225

SHA512
a8d90640060c4cf6dd353110a0be58ff64c06e4deb6ab1c54a95e809b865c662737f74e620fd05216ab7b4967c3232d26e94b34b6004e162ed24bd59ed5e13c8

Download Submit
C:\Windows\SysWOW64\Lkeekk32.exe

Filesize
130KB

MD5
73b3ff9f6bcd8f3cf6968e27d3ce5324

SHA1
f7bab1dd03948e29b298a7d57281770358c4a723

SHA256
ab23b75ac2af05bc4de22d7b3c6a57b88a6828991585250b68f97768340bf3a3

SHA512
5d9e43f0762ba945b1d7d7916203c4335eedf7bdffc54b02154d3b7fdc99e34adc3e40d6c8ff2f996d5a6ed554dd70a64f10013574154c5f4de433c64e5be59d

Download Submit
C:\Windows\SysWOW64\Lkeekk32.exe

Filesize
130KB

MD5
73b3ff9f6bcd8f3cf6968e27d3ce5324

SHA1
f7bab1dd03948e29b298a7d57281770358c4a723

SHA256
ab23b75ac2af05bc4de22d7b3c6a57b88a6828991585250b68f97768340bf3a3

SHA512
5d9e43f0762ba945b1d7d7916203c4335eedf7bdffc54b02154d3b7fdc99e34adc3e40d6c8ff2f996d5a6ed554dd70a64f10013574154c5f4de433c64e5be59d

Download Submit
C:\Windows\SysWOW64\Lmpkadnm.exe

Filesize
130KB

MD5
80e44d035f5fe93fc9755b694160d2e5

SHA1
7aaa4f25e3408370f1854829c035b0464b34dc8c

SHA256
39ba879117c5a3c47ac96ae64b250053ffa2001ce25a7c01d7801eb51098de4b

SHA512
03c9c51d1a9f82eafee3bab864398342fbd7423ff77fa7446447ac46df1be6e1967d10f1d1d543d1c12c81bc4f9112fd40b32854639dd0f43d7bec277cad4292

Download Submit
C:\Windows\SysWOW64\Lmpkadnm.exe

Filesize
130KB

MD5
80e44d035f5fe93fc9755b694160d2e5

SHA1
7aaa4f25e3408370f1854829c035b0464b34dc8c

SHA256
39ba879117c5a3c47ac96ae64b250053ffa2001ce25a7c01d7801eb51098de4b

SHA512
03c9c51d1a9f82eafee3bab864398342fbd7423ff77fa7446447ac46df1be6e1967d10f1d1d543d1c12c81bc4f9112fd40b32854639dd0f43d7bec277cad4292

Download Submit
C:\Windows\SysWOW64\Lqikmc32.exe

Filesize
130KB

MD5
713aa008da78b3fd125fc56b1aab7d3a

SHA1
c9a3f9bbbac194d91a643e8c0d3af537c810695e

SHA256
1d2c6d27fe96ed1a18db825df62385135d99de8fe6e0a9a38722e993000e7d4c

SHA512
a085f6b658afdb32fdbc258655d7046b990c998fd855dd2737026fb2594e944573ff56af1350c573f39fb85452f470520c2f676aba7864360e06b0aad71063be

Download Submit
C:\Windows\SysWOW64\Lqikmc32.exe

Filesize
130KB

MD5
713aa008da78b3fd125fc56b1aab7d3a

SHA1
c9a3f9bbbac194d91a643e8c0d3af537c810695e

SHA256
1d2c6d27fe96ed1a18db825df62385135d99de8fe6e0a9a38722e993000e7d4c

SHA512
a085f6b658afdb32fdbc258655d7046b990c998fd855dd2737026fb2594e944573ff56af1350c573f39fb85452f470520c2f676aba7864360e06b0aad71063be

Download Submit
C:\Windows\SysWOW64\Lqndhcdc.exe

Filesize
130KB

MD5
ac24a7b808c70b40ee0278060930e2ad

SHA1
158f3f33a451391858a22f44e5a06c3f7e0b2d2e

SHA256
2908cd5a935e67a050e3b808db17e5f12cac2ec0f97cdd552dbf9d89865ab225

SHA512
a8d90640060c4cf6dd353110a0be58ff64c06e4deb6ab1c54a95e809b865c662737f74e620fd05216ab7b4967c3232d26e94b34b6004e162ed24bd59ed5e13c8

Download Submit
C:\Windows\SysWOW64\Lqndhcdc.exe

Filesize
130KB

MD5
ac24a7b808c70b40ee0278060930e2ad

SHA1
158f3f33a451391858a22f44e5a06c3f7e0b2d2e

SHA256
2908cd5a935e67a050e3b808db17e5f12cac2ec0f97cdd552dbf9d89865ab225

SHA512
a8d90640060c4cf6dd353110a0be58ff64c06e4deb6ab1c54a95e809b865c662737f74e620fd05216ab7b4967c3232d26e94b34b6004e162ed24bd59ed5e13c8

Download Submit
C:\Windows\SysWOW64\Megljppl.exe

Filesize
130KB

MD5
0ed0b682a7ca012fb791164b6d3e3b30

SHA1
a496ab93f5df324784da93446f4706d94032f241

SHA256
5955c1c8af67ff2748910eee2ff247db28ccc8150a433a00e79c3ed52cd5c5db

SHA512
4d774862f7b4de66c42b038ce57c2dda2d28b48e1ba43bd11956eea954581e1be46a8efdec5ee0d3dd09acd01953036b57cd6e411a1546b7217143a2e073c513

Download Submit
C:\Windows\SysWOW64\Megljppl.exe

Filesize
130KB

MD5
0ed0b682a7ca012fb791164b6d3e3b30

SHA1
a496ab93f5df324784da93446f4706d94032f241

SHA256
5955c1c8af67ff2748910eee2ff247db28ccc8150a433a00e79c3ed52cd5c5db

SHA512
4d774862f7b4de66c42b038ce57c2dda2d28b48e1ba43bd11956eea954581e1be46a8efdec5ee0d3dd09acd01953036b57cd6e411a1546b7217143a2e073c513

Download Submit
C:\Windows\SysWOW64\Mkohaj32.exe

Filesize
130KB

MD5
3f044d9e497a3d4ca5788ca9f9700ad2

SHA1
5f4f0b3af080e9cded13d76459c3ce44add1e3f2

SHA256
0ce332eddd46a1d27ce4142f072ff2ef53663d1a87effdc01ccc8bf775316120

SHA512
4adb16fdf2efecb3508f4d50e6b9afed5de333cbeb20b08a40597ad04912ec80e89efc225c080b1da95241677238c5d5fe41254cf7217a4b8606ff7a23640657

Download Submit
C:\Windows\SysWOW64\Mkohaj32.exe

Filesize
130KB

MD5
3f044d9e497a3d4ca5788ca9f9700ad2

SHA1
5f4f0b3af080e9cded13d76459c3ce44add1e3f2

SHA256
0ce332eddd46a1d27ce4142f072ff2ef53663d1a87effdc01ccc8bf775316120

SHA512
4adb16fdf2efecb3508f4d50e6b9afed5de333cbeb20b08a40597ad04912ec80e89efc225c080b1da95241677238c5d5fe41254cf7217a4b8606ff7a23640657

Download Submit
C:\Windows\SysWOW64\Mmnhcb32.exe

Filesize
130KB

MD5
658acfb4bddbf2d105145746400775c2

SHA1
aea513b43aba0e0d5dfe471f8fb362c2db2b01da

SHA256
c6a99719971e27ae31ec0a4201bd005409e6deff4d990497fbe18c54a18f98e7

SHA512
760f8f74453ad0190484806c48ce915eb680bb099b1f7d4be6b88ce3ba509577b06329efe44e4574153db3e05bf54c344a153024badef76f515b1b245010a806

Download Submit
C:\Windows\SysWOW64\Mmnhcb32.exe

Filesize
130KB

MD5
658acfb4bddbf2d105145746400775c2

SHA1
aea513b43aba0e0d5dfe471f8fb362c2db2b01da

SHA256
c6a99719971e27ae31ec0a4201bd005409e6deff4d990497fbe18c54a18f98e7

SHA512
760f8f74453ad0190484806c48ce915eb680bb099b1f7d4be6b88ce3ba509577b06329efe44e4574153db3e05bf54c344a153024badef76f515b1b245010a806

Download Submit
C:\Windows\SysWOW64\Najmjokc.exe

Filesize
130KB

MD5
31502a81702d03e6fa7d9dc9899bdf5e

SHA1
36c529d5f0b9d36fd981f4e922c551740e061947

SHA256
fc29e7f5946df22887509648b9b8f708662ae340497e3fa9787a61cf353a9677

SHA512
dffba1c7ca610b0191d25bbd5eb912ea06cd160f1732b26c131552e7aac3bc9cb63a95f6cf616e043d09675cc8486f040cc263290d9dac04c2bf40fc5158f45c

Download Submit
C:\Windows\SysWOW64\Najmjokc.exe

Filesize
130KB

MD5
31502a81702d03e6fa7d9dc9899bdf5e

SHA1
36c529d5f0b9d36fd981f4e922c551740e061947

SHA256
fc29e7f5946df22887509648b9b8f708662ae340497e3fa9787a61cf353a9677

SHA512
dffba1c7ca610b0191d25bbd5eb912ea06cd160f1732b26c131552e7aac3bc9cb63a95f6cf616e043d09675cc8486f040cc263290d9dac04c2bf40fc5158f45c

Download Submit
C:\Windows\SysWOW64\Nccokk32.exe

Filesize
130KB

MD5
c041648cb4ad673c23e922e8f32f9738

SHA1
e50a7a00f7f4f42654fc1d6db2dba61c38dd13d8

SHA256
3606ebeea4a9aa6dd7948449b3829ed8eb9dbce21e1a70366537aa070ba5c72c

SHA512
f346f24b1d0f285bf03c291d7969da1af1939f4fa6223b074f3a7b2bd81a829820f4a45e0bb66afa5d5530a4b9822d197116630a2177dee8b7e60071097c09e6

Download Submit
C:\Windows\SysWOW64\Nccokk32.exe

Filesize
130KB

MD5
c041648cb4ad673c23e922e8f32f9738

SHA1
e50a7a00f7f4f42654fc1d6db2dba61c38dd13d8

SHA256
3606ebeea4a9aa6dd7948449b3829ed8eb9dbce21e1a70366537aa070ba5c72c

SHA512
f346f24b1d0f285bf03c291d7969da1af1939f4fa6223b074f3a7b2bd81a829820f4a45e0bb66afa5d5530a4b9822d197116630a2177dee8b7e60071097c09e6

Download Submit
C:\Windows\SysWOW64\Nclikl32.exe

Filesize
130KB

MD5
0b5b92159c1f15a10fff7f9bea7e25f4

SHA1
56884432fc76bffd6e7424c683c4c4ee6e6ae498

SHA256
facfa8e8166cf4b150215ef3f53030e120f73965bd8b67ae7313d6a005fc4ebd

SHA512
4cb540f6b121e0e8527aff686d994d1bb91d2efd7c9cf723fb16b2608c916c4b11b8b3942539a4f8777815e3dbe532aa8364ff930b00210564e147f6ac446169

Download Submit
C:\Windows\SysWOW64\Nclikl32.exe

Filesize
130KB

MD5
0b5b92159c1f15a10fff7f9bea7e25f4

SHA1
56884432fc76bffd6e7424c683c4c4ee6e6ae498

SHA256
facfa8e8166cf4b150215ef3f53030e120f73965bd8b67ae7313d6a005fc4ebd

SHA512
4cb540f6b121e0e8527aff686d994d1bb91d2efd7c9cf723fb16b2608c916c4b11b8b3942539a4f8777815e3dbe532aa8364ff930b00210564e147f6ac446169

Download Submit
C:\Windows\SysWOW64\Ngjbaj32.exe

Filesize
130KB

MD5
142bc9dfeabbf8dfa721365d9f384f12

SHA1
33e885ca233cf92347aa7d7f10ad854b95d91f3e

SHA256
d648833a317492a06bfbce7c66347381b90e980b2516fb3211a5a38b6d894d36

SHA512
1d0a9581ff314140ee247a0d447abd9438731d1e955fb3823173dcfc8820ec24424f570411772ddb6e831af2c5588178dcd2a9796c121ccf76db466275633988

Download Submit
C:\Windows\SysWOW64\Ngjbaj32.exe

Filesize
130KB

MD5
142bc9dfeabbf8dfa721365d9f384f12

SHA1
33e885ca233cf92347aa7d7f10ad854b95d91f3e

SHA256
d648833a317492a06bfbce7c66347381b90e980b2516fb3211a5a38b6d894d36

SHA512
1d0a9581ff314140ee247a0d447abd9438731d1e955fb3823173dcfc8820ec24424f570411772ddb6e831af2c5588178dcd2a9796c121ccf76db466275633988

Download Submit
C:\Windows\SysWOW64\Njkkbehl.exe

Filesize
130KB

MD5
b18ab01d5b72993cd496090a3ff9adc7

SHA1
e395ae75230ab43738df3b7cd640518bfa506c14

SHA256
49149aed0cecf69f04bb8233462161eb1e42d3a13ff3732fd1a8ed0181f4f719

SHA512
6db8e99e48bc697c055da5986e235c8a7d0fddcc15e808895a552f3134fd3be9fde14bad1d378d62d0120c9280521c7ef628375a77d10cec8f46f42202eea786

Download Submit
C:\Windows\SysWOW64\Njkkbehl.exe

Filesize
130KB

MD5
b18ab01d5b72993cd496090a3ff9adc7

SHA1
e395ae75230ab43738df3b7cd640518bfa506c14

SHA256
49149aed0cecf69f04bb8233462161eb1e42d3a13ff3732fd1a8ed0181f4f719

SHA512
6db8e99e48bc697c055da5986e235c8a7d0fddcc15e808895a552f3134fd3be9fde14bad1d378d62d0120c9280521c7ef628375a77d10cec8f46f42202eea786

Download Submit
C:\Windows\SysWOW64\Nlmdbh32.exe

Filesize
130KB

MD5
3f0cc3edc3dc5b0dacf1e3d39985ca9b

SHA1
796279ff3c9ad1b28caa1527f5c857494ff17023

SHA256
371cebe15523aa872c99e4d6a94bb8612249081e8cf17dd367970dcf766bc761

SHA512
24b987e17ebfa2891698cea68e11064713de7baadcdc60e9947dd71e643ed253a720d16506152bf40d437d05c1b41c6b9efdc94d01aead7eb85f36c7d480f60b

Download Submit
C:\Windows\SysWOW64\Nlmdbh32.exe

Filesize
130KB

MD5
3f0cc3edc3dc5b0dacf1e3d39985ca9b

SHA1
796279ff3c9ad1b28caa1527f5c857494ff17023

SHA256
371cebe15523aa872c99e4d6a94bb8612249081e8cf17dd367970dcf766bc761

SHA512
24b987e17ebfa2891698cea68e11064713de7baadcdc60e9947dd71e643ed253a720d16506152bf40d437d05c1b41c6b9efdc94d01aead7eb85f36c7d480f60b

Download Submit
C:\Windows\SysWOW64\Nmenca32.exe

Filesize
130KB

MD5
36997260c47a5105247fdab05f3b4778

SHA1
5b07641f936674edd94bd6fce15e9a69644b229b

SHA256
b1aa37ddd45c676b5a2d6e839b37380a08e7d648379172bc983edf1f6f61b3ca

SHA512
051cd788724d2dcae27030bd47e848523f7ffba90490be590836c840bb69257c2c944e2bd594f6b377968b65ae2a155ef828a3f135ab77610a204b6f8fe9e656

Download Submit
C:\Windows\SysWOW64\Nmenca32.exe

Filesize
130KB

MD5
36997260c47a5105247fdab05f3b4778

SHA1
5b07641f936674edd94bd6fce15e9a69644b229b

SHA256
b1aa37ddd45c676b5a2d6e839b37380a08e7d648379172bc983edf1f6f61b3ca

SHA512
051cd788724d2dcae27030bd47e848523f7ffba90490be590836c840bb69257c2c944e2bd594f6b377968b65ae2a155ef828a3f135ab77610a204b6f8fe9e656

Download Submit
C:\Windows\SysWOW64\Nmgjia32.exe

Filesize
130KB

MD5
e5a8f7beb75dcd2559681c3bbe86755d

SHA1
656ace74f45618e4105c7221656220d3c9dbb236

SHA256
b507a477221fa797b338a0badb98b0f65faa8fae2375445b829a7de1bbb7ae47

SHA512
b82b65c3ec78fefb130434d6fd4ccf06b551ce45ad83e2b5c006bf26640630e07adf830faf7dab3ae8c02bda704f1fff76830b28ba3fe87f03807870a625fe8e

Download Submit
C:\Windows\SysWOW64\Nmgjia32.exe

Filesize
130KB

MD5
e5a8f7beb75dcd2559681c3bbe86755d

SHA1
656ace74f45618e4105c7221656220d3c9dbb236

SHA256
b507a477221fa797b338a0badb98b0f65faa8fae2375445b829a7de1bbb7ae47

SHA512
b82b65c3ec78fefb130434d6fd4ccf06b551ce45ad83e2b5c006bf26640630e07adf830faf7dab3ae8c02bda704f1fff76830b28ba3fe87f03807870a625fe8e

Download Submit
C:\Windows\SysWOW64\Nnicid32.exe

Filesize
130KB

MD5
95e6e7a8438cccba81d2a561fa194b6d

SHA1
89a727282eb225902cfa4ed000583b1cd965a9da

SHA256
41d2449109433b5cde7c6172965de27911a7df6b6f60d65a57e98c80df01392d

SHA512
40d472d17b96500adffc6062d5a3c1dfec067c743806c1486ea5b54480f0290f91e3664b89d15b6b28b7c455e0fe4d7a34864a3058b5e9979543abb4cf8c7149

Download Submit
C:\Windows\SysWOW64\Nnicid32.exe

Filesize
130KB

MD5
95e6e7a8438cccba81d2a561fa194b6d

SHA1
89a727282eb225902cfa4ed000583b1cd965a9da

SHA256
41d2449109433b5cde7c6172965de27911a7df6b6f60d65a57e98c80df01392d

SHA512
40d472d17b96500adffc6062d5a3c1dfec067c743806c1486ea5b54480f0290f91e3664b89d15b6b28b7c455e0fe4d7a34864a3058b5e9979543abb4cf8c7149

Download Submit
C:\Windows\SysWOW64\Odmbaj32.exe

Filesize
130KB

MD5
6b4286bd08dbdb335918969ab0612d34

SHA1
eec569bd3234d6db717fbb852e66abe0545b4a94

SHA256
bad6765525dc3f6043a0c7da6b4335891eeda3d1b8b627a5908189eeaa0f1777

SHA512
05fc6a5f50b42ff94bd5eef4547f9367e0b32896df79bad5db5564f5011497ace54cbc2e3e4be54cfff716cbc1e095f5d536e9350f74639f5aa03f51e92de1b4

Download Submit
C:\Windows\SysWOW64\Oeheqm32.exe

Filesize
130KB

MD5
348d097f903a06b23ced60942a3c8b45

SHA1
301f50178671ea2e4c6a512e16e02654a44cbfda

SHA256
97b33f93f94b51f7f11af4e43df11cdee49a569e7398c78ad6a26e35c06c963d

SHA512
ebf78b055d7e6c0db343b4f77419d453ba74d8003036eee0f580ebbccb0a1db59f4f986d2d574e318838b7dcfe5fc327dad82418999233851f1cc48ae299fdfb

Download Submit
C:\Windows\SysWOW64\Ojbacd32.exe

Filesize
130KB

MD5
9779af8d4868f3c3fee35520b683a84b

SHA1
adc3693610f2b9bbc2be7451f29413b83fa9cfce

SHA256
e0dd08425b1b21f0bea3fba17c67851e54f4e5d9cdf65c164a6f82b40024f167

SHA512
18fab859d4902d7625fc979243f8c5be3d5c814131e096feb6b24515b1aa72209247a8aa741e6b29ff8027f2ed97c4bc6aee828f9ab210b4205fb3b4b8c47999

Download Submit
C:\Windows\SysWOW64\Ojbacd32.exe

Filesize
130KB

MD5
9779af8d4868f3c3fee35520b683a84b

SHA1
adc3693610f2b9bbc2be7451f29413b83fa9cfce

SHA256
e0dd08425b1b21f0bea3fba17c67851e54f4e5d9cdf65c164a6f82b40024f167

SHA512
18fab859d4902d7625fc979243f8c5be3d5c814131e096feb6b24515b1aa72209247a8aa741e6b29ff8027f2ed97c4bc6aee828f9ab210b4205fb3b4b8c47999

Download Submit
C:\Windows\SysWOW64\Onmfimga.exe

Filesize
130KB

MD5
6708b490c96deca2e007da9758c8d00c

SHA1
1f99b903a3500a15d258fce5cc817a1838c84ba4

SHA256
d955de055c199802a890a6ca8df9a00f4f7b8348c30a291585c840a46bbe24d6

SHA512
a1818ce72619d19ed5438666de8dd322ad311653c2b750530739e653cf8e9b6fb1b5b6b124fea46cfab7c722a5f5e867e7cfd42fceebf10792acb2739464622e

Download Submit
C:\Windows\SysWOW64\Pmlmkn32.exe

Filesize
130KB

MD5
a188b3e511a46d84f30bc7dc364e4a8a

SHA1
7f423cfd6174d5de6281767dc8cb5e709ee640e9

SHA256
52e976e39a93dcdac1275900b1a0fc5e4eb7bd37a6839a910b7c0d7c55feca19

SHA512
20dc072fbb85a41afc3d2f8c29a70da0a04632de30b2b7252c81ce60e5ceeb51314904b532d5b9daf78b5260b867d8ffc6709ac138b65d24967c330efe74ca2d

Download Submit
memory/112-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/216-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/508-325-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/660-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/840-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1080-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1316-43-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1392-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1704-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1936-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1972-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2352-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2868-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3132-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3308-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3364-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3400-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3412-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3420-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3564-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3816-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3848-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3864-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3876-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3952-337-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4348-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4520-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4544-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4556-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-331-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4660-415-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4800-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4852-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads