fc47a7c5ff80453670fcd4b420da9627c8039e7f4db2b5fd4684caf59b4c9721

Analysis

max time kernel
205s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe
Size

121KB
MD5

ee8e1ebd96b492a9b603eaf8d7b15be0
SHA1

5642c2b23bb81d4d83c5c7a8ef9326a32eb9980c
SHA256

fc47a7c5ff80453670fcd4b420da9627c8039e7f4db2b5fd4684caf59b4c9721
SHA512

c5a6881d2af97fc2e7345d981f86297b0d8e0974102cdbc604307170dfd8b25145f6572132d6201fad427c9c5d7d191eb7a3b5faa7ba34058fda8663f8f4f4d2
SSDEEP

1536:voByD43ypZBeHeMGKPdtbv3zYC0h1euSn5VkZxzyCV19zQYOd5ijJnD5ir3oGui4:voBZOr2/jui5VqxbO7AJnD5tvv

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqnofkkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Colfpace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlckhig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpqjaanf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppgeff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoalba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agkqiobl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdihmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbgqnhpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmifdjio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagbdenk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjheejff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlialb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpnfak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgcgbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abjkmqni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apeagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnkioq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieknpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbecgned.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkpcdbko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkagndmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onbpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fpggkbfq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khplia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcaiif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjbjjdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agkqiobl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpchn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpcel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifadggi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keekci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlknbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obccpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opfedb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbjlal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcmqin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oeqagi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npighq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkagndmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oecnmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fipkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qibfdkgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Halmaiog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfnqdale.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obgofmjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaflag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnfak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmmadpea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmopj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnkioq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okhmnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belegj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpbaga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjlbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjofefp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djfckenm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmgmonma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjheaad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dibdok32.exe

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/784-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0002000000022612-6.dat	family_berbew
behavioral2/files/0x0002000000022612-7.dat	family_berbew
behavioral2/memory/732-8-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022de6-15.dat	family_berbew
behavioral2/files/0x0006000000022de6-14.dat	family_berbew
behavioral2/memory/3556-16-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022dea-17.dat	family_berbew
behavioral2/files/0x0006000000022dea-22.dat	family_berbew
behavioral2/files/0x0006000000022dea-24.dat	family_berbew
behavioral2/memory/1964-23-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022de0-30.dat	family_berbew
behavioral2/files/0x0007000000022de0-32.dat	family_berbew
behavioral2/memory/4564-31-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022de3-38.dat	family_berbew
behavioral2/files/0x0007000000022de3-40.dat	family_berbew
behavioral2/memory/364-39-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022dec-46.dat	family_berbew
behavioral2/files/0x0006000000022dec-47.dat	family_berbew
behavioral2/memory/2052-52-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022dee-54.dat	family_berbew
behavioral2/memory/3104-60-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022df0-63.dat	family_berbew
behavioral2/files/0x0006000000022df0-62.dat	family_berbew
behavioral2/memory/4516-64-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022dee-55.dat	family_berbew
behavioral2/files/0x0006000000022df2-71.dat	family_berbew
behavioral2/memory/2988-72-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/2284-80-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022df6-86.dat	family_berbew
behavioral2/memory/3224-88-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022df6-87.dat	family_berbew
behavioral2/files/0x0006000000022df4-79.dat	family_berbew
behavioral2/files/0x0006000000022df4-78.dat	family_berbew
behavioral2/files/0x0006000000022df2-70.dat	family_berbew
behavioral2/files/0x0006000000022df8-96.dat	family_berbew
behavioral2/files/0x0006000000022df8-94.dat	family_berbew
behavioral2/memory/5016-95-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000600000001e798-102.dat	family_berbew
behavioral2/files/0x000600000001e798-103.dat	family_berbew
behavioral2/memory/784-104-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/1480-105-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/732-109-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e01-112.dat	family_berbew
behavioral2/files/0x0006000000022e03-120.dat	family_berbew
behavioral2/files/0x0006000000022e03-122.dat	family_berbew
behavioral2/memory/3428-121-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/2156-119-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e01-113.dat	family_berbew
behavioral2/files/0x0006000000022e05-128.dat	family_berbew
behavioral2/files/0x0006000000022e05-130.dat	family_berbew
behavioral2/files/0x0007000000022dfd-137.dat	family_berbew
behavioral2/memory/2704-138-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000022dfd-136.dat	family_berbew
behavioral2/memory/4372-129-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e08-144.dat	family_berbew
behavioral2/memory/4292-150-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e0a-152.dat	family_berbew
behavioral2/files/0x0006000000022e08-145.dat	family_berbew
behavioral2/files/0x0006000000022e0a-153.dat	family_berbew
behavioral2/memory/2152-157-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022e0c-160.dat	family_berbew
behavioral2/files/0x0006000000022e0c-161.dat	family_berbew
behavioral2/memory/3192-162-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
732	Mahklf32.exe
3556	Dmifkecb.exe
1964	Kagbdenk.exe
4564	Cjaiac32.exe
364	Ieknpb32.exe
2052	Mpbaga32.exe
3104	Mjheejff.exe
4516	Mlialb32.exe
2988	Mjjbjjdd.exe
2284	Nlknbb32.exe
3224	Njmopj32.exe
5016	Npighq32.exe
1480	Obccpj32.exe
2156	Pmfldkei.exe
3428	Ppgeff32.exe
4372	Qipjokik.exe
2704	Qibfdkgh.exe
4292	Abjkmqni.exe
2152	Aoalba32.exe
3192	Amblpikl.exe
1012	Agkqiobl.exe
3148	Aofemaog.exe
4288	Apeagd32.exe
2788	Bcmqin32.exe
1672	Nkjqme32.exe
4548	Nnkioq32.exe
2644	Negoaj32.exe
4900	Nkagndmc.exe
5028	Nqnofkkj.exe
2364	Onbpop32.exe
3544	Oigdmh32.exe
4568	Oabiak32.exe
2188	Okhmnc32.exe
3636	Ongijo32.exe
936	Oeqagi32.exe
3944	Opfedb32.exe
3752	Oecnmi32.exe
1904	Ophbja32.exe
4864	Obgofmjb.exe
3028	Colfpace.exe
4396	Ickcaf32.exe
4624	Cmlckhig.exe
4348	Cjpcel32.exe
4016	Djfckenm.exe
4452	Halmaiog.exe
324	Aaflag32.exe
756	Cfnqdale.exe
1592	Fdqffaql.exe
572	Fimonh32.exe
1856	Fpggkbfq.exe
5016	Fbecgned.exe
912	Fipkch32.exe
2736	Fpjcpbdn.exe
3192	Fbhplnca.exe
2480	Gjohnkdd.exe
2400	Gmndjf32.exe
3908	Gbjlbm32.exe
2264	Gpnmka32.exe
2820	Gbmigm32.exe
1356	Gifadggi.exe
1384	Gpqjaanf.exe
3392	Gmggpekm.exe
3936	Gpnfak32.exe
4536	Jcanfakf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hpkbjffj.dll	Pmgmonma.exe
File opened for modification	C:\Windows\SysWOW64\Egfdhokj.exe	Dibdok32.exe
File opened for modification	C:\Windows\SysWOW64\Gbjlbm32.exe	Gmndjf32.exe
File created	C:\Windows\SysWOW64\Kekcjc32.dll	Gifadggi.exe
File created	C:\Windows\SysWOW64\Eaedbq32.dll	Fbecgned.exe
File opened for modification	C:\Windows\SysWOW64\Gpnmka32.exe	Gbjlbm32.exe
File created	C:\Windows\SysWOW64\Dmkcjjgl.exe	Dedkimfj.exe
File opened for modification	C:\Windows\SysWOW64\Obccpj32.exe	Npighq32.exe
File created	C:\Windows\SysWOW64\Nqnofkkj.exe	Nkagndmc.exe
File opened for modification	C:\Windows\SysWOW64\Aofemaog.exe	Agkqiobl.exe
File created	C:\Windows\SysWOW64\Copkcomj.dll	Fggdic32.exe
File opened for modification	C:\Windows\SysWOW64\Mlialb32.exe	Mjheejff.exe
File opened for modification	C:\Windows\SysWOW64\Fbhplnca.exe	Fpjcpbdn.exe
File created	C:\Windows\SysWOW64\Gpqjaanf.exe	Gifadggi.exe
File opened for modification	C:\Windows\SysWOW64\Lebiddfi.exe	Khplia32.exe
File opened for modification	C:\Windows\SysWOW64\Pohdamqh.exe	Pmjheaad.exe
File created	C:\Windows\SysWOW64\Fpngaa32.dll	Pohdamqh.exe
File opened for modification	C:\Windows\SysWOW64\Kagbdenk.exe	Dmifkecb.exe
File created	C:\Windows\SysWOW64\Obmbfpea.dll	Cjaiac32.exe
File created	C:\Windows\SysWOW64\Dhdgih32.dll	Khplia32.exe
File created	C:\Windows\SysWOW64\Ldbnjl32.dll	Lebiddfi.exe
File opened for modification	C:\Windows\SysWOW64\Pbgqnhpl.exe	Pohdamqh.exe
File opened for modification	C:\Windows\SysWOW64\Dibdok32.exe	Dgcgbp32.exe
File created	C:\Windows\SysWOW64\Mlialb32.exe	Mjheejff.exe
File created	C:\Windows\SysWOW64\Cjpcel32.exe	Cmlckhig.exe
File opened for modification	C:\Windows\SysWOW64\Bcmqin32.exe	Apeagd32.exe
File created	C:\Windows\SysWOW64\Fdihmh32.exe	Fbjlal32.exe
File created	C:\Windows\SysWOW64\Lqlmgg32.dll	Dibdok32.exe
File created	C:\Windows\SysWOW64\Flcmpceo.dll	NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe
File opened for modification	C:\Windows\SysWOW64\Apeagd32.exe	Aofemaog.exe
File created	C:\Windows\SysWOW64\Infanp32.dll	Opfedb32.exe
File created	C:\Windows\SysWOW64\Ophbja32.exe	Oecnmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ophbja32.exe	Oecnmi32.exe
File opened for modification	C:\Windows\SysWOW64\Gpnfak32.exe	Gmggpekm.exe
File opened for modification	C:\Windows\SysWOW64\Khplia32.exe	Pmgmonma.exe
File created	C:\Windows\SysWOW64\Negoaj32.exe	Nnkioq32.exe
File created	C:\Windows\SysWOW64\Onbpop32.exe	Nqnofkkj.exe
File created	C:\Windows\SysWOW64\Pmgmonma.exe	Jcanfakf.exe
File created	C:\Windows\SysWOW64\Keekci32.exe	Hmmadpea.exe
File opened for modification	C:\Windows\SysWOW64\Fimonh32.exe	Fdqffaql.exe
File opened for modification	C:\Windows\SysWOW64\Gmndjf32.exe	Gjohnkdd.exe
File created	C:\Windows\SysWOW64\Gjohnkdd.exe	Fbhplnca.exe
File created	C:\Windows\SysWOW64\Bmpdhk32.dll	Pmjheaad.exe
File created	C:\Windows\SysWOW64\Mlhahj32.dll	Pmfldkei.exe
File created	C:\Windows\SysWOW64\Oigdmh32.exe	Onbpop32.exe
File created	C:\Windows\SysWOW64\Ekckbldb.dll	Mlialb32.exe
File created	C:\Windows\SysWOW64\Kkomblep.dll	Ddcoad32.exe
File created	C:\Windows\SysWOW64\Qiilbk32.dll	Cmlckhig.exe
File created	C:\Windows\SysWOW64\Ecobcfhi.dll	Fpggkbfq.exe
File created	C:\Windows\SysWOW64\Ifjngf32.dll	Fbhplnca.exe
File created	C:\Windows\SysWOW64\Fkpcdbko.exe	Cgaiqian.exe
File created	C:\Windows\SysWOW64\Kjfdcbhf.dll	Lhbkkipn.exe
File created	C:\Windows\SysWOW64\Ppgeff32.exe	Pmfldkei.exe
File opened for modification	C:\Windows\SysWOW64\Cjpcel32.exe	Cmlckhig.exe
File created	C:\Windows\SysWOW64\Naoplkpo.dll	Nnkioq32.exe
File opened for modification	C:\Windows\SysWOW64\Oeqagi32.exe	Ongijo32.exe
File created	C:\Windows\SysWOW64\Oecnmi32.exe	Opfedb32.exe
File created	C:\Windows\SysWOW64\Pcmdcg32.dll	Cfnqdale.exe
File created	C:\Windows\SysWOW64\Jcanfakf.exe	Gpnfak32.exe
File opened for modification	C:\Windows\SysWOW64\Mcaiif32.exe	Lebiddfi.exe
File opened for modification	C:\Windows\SysWOW64\Mpbaga32.exe	Ieknpb32.exe
File opened for modification	C:\Windows\SysWOW64\Aoalba32.exe	Abjkmqni.exe
File opened for modification	C:\Windows\SysWOW64\Negoaj32.exe	Nnkioq32.exe
File created	C:\Windows\SysWOW64\Jphnld32.dll	Oabiak32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockqjkgb.dll"	Aofemaog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiebieom.dll"	Nqnofkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkbjffj.dll"	Pmgmonma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fkpcdbko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pohdamqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpnmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbmigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apeagd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlckhig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcanfakf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppgeff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oabiak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fipkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpkcp32.dll"	Qibfdkgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmgmonma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpbaga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fpjcpbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieknpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofocia32.dll"	Ppgeff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abjkmqni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddcoad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpbaga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlialb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qibfdkgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkkkif32.dll"	Negoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fkpcdbko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amblpikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfninn32.dll"	Bcmqin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpqjaanf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjofefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjcohn32.dll"	Dpjofefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeplecom.dll"	Hmmadpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ophbja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecobcfhi.dll"	Fpggkbfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbihep32.dll"	Mjjbjjdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obccpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppgeff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aofemaog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okhmnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doqpjoik.dll"	Abjkmqni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aoalba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqnofkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Femcdp32.dll"	Fdqffaql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clddbd32.dll"	Mcaiif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnkioq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldafk32.dll"	Colfpace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Halmaiog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fimonh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Innlgj32.dll"	Belegj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfeodebg.dll"	Nkagndmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagqlkak.dll"	Gpnfak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbjlal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffnhai32.dll"	Dmkcjjgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qipjokik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnkioq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejmhi32.dll"	Onbpop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oigdmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obgofmjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npighq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lebiddfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpjofefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjbjjdd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 732	784	NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe	88
PID 784 wrote to memory of 732	784	NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe	88
PID 784 wrote to memory of 732	784	NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe	88
PID 732 wrote to memory of 3556	732	Mahklf32.exe	89
PID 732 wrote to memory of 3556	732	Mahklf32.exe	89
PID 732 wrote to memory of 3556	732	Mahklf32.exe	89
PID 3556 wrote to memory of 1964	3556	Dmifkecb.exe	90
PID 3556 wrote to memory of 1964	3556	Dmifkecb.exe	90
PID 3556 wrote to memory of 1964	3556	Dmifkecb.exe	90
PID 1964 wrote to memory of 4564	1964	Kagbdenk.exe	91
PID 1964 wrote to memory of 4564	1964	Kagbdenk.exe	91
PID 1964 wrote to memory of 4564	1964	Kagbdenk.exe	91
PID 4564 wrote to memory of 364	4564	Cjaiac32.exe	93
PID 4564 wrote to memory of 364	4564	Cjaiac32.exe	93
PID 4564 wrote to memory of 364	4564	Cjaiac32.exe	93
PID 364 wrote to memory of 2052	364	Ieknpb32.exe	94
PID 364 wrote to memory of 2052	364	Ieknpb32.exe	94
PID 364 wrote to memory of 2052	364	Ieknpb32.exe	94
PID 2052 wrote to memory of 3104	2052	Mpbaga32.exe	95
PID 2052 wrote to memory of 3104	2052	Mpbaga32.exe	95
PID 2052 wrote to memory of 3104	2052	Mpbaga32.exe	95
PID 3104 wrote to memory of 4516	3104	Mjheejff.exe	96
PID 3104 wrote to memory of 4516	3104	Mjheejff.exe	96
PID 3104 wrote to memory of 4516	3104	Mjheejff.exe	96
PID 4516 wrote to memory of 2988	4516	Mlialb32.exe	97
PID 4516 wrote to memory of 2988	4516	Mlialb32.exe	97
PID 4516 wrote to memory of 2988	4516	Mlialb32.exe	97
PID 2988 wrote to memory of 2284	2988	Mjjbjjdd.exe	98
PID 2988 wrote to memory of 2284	2988	Mjjbjjdd.exe	98
PID 2988 wrote to memory of 2284	2988	Mjjbjjdd.exe	98
PID 2284 wrote to memory of 3224	2284	Nlknbb32.exe	99
PID 2284 wrote to memory of 3224	2284	Nlknbb32.exe	99
PID 2284 wrote to memory of 3224	2284	Nlknbb32.exe	99
PID 3224 wrote to memory of 5016	3224	Njmopj32.exe	100
PID 3224 wrote to memory of 5016	3224	Njmopj32.exe	100
PID 3224 wrote to memory of 5016	3224	Njmopj32.exe	100
PID 5016 wrote to memory of 1480	5016	Npighq32.exe	102
PID 5016 wrote to memory of 1480	5016	Npighq32.exe	102
PID 5016 wrote to memory of 1480	5016	Npighq32.exe	102
PID 1480 wrote to memory of 2156	1480	Obccpj32.exe	103
PID 1480 wrote to memory of 2156	1480	Obccpj32.exe	103
PID 1480 wrote to memory of 2156	1480	Obccpj32.exe	103
PID 2156 wrote to memory of 3428	2156	Pmfldkei.exe	104
PID 2156 wrote to memory of 3428	2156	Pmfldkei.exe	104
PID 2156 wrote to memory of 3428	2156	Pmfldkei.exe	104
PID 3428 wrote to memory of 4372	3428	Ppgeff32.exe	105
PID 3428 wrote to memory of 4372	3428	Ppgeff32.exe	105
PID 3428 wrote to memory of 4372	3428	Ppgeff32.exe	105
PID 4372 wrote to memory of 2704	4372	Qipjokik.exe	106
PID 4372 wrote to memory of 2704	4372	Qipjokik.exe	106
PID 4372 wrote to memory of 2704	4372	Qipjokik.exe	106
PID 2704 wrote to memory of 4292	2704	Qibfdkgh.exe	107
PID 2704 wrote to memory of 4292	2704	Qibfdkgh.exe	107
PID 2704 wrote to memory of 4292	2704	Qibfdkgh.exe	107
PID 4292 wrote to memory of 2152	4292	Abjkmqni.exe	108
PID 4292 wrote to memory of 2152	4292	Abjkmqni.exe	108
PID 4292 wrote to memory of 2152	4292	Abjkmqni.exe	108
PID 2152 wrote to memory of 3192	2152	Aoalba32.exe	109
PID 2152 wrote to memory of 3192	2152	Aoalba32.exe	109
PID 2152 wrote to memory of 3192	2152	Aoalba32.exe	109
PID 3192 wrote to memory of 1012	3192	Amblpikl.exe	110
PID 3192 wrote to memory of 1012	3192	Amblpikl.exe	110
PID 3192 wrote to memory of 1012	3192	Amblpikl.exe	110
PID 1012 wrote to memory of 3148	1012	Agkqiobl.exe	111

C:\Users\Admin\AppData\Local\Temp\NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ee8e1ebd96b492a9b603eaf8d7b15be0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\SysWOW64\Mahklf32.exe
  C:\Windows\system32\Mahklf32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\SysWOW64\Dmifkecb.exe
    C:\Windows\system32\Dmifkecb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\Kagbdenk.exe
      C:\Windows\system32\Kagbdenk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SysWOW64\Cjaiac32.exe
        
        C:\Windows\system32\Cjaiac32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4564
      - C:\Windows\SysWOW64\Ieknpb32.exe
        
        C:\Windows\system32\Ieknpb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Mpbaga32.exe
        
        C:\Windows\system32\Mpbaga32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Mjheejff.exe
        
        C:\Windows\system32\Mjheejff.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Mlialb32.exe
        
        C:\Windows\system32\Mlialb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Mjjbjjdd.exe
        
        C:\Windows\system32\Mjjbjjdd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Nlknbb32.exe
        
        C:\Windows\system32\Nlknbb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Njmopj32.exe
        
        C:\Windows\system32\Njmopj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Npighq32.exe
        
        C:\Windows\system32\Npighq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Obccpj32.exe
        
        C:\Windows\system32\Obccpj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Pmfldkei.exe
        
        C:\Windows\system32\Pmfldkei.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ppgeff32.exe
        
        C:\Windows\system32\Ppgeff32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Qipjokik.exe
        
        C:\Windows\system32\Qipjokik.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Qibfdkgh.exe
        
        C:\Windows\system32\Qibfdkgh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Abjkmqni.exe
        
        C:\Windows\system32\Abjkmqni.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Aoalba32.exe
        
        C:\Windows\system32\Aoalba32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Amblpikl.exe
        
        C:\Windows\system32\Amblpikl.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Agkqiobl.exe
        
        C:\Windows\system32\Agkqiobl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Aofemaog.exe
        
        C:\Windows\system32\Aofemaog.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Apeagd32.exe
        
        C:\Windows\system32\Apeagd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Bcmqin32.exe
        
        C:\Windows\system32\Bcmqin32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Nkjqme32.exe
        
        C:\Windows\system32\Nkjqme32.exe
        26⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Nnkioq32.exe
        
        C:\Windows\system32\Nnkioq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Negoaj32.exe
        
        C:\Windows\system32\Negoaj32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Nkagndmc.exe
        
        C:\Windows\system32\Nkagndmc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Nqnofkkj.exe
        
        C:\Windows\system32\Nqnofkkj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Onbpop32.exe
        
        C:\Windows\system32\Onbpop32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Oigdmh32.exe
        
        C:\Windows\system32\Oigdmh32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Oabiak32.exe
        
        C:\Windows\system32\Oabiak32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Okhmnc32.exe
        
        C:\Windows\system32\Okhmnc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Ongijo32.exe
        
        C:\Windows\system32\Ongijo32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Oeqagi32.exe
        
        C:\Windows\system32\Oeqagi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Opfedb32.exe
        
        C:\Windows\system32\Opfedb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Oecnmi32.exe
        
        C:\Windows\system32\Oecnmi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ophbja32.exe
        
        C:\Windows\system32\Ophbja32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Obgofmjb.exe
        
        C:\Windows\system32\Obgofmjb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Colfpace.exe
        
        C:\Windows\system32\Colfpace.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ickcaf32.exe
        
        C:\Windows\system32\Ickcaf32.exe
        42⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Cmlckhig.exe
        
        C:\Windows\system32\Cmlckhig.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Cjpcel32.exe
        
        C:\Windows\system32\Cjpcel32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Djfckenm.exe
        
        C:\Windows\system32\Djfckenm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\Halmaiog.exe
        
        C:\Windows\system32\Halmaiog.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Aaflag32.exe
        
        C:\Windows\system32\Aaflag32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\Cfnqdale.exe
        
        C:\Windows\system32\Cfnqdale.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Fdqffaql.exe
        
        C:\Windows\system32\Fdqffaql.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Fimonh32.exe
        
        C:\Windows\system32\Fimonh32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Fpggkbfq.exe
        
        C:\Windows\system32\Fpggkbfq.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Fbecgned.exe
        
        C:\Windows\system32\Fbecgned.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Fipkch32.exe
        
        C:\Windows\system32\Fipkch32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Fpjcpbdn.exe
        
        C:\Windows\system32\Fpjcpbdn.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Fbhplnca.exe
        
        C:\Windows\system32\Fbhplnca.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\Gjohnkdd.exe
        
        C:\Windows\system32\Gjohnkdd.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Gmndjf32.exe
        
        C:\Windows\system32\Gmndjf32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\Gbjlbm32.exe
        
        C:\Windows\system32\Gbjlbm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3908
        
        C:\Windows\SysWOW64\Gpnmka32.exe
        
        C:\Windows\system32\Gpnmka32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Gbmigm32.exe
        
        C:\Windows\system32\Gbmigm32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Gifadggi.exe
        
        C:\Windows\system32\Gifadggi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Gpqjaanf.exe
        
        C:\Windows\system32\Gpqjaanf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Gmggpekm.exe
        
        C:\Windows\system32\Gmggpekm.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Gpnfak32.exe
        
        C:\Windows\system32\Gpnfak32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Jcanfakf.exe
        
        C:\Windows\system32\Jcanfakf.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Pmgmonma.exe
        
        C:\Windows\system32\Pmgmonma.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Khplia32.exe
        
        C:\Windows\system32\Khplia32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\Lebiddfi.exe
        
        C:\Windows\system32\Lebiddfi.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Mcaiif32.exe
        
        C:\Windows\system32\Mcaiif32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Cgaiqian.exe
        
        C:\Windows\system32\Cgaiqian.exe
        70⤵
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Fkpcdbko.exe
        
        C:\Windows\system32\Fkpcdbko.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Fbjlal32.exe
        
        C:\Windows\system32\Fbjlal32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Fdihmh32.exe
        
        C:\Windows\system32\Fdihmh32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:404
        
        C:\Windows\SysWOW64\Fggdic32.exe
        
        C:\Windows\system32\Fggdic32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\Jaljlb32.exe
        
        C:\Windows\system32\Jaljlb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1900
        
        C:\Windows\SysWOW64\Lhbkkipn.exe
        
        C:\Windows\system32\Lhbkkipn.exe
        76⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Pmjheaad.exe
        
        C:\Windows\system32\Pmjheaad.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Pohdamqh.exe
        
        C:\Windows\system32\Pohdamqh.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Pbgqnhpl.exe
        
        C:\Windows\system32\Pbgqnhpl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2496
        
        C:\Windows\SysWOW64\Dmifdjio.exe
        
        C:\Windows\system32\Dmifdjio.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3992
        
        C:\Windows\SysWOW64\Ddcoad32.exe
        
        C:\Windows\system32\Ddcoad32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Dedkimfj.exe
        
        C:\Windows\system32\Dedkimfj.exe
        82⤵
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Dmkcjjgl.exe
        
        C:\Windows\system32\Dmkcjjgl.exe
        83⤵
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Dpjofefp.exe
        
        C:\Windows\system32\Dpjofefp.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Dgcgbp32.exe
        
        C:\Windows\system32\Dgcgbp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Dibdok32.exe
        
        C:\Windows\system32\Dibdok32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Egfdhokj.exe
        
        C:\Windows\system32\Egfdhokj.exe
        87⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Hmmadpea.exe
        
        C:\Windows\system32\Hmmadpea.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Keekci32.exe
        
        C:\Windows\system32\Keekci32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4544
        
        C:\Windows\SysWOW64\Ngpchn32.exe
        
        C:\Windows\system32\Ngpchn32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4288
        
        C:\Windows\SysWOW64\Belegj32.exe
        
        C:\Windows\system32\Belegj32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abjkmqni.exe

Filesize
121KB

MD5
b82e36e460174d3354c06d5bc99c2301

SHA1
b0cddb19d2cd0e033e3db45fc3d4048ada2bf0d4

SHA256
4be694301721ff781476ebf359ea957b930270513a931d9d5bb626f91daf401f

SHA512
52c5e1826ee415670827c7ab94d04da7d199b328dfb46a9e2461cd474c3d0b80e84b937c17697b1a9bd5c2654d0c192b3de7d7d50e6d37a5e1f7a08096ecbdf2

Download Submit
C:\Windows\SysWOW64\Abjkmqni.exe

Filesize
121KB

MD5
b82e36e460174d3354c06d5bc99c2301

SHA1
b0cddb19d2cd0e033e3db45fc3d4048ada2bf0d4

SHA256
4be694301721ff781476ebf359ea957b930270513a931d9d5bb626f91daf401f

SHA512
52c5e1826ee415670827c7ab94d04da7d199b328dfb46a9e2461cd474c3d0b80e84b937c17697b1a9bd5c2654d0c192b3de7d7d50e6d37a5e1f7a08096ecbdf2

Download Submit
C:\Windows\SysWOW64\Agkqiobl.exe

Filesize
121KB

MD5
cedd99483dc996dcf5563322677c0e57

SHA1
0e1e9359078d6ca7d4fa83b26d83171e9a7bbbe4

SHA256
1df71f877b9e01e3a5e4a1295945eccacef5111e96934541712731fee8865750

SHA512
4717a79fce5ac90bb5b08799eef276c83c7af8e7b3993f4f82acac01d79062b47061118cea1f3e71be724c4601d66b835be8100ecfed1092f7383f3c078b574d

Download Submit
C:\Windows\SysWOW64\Agkqiobl.exe

Filesize
121KB

MD5
cedd99483dc996dcf5563322677c0e57

SHA1
0e1e9359078d6ca7d4fa83b26d83171e9a7bbbe4

SHA256
1df71f877b9e01e3a5e4a1295945eccacef5111e96934541712731fee8865750

SHA512
4717a79fce5ac90bb5b08799eef276c83c7af8e7b3993f4f82acac01d79062b47061118cea1f3e71be724c4601d66b835be8100ecfed1092f7383f3c078b574d

Download Submit
C:\Windows\SysWOW64\Amblpikl.exe

Filesize
121KB

MD5
8844d0fc9983d87c3aa29e2221e59633

SHA1
4a2274b12c356db69d80ba335f66329bb877caa1

SHA256
f96c0ee2c8b024cf61d5a5b16e7169971099ca30cbd09194e3a2785d5378fdc5

SHA512
9f3559d9346b362341cb17815ee2e4d815e2f112a6f3d849a0dedc4af224a15de7fced5666869287032c76ebb1c9076b6886af58c02a00d93d4e69fa75a4ae63

Download Submit
C:\Windows\SysWOW64\Amblpikl.exe

Filesize
121KB

MD5
8844d0fc9983d87c3aa29e2221e59633

SHA1
4a2274b12c356db69d80ba335f66329bb877caa1

SHA256
f96c0ee2c8b024cf61d5a5b16e7169971099ca30cbd09194e3a2785d5378fdc5

SHA512
9f3559d9346b362341cb17815ee2e4d815e2f112a6f3d849a0dedc4af224a15de7fced5666869287032c76ebb1c9076b6886af58c02a00d93d4e69fa75a4ae63

Download Submit
C:\Windows\SysWOW64\Aoalba32.exe

Filesize
121KB

MD5
90d2da41b1eaea0811df2ecb0d2e9541

SHA1
dbce2b987456733c3962317bf79ecd7a16ac0b55

SHA256
257af9f8ff16aebeef542a08a2146acf01eece8c4d7a00afda4c620deb6c146e

SHA512
20061582844829415a4e2bf8c8768c50c9856653e26a7b5358216c8a98090479ec6e14079e6b725cdd7f56eb98a1d3490a04b74c4366b2b7cf02e048ef22de6c

Download Submit
C:\Windows\SysWOW64\Aoalba32.exe

Filesize
121KB

MD5
90d2da41b1eaea0811df2ecb0d2e9541

SHA1
dbce2b987456733c3962317bf79ecd7a16ac0b55

SHA256
257af9f8ff16aebeef542a08a2146acf01eece8c4d7a00afda4c620deb6c146e

SHA512
20061582844829415a4e2bf8c8768c50c9856653e26a7b5358216c8a98090479ec6e14079e6b725cdd7f56eb98a1d3490a04b74c4366b2b7cf02e048ef22de6c

Download Submit
C:\Windows\SysWOW64\Aofemaog.exe

Filesize
121KB

MD5
ab119ff60f1d4df73e92c1334f436007

SHA1
458b956675bd30ec6c8cfb10e459f007f98ea19f

SHA256
dd71d13c4a03691f530492fe4d4021fe0bbf24783058326b982c94d8aa173ff8

SHA512
892948496748a835640952f6661a301afee072016d85c2081ea8bd7ee1a3f095f18f2a7022b54f159195bdbe5845947eef9732aec477662dd7d85030c95fa138

Download Submit
C:\Windows\SysWOW64\Aofemaog.exe

Filesize
121KB

MD5
ab119ff60f1d4df73e92c1334f436007

SHA1
458b956675bd30ec6c8cfb10e459f007f98ea19f

SHA256
dd71d13c4a03691f530492fe4d4021fe0bbf24783058326b982c94d8aa173ff8

SHA512
892948496748a835640952f6661a301afee072016d85c2081ea8bd7ee1a3f095f18f2a7022b54f159195bdbe5845947eef9732aec477662dd7d85030c95fa138

Download Submit
C:\Windows\SysWOW64\Apeagd32.exe

Filesize
121KB

MD5
ab119ff60f1d4df73e92c1334f436007

SHA1
458b956675bd30ec6c8cfb10e459f007f98ea19f

SHA256
dd71d13c4a03691f530492fe4d4021fe0bbf24783058326b982c94d8aa173ff8

SHA512
892948496748a835640952f6661a301afee072016d85c2081ea8bd7ee1a3f095f18f2a7022b54f159195bdbe5845947eef9732aec477662dd7d85030c95fa138

Download Submit
C:\Windows\SysWOW64\Apeagd32.exe

Filesize
121KB

MD5
b749762d3fca0f88c7a8b137e4e629d2

SHA1
e9267a87f00ced6687d30b795df6a8a568f9c3a9

SHA256
0a5aa098cad71b5762c95fdb4fb57928dfaf2f57b11c1dcf19537ea81ed83dd2

SHA512
2004f0053ada2b9a680a98d475a1e3720d2b12decabbe5c91911ae4458be25cce8c8ab0e250db11fcfc06b2ad3620a99b4c4f8ca29ca0c2487449f7405864c17

Download Submit
C:\Windows\SysWOW64\Apeagd32.exe

Filesize
121KB

MD5
b749762d3fca0f88c7a8b137e4e629d2

SHA1
e9267a87f00ced6687d30b795df6a8a568f9c3a9

SHA256
0a5aa098cad71b5762c95fdb4fb57928dfaf2f57b11c1dcf19537ea81ed83dd2

SHA512
2004f0053ada2b9a680a98d475a1e3720d2b12decabbe5c91911ae4458be25cce8c8ab0e250db11fcfc06b2ad3620a99b4c4f8ca29ca0c2487449f7405864c17

Download Submit
C:\Windows\SysWOW64\Bcmqin32.exe

Filesize
121KB

MD5
e0c0d5c4dd60283245ab953ecea52db9

SHA1
749bf4dfa1d1ff7c5a921f63eb0112e3b14240fb

SHA256
a0672c1d8a9a870b750c836ee9bcde5550c8edc7b0a7b0a9c7858826e66196c2

SHA512
48e642af0431ad099229db768ef1cbed82faca33ff64bb5a7c446840c50514895b0ce58af3678e35108afc1be2254c5f681efbf2b9da9a733a4600413e793598

Download Submit
C:\Windows\SysWOW64\Bcmqin32.exe

Filesize
121KB

MD5
e0c0d5c4dd60283245ab953ecea52db9

SHA1
749bf4dfa1d1ff7c5a921f63eb0112e3b14240fb

SHA256
a0672c1d8a9a870b750c836ee9bcde5550c8edc7b0a7b0a9c7858826e66196c2

SHA512
48e642af0431ad099229db768ef1cbed82faca33ff64bb5a7c446840c50514895b0ce58af3678e35108afc1be2254c5f681efbf2b9da9a733a4600413e793598

Download Submit
C:\Windows\SysWOW64\Cfnqdale.exe

Filesize
121KB

MD5
2cb53bcb1c9236ddba407990dc2dd23b

SHA1
14f4e8a6da0e1edc7153a3cce8bf02ff380ee94c

SHA256
60528869b4b5d56e874145d2e56e7f550c05d94eebd02ce01408f65aaf1a583c

SHA512
397ce3f06641cf99bce55347c13eb5d2f337c1d977ea401b6d05bd9662594f38550f6a40e840bccab25d775c6a9a0f504a965ab9b1d4d0b862d5cd953dc693e9

Download Submit
C:\Windows\SysWOW64\Cjaiac32.exe

Filesize
121KB

MD5
89d6c1a9b17947dbe818fb5c922c74d4

SHA1
6a1122e04ccf6856505abf5ddf2311c8b7c79f9c

SHA256
74cb0ed4dbd06f5536f6ee3dd63722808426f999ae641c9387dbb43cd10eaad4

SHA512
d389983e7f50ffab38447754b7ce386bf7caf114f61e52d897f3e956fcbcd41c4594f9ef2ebc4cb53a12c717526389fc48c3a0bf01865e224646efbeacf65f6a

Download Submit
C:\Windows\SysWOW64\Cjaiac32.exe

Filesize
121KB

MD5
89d6c1a9b17947dbe818fb5c922c74d4

SHA1
6a1122e04ccf6856505abf5ddf2311c8b7c79f9c

SHA256
74cb0ed4dbd06f5536f6ee3dd63722808426f999ae641c9387dbb43cd10eaad4

SHA512
d389983e7f50ffab38447754b7ce386bf7caf114f61e52d897f3e956fcbcd41c4594f9ef2ebc4cb53a12c717526389fc48c3a0bf01865e224646efbeacf65f6a

Download Submit
C:\Windows\SysWOW64\Cjpcel32.exe

Filesize
121KB

MD5
a77b33d54fe6eabebaaa51af5e9cd1af

SHA1
1eda03de4167c5aabe3f486c23a552ca37b3204e

SHA256
a7dfe8757682c1c1ab0cb4a736ee66f26a82f03d6c124c9e11373b5547a4f80c

SHA512
6ec11096754276eede352d197b63cda2811c6ee1734d07d81e7b808e1a24c8e7220a6f13f670654a7a41cb8d43c56078dbd5c812b3b37f5232f42f959a9491fe

Download Submit
C:\Windows\SysWOW64\Dmifkecb.exe

Filesize
121KB

MD5
16d59676eb9d8a092afd7565cac36ab2

SHA1
b8b700d6f9e27b3f2f83e2ed5d2863e418229360

SHA256
d0fe51b279eb1e19163cd5be542a431c4b4861741ef37949cedbd72014ed4aa0

SHA512
bc40b96aa0c6a015c923282d5ee0acef0f007cf1e43d5f5031ba59e07ffed4713e57ed7ae47522e7579dfb5a63b2764cca9f6652644136cd4954cbea9a6b6751

Download Submit
C:\Windows\SysWOW64\Dmifkecb.exe

Filesize
121KB

MD5
16d59676eb9d8a092afd7565cac36ab2

SHA1
b8b700d6f9e27b3f2f83e2ed5d2863e418229360

SHA256
d0fe51b279eb1e19163cd5be542a431c4b4861741ef37949cedbd72014ed4aa0

SHA512
bc40b96aa0c6a015c923282d5ee0acef0f007cf1e43d5f5031ba59e07ffed4713e57ed7ae47522e7579dfb5a63b2764cca9f6652644136cd4954cbea9a6b6751

Download Submit
C:\Windows\SysWOW64\Ickcaf32.exe

Filesize
121KB

MD5
e454774e3e9dae23f2cb446c41370e9a

SHA1
271116e8f896961048b1653dab73b0c8cdcf0d4a

SHA256
e07eee663e942957591dc0cbdab4f94ca002671734216cbfe342942cd5b63c8f

SHA512
512c010a12a6f11cedf9e91d90c3f82bb85b657a214066db710dbd8dcb7434332465f04ed0e62182e50d625544d77ced378ecd2a79650eeb518152dbdbc18a77

Download Submit
C:\Windows\SysWOW64\Ieknpb32.exe

Filesize
121KB

MD5
117354cdfecee4ffb08d12b4bc22b888

SHA1
18f3034a59d238fe245dfc31034010f0c16a2d8f

SHA256
17c60b7b48551bb5c64322d8fbdca16e272ad052af64430b43dbe93f3976d4e7

SHA512
dd5a452eb493282948e5c679947b00627b464101c23ca503da8a734340ed4af3e6b5df4f7c30426e064f964b73bac4815104c903583c4572ada759a702ca3528

Download Submit
C:\Windows\SysWOW64\Ieknpb32.exe

Filesize
121KB

MD5
117354cdfecee4ffb08d12b4bc22b888

SHA1
18f3034a59d238fe245dfc31034010f0c16a2d8f

SHA256
17c60b7b48551bb5c64322d8fbdca16e272ad052af64430b43dbe93f3976d4e7

SHA512
dd5a452eb493282948e5c679947b00627b464101c23ca503da8a734340ed4af3e6b5df4f7c30426e064f964b73bac4815104c903583c4572ada759a702ca3528

Download Submit
C:\Windows\SysWOW64\Kagbdenk.exe

Filesize
121KB

MD5
10918bba13e1758409d22f42745cb416

SHA1
289550c01b44f474c225cf812e2dee43c28dfe0c

SHA256
184b994c0d821e108380481d1e301841aa08923e77a6a50dda7fc7ba15dbd45f

SHA512
92018ca9d3b52fa04d2caf45037d6a09a83341cfd3727748d0b7fbf2de95d4b17c2fcd550d3b8ef1520ad2e8c406c6e665f23059541c8705874c539ddd142f01

Download Submit
C:\Windows\SysWOW64\Kagbdenk.exe

Filesize
121KB

MD5
10918bba13e1758409d22f42745cb416

SHA1
289550c01b44f474c225cf812e2dee43c28dfe0c

SHA256
184b994c0d821e108380481d1e301841aa08923e77a6a50dda7fc7ba15dbd45f

SHA512
92018ca9d3b52fa04d2caf45037d6a09a83341cfd3727748d0b7fbf2de95d4b17c2fcd550d3b8ef1520ad2e8c406c6e665f23059541c8705874c539ddd142f01

Download Submit
C:\Windows\SysWOW64\Kagbdenk.exe

Filesize
121KB

MD5
10918bba13e1758409d22f42745cb416

SHA1
289550c01b44f474c225cf812e2dee43c28dfe0c

SHA256
184b994c0d821e108380481d1e301841aa08923e77a6a50dda7fc7ba15dbd45f

SHA512
92018ca9d3b52fa04d2caf45037d6a09a83341cfd3727748d0b7fbf2de95d4b17c2fcd550d3b8ef1520ad2e8c406c6e665f23059541c8705874c539ddd142f01

Download Submit
C:\Windows\SysWOW64\Lebiddfi.exe

Filesize
121KB

MD5
2d50e1b994e9e103e9c2e5d13a08d309

SHA1
622074cf56c96423214e9343459ab175aaa68414

SHA256
062dfd33644c2cd81750447ce6d82c334919f4d09c31f9f88507aab425743f93

SHA512
1dc2a35ed94231a95caaa88cf37a9b0e478e641d47e26b15d16ecdf09aa9b91f20ced88bfdfa75436a1325dd9e5bc9d0fb9f1e7401fd6253cbf437a2108cbba1

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
121KB

MD5
2924e3c1811682ca952952932275adc0

SHA1
fd932345668ecb3a3ed5e14ada5880f39082773e

SHA256
e2d7a73d508f4bcf8ec9caaa22b345f89e106a55f23240dc9fa1dfae4c55484c

SHA512
b92a1f009cf5e92684d3cdb34e077d3cca99ceaf6f1aa4f37a7667dae6ec4b26d47bd3170a23edacafac901c679c8ab9ec971ec3ed7364d5681355782deb59dc

Download Submit
C:\Windows\SysWOW64\Mahklf32.exe

Filesize
121KB

MD5
2924e3c1811682ca952952932275adc0

SHA1
fd932345668ecb3a3ed5e14ada5880f39082773e

SHA256
e2d7a73d508f4bcf8ec9caaa22b345f89e106a55f23240dc9fa1dfae4c55484c

SHA512
b92a1f009cf5e92684d3cdb34e077d3cca99ceaf6f1aa4f37a7667dae6ec4b26d47bd3170a23edacafac901c679c8ab9ec971ec3ed7364d5681355782deb59dc

Download Submit
C:\Windows\SysWOW64\Mjheejff.exe

Filesize
121KB

MD5
95275e5fdc62da24ba6f15c37fee9eec

SHA1
e2d2ff0471a9ac2d2fa8096577bc96c2df2d8c9f

SHA256
4dee1bfe739bc05b532075eddd443f4ca0f2e751de84f2a68a94ce8d667c3bd8

SHA512
2a347e730973adada1ea849517fd471428b645384c4a9c658a7b4e871785280b86d7c80a28fe5c877e08780631f37dfe61377a4ca79cf5fc60b06e32dcd63370

Download Submit
C:\Windows\SysWOW64\Mjheejff.exe

Filesize
121KB

MD5
95275e5fdc62da24ba6f15c37fee9eec

SHA1
e2d2ff0471a9ac2d2fa8096577bc96c2df2d8c9f

SHA256
4dee1bfe739bc05b532075eddd443f4ca0f2e751de84f2a68a94ce8d667c3bd8

SHA512
2a347e730973adada1ea849517fd471428b645384c4a9c658a7b4e871785280b86d7c80a28fe5c877e08780631f37dfe61377a4ca79cf5fc60b06e32dcd63370

Download Submit
C:\Windows\SysWOW64\Mjjbjjdd.exe

Filesize
121KB

MD5
d72fa8f033ec41b25c4c129ee8862dd4

SHA1
f2f8673a040f75f996d5cbd40d68d413e319b6f3

SHA256
c8180330392bee5ae49c5595ef1225fa3467b1947b4b33eee1c5619881b91f5d

SHA512
71d8de315fa6b8884fafef330b07e74ccdaa66147bc013885a049974b99a894afcba811819fba48ced261a82285fc019ee0b36801a51636784dc00835dbadcb2

Download Submit
C:\Windows\SysWOW64\Mjjbjjdd.exe

Filesize
121KB

MD5
d72fa8f033ec41b25c4c129ee8862dd4

SHA1
f2f8673a040f75f996d5cbd40d68d413e319b6f3

SHA256
c8180330392bee5ae49c5595ef1225fa3467b1947b4b33eee1c5619881b91f5d

SHA512
71d8de315fa6b8884fafef330b07e74ccdaa66147bc013885a049974b99a894afcba811819fba48ced261a82285fc019ee0b36801a51636784dc00835dbadcb2

Download Submit
C:\Windows\SysWOW64\Mlialb32.exe

Filesize
121KB

MD5
43d7fc857df75db7b213eed7f04635d2

SHA1
acf7e76f5938be0fff120ea397bc4c1bfe87894b

SHA256
ba4f2ec2da3cb66100b086f09a4a073330d448810a272125d4258bcdeb6f1124

SHA512
c8970f2de972e9c50bf7dedd0acdeccf057e7d9f6ff8319a570c8e5b1a06bd07b0475342bb54bb11016209b33cad62dff0435527b7167a4fd039a22e6828b78f

Download Submit
C:\Windows\SysWOW64\Mlialb32.exe

Filesize
121KB

MD5
43d7fc857df75db7b213eed7f04635d2

SHA1
acf7e76f5938be0fff120ea397bc4c1bfe87894b

SHA256
ba4f2ec2da3cb66100b086f09a4a073330d448810a272125d4258bcdeb6f1124

SHA512
c8970f2de972e9c50bf7dedd0acdeccf057e7d9f6ff8319a570c8e5b1a06bd07b0475342bb54bb11016209b33cad62dff0435527b7167a4fd039a22e6828b78f

Download Submit
C:\Windows\SysWOW64\Mpbaga32.exe

Filesize
121KB

MD5
237b7430b5b254d9348835d7804345e4

SHA1
29b0e4e63b833ac37aa24d1034455c0dcf8393fb

SHA256
7e4681e26af881ed5f825ebf5bc107135c8bc346e96ca899f7634c2e514e5c8d

SHA512
5d695efc5073e600fe4db6c1adc508a0b629e6f077b7c68613a27cb2e46a228d526a6a8446bf2e0e262b27bf4d8c9ebb4ab8b23dc45f64e1ca28efa5b4d50f83

Download Submit
C:\Windows\SysWOW64\Mpbaga32.exe

Filesize
121KB

MD5
237b7430b5b254d9348835d7804345e4

SHA1
29b0e4e63b833ac37aa24d1034455c0dcf8393fb

SHA256
7e4681e26af881ed5f825ebf5bc107135c8bc346e96ca899f7634c2e514e5c8d

SHA512
5d695efc5073e600fe4db6c1adc508a0b629e6f077b7c68613a27cb2e46a228d526a6a8446bf2e0e262b27bf4d8c9ebb4ab8b23dc45f64e1ca28efa5b4d50f83

Download Submit
C:\Windows\SysWOW64\Negoaj32.exe

Filesize
121KB

MD5
f64585588040ed61a2ff952b2555abf8

SHA1
a49f1e4fe29e8b72064bcc518954a2e5bcb0052b

SHA256
f424318dc25e63b585c5efd6e6bbb30e59742b210b02e1f562dd0d282e6209db

SHA512
8b1903348a22522decc555639f81b5b24ebc512c36362f05e515c854f6801fb91170ddb206ad7c87ec41f827d7e818b009ca8687a795442d05b3baaf870da1d3

Download Submit
C:\Windows\SysWOW64\Negoaj32.exe

Filesize
121KB

MD5
f64585588040ed61a2ff952b2555abf8

SHA1
a49f1e4fe29e8b72064bcc518954a2e5bcb0052b

SHA256
f424318dc25e63b585c5efd6e6bbb30e59742b210b02e1f562dd0d282e6209db

SHA512
8b1903348a22522decc555639f81b5b24ebc512c36362f05e515c854f6801fb91170ddb206ad7c87ec41f827d7e818b009ca8687a795442d05b3baaf870da1d3

Download Submit
C:\Windows\SysWOW64\Njmopj32.exe

Filesize
121KB

MD5
acacda417043cb08e833429119e6dde9

SHA1
7ee6e05cf6b5deea6f14166ec6ced4d53bdab852

SHA256
70a1b4de0f11b64c981a89c2897059232b7feaeb273c034a30dd51f81369b524

SHA512
2019dd54e547b5fb1ec017f14b1b811678d51b38e6e1f941fd385821e6e61161c6e8364aee01126d1744e61b94b12b68359c0ade1425d7c6d67876218eeacf66

Download Submit
C:\Windows\SysWOW64\Njmopj32.exe

Filesize
121KB

MD5
acacda417043cb08e833429119e6dde9

SHA1
7ee6e05cf6b5deea6f14166ec6ced4d53bdab852

SHA256
70a1b4de0f11b64c981a89c2897059232b7feaeb273c034a30dd51f81369b524

SHA512
2019dd54e547b5fb1ec017f14b1b811678d51b38e6e1f941fd385821e6e61161c6e8364aee01126d1744e61b94b12b68359c0ade1425d7c6d67876218eeacf66

Download Submit
C:\Windows\SysWOW64\Nkagndmc.exe

Filesize
121KB

MD5
37432a124cde8940d39a17cf56cb9784

SHA1
50748ee0c54b4e674ac0a63ef1bf1a45b4263ddd

SHA256
e35f5c4ee7177015ea1c40cfa20302dc7cb47192aec126bd6ddafb7415b954fc

SHA512
2d042c1c046e37835cb09811773ac4874f8e8fb07d988c61328c28465d32d697642b1591f3ab67b21abe7f0484357e41eeedce690853ca6c458704958b66fd84

Download Submit
C:\Windows\SysWOW64\Nkagndmc.exe

Filesize
121KB

MD5
37432a124cde8940d39a17cf56cb9784

SHA1
50748ee0c54b4e674ac0a63ef1bf1a45b4263ddd

SHA256
e35f5c4ee7177015ea1c40cfa20302dc7cb47192aec126bd6ddafb7415b954fc

SHA512
2d042c1c046e37835cb09811773ac4874f8e8fb07d988c61328c28465d32d697642b1591f3ab67b21abe7f0484357e41eeedce690853ca6c458704958b66fd84

Download Submit
C:\Windows\SysWOW64\Nkjqme32.exe

Filesize
121KB

MD5
1fe9a5b38f72e7cda48331daf921d507

SHA1
4795b3b968d19c667ab798cf6311b9731f353a7c

SHA256
93f2a5bcdc896847f0976b0e62b1cae01115dff6c1e9cc95501204d4e70be5ce

SHA512
af9474cf7740b7f6fda9e33ee7a65b9ec22bf588fccaf56e1393cbb017161573d8a214984f5fb294e2574f8739a544934f74312e275e3d55a6f42157a60262a0

Download Submit
C:\Windows\SysWOW64\Nkjqme32.exe

Filesize
121KB

MD5
1fe9a5b38f72e7cda48331daf921d507

SHA1
4795b3b968d19c667ab798cf6311b9731f353a7c

SHA256
93f2a5bcdc896847f0976b0e62b1cae01115dff6c1e9cc95501204d4e70be5ce

SHA512
af9474cf7740b7f6fda9e33ee7a65b9ec22bf588fccaf56e1393cbb017161573d8a214984f5fb294e2574f8739a544934f74312e275e3d55a6f42157a60262a0

Download Submit
C:\Windows\SysWOW64\Nlknbb32.exe

Filesize
121KB

MD5
30b318db15bd73ab89e99413fee0f52d

SHA1
599ccca49347830d4f862e12a7300baf3fd6348b

SHA256
148bc89bfc96714db64348e20455b8372f8821b6ae413e7c47b289f4a84002ec

SHA512
865bf6042909222a47df49e27d4e076ed971659900bae01068e2508448dea3e6dac14a1ba9b85e16a4b9eab1274752875a1f4de332972c91a1a56c16345ccf82

Download Submit
C:\Windows\SysWOW64\Nlknbb32.exe

Filesize
121KB

MD5
30b318db15bd73ab89e99413fee0f52d

SHA1
599ccca49347830d4f862e12a7300baf3fd6348b

SHA256
148bc89bfc96714db64348e20455b8372f8821b6ae413e7c47b289f4a84002ec

SHA512
865bf6042909222a47df49e27d4e076ed971659900bae01068e2508448dea3e6dac14a1ba9b85e16a4b9eab1274752875a1f4de332972c91a1a56c16345ccf82

Download Submit
C:\Windows\SysWOW64\Nnkioq32.exe

Filesize
121KB

MD5
3f8366586ce74eadeca4c1b627d35da2

SHA1
900f8617583d9eab3d3a43203d9223eef2672798

SHA256
5f4a54d9920c2fe073a9ec3da541582883b94d6c867d8096a7434feac346b4c6

SHA512
2c16bb311234911ff6efff80b6403448deba1bd8b7af6f8039d5844bf4a69b16956d54730b095798f024ad916f39572122c6c81d6ba0565361a43660839528bc

Download Submit
C:\Windows\SysWOW64\Nnkioq32.exe

Filesize
121KB

MD5
3f8366586ce74eadeca4c1b627d35da2

SHA1
900f8617583d9eab3d3a43203d9223eef2672798

SHA256
5f4a54d9920c2fe073a9ec3da541582883b94d6c867d8096a7434feac346b4c6

SHA512
2c16bb311234911ff6efff80b6403448deba1bd8b7af6f8039d5844bf4a69b16956d54730b095798f024ad916f39572122c6c81d6ba0565361a43660839528bc

Download Submit
C:\Windows\SysWOW64\Npighq32.exe

Filesize
121KB

MD5
3097c4ca19b08d7331baa03cf5d57eae

SHA1
963e0b644f5af40ba0ad8e747fb9d3946b622fe0

SHA256
7a90cb94a978118a2d5bb2abe5be530b1b8888c910329f9c0cb701004659975f

SHA512
b1c1b6a473528a6464f1273c3be722365fc231442b3afe280f185070e26de034d3ba3df8cd5aa5fdf8165e60b06333de2f7489e4b717cad5224e73a62df31545

Download Submit
C:\Windows\SysWOW64\Npighq32.exe

Filesize
121KB

MD5
3097c4ca19b08d7331baa03cf5d57eae

SHA1
963e0b644f5af40ba0ad8e747fb9d3946b622fe0

SHA256
7a90cb94a978118a2d5bb2abe5be530b1b8888c910329f9c0cb701004659975f

SHA512
b1c1b6a473528a6464f1273c3be722365fc231442b3afe280f185070e26de034d3ba3df8cd5aa5fdf8165e60b06333de2f7489e4b717cad5224e73a62df31545

Download Submit
C:\Windows\SysWOW64\Nqnofkkj.exe

Filesize
121KB

MD5
15ba29fcf623b55ae86bea8024527f8d

SHA1
c00387e805efdc40675d95890d3c554abc57e4e5

SHA256
d96f1cce4c12fc885f9b116a4804a6349748f1cefb61f13c3a93c1f1726cac0d

SHA512
5886867175b248b0f7df3e602fd43270103743b827e48d7acf97bb1543e4b1be7015340c6bb81d410b84990b5e08814e9fd37048088fcdd60392362be21619b3

Download Submit
C:\Windows\SysWOW64\Nqnofkkj.exe

Filesize
121KB

MD5
15ba29fcf623b55ae86bea8024527f8d

SHA1
c00387e805efdc40675d95890d3c554abc57e4e5

SHA256
d96f1cce4c12fc885f9b116a4804a6349748f1cefb61f13c3a93c1f1726cac0d

SHA512
5886867175b248b0f7df3e602fd43270103743b827e48d7acf97bb1543e4b1be7015340c6bb81d410b84990b5e08814e9fd37048088fcdd60392362be21619b3

Download Submit
C:\Windows\SysWOW64\Oabiak32.exe

Filesize
121KB

MD5
5c84cdecd6bd0c5d93b1e6e25334d169

SHA1
251b8a5afce86b1e37ef002d656c3902b73dadd7

SHA256
0861e7fcccc3463e17fa8e960bcfc2942a883b9984b214324d295a2204607b82

SHA512
23f2d84084659ca745e3d78557c0af9f4e1b3107d0cbcfd70a6e128145e8fc035f3d74ec2c72df06c6b9679a08229d7ec4918dceff37cd6e1a7fee80f4ac5641

Download Submit
C:\Windows\SysWOW64\Oabiak32.exe

Filesize
121KB

MD5
5c84cdecd6bd0c5d93b1e6e25334d169

SHA1
251b8a5afce86b1e37ef002d656c3902b73dadd7

SHA256
0861e7fcccc3463e17fa8e960bcfc2942a883b9984b214324d295a2204607b82

SHA512
23f2d84084659ca745e3d78557c0af9f4e1b3107d0cbcfd70a6e128145e8fc035f3d74ec2c72df06c6b9679a08229d7ec4918dceff37cd6e1a7fee80f4ac5641

Download Submit
C:\Windows\SysWOW64\Obccpj32.exe

Filesize
121KB

MD5
76f58a47e9d2294b63f48babfbf2252d

SHA1
e27735b80174f12af3bf361d2c654971aa7298d4

SHA256
2f94914e80463774e26a00a52ae58563c62c31e0a03b329ac78c46270f89362d

SHA512
bbea8d87fbe091d3d817e54f8d7c085663bbd3e6f1438a13297e162ab4fd4c10ec2630ca7a14cf4e9fed12f0a25b51146418cad8626429f9dcdc7b0eeae8e567

Download Submit
C:\Windows\SysWOW64\Obccpj32.exe

Filesize
121KB

MD5
76f58a47e9d2294b63f48babfbf2252d

SHA1
e27735b80174f12af3bf361d2c654971aa7298d4

SHA256
2f94914e80463774e26a00a52ae58563c62c31e0a03b329ac78c46270f89362d

SHA512
bbea8d87fbe091d3d817e54f8d7c085663bbd3e6f1438a13297e162ab4fd4c10ec2630ca7a14cf4e9fed12f0a25b51146418cad8626429f9dcdc7b0eeae8e567

Download Submit
C:\Windows\SysWOW64\Obmbfpea.dll

Filesize
7KB

MD5
9a1b29e6fe63c1472596a2fcb78580cf

SHA1
cfb7da4b66da0a69f18aedc6c2befa5c0351bdd7

SHA256
eeab8791bf7d6c8bd180c44c837e5a4ebba68c77f2af712df81cfa45dc2e0085

SHA512
bc2791766190960d08de79b39e6978ca9fa2f81558db545d8cd2e542a8e3b84f54312ae7a06149f2f5b037ed512afb0d39a24c07e38872631db397cf6b3e22b1

Download Submit
C:\Windows\SysWOW64\Oigdmh32.exe

Filesize
121KB

MD5
6d1eee06640fba30b4a1ff16d7ed6243

SHA1
a2655b209b9eefff6937a92b8d60f001af922502

SHA256
9f661d0f426bd46cc325bfea961de8dbf03ab8791ae34f2778da1b58c51b9b1c

SHA512
2cbeb80d8df1434e59fa6461ee769e2736fa42d75db10d7cdddf83d6a088dd0efd206cec17a851b01d0eed0ec57b8275c664fa16b8ff6c86d93bca44e1a98ab3

Download Submit
C:\Windows\SysWOW64\Oigdmh32.exe

Filesize
121KB

MD5
6d1eee06640fba30b4a1ff16d7ed6243

SHA1
a2655b209b9eefff6937a92b8d60f001af922502

SHA256
9f661d0f426bd46cc325bfea961de8dbf03ab8791ae34f2778da1b58c51b9b1c

SHA512
2cbeb80d8df1434e59fa6461ee769e2736fa42d75db10d7cdddf83d6a088dd0efd206cec17a851b01d0eed0ec57b8275c664fa16b8ff6c86d93bca44e1a98ab3

Download Submit
C:\Windows\SysWOW64\Onbpop32.exe

Filesize
121KB

MD5
879e0d5789706ecdd44688245759b0dd

SHA1
b1f9e0ba240388c93bdcd7f7260daf181281dd6c

SHA256
55438561fb2bd5ef8bcefe2a2c29fbf83651058eaad0109a8c821e9f0615b1bf

SHA512
df1a299ae3628547081e47cafcb92b2a1d3c87c5fa343eb5fbe2151ff8be8fb369f537e9c53fd2385f7c4c3095ebdde1a394fc0d80c8e5bfc295ccbfe5bb4594

Download Submit
C:\Windows\SysWOW64\Onbpop32.exe

Filesize
121KB

MD5
879e0d5789706ecdd44688245759b0dd

SHA1
b1f9e0ba240388c93bdcd7f7260daf181281dd6c

SHA256
55438561fb2bd5ef8bcefe2a2c29fbf83651058eaad0109a8c821e9f0615b1bf

SHA512
df1a299ae3628547081e47cafcb92b2a1d3c87c5fa343eb5fbe2151ff8be8fb369f537e9c53fd2385f7c4c3095ebdde1a394fc0d80c8e5bfc295ccbfe5bb4594

Download Submit
C:\Windows\SysWOW64\Pmfldkei.exe

Filesize
121KB

MD5
972f627231855158a2eacc711d263fc2

SHA1
f83f088f8b2f61dc190e4622c29cd4b4106d8c99

SHA256
c22f259ac0e5fac79a493c66516fa35804d1baad4c898880dd8390908e5a09a0

SHA512
fec4d0298008e41fab4e5e4c8769deb20821a9bf707385bba66b5245f2d68853159f052180fd3a21c85d91adcde4f144612d61c6b17e301042abcefa08347742

Download Submit
C:\Windows\SysWOW64\Pmfldkei.exe

Filesize
121KB

MD5
972f627231855158a2eacc711d263fc2

SHA1
f83f088f8b2f61dc190e4622c29cd4b4106d8c99

SHA256
c22f259ac0e5fac79a493c66516fa35804d1baad4c898880dd8390908e5a09a0

SHA512
fec4d0298008e41fab4e5e4c8769deb20821a9bf707385bba66b5245f2d68853159f052180fd3a21c85d91adcde4f144612d61c6b17e301042abcefa08347742

Download Submit
C:\Windows\SysWOW64\Ppgeff32.exe

Filesize
121KB

MD5
af9075fea579ecdcfc34dac24cc64635

SHA1
590921a1c7ba5a36700be6505a8495225e5aa8ed

SHA256
d51ea69a39c255375efb24e51b2f9bc32d18743ba18a66e8cd5871ebe589ecd0

SHA512
fd45a67868a1e2a0a49bc26e35ac1967b278dd1e28654f60bf8bb5f1bd1525b1f9901609d10a09f39630b0b89320b7c1dd8576adc9a8e8212b8d6a3baedc6676

Download Submit
C:\Windows\SysWOW64\Ppgeff32.exe

Filesize
121KB

MD5
af9075fea579ecdcfc34dac24cc64635

SHA1
590921a1c7ba5a36700be6505a8495225e5aa8ed

SHA256
d51ea69a39c255375efb24e51b2f9bc32d18743ba18a66e8cd5871ebe589ecd0

SHA512
fd45a67868a1e2a0a49bc26e35ac1967b278dd1e28654f60bf8bb5f1bd1525b1f9901609d10a09f39630b0b89320b7c1dd8576adc9a8e8212b8d6a3baedc6676

Download Submit
C:\Windows\SysWOW64\Qibfdkgh.exe

Filesize
121KB

MD5
dd6142b8a8b3c59b66831d3d23c39a53

SHA1
e91614fb8de5e4ceb1b449956852535ae9065aa2

SHA256
92c2a8e1283c810c686fd1035bdd3802e86844127a2f16df33efc9c40588b833

SHA512
05e8134a4eccad471ea0fa30e23949cf58d802f99cafb778ac7d24b548a69e5b4a9a6db9296109b6754991b17e91e568044f4c0387efdfd68bc87c456bec26fa

Download Submit
C:\Windows\SysWOW64\Qibfdkgh.exe

Filesize
121KB

MD5
dd6142b8a8b3c59b66831d3d23c39a53

SHA1
e91614fb8de5e4ceb1b449956852535ae9065aa2

SHA256
92c2a8e1283c810c686fd1035bdd3802e86844127a2f16df33efc9c40588b833

SHA512
05e8134a4eccad471ea0fa30e23949cf58d802f99cafb778ac7d24b548a69e5b4a9a6db9296109b6754991b17e91e568044f4c0387efdfd68bc87c456bec26fa

Download Submit
C:\Windows\SysWOW64\Qipjokik.exe

Filesize
121KB

MD5
9255627442ef0e8b1ed84f074a81a532

SHA1
1e1ff0fe3f73119a57e85322551f4f285bb21a6a

SHA256
09c4c41718d2ade3f0b6f7d8faae97e9a6c56dd899f9d83ab0ddcb8d0bdf44fc

SHA512
3286536e06ddda365158f76c5dd9f1e3c0030b003cd87fd9104e2192f51772d398c3d1916e75e773f8d594113e04051846681901f3f90b0f447bf53f22bc0fd5

Download Submit
C:\Windows\SysWOW64\Qipjokik.exe

Filesize
121KB

MD5
9255627442ef0e8b1ed84f074a81a532

SHA1
1e1ff0fe3f73119a57e85322551f4f285bb21a6a

SHA256
09c4c41718d2ade3f0b6f7d8faae97e9a6c56dd899f9d83ab0ddcb8d0bdf44fc

SHA512
3286536e06ddda365158f76c5dd9f1e3c0030b003cd87fd9104e2192f51772d398c3d1916e75e773f8d594113e04051846681901f3f90b0f447bf53f22bc0fd5

Download Submit
memory/364-298-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/364-39-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/732-8-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/732-109-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/784-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/784-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/936-276-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1012-325-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1012-169-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1480-320-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1480-105-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1672-340-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1672-201-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1904-294-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1964-23-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1964-296-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2052-52-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2152-157-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2156-119-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2188-267-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2284-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2284-301-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2364-242-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2644-218-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2704-138-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2704-323-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2788-198-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2988-300-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2988-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3028-314-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3104-60-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3148-326-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3148-177-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3192-162-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3192-324-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3224-302-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3224-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3428-121-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3428-321-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3544-250-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3556-295-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3556-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3636-270-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3752-288-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3944-282-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4288-335-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4288-186-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4292-150-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4372-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4372-129-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4396-328-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4516-299-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4516-64-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4548-341-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4548-210-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4564-31-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4564-297-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4568-257-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4624-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4864-308-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4900-225-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5016-319-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5016-95-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5028-234-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads