8c2118f584af8d53e2aeeb63fc62c762d06f71ed5d99ca74a9a83924ff6cfaf9

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1115c58aa108cea8b56c3c7c9239f1b0_NEAS.exe
Size

349KB
MD5

1115c58aa108cea8b56c3c7c9239f1b0
SHA1

f772003583a29529a0cb7b67fd154158aaa0b9d8
SHA256

8c2118f584af8d53e2aeeb63fc62c762d06f71ed5d99ca74a9a83924ff6cfaf9
SHA512

950ba931bdad9c208f1d16d6b3ec0e8fe72d6fdb8efb67483268d701bf7d3354166a7c13dc4508ce75e3e08c231ec846fde00fbed1f223a23c49954cb5b2c54c
SSDEEP

6144:qOdEdCXnPOwXYrMdlpfDFk/pB7gl0cziyqczZd7LFO3A9xoLBZ9oGnFnj+MpZfPX:TedHwIKfDy/phgeczlqczZd7LFB3oFHF

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1115c58aa108cea8b56c3c7c9239f1b0_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe

Malware Dropper & Backdoor - Berbew 35 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000c000000023b50-8.dat	family_berbew
behavioral2/files/0x000a000000023bad-15.dat	family_berbew
behavioral2/files/0x000a000000023baf-23.dat	family_berbew
behavioral2/files/0x000a000000023bb1-31.dat	family_berbew
behavioral2/files/0x0008000000023c09-230.dat	family_berbew
behavioral2/files/0x0008000000023c05-223.dat	family_berbew
behavioral2/files/0x0009000000023bff-216.dat	family_berbew
behavioral2/files/0x0009000000023bfd-209.dat	family_berbew
behavioral2/files/0x000e000000023bef-202.dat	family_berbew
behavioral2/files/0x000b000000023be0-195.dat	family_berbew
behavioral2/files/0x000b000000023bde-188.dat	family_berbew
behavioral2/files/0x000a000000023bdc-181.dat	family_berbew
behavioral2/files/0x000a000000023bda-174.dat	family_berbew
behavioral2/files/0x000a000000023bd8-167.dat	family_berbew
behavioral2/files/0x000a000000023bd6-160.dat	family_berbew
behavioral2/files/0x000a000000023bd4-153.dat	family_berbew
behavioral2/files/0x000a000000023bd2-146.dat	family_berbew
behavioral2/files/0x000a000000023bd0-139.dat	family_berbew
behavioral2/files/0x000a000000023bce-132.dat	family_berbew
behavioral2/files/0x000a000000023bcc-125.dat	family_berbew
behavioral2/files/0x000a000000023bca-118.dat	family_berbew
behavioral2/files/0x000a000000023bc8-111.dat	family_berbew
behavioral2/files/0x000a000000023bc6-104.dat	family_berbew
behavioral2/files/0x000a000000023bc4-97.dat	family_berbew
behavioral2/files/0x000a000000023bc2-90.dat	family_berbew
behavioral2/files/0x000a000000023bc0-83.dat	family_berbew
behavioral2/files/0x000a000000023bbe-76.dat	family_berbew
behavioral2/files/0x000a000000023bbc-69.dat	family_berbew
behavioral2/files/0x000a000000023bba-62.dat	family_berbew
behavioral2/files/0x000a000000023bb8-55.dat	family_berbew
behavioral2/files/0x0031000000023bb5-48.dat	family_berbew
behavioral2/files/0x000a000000023bb3-40.dat	family_berbew
behavioral2/files/0x0007000000023cf0-588.dat	family_berbew
behavioral2/files/0x0007000000023d0c-672.dat	family_berbew
behavioral2/files/0x0007000000023d40-828.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
1468	Gjapmdid.exe
760	Gbldaffp.exe
2540	Gifmnpnl.exe
3896	Gameonno.exe
3868	Gppekj32.exe
1916	Hboagf32.exe
592	Hjfihc32.exe
1924	Hihicplj.exe
532	Hapaemll.exe
3024	Hpbaqj32.exe
4932	Hcnnaikp.exe
3828	Hbanme32.exe
724	Hfljmdjc.exe
3984	Hikfip32.exe
3980	Hmfbjnbp.exe
3472	Habnjm32.exe
440	Hpenfjad.exe
2396	Hcqjfh32.exe
5056	Hfofbd32.exe
1240	Hjjbcbqj.exe
944	Himcoo32.exe
4596	Hadkpm32.exe
4872	Hpgkkioa.exe
2452	Hccglh32.exe
4708	Hbeghene.exe
3684	Hfachc32.exe
4616	Hippdo32.exe
1596	Hmklen32.exe
3396	Haggelfd.exe
5060	Hpihai32.exe
5032	Hcedaheh.exe
2536	Hbhdmd32.exe
4032	Hjolnb32.exe
4772	Hibljoco.exe
2988	Hmmhjm32.exe
232	Ipldfi32.exe
4456	Icgqggce.exe
4420	Ibjqcd32.exe
408	Iffmccbi.exe
4172	Iidipnal.exe
3652	Impepm32.exe
4344	Iakaql32.exe
3152	Ipnalhii.exe
952	Ibmmhdhm.exe
1696	Ifhiib32.exe
4536	Ijdeiaio.exe
1716	Iiffen32.exe
3776	Imbaemhc.exe
808	Ipqnahgf.exe
3988	Icljbg32.exe
4500	Ibojncfj.exe
5052	Ijfboafl.exe
1196	Iiibkn32.exe
1104	Imdnklfp.exe
4824	Ipckgh32.exe
4124	Idofhfmm.exe
4108	Ibagcc32.exe
4556	Ijhodq32.exe
4560	Iikopmkd.exe
5076	Iabgaklg.exe
1972	Ipegmg32.exe
1512	Idacmfkj.exe
4600	Ibccic32.exe
4268	Ifopiajn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjmhppqd.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Iakaql32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5520	3716	WerFault.exe	218

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngoghpn.dll"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 1468	4244	1115c58aa108cea8b56c3c7c9239f1b0_NEAS.exe	84
PID 4244 wrote to memory of 1468	4244	1115c58aa108cea8b56c3c7c9239f1b0_NEAS.exe	84
PID 4244 wrote to memory of 1468	4244	1115c58aa108cea8b56c3c7c9239f1b0_NEAS.exe	84
PID 1468 wrote to memory of 760	1468	Gjapmdid.exe	85
PID 1468 wrote to memory of 760	1468	Gjapmdid.exe	85
PID 1468 wrote to memory of 760	1468	Gjapmdid.exe	85
PID 760 wrote to memory of 2540	760	Gbldaffp.exe	86
PID 760 wrote to memory of 2540	760	Gbldaffp.exe	86
PID 760 wrote to memory of 2540	760	Gbldaffp.exe	86
PID 2540 wrote to memory of 3896	2540	Gifmnpnl.exe	87
PID 2540 wrote to memory of 3896	2540	Gifmnpnl.exe	87
PID 2540 wrote to memory of 3896	2540	Gifmnpnl.exe	87
PID 3896 wrote to memory of 3868	3896	Gameonno.exe	88
PID 3896 wrote to memory of 3868	3896	Gameonno.exe	88
PID 3896 wrote to memory of 3868	3896	Gameonno.exe	88
PID 3868 wrote to memory of 1916	3868	Gppekj32.exe	89
PID 3868 wrote to memory of 1916	3868	Gppekj32.exe	89
PID 3868 wrote to memory of 1916	3868	Gppekj32.exe	89
PID 1916 wrote to memory of 592	1916	Hboagf32.exe	90
PID 1916 wrote to memory of 592	1916	Hboagf32.exe	90
PID 1916 wrote to memory of 592	1916	Hboagf32.exe	90
PID 592 wrote to memory of 1924	592	Hjfihc32.exe	91
PID 592 wrote to memory of 1924	592	Hjfihc32.exe	91
PID 592 wrote to memory of 1924	592	Hjfihc32.exe	91
PID 1924 wrote to memory of 532	1924	Hihicplj.exe	92
PID 1924 wrote to memory of 532	1924	Hihicplj.exe	92
PID 1924 wrote to memory of 532	1924	Hihicplj.exe	92
PID 532 wrote to memory of 3024	532	Hapaemll.exe	93
PID 532 wrote to memory of 3024	532	Hapaemll.exe	93
PID 532 wrote to memory of 3024	532	Hapaemll.exe	93
PID 3024 wrote to memory of 4932	3024	Hpbaqj32.exe	94
PID 3024 wrote to memory of 4932	3024	Hpbaqj32.exe	94
PID 3024 wrote to memory of 4932	3024	Hpbaqj32.exe	94
PID 4932 wrote to memory of 3828	4932	Hcnnaikp.exe	95
PID 4932 wrote to memory of 3828	4932	Hcnnaikp.exe	95
PID 4932 wrote to memory of 3828	4932	Hcnnaikp.exe	95
PID 3828 wrote to memory of 724	3828	Hbanme32.exe	96
PID 3828 wrote to memory of 724	3828	Hbanme32.exe	96
PID 3828 wrote to memory of 724	3828	Hbanme32.exe	96
PID 724 wrote to memory of 3984	724	Hfljmdjc.exe	97
PID 724 wrote to memory of 3984	724	Hfljmdjc.exe	97
PID 724 wrote to memory of 3984	724	Hfljmdjc.exe	97
PID 3984 wrote to memory of 3980	3984	Hikfip32.exe	98
PID 3984 wrote to memory of 3980	3984	Hikfip32.exe	98
PID 3984 wrote to memory of 3980	3984	Hikfip32.exe	98
PID 3980 wrote to memory of 3472	3980	Hmfbjnbp.exe	99
PID 3980 wrote to memory of 3472	3980	Hmfbjnbp.exe	99
PID 3980 wrote to memory of 3472	3980	Hmfbjnbp.exe	99
PID 3472 wrote to memory of 440	3472	Habnjm32.exe	100
PID 3472 wrote to memory of 440	3472	Habnjm32.exe	100
PID 3472 wrote to memory of 440	3472	Habnjm32.exe	100
PID 440 wrote to memory of 2396	440	Hpenfjad.exe	101
PID 440 wrote to memory of 2396	440	Hpenfjad.exe	101
PID 440 wrote to memory of 2396	440	Hpenfjad.exe	101
PID 2396 wrote to memory of 5056	2396	Hcqjfh32.exe	102
PID 2396 wrote to memory of 5056	2396	Hcqjfh32.exe	102
PID 2396 wrote to memory of 5056	2396	Hcqjfh32.exe	102
PID 5056 wrote to memory of 1240	5056	Hfofbd32.exe	103
PID 5056 wrote to memory of 1240	5056	Hfofbd32.exe	103
PID 5056 wrote to memory of 1240	5056	Hfofbd32.exe	103
PID 1240 wrote to memory of 944	1240	Hjjbcbqj.exe	104
PID 1240 wrote to memory of 944	1240	Hjjbcbqj.exe	104
PID 1240 wrote to memory of 944	1240	Hjjbcbqj.exe	104
PID 944 wrote to memory of 4596	944	Himcoo32.exe	105

C:\Users\Admin\AppData\Local\Temp\1115c58aa108cea8b56c3c7c9239f1b0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\1115c58aa108cea8b56c3c7c9239f1b0_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\Gjapmdid.exe
  C:\Windows\system32\Gjapmdid.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\Gbldaffp.exe
    C:\Windows\system32\Gbldaffp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\SysWOW64\Gifmnpnl.exe
      C:\Windows\system32\Gifmnpnl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        23⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        25⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        35⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        40⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        41⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        49⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        50⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        56⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3052
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        68⤵
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3952
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        70⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3816
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        73⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        75⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        76⤵
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        77⤵
        Drops file in System32 directory
        
        PID:3500
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        82⤵
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        83⤵
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        84⤵
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1020
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        86⤵
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1572
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3240
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        91⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        92⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        93⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        95⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        97⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        98⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        100⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        104⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        107⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        109⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        111⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        112⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        113⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4492
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        122⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5592
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        126⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        127⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        128⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        129⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        133⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 408
        134⤵
        Program crash
        
        PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3716 -ip 3716
1⤵
PID:5364

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:5796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gameonno.exe

Filesize
349KB

MD5
246de0c1849bf94e41c7f6f47a5beb3a

SHA1
2b691de62176b7e93d53fd3251d0f383ad2dbe1e

SHA256
817d4a1f04c740d527c79b8e64b752e676f76b8e7da3ce65297eaeb3bf893989

SHA512
1b0e198d79629222b5df6098862bb8eb2ac0ebb55d57611eedfb0861f24ecb94ba4919bdb97d13c14c34a6466db8ca03b9e30f60c2397e844aa8782bd25df64c

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
349KB

MD5
5bf80e92de1a0404859e5488555f5f57

SHA1
3e81faa9cca3fb68d97095d8414a1c9d2851df69

SHA256
38e27d02c47b5985bb997af736bffc1e24cdab75feba1f986a41102ccb1ad3d1

SHA512
47ddad223c6cbcfdf3b816194c97ad885f04b472955d7497860039afe843244aa8c61bff68a5740b56a0ffe31dd7d36dcd5c6566e7ff92bdb9ec894c7c54ad01

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
349KB

MD5
725ace68dbf9a2f590c680bfeab5208b

SHA1
67d73b6656e4f92b7023c255523e09f42218db98

SHA256
815aa8a0ddf7e92b2876bbff5a76fb92b29885f566ad8314f25bc6a32e57cc6c

SHA512
ef3c56964b0fe872fce134cfa467df6ad19f7b426917b1741573420e37b12493ff01f2018058eeb58971875a60fddfce82e5ae5769dbb085bb5b3891076c5199

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
349KB

MD5
20bd25e099376d144beabd4dd0e4763f

SHA1
c75a2aa82ef97386a2822404a36a3c7f3c3672b6

SHA256
cc2c18be8189e40e15b0aa4b77fd437344f0d80c98840ee9a237129aaf5dfea8

SHA512
f06a3e4bbb00724e66f3d78b63534cc59a7be2f816a1c90cb9c3276d892ce7505b4b2db0e3deff0c7e42dd2964f74cc9dd6a6d59d5e96f9688a0152e281dbc99

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
349KB

MD5
b8b5ff80e6cbfc9262fe25d924de788d

SHA1
4fe40702fa64acaa019d89c23e7d9e2854a6cf85

SHA256
fd0ec5aab5feddd33992648a8ac9914ee5833d67264a8218b8a20e23ac10bfe6

SHA512
174de5648164651850986a6eeb453aa8fa9281781bb1411bd1985c734a7c42c5b8acba23eac6c4478e2cc6e4f443a5860f0ede63fdd0ba9951b55fb7b69d549c

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
349KB

MD5
95086340350dcc91c165b82966923509

SHA1
34eb4fb162d204536309a89f425201b1353ea96b

SHA256
8d5d7494661a188113c740f01d682a38674719e82c79db15c84e65a9b19fa5ad

SHA512
7674345aeebcbddf767fd0170181c1caba7b72c57c8ab81f12ece7d0245d8fe017fc5b40041da83c1c8dd6c61190fac53c54e2cd7b1ddbdae847807e3e5f9da1

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
349KB

MD5
84735e4bb78ef696e526302ad8f93a18

SHA1
3b6f24a8462ee85f71a4f74efa37be4bdcf37540

SHA256
1b29b23d0c8e4775904ec66f14259be7c59e373c13e69954c45daf0a76efffcf

SHA512
df9460d3fe9d7ebf212d067bd8bc0e0ea30e0012973401b99fcce6c8257376b186879b1df664b07eb99feefa9ff28af351fcda6cf22a6716a0008c1099186a9c

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
349KB

MD5
c70a3da15d1bc2017fb95b61116e49e1

SHA1
789bb2c3ea5738593c3e55cba90e9891d1cab9eb

SHA256
328c1f8306253ae7302f471639f52bb1a2f83cffe7dfefc02dda2ffc81960bb8

SHA512
067dba02b17aa3f3a8623cbf64133b1eff7b7dff05d7a3f70e61e94709090e307e51778b3aa036c6a4c253f1132def4b399cdc3cc12a16b0bcdd1df6aba5f9f1

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
349KB

MD5
cf41b792571b982dc26a05025b57a796

SHA1
8dafec1b936cee998ed4ec91f415c03a38c8dbef

SHA256
63202b9174a801ea5b0f9365e013a6891eef12bf58fb244dd0adedc05be38275

SHA512
21666cc4edc98fe69bb857b1904ca4b9a7c8bec48273591dc31137ec258aff7608f74f0058341e04166bdb641047b320585ac13cb533dc00333019f6158740b3

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
349KB

MD5
a0639ceca55a127677f293639c33961d

SHA1
b1445759d885a4b2ac937e7ea982341ee3b4a2dc

SHA256
fc384d0657d02db98f6e25d4d2ea758fb94320cb503eac8b2dfe147dbc405e2b

SHA512
9ca4535910aa2faa66db9bdb16e464e376a09e8ad48843c9f3b14d814ca5add2057c3bca5bf4f1dc699bc5c793ef46369cf21a7776f2479e31467637362a1d46

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
349KB

MD5
3b93ecc940a90ce6433538405c846c61

SHA1
6997da8bb8a01ce19eb5e138fd438a6e3fe06931

SHA256
12d11f30d2a135d8d6ed69be87a413259344090aa4ebd2da0f10a52d0957cd69

SHA512
a6567a560e1254e77f20a90ffd9891efa5f2980318a521e2f113010df480dd70858f9d7adc81cfef385fb061bfb6c453f9a05e917a15497da4f58e66506f696c

Download Submit
C:\Windows\SysWOW64\Hbhdmd32.exe

Filesize
349KB

MD5
2166a30d5253ae2f1c41391bee8f05f4

SHA1
45cd0c69a72fce27daf666c04e514398f848f203

SHA256
1c834153d486396248d1cac2a66a488e1884e323629c85370e6805589b4343a6

SHA512
0994e0bdd68b248f7561e7d22999feda1bb0f95c29125170fc6bf9d9b96c223c93f744d0451836fa45ecada4e6e28abb701b74280cf084edd60a11fecf43edf8

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
349KB

MD5
4af893acc926b730809b832285c8bf80

SHA1
6d6ed9699796ad932617c0322e2738c912ea735c

SHA256
82a644d3be860e4fee7aa821a02eb0bca5d6b3990759cf6d2d6eec527ed45ceb

SHA512
9ab16e1e69810400f72001a7b3daeb160f89f87d47ac0a8a81d49f5f3d976d29f9d4d2ec549c632592bf2896a0bfb921736f70a6629de15305a01814b62d7767

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
349KB

MD5
c2ae3e2194bd7c83b6700041d5a594fa

SHA1
763fbf8f1db3a6249a891fa549c5e96aa1d40c23

SHA256
d091eade6396425d0fbfb8b96cb91a15747bad2c1c36c39828873cf50acdb632

SHA512
59e52850f9755d28e2af480ba3ca263f358b5a8c82041ca4fc338384dc1b70e8f552e3f7d07cb8dba2e923e96da586620bbd121ebbe103e5ce8370af6749ce58

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
349KB

MD5
e7ab7f97fdefffe412508f885cadc67d

SHA1
bfc962977d691ca385ffccfa1f3789325320f1e3

SHA256
82fe90fb7d7b4673e50366a289c384c83636c65aa783338a689e6697429cd7a0

SHA512
290651e1c1cffe9868b6430e10a460ac0922a3099b0161ba073fc144bf4e0fe4f0e2cd0cd25441c1080c8a81dc2eb8f2834718947b3085c467fd81dd93e7bfc4

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
349KB

MD5
75e81ab463bf62fdc54c7ece80cc499f

SHA1
1c5b1129dd335f6e8543234efb9aa51f1467ad9f

SHA256
9783a34fa08d833aa76d51f3f4c4fd73a1d48bd6e7fc61ba0b29431ae5d99c2c

SHA512
56d985e6edf1b17c613a06d76b7e998f96021c984a4c5926d80084454230bf0fd9142f04f1a5924259c802e2127cc2bdea7a9d5487bcbad11d0fc85b836b65a1

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
349KB

MD5
a03881da6302965e9b7e58f69c423a2e

SHA1
7ce27c992008df4dd804f9edc3674329f5eab471

SHA256
1e877fc65e7ee60ad6244656b195d8c7bf7225de4c0a47fd5b74e6552b93cf6a

SHA512
e5fb1fd28c4dcd3ee5530217bd1da783a5ded2dd41550324396ea6604cf027a33757d79f156a79253f6b4f2c97d95beeb4b34ff9c1ef0e30dc0cb2921b55a503

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
349KB

MD5
74e5f7f24cc9f11fbf4d7643d36c279b

SHA1
0c83160f529c1466464003e49e9311d1350437d8

SHA256
7f4df97d23b90b12410b81a6a401f5d581eda44a29b4057b40b2c3c246dfcdf8

SHA512
01b68ea640d28795b77fedee29e612c21ab83bd8f8f53dcdefc2105403bcaa120ac9d8afcaf72e86688fb7165c9bcd7b093871ae59e7118437e1d55708024e58

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
349KB

MD5
94f8cedfb7e17b08c08e01ddfab7b43c

SHA1
236b0feddc4740041bcda723e8a09dbebcaead94

SHA256
f1b87106ae7da7a8d25ecd3c9bc56b0325cd3e6975e8d1189ed4892a7318b3d2

SHA512
22a9f70e3e2495b8294b37258bd31d12872e6bf5287c3b25379d6bd0d4f51d4eb22ad5503823fc1788947d1259b1fe1ac992d393fe8cf0db0026fe9366394c4e

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
349KB

MD5
0656724b3364e80587376e0bbcda5365

SHA1
c7b1fa67ccaa942edc4ca9de54c55828bb84a802

SHA256
694eade41845d642ae7d95f44c44b742dd8c45bce726e1b1f90fa3fcdb924d80

SHA512
17b3698e0d0cf963e1f3890f3eb25b524d5d6e8968a9f571f78b942454ae04a2bf1c1baa6a388079a88d12925862904cab2c195ac45b913541936d5045f70d2f

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
349KB

MD5
e581d8fcfbe1e79bb96133db56203bf8

SHA1
4c8f6af95216d6394fc03228de7f3664f5f0a64d

SHA256
a7b6122ee4792eb09cff04ab9bd448d532b12627a5a2ca0975f55d7331f35a9a

SHA512
edcd197ce06d77e141a8bdef9a4fb3cb3f259bbeb86d40b05cc4e38a0ef8d1a31c4dfc6570b4d5f9463b33a70f3ae62961c921fc8d3f230c132a4020fd6ffcab

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
349KB

MD5
b92b673b16d624e82a70dcdcd1c37233

SHA1
f756d72b9a4da84a41087e5bed2f3e2b56b7e483

SHA256
0e7748a9f594ec62f7d944ca4a868bbf22dd5605dc58c90b8bd48a1e410b38a7

SHA512
40d86de6f971b8a28f5397d24325c8cb7f2c5b3cae1b3d267071ebfb883c25f223b2bcf26bb539622b0e29269ee6aa69c8a446847e8fb01606f5b5f8bbad9963

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
349KB

MD5
25278066b447ec5b6f5795f2967ddcda

SHA1
fccc702a9042801d41e4adc07f1540e2c53e58e8

SHA256
9dc8d8ce13312c33e715a8bd90234991e11123b9001381246f65b729e6a98437

SHA512
2adc4f4b6068919bbfd54f95ab18e0aa9596c64af6146233e4b7bd36b20d91037ecb1f32930b3557eb45099a071ca63d73654fc0a488d4e944b7aa6c3865de83

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
349KB

MD5
7fadbd97788121cd929637210da0cbbf

SHA1
193f642e01a7605260e189f09e80fd4c86a7b6f9

SHA256
a2c7cd6e3b7b774355b737f31f66ee48abf8715b0746c56b11cdd9a36ac42d47

SHA512
c3f016b6f90652f3d94ae671ecc744ccba12906a52eb5cc275a14cc18981e8785f8cea9187a39fded10733f35957f83d4c47af05fc0767b62e2056ef387a3bb9

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
349KB

MD5
a6007e19bc0640858de3998e46123a24

SHA1
68d26916a170231e428a53ab35c43a77e8cd288f

SHA256
62170ebcf939fdbd37eeef46d640125d66919a6adbd715d6eb4c588d5acfd2d3

SHA512
796dbc5e993795a54bc19811e8b70c3d083d41ffbd2bb6fdbd115b7bb18ab9b0e404e9b1a4438fba29c075410b2cefecde33a9586e366578d1ed1635800f4c6b

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
349KB

MD5
a16d018b5b39bbeebcf63d800f3c18d7

SHA1
4618cc83fa14e8deb7281afe398124182e74b32d

SHA256
1b978a2695246b640812e67bbe5d534921bcdbd2b44801c100d04fd1cce7eabe

SHA512
2815260af8951b0fd056e7dc70ad611bc56caf94ce39cd9a5ff40dd0af7eb49359b3d8dfec891ffd2a05fe8196142e610b278edcde4b12b34ef598cb515de412

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
349KB

MD5
7654ea9b50c8ca5243748a6b199081fd

SHA1
477e421c883293bf40c73f0a997d0b79b07b0f71

SHA256
2c883bc0da5382494b6a0994b69170f41a209731820f477ef67d3171a87f3f4b

SHA512
b370cf6b77e4c5c5a1d7f303d63427d193eff24dfec6a63845b20889847982f4e7b009f6e68ed45406e824e5ba299828d80d9f26b5d15bd09ad5c1d34bb30f2e

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
349KB

MD5
824aaaf263de17ae09d37277086d3571

SHA1
edcbf651d723be4cf6f7f698b7e3ed405a5880d8

SHA256
0d15ae5d611a8f34a468a99f831d9787d1a15de2f709815541229d41f7a944a5

SHA512
359b7d62ae7684c7312bc14097cddcf08205ddd59311f40411a0edc30253dbe116f511ad356140a3270c43f11deac0bb5a7da3da28ac863c555ba28e48c8041b

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
349KB

MD5
1742efdf0a6afa094da8e8278349e2ae

SHA1
14b8f4603963159f40960ae0c8684e394ac654a5

SHA256
3f74768e755d1b6f99ebeebfd8a9028127b1d38dd98187662039d644a843f946

SHA512
ba43098f23cbac8e5ecea9594c65b5a79e05d09bcfecaecdf17581de749000557e752171305367f80ff9e7e1d67f882637b739766d8835a92c3ca1d449dfffb6

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
349KB

MD5
103a3665e57a8765c2a6a9183d2fa8c5

SHA1
64f2aad9b8c263858bc97373135adf9918cc1dd6

SHA256
fc621d45d6255fb2721e19e409f6b9bb357851ab40d745bcdcd20f6c5afb63e9

SHA512
b023037f396893d1f6c0a57134cb5837e2449ba8a09f043170365752240b2f823c0c938ff381612ab9f5261eda9fcbe4d39c8780cb43c8d708cfb4fced168a43

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
349KB

MD5
36103d658d2785e858ceb87b8fc9a087

SHA1
6b6f4f55bf02065fb41c98956b8ca47ba3885058

SHA256
883787aad3681e6d7545056d3135a3e6ab9ea86533e21ed84158b6c19d774553

SHA512
e16ff4a5557d9682ef97024d636fedcd799aeb6772c634b622420b1bb5e3bc865f1e3c692638b6a4da4576c2a651b2f734f5b5569051e1d1b44c85b5c5327b6f

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
349KB

MD5
49bb9b898ab46e84a9681edec81de213

SHA1
23f7a3b178bcc25d134ad05ae5fbbf48313f2296

SHA256
723c533b0c8f8b6ab4197c812bbbb79ed05d84a28385375209b251c8f69bd155

SHA512
aaa1a6d478542f355149a9691f5100c56485057ea451baa438bcfca51eb5406497168bc05137482964553a1466bd3eda2dad99ac663b90a85619aff72934c22d

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
349KB

MD5
6349dd464d39e28a7bb1dc85cedb4c0e

SHA1
243685a0b65cddc287037851812cdd24ab99648e

SHA256
aecb9217833d8dbf623e7864067d294f7fa579b09c509b2d8e486b35c9aefc55

SHA512
bb06ae2c00434a2593558e54366bf9c83163e4269cae8086d4cf8f89377936293ac9143382f424b8f8fd7d7121777416368992ce841b4f12904764859a22fded

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
349KB

MD5
e4146efbbbf586587ce3a31a4f792414

SHA1
4be11b94b27f8bd90453906e273a5a6d4864c972

SHA256
39dfa5defdc53bcc951843daed1e66cecf4f0579b2ca04175e486d7812707ad7

SHA512
f6244dc4fdfd7a6e0afd99e60427dcbd02dc17e06b67e8788bfc80d0f97c5d3d1c6de57f8259e82742295823cffd163a0090d0b02e16e97f3015553024d2ce52

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
349KB

MD5
3942208d3309771a17f7acf9d6bcb819

SHA1
13fa6944796d47669aca276ee5ccd0391500d046

SHA256
093881480132eedaf0e4411c5bafdfa9158696b4a8032f18659f19f6233356f3

SHA512
ee24d08d54c31a2d2356a598dffe21068e41f483f53bff50703924f9d33bae4daf44b7c1ec37584269b44530233dbf60f6a605b36012a6f92d71f03ecb1c62c2

Download Submit
memory/232-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-942-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-599-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3780-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-609-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-7-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4268-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-623-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-634-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5664-895-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6008-859-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads