b50c4190a4c1438216dbe4597804d307391338715b52740c19ccc464c797440b

Analysis

max time kernel
138s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 03:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

58b600c1b4ec4e63b312eca3d588ff20_NEAS.exe
Size

128KB
MD5

58b600c1b4ec4e63b312eca3d588ff20
SHA1

f30687d47a5d8bdf42543c58024927e132c0709d
SHA256

b50c4190a4c1438216dbe4597804d307391338715b52740c19ccc464c797440b
SHA512

7a81a1ba59f719f152cc52da48ef515aaf30483f283de2cb1d017b8edcd8e84039313eed69bb9b5e3b62b6f43625ae9c6a0cd9b45e772551a11511969c0cb2fa
SSDEEP

3072:QybwKBMx9wlS5DSCopsIm81+jq2832dp5Xp+7+10l:BwmlSZSCZj81+jq4peBl

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	58b600c1b4ec4e63b312eca3d588ff20_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe

Executes dropped EXE 64 IoCs

pid	Process
4108	Fijmbb32.exe
888	Fqaeco32.exe
4196	Gbcakg32.exe
3748	Gfnnlffc.exe
2352	Gimjhafg.exe
5004	Gcbnejem.exe
404	Gfqjafdq.exe
1368	Gqfooodg.exe
3948	Gbgkfg32.exe
2952	Gjocgdkg.exe
3772	Gqikdn32.exe
1844	Gbjhlfhb.exe
220	Gmoliohh.exe
4980	Gpnhekgl.exe
3956	Gjclbc32.exe
3864	Gmaioo32.exe
2224	Hclakimb.exe
2236	Hjfihc32.exe
4360	Hmdedo32.exe
4632	Hcnnaikp.exe
4404	Hikfip32.exe
1212	Hpenfjad.exe
3528	Hjjbcbqj.exe
3576	Hpgkkioa.exe
2300	Hfachc32.exe
4492	Hmklen32.exe
5020	Hbhdmd32.exe
3668	Hjolnb32.exe
1540	Hmmhjm32.exe
3684	Ipldfi32.exe
4548	Icgqggce.exe
4240	Ibjqcd32.exe
4684	Ijaida32.exe
772	Iidipnal.exe
3456	Iakaql32.exe
4652	Ibmmhdhm.exe
4692	Imbaemhc.exe
3324	Ipqnahgf.exe
3736	Icljbg32.exe
1392	Ifjfnb32.exe
2044	Imdnklfp.exe
3568	Iapjlk32.exe
2784	Idofhfmm.exe
4696	Ifmcdblq.exe
4424	Iikopmkd.exe
1768	Iabgaklg.exe
3408	Idacmfkj.exe
1356	Ifopiajn.exe
4372	Iinlemia.exe
3084	Imihfl32.exe
540	Jpgdbg32.exe
4044	Jdcpcf32.exe
3700	Jjmhppqd.exe
2228	Jmkdlkph.exe
4620	Jagqlj32.exe
4512	Jbhmdbnp.exe
2780	Jjpeepnb.exe
4036	Jmnaakne.exe
4808	Jplmmfmi.exe
5084	Jbkjjblm.exe
3356	Jjbako32.exe
1316	Jmpngk32.exe
4592	Jaljgidl.exe
1592	Jdjfcecp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6564	6472	WerFault.exe	236

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchnlc32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 4108	2732	58b600c1b4ec4e63b312eca3d588ff20_NEAS.exe	84
PID 2732 wrote to memory of 4108	2732	58b600c1b4ec4e63b312eca3d588ff20_NEAS.exe	84
PID 2732 wrote to memory of 4108	2732	58b600c1b4ec4e63b312eca3d588ff20_NEAS.exe	84
PID 4108 wrote to memory of 888	4108	Fijmbb32.exe	85
PID 4108 wrote to memory of 888	4108	Fijmbb32.exe	85
PID 4108 wrote to memory of 888	4108	Fijmbb32.exe	85
PID 888 wrote to memory of 4196	888	Fqaeco32.exe	86
PID 888 wrote to memory of 4196	888	Fqaeco32.exe	86
PID 888 wrote to memory of 4196	888	Fqaeco32.exe	86
PID 4196 wrote to memory of 3748	4196	Gbcakg32.exe	87
PID 4196 wrote to memory of 3748	4196	Gbcakg32.exe	87
PID 4196 wrote to memory of 3748	4196	Gbcakg32.exe	87
PID 3748 wrote to memory of 2352	3748	Gfnnlffc.exe	88
PID 3748 wrote to memory of 2352	3748	Gfnnlffc.exe	88
PID 3748 wrote to memory of 2352	3748	Gfnnlffc.exe	88
PID 2352 wrote to memory of 5004	2352	Gimjhafg.exe	89
PID 2352 wrote to memory of 5004	2352	Gimjhafg.exe	89
PID 2352 wrote to memory of 5004	2352	Gimjhafg.exe	89
PID 5004 wrote to memory of 404	5004	Gcbnejem.exe	90
PID 5004 wrote to memory of 404	5004	Gcbnejem.exe	90
PID 5004 wrote to memory of 404	5004	Gcbnejem.exe	90
PID 404 wrote to memory of 1368	404	Gfqjafdq.exe	91
PID 404 wrote to memory of 1368	404	Gfqjafdq.exe	91
PID 404 wrote to memory of 1368	404	Gfqjafdq.exe	91
PID 1368 wrote to memory of 3948	1368	Gqfooodg.exe	92
PID 1368 wrote to memory of 3948	1368	Gqfooodg.exe	92
PID 1368 wrote to memory of 3948	1368	Gqfooodg.exe	92
PID 3948 wrote to memory of 2952	3948	Gbgkfg32.exe	93
PID 3948 wrote to memory of 2952	3948	Gbgkfg32.exe	93
PID 3948 wrote to memory of 2952	3948	Gbgkfg32.exe	93
PID 2952 wrote to memory of 3772	2952	Gjocgdkg.exe	94
PID 2952 wrote to memory of 3772	2952	Gjocgdkg.exe	94
PID 2952 wrote to memory of 3772	2952	Gjocgdkg.exe	94
PID 3772 wrote to memory of 1844	3772	Gqikdn32.exe	95
PID 3772 wrote to memory of 1844	3772	Gqikdn32.exe	95
PID 3772 wrote to memory of 1844	3772	Gqikdn32.exe	95
PID 1844 wrote to memory of 220	1844	Gbjhlfhb.exe	96
PID 1844 wrote to memory of 220	1844	Gbjhlfhb.exe	96
PID 1844 wrote to memory of 220	1844	Gbjhlfhb.exe	96
PID 220 wrote to memory of 4980	220	Gmoliohh.exe	97
PID 220 wrote to memory of 4980	220	Gmoliohh.exe	97
PID 220 wrote to memory of 4980	220	Gmoliohh.exe	97
PID 4980 wrote to memory of 3956	4980	Gpnhekgl.exe	98
PID 4980 wrote to memory of 3956	4980	Gpnhekgl.exe	98
PID 4980 wrote to memory of 3956	4980	Gpnhekgl.exe	98
PID 3956 wrote to memory of 3864	3956	Gjclbc32.exe	100
PID 3956 wrote to memory of 3864	3956	Gjclbc32.exe	100
PID 3956 wrote to memory of 3864	3956	Gjclbc32.exe	100
PID 3864 wrote to memory of 2224	3864	Gmaioo32.exe	101
PID 3864 wrote to memory of 2224	3864	Gmaioo32.exe	101
PID 3864 wrote to memory of 2224	3864	Gmaioo32.exe	101
PID 2224 wrote to memory of 2236	2224	Hclakimb.exe	102
PID 2224 wrote to memory of 2236	2224	Hclakimb.exe	102
PID 2224 wrote to memory of 2236	2224	Hclakimb.exe	102
PID 2236 wrote to memory of 4360	2236	Hjfihc32.exe	103
PID 2236 wrote to memory of 4360	2236	Hjfihc32.exe	103
PID 2236 wrote to memory of 4360	2236	Hjfihc32.exe	103
PID 4360 wrote to memory of 4632	4360	Hmdedo32.exe	104
PID 4360 wrote to memory of 4632	4360	Hmdedo32.exe	104
PID 4360 wrote to memory of 4632	4360	Hmdedo32.exe	104
PID 4632 wrote to memory of 4404	4632	Hcnnaikp.exe	106
PID 4632 wrote to memory of 4404	4632	Hcnnaikp.exe	106
PID 4632 wrote to memory of 4404	4632	Hcnnaikp.exe	106
PID 4404 wrote to memory of 1212	4404	Hikfip32.exe	107

C:\Users\Admin\AppData\Local\Temp\58b600c1b4ec4e63b312eca3d588ff20_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\58b600c1b4ec4e63b312eca3d588ff20_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\Fijmbb32.exe
  C:\Windows\system32\Fijmbb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\SysWOW64\Fqaeco32.exe
    C:\Windows\system32\Fqaeco32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\Gbcakg32.exe
      C:\Windows\system32\Gbcakg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        28⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        30⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        32⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        33⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        37⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        38⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        51⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        55⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        57⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        66⤵
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1808
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        69⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3144
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        73⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3256
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        77⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3572
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        79⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        81⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        82⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2872
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        89⤵
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        93⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        94⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        96⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        99⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        106⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        107⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        108⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        109⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        111⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5400
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        117⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        119⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        120⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        121⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        123⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        127⤵
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        129⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        130⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        131⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        133⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        137⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        139⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        140⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        141⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        143⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        144⤵
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        145⤵
        Modifies registry class
        
        PID:6364
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        146⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        147⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6472 -s 400
        148⤵
        Program crash
        
        PID:6564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6472 -ip 6472
1⤵
PID:6540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
128KB

MD5
26288a14fdaf631d2897f9bf7b1fb464

SHA1
6d578d35b4e80f2239647710e2772975f6f00d8b

SHA256
97436dd1cff83819ab6973a4df8c9af98dcec9cbf8dba81ebbd50f9b1c3681e2

SHA512
6d54c068ca51e9c38f60c613346767d8e4fab4e9287f5599a8792893954f9a40b4fd5e94b021706ae69c72baa186904ae7c7ba32e8e1cf46d6e5099a3ae7d303

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
128KB

MD5
9e1b0be7b5250ee4e2c168d2d2178858

SHA1
f571c7710c99e86070a78fae7e517935a95ab7be

SHA256
b24efd8fbda1336180663b7ff2d2887d7b3c097280977d659bd99f908a571d3f

SHA512
49c020b7d67dca7cfc41e8a5f7e848999663efe3a5f5ad4899d467ff3f7384b7810ff262c94204e57305c949d21cde43bcca654b3659a25a32c1ab052ba1111a

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
128KB

MD5
60e3e9c5dc26580a26330957827389dd

SHA1
08b020b0e62bec11362045afe3f472f89b6c97ff

SHA256
8dbe81ddfe4104e2d64b7cd65d029befdac547693888e13b9e6271a6f85cc882

SHA512
3cb46ed3f70ecd7696c3d07ead1948780b4569ea5708a9ed3ee2f13f9467f50fc4aa5a0f166178cb187f67b0e962bbc3647c410507095ddf0c9774bd437878d4

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
128KB

MD5
67a4e2919b405bdf60a34dc61d09cda4

SHA1
6609fd998399e0e5d2934bfbf02fe6e5d707b025

SHA256
bfc6bb58976f5b9248c38afbe1272bfc2175db3b3e4a8ddf396707150ea64311

SHA512
11f5cd6d1fa521d706d3e17d24eb36a41d213c903fb2d065a3a70b0d498c4708280e4c59d7bb76092d3796916d4a9f4df523c343b78df87dfb617cad48d0c9a2

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
128KB

MD5
afbe765acdb52f161cbc290382168e5f

SHA1
ed9d0e88134e9110e4cfb09cf94c7e6d800751bb

SHA256
dad22e5d00e68e7abc62a0e83472d04cd3e09c146cd78b6af4a774b1e5f801e6

SHA512
a8122248c5f0c7fd4a53ad8579333124546081c41eb5a5b9a267c7f5a5655ca4632b3fd5d7825f0a8dc83c4f65cfd537c968584827b4c3f074c29eaa7087f1ea

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
128KB

MD5
0d56024672d39ee55afc53ef65b9c03a

SHA1
4118fa4183e3b92ecb2d8b8445cdedcc4e699608

SHA256
b8bd04cfede8e606b3e7973d2f8559992bba2c9b0818262d36d3c9de745307d8

SHA512
43d2db82355ff8ccee80aa68a69cea1075d30aee942bbd13bbec82f37d50c63bde8ca6b1d1d9cca417a020c9f20162237250e44a65ad114cd631e92e4e2e7c14

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
128KB

MD5
9d18358ccf46d0ab3f80fd7c895cbfac

SHA1
fac049e79bad9df95b1145e54bf2a75110cff5ec

SHA256
112ece36bcf892c4e1ab5acd2115613ebaca37488a4f7048bd5d40b75f8389c3

SHA512
344614023ee10b7c642a10afa7ca6447d113cd9fcb6b2de6ae5ed52933bea4598281b467cde9bcd7501c156851fe1b91ae7b59472f6eb82e5daff74d9ca7728e

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
128KB

MD5
e1eb1d664417c40e7b2f3cf19a4f0ce7

SHA1
c7de1a7b3b9af975ed8efc8b0e851a1ce18618e9

SHA256
36f47aaf7218ee582cebbe01309ad3990b5dd4a439c298213d8b990f647809b6

SHA512
05e149ca44115aedd9b91cde89427e7a97d1c33bde709c9571f54d01648d3c18d11cb4ff5be2332340d1a451c000adca8a181449eeedf883cfd8e2c739a68283

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
128KB

MD5
dbc82d10b9b3c50f00822f01e56d9345

SHA1
870656933a7f6cbf76fc8300de187b986db66dfe

SHA256
6d37502380f5af9e4c963d75b819e2bc9eef04f886a8d6bdc50f7312679d50fd

SHA512
5ee875e43e5de6e5a7e773a35fdf6954bf78a16b690fc07609c64781ca8a14bda47d41264aee59d1bec2266a588c15d18bc3d36e9a6d413911227acc2291c2c9

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
128KB

MD5
5bb0c6e90f8542db910e123d29609cad

SHA1
f5725b34df394461878562f82aa7e4851e7a3c33

SHA256
46618d7d3898e4a899291bbd37e49234b9f4a3670b7c9abe903676719c56dcf8

SHA512
0aeab9c3c31f38fa518ce13cc340ea2506ac1d8546ae145ce59b41faac34edefab2bf210a7050b2ca15f8a277b4b5876b0d56597d6e024f9c534e5f0ba9daad0

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
128KB

MD5
f0840355cb9276b0a34dc9d85f149c41

SHA1
3af82e176c7c9ef956462dd2e60b81afe57eea9a

SHA256
88b9f5db30fa09a201fdf9fdbc833119a89233ae121a177685c3cad31f89c8e0

SHA512
7992b9023b314356abc1c6ae547ba1dc54983a78911278d3162749dd2ab2207c2d51b04e99bd055d80d77cefa0a200c85a440b939a9fd70668ffe398073f7c52

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
128KB

MD5
9c37b180c6f61705803400d9a70a6751

SHA1
d9e7c2a498dc6233942ebf57ef761ea3be5137d5

SHA256
e62f5151b97e1f53df89f7bd68a5a119285ff1d209044520d5486708b378f2aa

SHA512
db00e87e6c1343a1d8a0971fe35bf9301892d23f7b87394e79c41fea1faed5d2e2f54c9bf6e88d54cf788412284934a6a5ec2e206d669bb0fa8cd3b0c0970c6f

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
128KB

MD5
942c3a1fc9687ad02cba987f4943b8b3

SHA1
527eb70dfbf45683f0aee2ff70156a5f3e034362

SHA256
d20e8b17a64eb26c6b610fd23341a0c09fdb29d8bdfc8125b5586e5f9dd8c9d6

SHA512
517fa3dd6bfefc31762ad175639417dc08c1aa964e9a1b8be3a51a363f6f41b0df18da47ab130639ef8cff6fc3d63630e3a3109fbec5ae5c696b060ce6f13493

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
128KB

MD5
030ab7dd826c969451cf4a5c55f80669

SHA1
0b4b935a996edbf9ecc691641b721f34436b3642

SHA256
45cc757741a107236b804e4f77bb99229a9e54b4aff3af16da8b7f1bb2dae0bd

SHA512
67175f1fb37645eccea1a3302d81fcff561f751c7fecbcc5aa72dc59fa256470453609a2cf6463c20ef20a630f5622a451d294289820504c944cc1e6eaa32a98

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
128KB

MD5
8d3c006db6b2257f4c2b1bafd1831b82

SHA1
69db269c14e5631a271d44d594b032b7a0f59c5e

SHA256
59385b873e6d8dbf67f83d85ae9dd496d0d16e1edb66c02b9ae18d3b0061092a

SHA512
98a918ac21df94524c76c68ac60bba5f25eccee9311dd8490333a10fb87736ad49e70e29e18ba82d51be6b5ae42ae73761be117af6c60f552b6166712b487581

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
128KB

MD5
8c0e2591fcf4db87f41a980c1b73abe6

SHA1
f393c86e8d604b583f427b3ed008cb801d005bde

SHA256
2d20576447f2d2a7158673df3f819acaaf20390cd26a5aa42883dd5086468abe

SHA512
ad9a325db110d4a1db70bca16effc44c58ee7de3cc3936a248d624fa07f9ed19f9103dda4d4139b80194e635a5e8cab2c670109845fca46317a3361b79c69305

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
128KB

MD5
819e4c7b64e3fd51f7bbbc18f0b0970d

SHA1
12ad02b021879ee5b4cfe07d93a41414f3dc3ba1

SHA256
8cbddd3db5e3b2535fa67ff0b6aedf37cf1c3b8da966b65803a54b024284799c

SHA512
86ef9ee54431cb9ddf59ab343a49de5cec823993e9ec674464eec8c139c2ecb8942447f3ad2c6c1f218863af3f23b37d15f9f3dc96a61520b8b15cf0fcb80d49

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
128KB

MD5
74eea73fbd0c2c8a345afaa9ceead7bc

SHA1
cf4a0cb56ef4ff8e2a49ba7c119f6701c63f2b68

SHA256
554477e87df1c7a15c098bc14b51a3602d3a879da31612645290b46b21efe9ff

SHA512
e6676a14adfa562e5e7a3293f1610314317ab61430480767314467d5c79d3ddbe4fbc5aff06989c14f76b2a9b39e928eca7a69bfc68cd42dad177ca4a57a772c

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
128KB

MD5
2201f355de1adacdf9f7198f4fa117e3

SHA1
831bbc148c26388d3f38f6ec0fe5a133f54fd2f0

SHA256
026b3f8140bbd75740b3380b08a49dfa868d91dea1da4838b65be1eb1ea6eb39

SHA512
7e236d8322be50ecc58be1a386b2ac728491bb7c14d4c47fc7345d9cfd7a13404a0581093081508b78ead6bc1e4561bf010edc7f1054ca99436070be9270a79f

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
128KB

MD5
04f26e9b3ba5a34d9b0377ea4aa367cf

SHA1
a41c43884263a38477f7b90ec8308c38125bda93

SHA256
f2dcd644c6be4f05ec2a0d0bf63fe9343529f52edbcf2545251109ff9d5e7139

SHA512
9d47bbf96697dd34044ce8e1a33e9cd678c0db4baac74b762f48ddeb1e9f865c6ffe04f705999f9a272c2b074f5218aa29b2cb64fa3137fee05a81d86a17ea91

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
128KB

MD5
c0b5c5e33bcddd29af47158e307af896

SHA1
bb4e40f2c67f92a7368bd0fafd44b36e293812ae

SHA256
1e1ea40e74ace2853a4da552dea050f69b6fe84b92c1ca797eea4800c4b07085

SHA512
5c412622185c25b27742c0810088dd88e1219f4c6cc98d942e0dc3f44bf936e6b17b30061aa692df42d9ad38215da1ec2f43ba7d4b548555b041d29d18a2c922

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
128KB

MD5
7eae359e834aff9fb38707499aff5f98

SHA1
2a9a63ac7188d6b97895174215a6564418efe237

SHA256
272fa48ad94bdd6ae9315f77369b7ed7d29fe27b2fc1c2de33e71ef4853edb53

SHA512
5a8add31a56b9bc46d9e253370b8ddc964a2a8b0a21f1efb19461c667d41de0c373b7409885412793f996bd678239d7fb7ce0c82e6038833f84121a9eb8c560a

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
128KB

MD5
67d731433e903720a79233d5d0765384

SHA1
321244d52edb3e9684bf0d7c3595af259d3373cc

SHA256
59d8d28cb37821591d9cd5d38beb92d454a7a891c1b3e8238a7e09369299e489

SHA512
721a83da28452a8abadea3789cddb7aaab61b87e1821f00bd6324b129b6bd37c1c96198fc4db2b1825f60bbfcf6ec3981b369ac1422402cccdd5e02b018e47c8

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
128KB

MD5
d78f513cf9b1dafde3c036ee50e98e47

SHA1
3b648a8124daf4f5a840fff064e528b598d9c37f

SHA256
64698decfd76d9b32831742ce7e6c3a7093035830601aa96d9733dcd6be26abd

SHA512
5bf875143360e40896d25a3ce4efee0d69370127989e1f27f777b44ade55ae0f737e7191ba9cd608b64a7e747a7a421775d2d5cca871c63904677d334af020b5

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
128KB

MD5
cd15b7baf5546286011886e44f4c6ab4

SHA1
6408161bbe144e62b77ca5968d9baf456fd35a22

SHA256
15e0d9874b80a893bca05685ca8752fcc5277ea76e2a5eefcf40170e3f9798b6

SHA512
96f48be054c977411fbf66c7cae68df2aead58125c1ebb2ea6767cefccd5e857a35f7e515723139043ef58dae258e59bc9b1c4be504a4819dc77b495cd7a396f

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
128KB

MD5
274de175fa61a5504d6b9ef82b2d1cae

SHA1
225a8d10a0807675b9b0c2b23d2145e091f148be

SHA256
2eea47fcb18c8b1b680df432a5427bf2534b36e505ea58c39d7186289135db65

SHA512
4025f9c3d63fe65dc42995d86b99f70618abb09efbcc10403651784ed072fcaf40b55fe12e7629ea02d3f6cac30cc67ce031125797cc79379087746af1fb49f5

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
128KB

MD5
dc1641add314cbed6b64182fb2d5587f

SHA1
e0125fe474fa62da6606d93ab0a3d4b3b4c78b60

SHA256
e866d06166281efc595b438804c42bc19d9e3680ec81a39913618450029a4518

SHA512
d6ee27d155695907390b00f8262868d3c64149db3d89cc2077642db389fbaa604eb806fe9816467074e8b371875617f6b7ac940c8aae0692e5bbce8f979612fe

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
128KB

MD5
9ecd471759e2cdca01f5309327793bd2

SHA1
63fda7bcef2e3cad7ee74f4e131eae7c90140781

SHA256
5f4af1e12e960a23fa72a1f7e31d6d32bae8e3d537e318757df71506ea85fe2a

SHA512
7e90adf01e6473a5ae0501268fb6b17595ae7ed3bbf028b3027df894e813faf2aa23223364094a239fd2ae1806fd3e7bae59e7fe17901b8b93466de02665e13a

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
128KB

MD5
8703eaa89e03fcf3fe42780dc8bb423f

SHA1
969b1259e000eb2d02c77443a6cfb1292993e053

SHA256
62a36b42df1ab0b2191eb284f9c8fcdfb2f339c861b75e42325d48a240966911

SHA512
5cbb32df8bd22073e4c63b46e133aa5f313c3ca91c19d68fc03adc2980fd9b729a4d20f089f4d864a96f73ee38660be19eaca3ea8eaca66912316077249faac5

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
128KB

MD5
b6ee3614d2167d60be0109f7981a7909

SHA1
9055d47d5756332e0841e4140492601e6c3d3a15

SHA256
bf22734f767c1a5657348d4eff269d6ee1e07a3e8e9fbcd454eb52f630ab2e2e

SHA512
cfb543fa6637c7940622a022722db4697bf086dade8b45e54cb530aff2f0e0d69d69958a95e92592e48f6cbe9cfcea6559dfea756ecaa4cb2882fe2399a49e07

Download Submit
C:\Windows\SysWOW64\Icgqggce.exe

Filesize
128KB

MD5
c57487be2a840f33c313375f7ea2f794

SHA1
9eae3efe5f7fc9dc20efa519d2655e61263830e9

SHA256
7120f49aaeaa3760cc02d8a4959a628ddbfa7fb5131459425f69774b8c085b56

SHA512
138e585af7de30c65ae5954555d819c63dbe366dcf82289d7aa5435c4684e41ea386fb04c1bd726e6459054a056a250b98bbafdaa543ba09fcb3f24272ffd8f2

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
128KB

MD5
4982e3304957afcb02a6abd94842f669

SHA1
0e05d88ce5ae94b9282ca93d5f2d275fe64f5782

SHA256
3c8cf733622e0fead3aa1a12f0cb69013f1b206a53c015a78ebe30f53d1e7d37

SHA512
5f6a7abb050ced6f2e948fc0fcd9d4052c7347c7a6a8b102dd93e0f25bfb46ea06055edf66db5ba61288dab1c728e8a9107ca6f1cece518cbfe75109dc54f87f

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
128KB

MD5
241fbb855fb0631a955c6f33ce3cb992

SHA1
51ced565fef8a2b91a73ebded76d98f98e76bd2a

SHA256
9ac371c8bfaf5108d39719867ab29c89a49c26850a9b3aa6d3f4d1c3a6a8f34a

SHA512
4a8f2ad01af44ab25fd20317978ffdfb5e556c70f967a6df4967c56b1ad94124eacf4fda1b8e8397546117bde69847b5b0c10f746bbe893a60574e69ac6434e4

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
128KB

MD5
d386905f0c08ae808d95f2cbce275ca4

SHA1
122e87d9603f81f83e060122ad6c62a1fd614511

SHA256
f23f833ce1a3979d1e0697c9516b1a5a331e756400d1baea28fec7e87f129a47

SHA512
a622c1b147acf87be0d47074eb50a8b325e3e4b3c22cd7731cce04bd8988f152ba4c33b22971a1d808c7391bd3a9f09a0f88499585f13464082c8f1b75cca7b6

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
128KB

MD5
81e6250c237d8f9ee5225c1bdb4ded42

SHA1
422a8c39441f986d3853ffc5f7050d0966bf6b67

SHA256
80e7b416f6d0e1a5ae73b5f5ba1271d2e51d89b1214b78dcefc1d8cddfb9b135

SHA512
df3c8cb1df7b069cbd2f4669d531c17a2d24976131613a253f1ba696df4a47ac92d75cc99b28cfa68cb91051c92cf6ffe6bbca79f577360c637b7afdf3cc673b

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
128KB

MD5
056ff972e52e4847dbb8d2ef7f7ed788

SHA1
729eed3abd898b653f55587fa8d0eaeefdcc66e1

SHA256
e325ba98698e3d29bb444e869f28d11fc24460492be1fa79cb38db5c156f3d36

SHA512
e322be59dd2f269b61142a17258110b01a0853b03f90ddcd707960692828d4b8ca81f73fcd7d738448e194e706a572e51b46315541ceac9582d16c5709bb8384

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
128KB

MD5
2bf113aa7cb643fb9adafc168f7a7f8c

SHA1
317c4065377060d2a5b33597b6fd73ccad56eeea

SHA256
02ceddb1def4f855ef41af9235f452d26b94eeb7a7a3c1197e30aa0b4d0d18e8

SHA512
eb74083f40e3a2158ea07fdbf43d8b4fe3163a62412ef2a9fba02d62ddf7ec574bd6b0f7d18fda6c297d4efea086d841a70d75fcfcb34c9535a218c7bbc4143f

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
128KB

MD5
bfbc48688bdc9af93d76c7c2d9662c74

SHA1
9bd7861b32479384f4f8d06d3d60f7d4cd6a8286

SHA256
a12c8064b9f94bde034c6b46fc27cb08a09f9111d461e13ba6ea5fe1f867a0fe

SHA512
cb5ad8f0cc5c4ceb49f3b8c143775cd6b107dbdfba6a8633e8d9643229c1722707122ef5bf7040f34bcb9b47849e29d6190d5dc1ddb96a13e0fdc41032bfff71

Download Submit
memory/220-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/224-570-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/232-545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/404-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-576-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1212-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1356-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1392-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1768-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1852-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1948-557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-590-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2032-597-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2200-583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2228-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2236-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-609-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2608-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-569-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-6-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2780-411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2784-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3084-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3116-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3144-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3356-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3408-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3456-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3572-531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3700-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3720-525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3736-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3748-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3772-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3864-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3956-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4044-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-596-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4240-267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4512-405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4592-447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4620-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4652-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4692-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4808-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5020-222-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5148-607-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads