bc83dcb2b500ea0b7b70224735011e06e4ae6c665ed851c71e2cbccb9d4540af

Analysis

max time kernel
136s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 03:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

580b01c981b0973907748436a7ac10f0_NEAS.exe
Size

112KB
MD5

580b01c981b0973907748436a7ac10f0
SHA1

27973995eef29b730f7c5b7bfc0a2f2e3116d462
SHA256

bc83dcb2b500ea0b7b70224735011e06e4ae6c665ed851c71e2cbccb9d4540af
SHA512

e2feba470a875b6a02ade3cdec059912a824b35f7611e2b63e326f1428ffa9ee21eb99883c307bbb2c4b294e0d693d0722898d8f5ab1eb7fae07385edc860de2
SSDEEP

1536:OSKL0wjehxGZjZdn1fAmnM4JAuDWl4rConyXiikRynlypv8LIuCseNIQ:mr3DFAEWl4rHCi+lc802eSQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	580b01c981b0973907748436a7ac10f0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe

Executes dropped EXE 64 IoCs

pid	Process
3176	Fmocba32.exe
1580	Fomonm32.exe
4880	Ffggkgmk.exe
1424	Fqmlhpla.exe
5728	Fopldmcl.exe
5292	Fihqmb32.exe
6124	Fqohnp32.exe
2944	Fcnejk32.exe
2156	Fijmbb32.exe
3792	Fodeolof.exe
5996	Gbcakg32.exe
3008	Gjjjle32.exe
2092	Gogbdl32.exe
4612	Gbenqg32.exe
4192	Gjlfbd32.exe
5556	Gqfooodg.exe
5676	Gbgkfg32.exe
5504	Gmmocpjk.exe
5404	Gpklpkio.exe
3216	Gjapmdid.exe
3724	Gmoliohh.exe
3600	Gbldaffp.exe
808	Gjclbc32.exe
4080	Gmaioo32.exe
3364	Hclakimb.exe
4620	Hjfihc32.exe
4004	Hmdedo32.exe
5944	Hbanme32.exe
4648	Hmfbjnbp.exe
2400	Hbckbepg.exe
3284	Hjjbcbqj.exe
5420	Hadkpm32.exe
856	Hjmoibog.exe
5288	Hippdo32.exe
6048	Hpihai32.exe
4928	Hbhdmd32.exe
5148	Hjolnb32.exe
5396	Hmmhjm32.exe
3864	Ipldfi32.exe
800	Icgqggce.exe
1600	Ijaida32.exe
2076	Impepm32.exe
5708	Ipnalhii.exe
2864	Ifhiib32.exe
5768	Iiffen32.exe
228	Iannfk32.exe
2788	Ibojncfj.exe
5552	Iiibkn32.exe
5796	Iapjlk32.exe
4716	Idofhfmm.exe
3048	Ifmcdblq.exe
4772	Iikopmkd.exe
4468	Iabgaklg.exe
1724	Ibccic32.exe
4840	Ijkljp32.exe
1092	Imihfl32.exe
1396	Jbfpobpb.exe
4904	Jagqlj32.exe
5176	Jdemhe32.exe
4088	Jfdida32.exe
5312	Jmnaakne.exe
4700	Jplmmfmi.exe
4976	Jbkjjblm.exe
2672	Jidbflcj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fcnejk32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ckfliccm.dll	580b01c981b0973907748436a7ac10f0_NEAS.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6376	6280	WerFault.exe	229

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 3176	4216	580b01c981b0973907748436a7ac10f0_NEAS.exe	83
PID 4216 wrote to memory of 3176	4216	580b01c981b0973907748436a7ac10f0_NEAS.exe	83
PID 4216 wrote to memory of 3176	4216	580b01c981b0973907748436a7ac10f0_NEAS.exe	83
PID 3176 wrote to memory of 1580	3176	Fmocba32.exe	84
PID 3176 wrote to memory of 1580	3176	Fmocba32.exe	84
PID 3176 wrote to memory of 1580	3176	Fmocba32.exe	84
PID 1580 wrote to memory of 4880	1580	Fomonm32.exe	85
PID 1580 wrote to memory of 4880	1580	Fomonm32.exe	85
PID 1580 wrote to memory of 4880	1580	Fomonm32.exe	85
PID 4880 wrote to memory of 1424	4880	Ffggkgmk.exe	86
PID 4880 wrote to memory of 1424	4880	Ffggkgmk.exe	86
PID 4880 wrote to memory of 1424	4880	Ffggkgmk.exe	86
PID 1424 wrote to memory of 5728	1424	Fqmlhpla.exe	87
PID 1424 wrote to memory of 5728	1424	Fqmlhpla.exe	87
PID 1424 wrote to memory of 5728	1424	Fqmlhpla.exe	87
PID 5728 wrote to memory of 5292	5728	Fopldmcl.exe	88
PID 5728 wrote to memory of 5292	5728	Fopldmcl.exe	88
PID 5728 wrote to memory of 5292	5728	Fopldmcl.exe	88
PID 5292 wrote to memory of 6124	5292	Fihqmb32.exe	89
PID 5292 wrote to memory of 6124	5292	Fihqmb32.exe	89
PID 5292 wrote to memory of 6124	5292	Fihqmb32.exe	89
PID 6124 wrote to memory of 2944	6124	Fqohnp32.exe	90
PID 6124 wrote to memory of 2944	6124	Fqohnp32.exe	90
PID 6124 wrote to memory of 2944	6124	Fqohnp32.exe	90
PID 2944 wrote to memory of 2156	2944	Fcnejk32.exe	91
PID 2944 wrote to memory of 2156	2944	Fcnejk32.exe	91
PID 2944 wrote to memory of 2156	2944	Fcnejk32.exe	91
PID 2156 wrote to memory of 3792	2156	Fijmbb32.exe	92
PID 2156 wrote to memory of 3792	2156	Fijmbb32.exe	92
PID 2156 wrote to memory of 3792	2156	Fijmbb32.exe	92
PID 3792 wrote to memory of 5996	3792	Fodeolof.exe	93
PID 3792 wrote to memory of 5996	3792	Fodeolof.exe	93
PID 3792 wrote to memory of 5996	3792	Fodeolof.exe	93
PID 5996 wrote to memory of 3008	5996	Gbcakg32.exe	95
PID 5996 wrote to memory of 3008	5996	Gbcakg32.exe	95
PID 5996 wrote to memory of 3008	5996	Gbcakg32.exe	95
PID 3008 wrote to memory of 2092	3008	Gjjjle32.exe	96
PID 3008 wrote to memory of 2092	3008	Gjjjle32.exe	96
PID 3008 wrote to memory of 2092	3008	Gjjjle32.exe	96
PID 2092 wrote to memory of 4612	2092	Gogbdl32.exe	97
PID 2092 wrote to memory of 4612	2092	Gogbdl32.exe	97
PID 2092 wrote to memory of 4612	2092	Gogbdl32.exe	97
PID 4612 wrote to memory of 4192	4612	Gbenqg32.exe	98
PID 4612 wrote to memory of 4192	4612	Gbenqg32.exe	98
PID 4612 wrote to memory of 4192	4612	Gbenqg32.exe	98
PID 4192 wrote to memory of 5556	4192	Gjlfbd32.exe	99
PID 4192 wrote to memory of 5556	4192	Gjlfbd32.exe	99
PID 4192 wrote to memory of 5556	4192	Gjlfbd32.exe	99
PID 5556 wrote to memory of 5676	5556	Gqfooodg.exe	100
PID 5556 wrote to memory of 5676	5556	Gqfooodg.exe	100
PID 5556 wrote to memory of 5676	5556	Gqfooodg.exe	100
PID 5676 wrote to memory of 5504	5676	Gbgkfg32.exe	102
PID 5676 wrote to memory of 5504	5676	Gbgkfg32.exe	102
PID 5676 wrote to memory of 5504	5676	Gbgkfg32.exe	102
PID 5504 wrote to memory of 5404	5504	Gmmocpjk.exe	103
PID 5504 wrote to memory of 5404	5504	Gmmocpjk.exe	103
PID 5504 wrote to memory of 5404	5504	Gmmocpjk.exe	103
PID 5404 wrote to memory of 3216	5404	Gpklpkio.exe	104
PID 5404 wrote to memory of 3216	5404	Gpklpkio.exe	104
PID 5404 wrote to memory of 3216	5404	Gpklpkio.exe	104
PID 3216 wrote to memory of 3724	3216	Gjapmdid.exe	105
PID 3216 wrote to memory of 3724	3216	Gjapmdid.exe	105
PID 3216 wrote to memory of 3724	3216	Gjapmdid.exe	105
PID 3724 wrote to memory of 3600	3724	Gmoliohh.exe	106

C:\Users\Admin\AppData\Local\Temp\580b01c981b0973907748436a7ac10f0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\580b01c981b0973907748436a7ac10f0_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\Fmocba32.exe
  C:\Windows\system32\Fmocba32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\Fomonm32.exe
    C:\Windows\system32\Fomonm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\Ffggkgmk.exe
      C:\Windows\system32\Ffggkgmk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5728
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5292
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6124
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5996
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5556
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5676
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5504
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5404
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        23⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        24⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        27⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        31⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        32⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        35⤵
        Executes dropped EXE
        
        PID:5288
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        37⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5148
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5396
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:800
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5768
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        47⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        51⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        53⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        56⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        60⤵
        Executes dropped EXE
        
        PID:5176
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        62⤵
        Executes dropped EXE
        
        PID:5312
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        67⤵
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3256
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        78⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        79⤵
        
        PID:948
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2296
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        83⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        84⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        85⤵
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        86⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        87⤵
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        88⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        89⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        90⤵
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        91⤵
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        92⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        93⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        95⤵
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:440
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1068
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        100⤵
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        102⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        105⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        106⤵
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1860
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        109⤵
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        110⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        111⤵
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        112⤵
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        113⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        114⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        117⤵
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        118⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        119⤵
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        122⤵
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        125⤵
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        126⤵
        
        PID:212
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        127⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4512
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        130⤵
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        131⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        132⤵
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        134⤵
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        139⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        141⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 412
        142⤵
        Program crash
        
        PID:6376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6280 -ip 6280
1⤵
PID:6348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
112KB

MD5
b996d4322a5ba4f4fb579b1e93fd38a9

SHA1
b791d3cee7d16ff7883c8fd543b6be9902e3d013

SHA256
31223b9697b5770998aaaac824b78f3d0f2192271e847b49b075df50c0287262

SHA512
fee92c98a3094791d26b4964e488bbce7c2ecd247889455cef0f4744bad7cb2846176879cf09787fd986da5e6c910fda95bf222b49e4d9d3730067a6d1561b8c

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
112KB

MD5
d5ed4ea261610fa08fc093bd9027607a

SHA1
a7f2f2907211d9e4c9f79a118f4f58cdbd7b19e7

SHA256
a00705b560cd2f4027bc48c133a688187d11feb254019773ca6814d8921c4dde

SHA512
300eeb5c721eb3bc8c0b7c7852cbe30ccd59328fcdb485cc61d4c0be8ed58ccfa99fc3dff713f5b022ce6c04620c4ec257da99a0db9f1d88124527333965931c

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
112KB

MD5
3607401170b57db337e041e80891e0b3

SHA1
47926d1d13523ac84e3c0b1874b4b5f875961c7d

SHA256
6d59b4c3062462b14537227c0c51cb9d28bb25c7bfb72640b6d5995153451c39

SHA512
660ffe0646769209fa4e0d2d51736dbef4ab382eec36752766042e8e703f59f5f1e3669340ee9640d459ae67fdb431913b973188d65c73bedd8341194f0c45c5

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
112KB

MD5
5c9bb825f40032d4ba66fc31cf876cbb

SHA1
b5fb573d49c2c4082f7c94b6e5bbf683591b6268

SHA256
dc36d6c3d655c0a651525c7caaa2654c252b3d382ac3d95623658278c31a7f5f

SHA512
13792195b8b44fa0a4861d5f3a52d8f6fa1ab5b608ffe09ffdf0662910d82042c6d96b4c6db2683f9d1ef912bbbf0769c78b05f651dfa4421d6e513d65790825

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
112KB

MD5
7cc611c82306105d049452471eac5f51

SHA1
387c169d41e93a42af0b2a86ddb572854e33161b

SHA256
01c1d9e2a900ef2c1d53534c0f0b7dc1b34d363d9053777a6fcfbf4c74f6166f

SHA512
6dd6c8e22595a39d7682b9b31cd22ae3508249cc5fa4aee746e869191452423b91ffcf6615a587ae7b71edbe2694493ed3b18333730e177a2df95193e54961cd

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
112KB

MD5
0a6f991760135b490376d0e009c8bc91

SHA1
744fb139bfaf2d86f15a125328669330a15d5992

SHA256
e2a376ca988d6928ee72592600df2fcf3616172acae4d0b84373c9bda0bc9ddb

SHA512
4ab2b9e34b9f241ec8b6e53d1a9d7dea10e65efe4b49dc9f32cbc811fabdc7ea28c72d7c26d866a1a6f333dafaaeb0df0d4cc5d0f3c61489706e62a78c428b0a

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
112KB

MD5
ce7457b0e92d6b3a0b0b9b81d19fbff4

SHA1
cc9099cb61fb48b15808b16814f358f633a0f9b6

SHA256
a758496f224d229b85e0e033e9adab237f744488c6b268a919ebe3ff1a9fcff3

SHA512
bfb67b84299e544d697a8c5240e6c1ca8b2151d388f68bca9d30b1c1183132aee24b73c20ce63138b83d27f8f16bba2a58ea881dfd461c165270ce1dbd85cb79

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
112KB

MD5
a86ca6a10102ef42dca78bfbc382d5e2

SHA1
789ea23a230237919aab6148bc4a54beea77fd1d

SHA256
e8264ee982fe2d81017e620af74237929f8a8a079a533cafb5f572e85369cca8

SHA512
e5dfcf9c558d53e8fbb65936f6eb08447a1332ad284608e937be2400272dc7682ce276e781c8aac374e2c237d60e4c6830447d830a88c4e7a0c4b558fdc4f29f

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
112KB

MD5
b4b254c7b119639dc97033e58ea63486

SHA1
14b1a409808dbd6fd5314db540b9968f278f30ac

SHA256
95f8b8446b0be1e9d83cfa385bf7850c1c5f857773f0147563c3dde5acb38f15

SHA512
144555d743003806818514f8d0574bde07f70f768045332dc0d47383d362a74db9da00be43db7b4e5f69e6cdb60e8158ecd77b9791ff60371312f95ed97b202d

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
112KB

MD5
235e70cfe18e8b2077dbe80381e1379f

SHA1
bf73726fcfa28c1df44e480394b41b8c6662d468

SHA256
3cb1a57342ea47a942c2e9ad40a9d1202a2c48afeaf05899363c349d19a270fb

SHA512
6dfab1215c5860dc74811a0fd98b58e2ce5d6562e1ae96346d6091e7d51bb4220861e647d5e38d460c8fc90807dbd3088ee11a35710f212670278d66880edf79

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
112KB

MD5
a6e1f0a9d0b24db0bfa95e3bf7de04e6

SHA1
72b253dceab53cd830b36e18d87b87292a9881ab

SHA256
7b8974c83244d41cd86b07e5aa138b36d3f48bdc369e566838fbc134be3d780f

SHA512
c9c0337f6c749913a900859759718ef6235da01d66c282db4729fdd6fca09b2bdd01340e5e0637198af9b201fe19da3de18b6a9511de878dc2a8df82be381bf3

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
112KB

MD5
d00cd5a3404ba21a4a3b1f40a84529ff

SHA1
c7d134fcd398ae4c97e939972e71dbe15760fbec

SHA256
df148af280b6b1a3e4588498cd5801f3424166734937a86475012ac1e3dfae1f

SHA512
62aaf3cb5e9bc5dbc5073b63b1f65be79c5cc9ff27f3843cff3ba274bd1a6b746ea3b4c2b83c15d6dec9d9313b580757a2664c9c725f868298e4d24e415c3cdc

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
112KB

MD5
5f353e912e7007268335d55a38a5f2f2

SHA1
6a55c02c42d30768dc70f7316682aae7d2efd6fa

SHA256
1c65611c956b70e125b941310900fe2a0e7e542d17bf8b42a9e83a2c57cfdee8

SHA512
86fefcb1df3effbcfcbf7db7ebd272db5448fd3b1d990a137129ec369f7a73212add313e8a9a3fc34651d38f3c79df1bd9df8f1670314c2e7804649d6ca07a4c

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
112KB

MD5
f49b8b23b061055206d5ef164ecb8110

SHA1
96811df5a6dd0934f95afe1267acbc7d3bca2298

SHA256
ff7fda8b975b835fd8966551da2e5890aec9db8814f583a97d17b34f5c828404

SHA512
ff5b0ca1469206e5ca0c4f98773719c50feaf03bd8ac5325bf827d6e27d223270769df7b3e3eebb9b0532c8dfa60512ef14994c800044ac3b2a1ee22f9645585

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
112KB

MD5
c83520964b1bf83b0cf249f3dfaf8404

SHA1
1a365365bfbae47950e52e8a3de6f457478786a4

SHA256
3119ffe71ea0ccfdbd82e8e7a54d4c1fb8561d0e3118b0071d15d5259f4f448b

SHA512
ec653016c742efed64571c134a85c06aef68f4c139765ba6929355ddfc8213dfa40d21d8ccf683308f5c74bfa9285e4b4c8868c7dd1cb627fe1e7e27f012d125

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
112KB

MD5
6b47626cbd0ba89d6d1c4f5cb2b41770

SHA1
25b24d5cbe67ca263d948a4f1f101edbf3311ab8

SHA256
640b9b33bf641579869f3ba63774bfc1628756f1db2f3baefe00ad533166cee0

SHA512
a4b918ff961db0e18afc131f964231fb58df04adea676a620c555116457dd11636c67bb1ff3b54c467f6af3acb5d4d0bc8fe490312cb882eaa2cf8846e482d4f

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
112KB

MD5
0c093df540572867d66c43627a886ebc

SHA1
6c007383a327a394d108b2c100b9882ec19bbce6

SHA256
6e41fe90270523ee51c35e85d40907d62ca71e6388d059dc8ed1ca5633d38ae0

SHA512
5edf2ae94de1209c589a146cf5f783a7cca7697d57fd276830b4c60aeb8ef93a6f606783663c499e4e5300de3ba21558e1f2408cda867bc1a62924bfbf52026f

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
112KB

MD5
e474734332a10c314990c317601978a9

SHA1
5994065f6e95ab300c2e09487df8febc83205106

SHA256
66167cbf6894845ed34ef404bc8d7739b3b62413d01cba65d2291fccd66790c4

SHA512
a20bcc61a739799f377f3abb5439b72884f55b0c19ecf1d2d816a10409f7035e29d271f578f965a2f9a56339b4ce27b6b5a9bf81257210cf30010428701eab3a

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
112KB

MD5
edc6c3ad2d2a711bf3ef1a1a5ea809dd

SHA1
da9c1bfab971475968f1fb708faeb80a4830f6a2

SHA256
89d1fb39cc1209ca6edc556ae433557df6e27bd4235d741ffab328bdf736aea6

SHA512
2b632bb650c58fc157fc229e5f2d5dacee4b9e1dac6bad2bfc4b43383ea821e08ff7168d44c012512b8b8b738786ffe8cc6164f2958b74018ea28f732b04a992

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
112KB

MD5
00a5ed68522416ae5a270c5d76fd3f98

SHA1
64176bc9ab27681dad4ba493dfde7a672d49be6c

SHA256
ac1643899308b90882e2a53ffa6d839ff72da5ed7dd4c1dc44e14f4e678cea8f

SHA512
8ae860daae538527fdef4b453e7806975655a0d8efbc1c5392eddb11b9e751442236dcd560097680f4059d378e91e9c7f2f44c42ec9962d1a5a3e495ac10f6f6

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
112KB

MD5
59f10b5bdfd967601cd601be2fe1bd2e

SHA1
c7223a8726316b08e459effe8aa903bcf9a4a1ba

SHA256
d38e23043c11f17622556fa54c1df5118c71ad8d2c47d9495d7778055f63f442

SHA512
94ce8d3022e94bf869f2811dda6bec519281aba375b4ba7796f7d4c8a261eea4b621ecd89884c7b56397582fd8abd4d03e29cd49d7db43edbf8a77785106827d

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
112KB

MD5
dc361aaabe3636e5d7a0434f0f14c560

SHA1
2d990ffdf71d26a6110116710cef590001a237b6

SHA256
b941d73f7da0ee9d6d6886c25d7666c52fffb31e8ec4ed33e6a56403c692cfb2

SHA512
a53420f2d621fd18fc80553338419ca54f9753eee0d53cc77f31710d8dd88697c81af77a7e16826627ca0e8ad22abe6cc99173a91facce9f0fceaf7695a02618

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
112KB

MD5
7bfe519ef8d2a678927e64b3e28d02ae

SHA1
5c70941086c74302dc78c7c520405a021a570991

SHA256
f5186f53db26b5793024bc3802e571bcaa42a04e02d2d0ea4de2fb9c2c85ccbe

SHA512
d2ee7af9c3a320c385cf436fd6294c9d376101caa26b4a11562f33d5a6b7001db8a0a00f832222ac5a8cf63369bf7f1384b47e17c664ff98b839fd55d31f5451

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
112KB

MD5
d09f75e413c9364d15ec9ca2648e5c5e

SHA1
f446ecd5e0c65f1ea1e27682b8afc81b04ba1153

SHA256
e121f6225257293fc2a296c92dd88c14725a3fff1aac59dca276996c0723a97f

SHA512
d94f3013c6838a1f1c5e3342345828ac19606da5493216f14f2abd6ffef25c2db4c8c61ba23cdd2ebea8319637ff442fafe5eb4632ca93ec408e9f0fa420b05c

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
112KB

MD5
e02d13ae151956b94abe4a460990e67f

SHA1
677cf7361acafac323599c113ff82170a0d7a6f6

SHA256
0fe6bec844c6138f81132b443df736b5a4fa2d86931a508e5e2c03e8e67c7078

SHA512
b5218b047f42d5d8c8ab9140a026e7ccf988ad89f3b9247e202983c94de4a555e396a5eefbbe7ac6572cea2e1944978d26401f634f6973f06a9b3465767d6c8c

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
112KB

MD5
744fb3752ab640ba2ab460729bf85a2d

SHA1
b5ba11b09932a14a0b2f3372a70a930b49c55a37

SHA256
a90ff8181243745a4c5c0f092a1b603eeb7948099a7432fcbf13f8c95a66b698

SHA512
cd4e81b91d1aa81a13c77a5e299f35a5f2ca6314ad69438c668e772c275f556236246560e16db8251cbf6104ea97e645d48c5763c91084b9f66ef5a69e0db3f2

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
112KB

MD5
25f9eff9eb72c330372b5b503bfe1af8

SHA1
e2d51231c1267e3e443c7be050be0d0772dca935

SHA256
0a042b124355e439d1a176f969f53b56e944daed102454a4f5ce9d1405e13536

SHA512
921e32c38021079516a8b93275906eadb7e25a3982fe4e27b65d8f4fe3d520681d1ce343639eabb6ef4e05d03d891ef65eedb1527bbf4833177f64a91d81bfda

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
112KB

MD5
ef5b82a557899c222daed79a14556e39

SHA1
030ce8748d315cf376a580e3395eab2434bc99c6

SHA256
698a795129a6b71be3d29465c4e1eea9f486665162a7f5692a7e44105e965466

SHA512
161bf750cff741f1d327a2881c91c3942b783516e2b1db41b82dc0b2d0250f69d20e788cd534e7578bbbfae8976ab1fedbbc8b605287d5c64e2147ab82636447

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
112KB

MD5
71cd02816fa267685c92d502f865594a

SHA1
f2afcffecdac39f8636c2f7c14a535342fe9e05e

SHA256
30768ee950c857d6f7844ce0a7b2901f5039da7decaf7504cf3dff3406af5583

SHA512
6a138bc31646353a157f046150d94749cb0a5e21425c7425cd7b1d75c7974f53044e74ae1decb2b93ee860fbae46b09102eb9b25e922b6dd6f3ea40601f08072

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
112KB

MD5
36ded46907a24188b65b09fbc49b9f67

SHA1
805c43a66fa7cf2ea05e45355c8fa30390d969dc

SHA256
44c6506b9c0ab0a3cf587084be7fd4837ff9ec995bbf0ec2221a288655c5c6f5

SHA512
6aa3efa9fb1d4a56a732089084c021a32a62a625dd291f0bc8b9565468e95323d3b080264de1d81fc4764a76ae0f1f1368d01e24cfecdc3c0d06a5bf86f7af13

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
112KB

MD5
e759bf97af7d581b2998bf7e9756fc46

SHA1
fb6cec6b763e23a75f227278363988e60906c1db

SHA256
ec047433be92ae92e77c7e782648f063062c44e00b8f0abecf00722ce18288dc

SHA512
c7031dd900b2ee853f3c09e65fefa3f0d5c0b5223c608280eff9a6e4fb8217e2d512c44688ae7fa00617698bee8bd96157fd0438235ee09374468c8ea118fac1

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
112KB

MD5
d7a7d5ed3e75ec4d9b71919d379165ce

SHA1
1d13a037b047b8ed913632cced2562b20dede7ab

SHA256
1a4dc9c2a7eeaf302f85b3378394198cf5ec8aca278e7f5222c2efca0f1297cd

SHA512
e15230701849e4a28ec209757470df3a89d60b145ee7b7383b3bb3d5aeca3f9e6186b9d8da0ddebba79a58f7c6a966bc01b703ffa6dd9dc041903f5866baa2dd

Download Submit
C:\Windows\SysWOW64\Jbocea32.exe

Filesize
112KB

MD5
fadb2cd1c8eeec41c56bbb4b681b584e

SHA1
f6cce1e8b4066d8dc22c8db8053fd4ee07cc48ca

SHA256
1d20deb8a40e2a8d314aff567c90173c8dc55aab0297b6516c3ae906c126bf8e

SHA512
b9923b73befe6c4cf426fef6d25090d4d7a2f966fa5140d4d439ffbb3b873dd639fcb93bd34c7978e772470ebe577720685ccc1b40c9385b996b148a7cba4610

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
112KB

MD5
b99ae700986e79881bbf1de6ea509b3d

SHA1
d21abb3fbfde8564914b851242c2637fec24d687

SHA256
fdcf7bcdc8abf15ec80af6c663821782581d0c6fd558a0811cede8e5bafab5f6

SHA512
10e4d01e22aa3b29290c87c6e485f31aa31a493966e20b018e5b58ad92e6b94a4e9faccccefc8a4361acdfec43c638b3acc8bf4d964ebfaa1cace0d83bc3af60

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
112KB

MD5
578dc78961c5a42334e5da96c636f120

SHA1
57eda4ac99cae30b5083df167305173327dc9901

SHA256
109579a1d6c7e3e1b84edbe2476a93345ac75abad2e0288460084d133755cc69

SHA512
107feff28c3e29cdad7b6889ef37935b11ea93e067a7819fdb4561e7c655922ab9b9c0973911a66109fec3035ac100c4e2b4e9aa82bad83a97a7a77ecbe40cde

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
112KB

MD5
35f035bd5b4542ad5e82ec454a35e3aa

SHA1
6bd496ccfd5df20c612a8406b6194baaeda07ad7

SHA256
ee7907b71bc9740c40f594e01be4079ff6ece246651f4c3a0bdd90062800fc07

SHA512
a13d3963f23104aa13e1dc60cf37c435dc1538ba541a6ddb33bb3bd5d7fe5db02594bbfe4d711687dd6ba9746ea68db12dcadda11594e74c968fecf8497ff8d3

Download Submit
C:\Windows\SysWOW64\Lpdcae32.dll

Filesize
7KB

MD5
a6649d89f316d85f5768b7269386bca9

SHA1
1e1d6dd89d72a04c38a77641ea7458c3eff4f0a6

SHA256
c9e64b525847af404ef571693e3f3d342a80455d3e1b7dbebbfdecf52a0355a2

SHA512
edce3d37452c32d637ab1d05b8a9f0e00245b1009eab46724db6a061f28695582f8dedfdce2b8bc89fb92b26614423e124c5ed8ba7528c756a8797daf53b51ba

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
112KB

MD5
0b2b7a46c7fd1b2d0bdc167fdf78b6b0

SHA1
3acce06ef89fa3f6bb80b84f3aad370531bc46d9

SHA256
e7f6dc99c5f926d5b44ecb89232b1e1615d9377ed2d0c08a4ccfcbeba5f00373

SHA512
60cfda7c8c9cf4c90ee8b7359fc7a8701ffa5be6f321e44eee91e9c732dc3e755096fcec24eeb4f218d17bf2e9948b1a828bbcd27de1c8d63b2c036d235f1c2e

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
112KB

MD5
23300a53284daf086e389698821ab0eb

SHA1
363abcab67c466e7e4c3b8466f7416ebfcef7ab6

SHA256
fd9153206dd96109b7f18a528aa67567df92585a51c4ea264da365c28d5f86a8

SHA512
1e157c7f7733b6049c48481393712820c8e18cab556a6dc7efb5178546a0d09e404f6c5a94081691462487fef8efa43a5958dfa8ee0f5ee1f1c04375fe6f65ee

Download Submit
memory/228-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/628-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/800-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/808-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/856-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/948-536-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1396-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1424-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1424-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1460-464-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1572-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1600-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2076-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2080-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2156-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-542-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2400-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2580-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-452-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2788-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2920-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2944-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3048-374-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3168-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3176-555-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3216-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3284-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3364-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3600-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3724-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-549-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3792-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3864-302-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4192-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4216-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4216-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4328-591-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4468-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4620-212-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4648-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4700-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4716-368-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-397-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4928-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4976-446-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5148-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5176-422-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5216-530-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5288-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5292-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5292-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5312-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5396-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5404-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5420-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5504-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5552-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5556-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5676-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5708-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5724-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5728-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5728-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5752-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5768-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5780-524-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5796-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5944-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5996-91-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6048-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6124-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/6124-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads