495644804951bf529fc7687bb8a1d3a40ad972a63ef7affbdd1d14fefadc0a2e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

494cfb04d649ffd944292b5e71fd7690_NEAS.exe
Size

121KB
MD5

494cfb04d649ffd944292b5e71fd7690
SHA1

8c13da5acf65d994c40d342d1ff87c191464778b
SHA256

495644804951bf529fc7687bb8a1d3a40ad972a63ef7affbdd1d14fefadc0a2e
SHA512

218b53ada8fc09f228307fa1a34c2f628e4b42031dc04fb22e57a8a356e9cf7edc005a41b250b67419663c6cd1eaa3c594e70e457d6ce4a54f234122f90a0ffe
SSDEEP

3072:7MY8DsAysaZd56gc99VEHdBNu3n7X2JygO7AJnD5tvv:7MYUyBTITE6nj2J1Oarvv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	494cfb04d649ffd944292b5e71fd7690_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	494cfb04d649ffd944292b5e71fd7690_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/1924-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000c000000023b80-6.dat	family_berbew
behavioral2/memory/4396-12-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b97-15.dat	family_berbew
behavioral2/files/0x000a000000023b9a-22.dat	family_berbew
behavioral2/memory/4188-20-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/1376-24-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b9c-30.dat	family_berbew
behavioral2/memory/4484-36-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023b9e-38.dat	family_berbew
behavioral2/memory/4620-44-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/4252-48-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba0-47.dat	family_berbew
behavioral2/files/0x000a000000023ba2-54.dat	family_berbew
behavioral2/memory/3576-56-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba4-62.dat	family_berbew
behavioral2/memory/2916-68-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba6-70.dat	family_berbew
behavioral2/memory/2404-76-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023ba8-79.dat	family_berbew
behavioral2/memory/4180-80-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023baa-87.dat	family_berbew
behavioral2/memory/4984-88-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bac-94.dat	family_berbew
behavioral2/files/0x000a000000023bae-102.dat	family_berbew
behavioral2/memory/2128-100-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/1940-104-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb0-110.dat	family_berbew
behavioral2/memory/1392-112-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb2-118.dat	family_berbew
behavioral2/memory/3592-120-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb4-126.dat	family_berbew
behavioral2/memory/2784-128-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb6-134.dat	family_berbew
behavioral2/memory/5020-136-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bb8-142.dat	family_berbew
behavioral2/memory/3648-144-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bba-150.dat	family_berbew
behavioral2/memory/1664-152-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0031000000023bbc-158.dat	family_berbew
behavioral2/memory/2356-159-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0031000000023bbe-166.dat	family_berbew
behavioral2/memory/3168-172-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc0-175.dat	family_berbew
behavioral2/memory/4028-181-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc2-183.dat	family_berbew
behavioral2/memory/5088-188-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc5-190.dat	family_berbew
behavioral2/memory/3316-191-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc6-199.dat	family_berbew
behavioral2/memory/4808-200-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/3640-208-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bc8-207.dat	family_berbew
behavioral2/files/0x000a000000023bca-214.dat	family_berbew
behavioral2/memory/4264-220-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bcc-222.dat	family_berbew
behavioral2/memory/2256-224-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bce-230.dat	family_berbew
behavioral2/memory/4048-236-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd0-238.dat	family_berbew
behavioral2/memory/4560-240-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd2-246.dat	family_berbew
behavioral2/memory/4880-248-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000a000000023bd4-254.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
4396	Eoifcnid.exe
4188	Ffbnph32.exe
1376	Fhajlc32.exe
4484	Fcgoilpj.exe
4620	Ffekegon.exe
4252	Ficgacna.exe
3576	Ffggkgmk.exe
2916	Fmapha32.exe
2404	Fqmlhpla.exe
4180	Fckhdk32.exe
4984	Fjepaecb.exe
2128	Fihqmb32.exe
1940	Fobiilai.exe
1392	Fflaff32.exe
3592	Fqaeco32.exe
2784	Gcpapkgp.exe
5020	Gjjjle32.exe
3648	Gmhfhp32.exe
1664	Gbenqg32.exe
2356	Giofnacd.exe
3168	Gbgkfg32.exe
4028	Gfcgge32.exe
5088	Gmmocpjk.exe
3316	Gfedle32.exe
4808	Gcidfi32.exe
3640	Gbldaffp.exe
4264	Gmaioo32.exe
2256	Gppekj32.exe
4048	Hmdedo32.exe
4560	Hbanme32.exe
4880	Hikfip32.exe
4072	Ibjqcd32.exe
1404	Iffmccbi.exe
2560	Impepm32.exe
2996	Icjmmg32.exe
2456	Ijdeiaio.exe
4512	Iiffen32.exe
4324	Ipqnahgf.exe
2224	Ifjfnb32.exe
220	Ijfboafl.exe
3164	Ipckgh32.exe
5040	Idofhfmm.exe
2204	Ifmcdblq.exe
3488	Iikopmkd.exe
4976	Imgkql32.exe
4916	Idacmfkj.exe
3148	Ijkljp32.exe
4092	Imihfl32.exe
4908	Jaedgjjd.exe
1096	Jdcpcf32.exe
3336	Jiphkm32.exe
4272	Jpjqhgol.exe
424	Jdemhe32.exe
2928	Jibeql32.exe
4496	Jaimbj32.exe
4604	Jdhine32.exe
3956	Jjbako32.exe
4600	Jmpngk32.exe
4932	Jdjfcecp.exe
3868	Jfhbppbc.exe
4536	Jigollag.exe
2344	Jangmibi.exe
1840	Jbocea32.exe
1984	Jfkoeppq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jfkoeppq.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Onkhkpho.dll	Ibjqcd32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6184	5232	WerFault.exe	227

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaohfpc.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmmocpjk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 4396	1924	494cfb04d649ffd944292b5e71fd7690_NEAS.exe	85
PID 1924 wrote to memory of 4396	1924	494cfb04d649ffd944292b5e71fd7690_NEAS.exe	85
PID 1924 wrote to memory of 4396	1924	494cfb04d649ffd944292b5e71fd7690_NEAS.exe	85
PID 4396 wrote to memory of 4188	4396	Eoifcnid.exe	86
PID 4396 wrote to memory of 4188	4396	Eoifcnid.exe	86
PID 4396 wrote to memory of 4188	4396	Eoifcnid.exe	86
PID 4188 wrote to memory of 1376	4188	Ffbnph32.exe	87
PID 4188 wrote to memory of 1376	4188	Ffbnph32.exe	87
PID 4188 wrote to memory of 1376	4188	Ffbnph32.exe	87
PID 1376 wrote to memory of 4484	1376	Fhajlc32.exe	88
PID 1376 wrote to memory of 4484	1376	Fhajlc32.exe	88
PID 1376 wrote to memory of 4484	1376	Fhajlc32.exe	88
PID 4484 wrote to memory of 4620	4484	Fcgoilpj.exe	89
PID 4484 wrote to memory of 4620	4484	Fcgoilpj.exe	89
PID 4484 wrote to memory of 4620	4484	Fcgoilpj.exe	89
PID 4620 wrote to memory of 4252	4620	Ffekegon.exe	90
PID 4620 wrote to memory of 4252	4620	Ffekegon.exe	90
PID 4620 wrote to memory of 4252	4620	Ffekegon.exe	90
PID 4252 wrote to memory of 3576	4252	Ficgacna.exe	91
PID 4252 wrote to memory of 3576	4252	Ficgacna.exe	91
PID 4252 wrote to memory of 3576	4252	Ficgacna.exe	91
PID 3576 wrote to memory of 2916	3576	Ffggkgmk.exe	92
PID 3576 wrote to memory of 2916	3576	Ffggkgmk.exe	92
PID 3576 wrote to memory of 2916	3576	Ffggkgmk.exe	92
PID 2916 wrote to memory of 2404	2916	Fmapha32.exe	93
PID 2916 wrote to memory of 2404	2916	Fmapha32.exe	93
PID 2916 wrote to memory of 2404	2916	Fmapha32.exe	93
PID 2404 wrote to memory of 4180	2404	Fqmlhpla.exe	94
PID 2404 wrote to memory of 4180	2404	Fqmlhpla.exe	94
PID 2404 wrote to memory of 4180	2404	Fqmlhpla.exe	94
PID 4180 wrote to memory of 4984	4180	Fckhdk32.exe	95
PID 4180 wrote to memory of 4984	4180	Fckhdk32.exe	95
PID 4180 wrote to memory of 4984	4180	Fckhdk32.exe	95
PID 4984 wrote to memory of 2128	4984	Fjepaecb.exe	96
PID 4984 wrote to memory of 2128	4984	Fjepaecb.exe	96
PID 4984 wrote to memory of 2128	4984	Fjepaecb.exe	96
PID 2128 wrote to memory of 1940	2128	Fihqmb32.exe	97
PID 2128 wrote to memory of 1940	2128	Fihqmb32.exe	97
PID 2128 wrote to memory of 1940	2128	Fihqmb32.exe	97
PID 1940 wrote to memory of 1392	1940	Fobiilai.exe	98
PID 1940 wrote to memory of 1392	1940	Fobiilai.exe	98
PID 1940 wrote to memory of 1392	1940	Fobiilai.exe	98
PID 1392 wrote to memory of 3592	1392	Fflaff32.exe	99
PID 1392 wrote to memory of 3592	1392	Fflaff32.exe	99
PID 1392 wrote to memory of 3592	1392	Fflaff32.exe	99
PID 3592 wrote to memory of 2784	3592	Fqaeco32.exe	101
PID 3592 wrote to memory of 2784	3592	Fqaeco32.exe	101
PID 3592 wrote to memory of 2784	3592	Fqaeco32.exe	101
PID 2784 wrote to memory of 5020	2784	Gcpapkgp.exe	102
PID 2784 wrote to memory of 5020	2784	Gcpapkgp.exe	102
PID 2784 wrote to memory of 5020	2784	Gcpapkgp.exe	102
PID 5020 wrote to memory of 3648	5020	Gjjjle32.exe	103
PID 5020 wrote to memory of 3648	5020	Gjjjle32.exe	103
PID 5020 wrote to memory of 3648	5020	Gjjjle32.exe	103
PID 3648 wrote to memory of 1664	3648	Gmhfhp32.exe	104
PID 3648 wrote to memory of 1664	3648	Gmhfhp32.exe	104
PID 3648 wrote to memory of 1664	3648	Gmhfhp32.exe	104
PID 1664 wrote to memory of 2356	1664	Gbenqg32.exe	105
PID 1664 wrote to memory of 2356	1664	Gbenqg32.exe	105
PID 1664 wrote to memory of 2356	1664	Gbenqg32.exe	105
PID 2356 wrote to memory of 3168	2356	Giofnacd.exe	106
PID 2356 wrote to memory of 3168	2356	Giofnacd.exe	106
PID 2356 wrote to memory of 3168	2356	Giofnacd.exe	106
PID 3168 wrote to memory of 4028	3168	Gbgkfg32.exe	108

C:\Users\Admin\AppData\Local\Temp\494cfb04d649ffd944292b5e71fd7690_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\494cfb04d649ffd944292b5e71fd7690_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\Eoifcnid.exe
  C:\Windows\system32\Eoifcnid.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\Ffbnph32.exe
    C:\Windows\system32\Ffbnph32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\SysWOW64\Fhajlc32.exe
      C:\Windows\system32\Fhajlc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        28⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        31⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        34⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        50⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:424
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        55⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        56⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        59⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        62⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1840
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        69⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5052
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        77⤵
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        78⤵
        
        PID:64
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        79⤵
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        80⤵
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        81⤵
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        82⤵
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4400
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        84⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4820
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        86⤵
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        89⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        90⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        93⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        97⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        105⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        106⤵
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        107⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        115⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        116⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        118⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        119⤵
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        121⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        122⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        124⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        127⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        128⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        129⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        131⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        132⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        135⤵
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        136⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        137⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 412
        138⤵
        Program crash
        
        PID:6184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5232 -ip 5232
1⤵
PID:6164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
121KB

MD5
1af28fbe7e0ef3def4362b6c6aa23dec

SHA1
881a4d54c36ee60f44d0b090b4b20a0d866e71d3

SHA256
dcec7cf6577cc365632388590076ed5d4c9df9328240ff920865855705c76045

SHA512
ddd09ba0dd091ac8636980150995c73d842615225a15b658110ee3bb5eb5853ac842a36e8ec0d66d353d5badb85150833169841a7b88cb344c01375f933548e0

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
121KB

MD5
537c0cbd56363b85b5d111e938e37197

SHA1
d6a7a05bf0090e107e8a6d15a14301460bd5678b

SHA256
421f99111b23fc5280586545c7aa93959d0b44d5eb45a31a0d24a56dc133bb5c

SHA512
23f7122fa87f8c1153af6f56a90576ab63076980c724512b7d3ffd749283a7a5c0c14cc6ebded353bf34fe6d26668463812f68979b2ce3da4d15e760e2192eac

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
121KB

MD5
7216eab39100426dcc2db31c2d6c11b7

SHA1
758c0a1947f6ced7ca2941db66756e9ec593db41

SHA256
17d57f8d5cbaa59ed97705bb6f01b46d036fa97f183277edc55a26e37506f1ed

SHA512
a9a97052b124e7c8a520da27b6643cadd907cc1cfb55dc21e897d4700b906e425df182ba9313e2c40a284c28d72b3a9d0d331e8079d2545824d9c9a3f80b55a5

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
121KB

MD5
92b216d13fce221f0a9b3cd68c18c5a2

SHA1
87c4174a0c892ccf8a0267b81419470ee85d200d

SHA256
868931c8c51f350f71055cefecd53e35657bbfbccb047b94c377abd3460a1e8f

SHA512
e5653dc4b7be92da6b09054ed508c3dfe4d888620da453a3e3316e24d1ef3364633c29cffbd4e8771702f7975463b41952d7a638cb400b479675cab2eecaf92c

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
121KB

MD5
18877f4151cfd9ac82f4892cfb0ca6fb

SHA1
a53763c706e8426037ab69e84ee0b5055133e8ce

SHA256
8233c11342715d9df7fb5207f1cc175eb33d5e1ffd73fdb4a04acfdd1cb12497

SHA512
a56bafcf9777f8743396c34c6103ceff2e96e543f9e175613629ec539e8bcca078ffdabd31ca41b7564c4a44331e380a7d1cbc5497ee10525ff6aa7cee973939

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
121KB

MD5
b975ea827a06dd4500172a9d8b36cd9e

SHA1
d16308b5355c0599eb9aca73080a3be587ac4593

SHA256
71ce92491840c3d5815edfc0d3593de6d57cfb8f4f31a61dd93a7daa7614cd54

SHA512
0e1588a2dc954f0d807ecaee64e1bd38f2870a99b46a000e9e8ec412663882b9fbbf23694519ac868a762ac2edd97626a580af02c8cfc68c50dee672796037f6

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
121KB

MD5
511f536011302070fdfcf6d25eb5af68

SHA1
5952bfe6ffe762c5c1d9387434952dec21d2e932

SHA256
eb36d67efe4c5ecf55531d3ed47f5d157b281441c490d53a279699fed647ba56

SHA512
b00d8f26156a562db4e76bcfb52aa168399e46460cb1c579cee5c500bcbcbe4051eb85cdd10c7231a2db0cbd5dd1f78dce10d5dab73e7406697a52f5d6f03dea

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
121KB

MD5
52784455003ac8bdb85501e7babada0c

SHA1
1be12896f432b514993b251e4747c6b98c6b01a9

SHA256
debaa2f9738de2f3f1ff94eb5a2e1525172bf39ab1f1bd2277351699c33dc566

SHA512
dd5f61c96416983ac3a28abfa703086f54f5a0670e510ae527fe83604cbb2ee447b95f28cd650cd1c875b5bc18f36582b04ca67b4ce0b3c5303b3d62ddc384a4

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
121KB

MD5
76746ae5177e2f5dfaa35ba16c35fe58

SHA1
f1efdf250870bbe7a4e10ffef4f30f8a56a4aeed

SHA256
1bdf9c2267c9a6fc035bed30c5fb3ff944ebf5fd34297566083cb8c80b6024c8

SHA512
0e8b6b5eea5e82e9c65c3a26a98ea35c4e48a158a49c6ab448fe0e371e2ee195f4e0dcc1530a7616d3e871c407b8d61f10be9efdcdd29ced2c20c8ecbc2822bd

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
121KB

MD5
b47b57eaecb9e8c6eff722971eaabd7c

SHA1
cc59f7ed87a69fb320ac15d2b83a891dcbb56059

SHA256
ec30b6599c5e6bf8c9b80bda8c2555a0e22f9c71edbdfeb8ce329ba3f5055784

SHA512
257ff576caf2e4c0e74ed9658d6fffedccd2f3fe8ccac4122bc1d08a6297ab14a04a49f1861f93aef2021b4dbf1d2de629fffdf95cf50a84bb395cbf821b8729

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
121KB

MD5
d0141856c9a2ebfadec615b6089a280a

SHA1
993976c83f5f9e24086101d8d786958bba933800

SHA256
5cfd8aba8f71a21e4c252beb0d2fdb0d3cc16b20aa0760db529b1e87023ff655

SHA512
6de14c73e1bd8c1262d71feb01fcbc0e48ddaa09c81a82f25896daca172fbfdd0357b710bba1e7fb8aeaf906010d1e3de2aec21b4b6a16e5d3c59e4b4b42a324

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
121KB

MD5
ba5fbb1c730705289e2692b622887d04

SHA1
811fd997c36b0ac21b8295ab904d211b274f4a43

SHA256
2d3d9d3d31cfb3ec22ca74fc5ad36cb3f17b970e14c878ae3b302e5e11f1e586

SHA512
2c6dbf394ed240c9e852259ccb9c41e72ef029a37af40a59a2c45a66ff2e7e84b89448a7bdd87d165e581bc0e7fe58794424588397a543b7679aab5d9ea48bed

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
121KB

MD5
fcf8b5bb58b3c0e757c54358fe861554

SHA1
3d7d424d5e7e219de4250a4f5bafb7445d019aca

SHA256
a353a5a27d83f072d0704c37551f36712868cb2256e44218040260c8cb17d896

SHA512
6472061ff81c156b2c9490ebc53d7a0844094daca5f7f32e548cc2b663c08a54cbd12a3d853addbab6bfcf249cff3e26210dc55434fa0d4c0cc39c74c1d732ac

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
121KB

MD5
0149aab7ad56d5870ac42f015fd33c89

SHA1
40453f3e285967679434a0f373476e1842e1554e

SHA256
8f27b3c1fa7b81469ccd7b313098b3d0a14fe875bcc8ff441d162b4734bb980f

SHA512
636fe620e9a398e67f8b81bfad912c2dc013c6c41e61db38df73fce44f43046556ec9ea455da0f491864738ca7a710bf1dc335ef01b72ae25e3d126fa17cbfb1

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
121KB

MD5
92a16bb646913f052e35aa28ee49c5fd

SHA1
2b84e86ea837acd76fa4339a41c66886adcd7643

SHA256
8183ee7588057b623d53410100e3c889988b0817c97ef585f834dc9b9abbcaeb

SHA512
377c42111f762b505ed7a890591ecaa3f258155b879cd38386179299689ed8e65d3750e50157f20c21cdffdbd62bca8f11e09cae63bf845e74967eacc845ff7e

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
121KB

MD5
70f9fde3a1fd5ee393ab20167af184bd

SHA1
23d9db8aa0edb6ac0c233348354c8a2ed034ec30

SHA256
8796256a4e6692f22db49d7bdc3481e289959ffac47c7e67b53bf761465a742d

SHA512
0794eff35d8f575a832e4209daac82843858a0606f05dae4f0e5e5d0582ea9ba94b7bffc457bd20114bea7dd10479ecc226b228840a1fc41188f124740f1ad4c

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
121KB

MD5
f413a872c30b284d194f451f9419c953

SHA1
5f79bd6214470b31dbd178b64a549eea848394b6

SHA256
8461242557ad953afb3c5d8ed382191a5a33d4662a6f0378acdecc22183d1c24

SHA512
08bb7e55694f182c19d0cf8ebafe87eae2ef17110592d3444fa47bf36e0de1c13b4736fa8305cd197571074a327bf6fe0e128e041e30409c32b205536cd19338

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
121KB

MD5
0f3c9bd71b0a6dd1efdd954afcf4006a

SHA1
f6f341975fad184a6b2158655b578aebea1c9f43

SHA256
2e3b7351f55aa41279c7041bda3fb8716eb6072866d44d2377b4c1a07eb44aa5

SHA512
ecb381662e9db1b3b2f03aada1728219c49683e96830d679d3a0c238d39b16da92b07c314513ca5210367bcaa2416db88d62ebbac91dc4f8a688edfbf0a41376

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
121KB

MD5
5f81b659decbb861db286cfbe59b817a

SHA1
1dd5b06ceb608231ba5c44f2a9c5830c687f6847

SHA256
cc770cd6013a0fca33f882ef2a7421d8487d5528786492eebb64ad8e146a76f8

SHA512
929988db199a0ce7e90f869440b357522bc74918e08ddcf95d22698d921dd03968ea8eca9070015149bc367d6c82d1669b0f1c484c33014960284d0522c0b3c4

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
121KB

MD5
3d026afac02d140edc304fa8601d2a14

SHA1
7a30e4915008c1151adce0be38209ff203682df0

SHA256
ee336629d66427faac0272bce26b8b8accf748e35e0f6567eabefff12943caf3

SHA512
7a6737f33d680116ae5261f5dce508d17fe69078deb253f9ebd23c54f702b67ca99df483316c8d2969b3f80ec068788034f628eb4631cb7ae494e1ae8c38ba18

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
121KB

MD5
a59756e95d9765e2ef5afd7152ae861b

SHA1
3bd6dbe8487dda7a9bee55bb8a4ba9977ac99e2a

SHA256
4c245dfd11814282db8576b8503d739d750055a6ff909ecaf8d9e7b98e82bd11

SHA512
21f5b69cffd35a226af750be936dd887210581c6c66b362fcf9dabcbdee6d3379054f0191a5d873e166fdcba841ed2291c9d626a9ec52f759ef106766721ef53

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
121KB

MD5
0fad6bb9f9935048a87e42d1e17cfedc

SHA1
1f64816fa9c977237fed36311d0611cb0193d045

SHA256
b9360450efd52a2277c80dae1caf8d5a7a7d2a16464b000160bdf01bcf1ceb3e

SHA512
c61c97586ee4f588f9f517d45e1eb4e139abb474b81b1dcd61a4414e4da837b1329242490d967263f523c9c475c5edf34fbc21480494c7f605ba683004694a17

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
121KB

MD5
392743639b7814b014ad1db70a82db42

SHA1
9a3f555cc4a4f2465fcb12204db201bf31e60371

SHA256
678391e1854bb6f44f8469420fe989447be302fda7b940c85ae407e86ae30bf1

SHA512
f2d7e409a50fc006b6452f20a32c99a5305b57773a792a0bf13cc0703660496b38e0ab2863f2691d6c0d9904a2e1cd50b84e8d5299c1c19e71d966cb4a6deb59

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
121KB

MD5
14d7cb0040aef1abe11201c26c3d15ce

SHA1
4d2ce919aede65a4e8292992f7ef72cd170c54ac

SHA256
e7f9b2a4267e7e017b5894b8c5a503af95fff86f47377006ceb06208836c6deb

SHA512
08105740f1df5f011bfc88ffca95e9aea0c1309565eedfac4995e998a1edcef89aa8989d13e074b3387f25ee4b3234bcff18d5ad9ba226d0f266caa9aad4bb0c

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
121KB

MD5
5075a9a3046b0750dbb42379710f5976

SHA1
01072b6e87b8dbc02d8d45fe1f6a0efe1b12bd55

SHA256
dea913d433a6aba53b311a7d9432d7a0c0b2bc7c1f600f05ba72acd915a84cb7

SHA512
e7eec13f86c14dd94a74c841b17ba98e9a82aa67cc564ace747aaa457fb8c8a0da69408b79f8e441a6f5cf3c30ead3ab9dc081dd3deb24b19ec9d68cb946a9f3

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
121KB

MD5
cc720187554742da73a5835af8737a51

SHA1
61da61e68eaa66b6a668c979b8ff470188239b5f

SHA256
b8ee520c8ce8760da1dc168f2cdf295dcea1c139864aca4404181cdd6d57534a

SHA512
6c9a6a30a4e127adfcb4c4cc2a894a7e083bb0a8820e713c089978fdac1f0a47a6685b9796e17c6fe79fc403b2a581d6dd44ddc87dbd116d427f2c03e376d266

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
121KB

MD5
a768710df6839493116882d6b4adcb95

SHA1
7d93377b22777ef824180563d00cede31a860cb3

SHA256
919a94add4b65abca1d44ed08bc4e04457f9268544f969b72d18c8e91a9947e6

SHA512
8d9b7edee383c5164084231c9e1eee08a22317ba012546f0591512dbef5735cefc75eab168574d4a7ac56358b7c39bf095db067ee062a3117c418a1bb53fb3f5

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
121KB

MD5
4de4a7e358394936bc38e6b8a7da99d3

SHA1
1c5b85a2774af1f1317a14fd52821020e9e636f3

SHA256
f9500614f17cfcca53d98a4a96fcfa53803bde0d7c60e3e6e72dde3c707c3753

SHA512
ea325a15541e10059492a5d4100f63478a60d4c9dca144bedfb8ae2d09c4c9385dab4c75bbbd26b614019750f07f20d97305f605503f38bec82a80ea4fb55bb7

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
121KB

MD5
a2a219ec09f1c14d0d71428265ed136a

SHA1
f4a16091ea11406d7070ee02d03f576032fa1faf

SHA256
51de490f57b312460e71ea0b75f004c8fb459a3dcbafb91bd8cc5e9b7fb54ccc

SHA512
dd1d6871a02d50b27f0dea561259bb04267873641180f247c39a92eb1c873eea77ee9615a099ade8c4158b63b41dff3b4b0c9f935653def17e5e2aeed9bec82b

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
121KB

MD5
d775bf113e6e3e0b3c26f34623a09da4

SHA1
ab0f48209de2640a3e42bc6d9211a90ed7145101

SHA256
90c025ee3961a3a7127df1cbd5994c5b33a2a8111d6eaad5ed095d480ce58333

SHA512
666949ccdaed07a1f556bde75760f3f91478545f51e6c8d267ef518cdf39e618b788d70e6f74af89117ac6666baca667c6ea841671001659a8898ba3073ca399

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
121KB

MD5
e30f2454d8b4f1b5a33b75f5f1f79c25

SHA1
ea0f7d324120c10eeeb93806ec080c1635e22372

SHA256
130fe0f3bff02b85fa17329e310e534e61ca03c2e489d2281f1a91be489ddf8f

SHA512
7354d6303961bb591ec17e2e3ad28f8a374267a5ba8dd5d21bb423374a4602dfb1d8f4d08e2cd63bc8522f489f447ff615b24731f0ef5023a87c3eaa15a93175

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
121KB

MD5
805cacf350c4e9546cf07fe6f1cd83c3

SHA1
e1b82578702c3ec27f2d0cb8beaf1213c5bd1a33

SHA256
4d627542b9f4b97b88591b109770ce21f446604047ebe7ceeb7f74b9835ef9be

SHA512
2077f14121c5a204944251c32846b1cf47c67f377a53e99b64f4a17d9c94624702533f3d187550b4094017c3fafb7bd0056830c0740457ce6439d99fa44a1350

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
121KB

MD5
0abb8626f9468fbee9d3e431e43ad8d1

SHA1
0b8c67df0211f851f4695b36a666bd4612677fbe

SHA256
11838abb465bc3fce477b4327a4d4004f8bbce0105eed4abcdbb5c7fccefa39c

SHA512
b6e6800b9cd5c68b712e24225fb872b14719219d3ed49a485189607a66412404952ec0ff1f2835066d1e8a9e2ffb43b2e19e86b71c84f8a04e8cc61c39d53869

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
121KB

MD5
6dd0d108d865862cd041e04758bf56bb

SHA1
19b9ae624ddf238f30c965d4443aec08b890d131

SHA256
8081b5dcbd97682b902dc1b8471867f8f54be8d9e391f2c86fc08c89cf6e02b3

SHA512
834f47ff84a591a587fcafa0a12bbe7e4cf1190e808cd2c9d87738e093740f0723c1100d8b5b176633aab300645619f462e85292008b449d336bae10be676e2e

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
121KB

MD5
61d3228cb89b608f882d10fc3833ec48

SHA1
b8beee7b3baddf6a92584ea6f3c3b3b6ee7fb84e

SHA256
106a7e3c43e2754a65dc1e120c7d0aaa0933f23071f305ecfdbca8080b4bbd19

SHA512
329f913b3f30f9b89268de5cbbe63f0d197580a9b1877bdd319c228b4fb9b799816e99cb50e4c240eb2ec2dfffa4c528e1c7ce7ee8989c89bc079bdcb662e67a

Download Submit
C:\Windows\SysWOW64\Mbfppi32.dll

Filesize
7KB

MD5
fe39008d3bf2bf0bb904472569cc5559

SHA1
b5bc43b5d07c0adaea2905dee112e6e930276570

SHA256
cec828a42fe404af116c829c0761b6aac52938aba6fe92f188d8e2f7592940ed

SHA512
1d363caf4887865103d1b86e49847db3780f8314de0f4b4be58eabe1b0dc3fb8d2e64c8329c94cd6b402dca2179e0cfb9ca29abbd41915cf2f0377d83db86d06

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
121KB

MD5
15f6ce9a81427ec0df8b018641025ae7

SHA1
5f203b1bbf10511305732daa612897e5e1c8e7cf

SHA256
8548d7cfd628f3de4d5bcdf98f3c94a45c56308f151fee3f723cad7e9fd89376

SHA512
83cc99f464a995903f1f3c787dbf8bd5ada7913eaa235e0dc0cdf4e1e93cd6d6ec633dbad21f7536cf2de2dcbf1f6604c4290edfcd9a38037f845bc624dbb8f5

Download Submit
memory/64-529-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/220-304-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/424-382-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1096-364-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1376-563-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1376-24-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1392-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1404-262-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1664-152-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1840-442-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1924-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1924-544-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1940-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1984-453-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2128-100-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2204-322-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2224-303-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2256-224-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2344-440-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2356-159-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2404-76-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2456-284-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2560-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2612-532-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2784-128-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2828-545-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2916-597-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2916-68-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2928-392-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2996-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3148-350-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3164-315-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3168-172-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3316-191-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3336-374-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3368-496-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3468-522-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3488-333-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3516-577-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3576-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3576-590-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3592-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3640-208-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3648-144-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3668-512-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3860-490-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3868-429-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3896-564-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3916-502-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3956-410-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4028-181-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4048-236-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4072-260-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4092-352-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4180-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4188-20-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4252-583-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4252-48-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4264-220-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4272-376-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4296-454-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4324-292-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4340-466-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4368-460-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4396-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4400-561-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4484-574-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4484-36-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4496-398-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4512-286-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4536-430-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4560-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4568-542-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4596-484-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4600-412-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4604-400-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4620-44-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4700-514-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4808-200-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4820-576-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4880-248-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4908-358-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4916-344-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4932-418-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4976-334-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4984-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5020-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5040-320-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5052-482-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5072-472-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5080-555-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5088-188-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5156-584-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5204-591-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5248-598-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5296-608-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads