921950b797bf6af12e7f2717fd72575bb17a05b82c928b2bf290d9622f3491df

Analysis

max time kernel
130s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 09:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20796dd9b2e05da1bde4483a05337c80_NEAS.exe
Size

229KB
MD5

20796dd9b2e05da1bde4483a05337c80
SHA1

04568bd24dca01cd3909bac16fd5875589f3330d
SHA256

921950b797bf6af12e7f2717fd72575bb17a05b82c928b2bf290d9622f3491df
SHA512

570b84d10e980ab1d2f93cb6e18307fa28459f799e5745e38a9202d89342538e0ee7fbe74a8560967f5c174dfbd283ea0638561aa2db3b3ad98652f9698a4505
SSDEEP

6144:LK70Mf+c+u271+HZ/pvkym/89bYEwPhCKvav:uYr7AIfFfvav

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe

Malware Dropper & Backdoor - Berbew 37 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000c000000023b50-6.dat	family_berbew
behavioral2/files/0x000a000000023bae-15.dat	family_berbew
behavioral2/files/0x000a000000023bb0-22.dat	family_berbew
behavioral2/files/0x000a000000023bb2-31.dat	family_berbew
behavioral2/files/0x0031000000023bb4-38.dat	family_berbew
behavioral2/files/0x0031000000023bb6-46.dat	family_berbew
behavioral2/files/0x000a000000023bb8-55.dat	family_berbew
behavioral2/files/0x000a000000023bba-62.dat	family_berbew
behavioral2/files/0x000a000000023bbc-70.dat	family_berbew
behavioral2/files/0x000a000000023bbe-78.dat	family_berbew
behavioral2/files/0x000a000000023bc0-86.dat	family_berbew
behavioral2/files/0x000a000000023bc2-94.dat	family_berbew
behavioral2/files/0x000a000000023bc4-102.dat	family_berbew
behavioral2/files/0x000a000000023bc6-111.dat	family_berbew
behavioral2/files/0x000a000000023bc8-118.dat	family_berbew
behavioral2/files/0x000a000000023bca-126.dat	family_berbew
behavioral2/files/0x000a000000023bcd-134.dat	family_berbew
behavioral2/files/0x000a000000023bce-142.dat	family_berbew
behavioral2/files/0x000a000000023bd0-150.dat	family_berbew
behavioral2/files/0x000a000000023bd2-158.dat	family_berbew
behavioral2/files/0x000a000000023bd4-166.dat	family_berbew
behavioral2/files/0x000a000000023bd6-175.dat	family_berbew
behavioral2/files/0x000a000000023bd8-182.dat	family_berbew
behavioral2/files/0x000a000000023bda-191.dat	family_berbew
behavioral2/files/0x000a000000023bdc-198.dat	family_berbew
behavioral2/files/0x000b000000023bde-206.dat	family_berbew
behavioral2/files/0x000b000000023be0-209.dat	family_berbew
behavioral2/files/0x000e000000023bef-223.dat	family_berbew
behavioral2/files/0x0009000000023bfd-231.dat	family_berbew
behavioral2/files/0x0009000000023bff-238.dat	family_berbew
behavioral2/files/0x0008000000023c05-247.dat	family_berbew
behavioral2/files/0x0008000000023c09-255.dat	family_berbew
behavioral2/files/0x0010000000023a41-359.dat	family_berbew
behavioral2/files/0x0007000000023cc8-527.dat	family_berbew
behavioral2/files/0x0007000000023ce4-620.dat	family_berbew
behavioral2/files/0x0007000000023d06-736.dat	family_berbew
behavioral2/files/0x0007000000023d0c-756.dat	family_berbew

Executes dropped EXE 64 IoCs

pid	Process
2796	Gqdbiofi.exe
676	Gjlfbd32.exe
4972	Goiojk32.exe
4136	Gjocgdkg.exe
1324	Gqikdn32.exe
3144	Gcggpj32.exe
3888	Gmoliohh.exe
4856	Gpnhekgl.exe
3252	Gfhqbe32.exe
1872	Gppekj32.exe
3260	Hboagf32.exe
4948	Hmdedo32.exe
1712	Hpbaqj32.exe
1752	Hjhfnccl.exe
1152	Hmfbjnbp.exe
2108	Hcqjfh32.exe
2264	Hfofbd32.exe
3084	Ijdeiaio.exe
4656	Ipqnahgf.exe
4488	Ijfboafl.exe
4464	Iiibkn32.exe
4084	Ifmcdblq.exe
3532	Ijhodq32.exe
3188	Iabgaklg.exe
3940	Idacmfkj.exe
4632	Ijkljp32.exe
4504	Jdcpcf32.exe
8	Jbfpobpb.exe
4396	Jiphkm32.exe
3860	Jdemhe32.exe
1480	Jfdida32.exe
1404	Jibeql32.exe
4000	Jdhine32.exe
4068	Jjbako32.exe
1800	Jaljgidl.exe
5072	Jdjfcecp.exe
4740	Jbmfoa32.exe
1140	Jkdnpo32.exe
1240	Jmbklj32.exe
1268	Jangmibi.exe
4480	Jdmcidam.exe
3380	Jfkoeppq.exe
844	Jiikak32.exe
3512	Kmegbjgn.exe
2328	Kdopod32.exe
2056	Kbapjafe.exe
2268	Kilhgk32.exe
4676	Kmgdgjek.exe
4888	Kpepcedo.exe
448	Kbdmpqcb.exe
2784	Kinemkko.exe
4668	Kaemnhla.exe
1968	Kbfiep32.exe
3516	Kgbefoji.exe
4368	Kipabjil.exe
2828	Kagichjo.exe
532	Kdffocib.exe
3776	Kgdbkohf.exe
1216	Kibnhjgj.exe
3364	Kajfig32.exe
3752	Kdhbec32.exe
3596	Kgfoan32.exe
4744	Liekmj32.exe
4400	Lalcng32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hpbaqj32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	20796dd9b2e05da1bde4483a05337c80_NEAS.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jbfpobpb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5980	5688	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2796	1320	20796dd9b2e05da1bde4483a05337c80_NEAS.exe	84
PID 1320 wrote to memory of 2796	1320	20796dd9b2e05da1bde4483a05337c80_NEAS.exe	84
PID 1320 wrote to memory of 2796	1320	20796dd9b2e05da1bde4483a05337c80_NEAS.exe	84
PID 2796 wrote to memory of 676	2796	Gqdbiofi.exe	85
PID 2796 wrote to memory of 676	2796	Gqdbiofi.exe	85
PID 2796 wrote to memory of 676	2796	Gqdbiofi.exe	85
PID 676 wrote to memory of 4972	676	Gjlfbd32.exe	86
PID 676 wrote to memory of 4972	676	Gjlfbd32.exe	86
PID 676 wrote to memory of 4972	676	Gjlfbd32.exe	86
PID 4972 wrote to memory of 4136	4972	Goiojk32.exe	87
PID 4972 wrote to memory of 4136	4972	Goiojk32.exe	87
PID 4972 wrote to memory of 4136	4972	Goiojk32.exe	87
PID 4136 wrote to memory of 1324	4136	Gjocgdkg.exe	88
PID 4136 wrote to memory of 1324	4136	Gjocgdkg.exe	88
PID 4136 wrote to memory of 1324	4136	Gjocgdkg.exe	88
PID 1324 wrote to memory of 3144	1324	Gqikdn32.exe	89
PID 1324 wrote to memory of 3144	1324	Gqikdn32.exe	89
PID 1324 wrote to memory of 3144	1324	Gqikdn32.exe	89
PID 3144 wrote to memory of 3888	3144	Gcggpj32.exe	90
PID 3144 wrote to memory of 3888	3144	Gcggpj32.exe	90
PID 3144 wrote to memory of 3888	3144	Gcggpj32.exe	90
PID 3888 wrote to memory of 4856	3888	Gmoliohh.exe	91
PID 3888 wrote to memory of 4856	3888	Gmoliohh.exe	91
PID 3888 wrote to memory of 4856	3888	Gmoliohh.exe	91
PID 4856 wrote to memory of 3252	4856	Gpnhekgl.exe	92
PID 4856 wrote to memory of 3252	4856	Gpnhekgl.exe	92
PID 4856 wrote to memory of 3252	4856	Gpnhekgl.exe	92
PID 3252 wrote to memory of 1872	3252	Gfhqbe32.exe	93
PID 3252 wrote to memory of 1872	3252	Gfhqbe32.exe	93
PID 3252 wrote to memory of 1872	3252	Gfhqbe32.exe	93
PID 1872 wrote to memory of 3260	1872	Gppekj32.exe	94
PID 1872 wrote to memory of 3260	1872	Gppekj32.exe	94
PID 1872 wrote to memory of 3260	1872	Gppekj32.exe	94
PID 3260 wrote to memory of 4948	3260	Hboagf32.exe	95
PID 3260 wrote to memory of 4948	3260	Hboagf32.exe	95
PID 3260 wrote to memory of 4948	3260	Hboagf32.exe	95
PID 4948 wrote to memory of 1712	4948	Hmdedo32.exe	96
PID 4948 wrote to memory of 1712	4948	Hmdedo32.exe	96
PID 4948 wrote to memory of 1712	4948	Hmdedo32.exe	96
PID 1712 wrote to memory of 1752	1712	Hpbaqj32.exe	97
PID 1712 wrote to memory of 1752	1712	Hpbaqj32.exe	97
PID 1712 wrote to memory of 1752	1712	Hpbaqj32.exe	97
PID 1752 wrote to memory of 1152	1752	Hjhfnccl.exe	98
PID 1752 wrote to memory of 1152	1752	Hjhfnccl.exe	98
PID 1752 wrote to memory of 1152	1752	Hjhfnccl.exe	98
PID 1152 wrote to memory of 2108	1152	Hmfbjnbp.exe	100
PID 1152 wrote to memory of 2108	1152	Hmfbjnbp.exe	100
PID 1152 wrote to memory of 2108	1152	Hmfbjnbp.exe	100
PID 2108 wrote to memory of 2264	2108	Hcqjfh32.exe	101
PID 2108 wrote to memory of 2264	2108	Hcqjfh32.exe	101
PID 2108 wrote to memory of 2264	2108	Hcqjfh32.exe	101
PID 2264 wrote to memory of 3084	2264	Hfofbd32.exe	102
PID 2264 wrote to memory of 3084	2264	Hfofbd32.exe	102
PID 2264 wrote to memory of 3084	2264	Hfofbd32.exe	102
PID 3084 wrote to memory of 4656	3084	Ijdeiaio.exe	103
PID 3084 wrote to memory of 4656	3084	Ijdeiaio.exe	103
PID 3084 wrote to memory of 4656	3084	Ijdeiaio.exe	103
PID 4656 wrote to memory of 4488	4656	Ipqnahgf.exe	105
PID 4656 wrote to memory of 4488	4656	Ipqnahgf.exe	105
PID 4656 wrote to memory of 4488	4656	Ipqnahgf.exe	105
PID 4488 wrote to memory of 4464	4488	Ijfboafl.exe	106
PID 4488 wrote to memory of 4464	4488	Ijfboafl.exe	106
PID 4488 wrote to memory of 4464	4488	Ijfboafl.exe	106
PID 4464 wrote to memory of 4084	4464	Iiibkn32.exe	107

C:\Users\Admin\AppData\Local\Temp\20796dd9b2e05da1bde4483a05337c80_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\20796dd9b2e05da1bde4483a05337c80_NEAS.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\Gqdbiofi.exe
  C:\Windows\system32\Gqdbiofi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Gjlfbd32.exe
    C:\Windows\system32\Gjlfbd32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\Goiojk32.exe
      C:\Windows\system32\Goiojk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4136
      - C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        23⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        30⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        34⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        47⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        50⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        57⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        58⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        59⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        61⤵
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        67⤵
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4936
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        73⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        75⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        76⤵
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4244
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        78⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        79⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        81⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        82⤵
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        84⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        91⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        92⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        93⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        98⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        101⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        102⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        103⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        104⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        105⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        111⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        112⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        115⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        116⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 232
        117⤵
        Program crash
        
        PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5688 -ip 5688
1⤵
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
229KB

MD5
06c02e581c12506384e6c8b7655b435a

SHA1
3e3a078411142846cb7baf8893f0054ddb37b765

SHA256
205d9a333b418e0af69076f6b02a38659415a87e187c61e3b9bbc467a4d4a437

SHA512
e30f5c5542a5909ea6aad09b5b085039909d28a1e4e610eaed9eba1e5d9ac74c9542cd40b7ff02788258eef02d819dfc5901d183aa36c4862efcde37eadd4ad0

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
229KB

MD5
d70065d0ce4d41b2f9d33fedb7551a7c

SHA1
8864f29ecd3ace6262a68d60319af7e223947bc1

SHA256
32d26fd2f31c81cef1c40166154dd6114db28c7714f38440ca55f511119f72c8

SHA512
0dc5717e50a75e5d4790e50b9803b8e2ec0714b94e981a4c684e770d64c8a4765dae1b0d971663aba8d457f5a47053440c59d750d774bb7866743dd8d5fa2dff

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
229KB

MD5
b618e6b92d4f3961c3edf6df1f4805cb

SHA1
479eabb991f449d64d8d7edc4ddfbf5a132c960b

SHA256
7ab5e0716233893fd4b140e32ea3865c37776200233bd9592e1f0a4af611f37e

SHA512
f60efbb81cf045d72b1e5d440a61b8028da7a575016c514c1909c50cef1f0d9fdf7b63185edef49cc0a76c3a8b9dc34d5141082afc5f6df8bee2d536ba780aff

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
229KB

MD5
69b9391a90aeb875d8aa08e59aa35df4

SHA1
e08d67ae1696dbb571c24eb44251badff359d17f

SHA256
61724ad9768b153416d1549933107790b94c3ebfac95a457f2ca1b33ec2256e6

SHA512
a0bcec5950613b17f4b508ed2db1f5ad4a3ab12d4da790685ba22b3d65b5f50f3cb938ca3d2dfa25eb7a95729cc7fe529a851b96a35d41050aac3afc55f370fa

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
229KB

MD5
aa9b6f7e3521978214be166b8febeb27

SHA1
f63201feaf8c2a37297b1b3c319fe833664509e4

SHA256
02c5da39ac756a581ec08a774284723ad844917ef3d3142d40a205b2f87f11d5

SHA512
3784fda9ba1e24e486be2a29d62d58c8c4eb522e979bb960060dd7016205f65c01aee30b26d628550d37db55f645de800d9a03766bc16bbad05fd572c68560ce

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
229KB

MD5
f03ef21681b96a8229742ceb7edcc5d1

SHA1
225ad0bd8647f1e3e8d4a86774ab498232cc4e91

SHA256
9376ded9ad4e911a2fca0bb7a9b75163c188b02c79c1cd5f2132112504163a09

SHA512
3257ae8894ef53fb2b4d3d5d188be4b4c8ef931b026bd6e1fe21c6de223dd88827d4ac492d1db3a781cc31d29e594283c0535e0663f208a5e723c4f197f83e3c

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
229KB

MD5
f13f10eae60008bb64b4011ccb9d0c54

SHA1
dbca8696852e3e8a97926cb3cc71ad4540d2453a

SHA256
0774f60a0128beee2d5095b3b4f0edd297ddbd60a9b83dd643ab2026fdc2e9ca

SHA512
f5cb1fb895c6dac7206756fabf03aa44ae04647e838b7a5ecf97526f6d85c2da385a20bdce86312b564702e3e0c285cc9ee32d8285840b1f039c342b3c923aed

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
229KB

MD5
f900d854562e42a77276d89d75735dd5

SHA1
81c3726d1ff53b442c08d9b09c9a36993f914937

SHA256
41a84c786cdcbe3b5a808b5a90fb4ad4ddc8aba1209ca1d3e2814137f4796e6e

SHA512
e0989af36adbbb9515161750311b4fa7635ae51e6c6ed9f9e684b7cf4d7788397138c3f38ff8f07198c10b6c2dbbe4f5cd7c3b4a11bb612354402a7d62758e8c

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
229KB

MD5
d86be6ca2c0dbe46dfe997002f087f90

SHA1
04dced3bc35a2275709a7bb4b1897689010b2f38

SHA256
299bfde42cb5cb5601a9b55012c49de71d639f78c72539d8f32f554b0574d2a5

SHA512
ad0cbe545ba095e6c8a36e85541a426eeebc1acf90b3f2152074e9ca2097967174482992cc261e4f017a92f75440d386eb9f45dfc0bbc789f999cd07091a2c1a

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
229KB

MD5
4bab10c291ec17c200a8d7cdc10adb1d

SHA1
44acf41e5e20ce06be614444df84b6e0a20bae12

SHA256
b71373a3c98d3173b157e0c7a2a8428e2f3b131cb1dac1b50da6f3b2f9abd074

SHA512
1a26ffb6ab97a8ebc96a86cf7bd7177ed4d195a17f6c4e50805f50ade96556e4cd1750db57da6368a80670b576c7b39e89e270956d255aa260424d9ca7e6a19f

Download Submit
C:\Windows\SysWOW64\Hboagf32.exe

Filesize
229KB

MD5
e27e31ee9ff5fa00c26dfc4faa05fe48

SHA1
8fdea8d7a834aff6be5793a5e6645f5d7784e044

SHA256
65e066ebdc77c818880c1ca8d715be09171811244ae588bb493c6c8e26e39062

SHA512
e31b105de881cd4d52e2aa53e0b6da138f4c14db9cf6fb512ab9d291e20e629abc3420e3127eb5d55a71e10963bd4762799b1587241b4c22c6bcd12fefa41f98

Download Submit
C:\Windows\SysWOW64\Hcqjfh32.exe

Filesize
229KB

MD5
a6a0321008ed0251edefd5cc550e34f2

SHA1
8d30d063bf8672c2675a187718b337fdd907bc24

SHA256
81f7f33a3b9b71f27d6f8cb59c1cf1153000c653fca5746310cb2fb7728f362a

SHA512
89d2d0f7489c0143723e60b8bfa05be433a68f6d0e4e66d083cf5ddbc491700746b45a8686b2353c6ed18c7d1de6d842706dc8f6d08ce53f48c98b9a4a1bea65

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
229KB

MD5
5aa711e69c3d348f9352079ac85560f2

SHA1
e179650f366e9efb91d9e17a09fe7f2f0cb458f3

SHA256
ef0ce3d923d52f5f2ffb16eedf4d224dec7eef6572cc53bde161c98de40253e0

SHA512
e4388ea107d670b8df79273bf2976cf9158a9f828177f5936eb7fadee4d4a8d8c85764b881d6d54edc133022e52667da79102cc7ec32121b3bba206b31d33fe1

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
229KB

MD5
c5e52c21e410965c9b16c1281a517812

SHA1
4b87e6768fd6476183cc1ae42a9fbd58b74597b2

SHA256
6ddeafbeb1ae176800932fa341ded8d5e7a06dfdca7a70095544ecb4f68c6337

SHA512
fa6952277028a121e9e0912e4131c867f2d399cfb6f90ea6d280dbfc7a7409a0188a6d1c78eccb0ea9362772e1e372d0b932dc14abd461d692961e74ab12e069

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
229KB

MD5
429be43ee38faeab191124eb2f5ceac2

SHA1
dae17f3c88349ca6ecdf87f804b0159eaad98506

SHA256
0f04bf5bc52bcb7b876304c3d19f72e789343c11f17d50836e3c62942fc7c0c5

SHA512
ffd8cc7271d69df4e55990a628ba3ca9a7f0b5869801e15620eb3421ebbd9f28f7b67465267ce383a630e33a2e4985af9bef0db9e09a1a377ed129e681adaf82

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
229KB

MD5
da4fef36fa174c6ed5cefb8ac25c2215

SHA1
b9de9240a8069c82552846595f6452e6cf2aaeb5

SHA256
0a12178dfd7509496575e3bd85ff569a595cf602c5470992464beec8ac0531d6

SHA512
fd83f6ea1b3c8a671bb7b793095388c3b9810b3e7b788b0eac288d21f25cca63d1a630c4259823961928fcbffda13dab2bf629ff25393a02dd14ad71aec790c7

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
229KB

MD5
7a8c9d61b53dbd8cf190dd9f2784674a

SHA1
946f41dc8932c7db08ae2e66ed860cb96c52a76d

SHA256
73815773d269e7bdbe9c1fbb641f4b6b3d7a8ae429a4bfa1d7ffc5924519d28f

SHA512
38c99c4d8bafedf9b13c52e27e8e9a7d9adb47911287fcd38bbdac0cc1551c8ce69ff6e6bfeadff14562a11f2f7f624813e6ea7cdba4d0a7755b0ce0f4af1d2e

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
229KB

MD5
c8e7844ad182a1757f475e4b3aa9a254

SHA1
57480ccd20370acc241b71124ab9b1dbb28b727c

SHA256
8509a58fa51baa067b8d25507d6ae7d24f048a1801a065f77981c7b0fc2c739b

SHA512
eeacb740a4312b5cf333addfda5a145952f519ae0d476a618992391fae477277cf9d05fdf5b9849125419f7685df363d53c5dc7db754d338d3d20cbb92dbe480

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
229KB

MD5
6afd2ba366cb4e076df20c983160ea03

SHA1
63f9d8e36d7e36709a0dd5cc435ff3e7dfdb33b0

SHA256
0a3142d79850a5c7528b0ba6b09a63c37b161545b8bd0e9b9bbbd4fa6a761f04

SHA512
739a312ec044b38f5376b43abe2f8c2ea6eda4365767f24f98e633bb3d6c70b83a7f39d1eefdf5f5bffd125b43da4936f5e0ebf84593d5e934d9b6cb5f3f946d

Download Submit
C:\Windows\SysWOW64\Ifmcdblq.exe

Filesize
229KB

MD5
47f34369759c814e83c579f62ad7b419

SHA1
9e2915706400c41a3746c23e7a63b586d0b120b8

SHA256
6be9d5ecbec740d4c86549e673e989b4d6aecb3af516a5a2c3360cf783c63528

SHA512
00237141138bbd791c6caf78d71d6d7b18c2acb6a7b23836cb633780d09359fb34441653e3c2ea046733e1723f625bca7dd2de2f4b32805f3ffb77c47700fa2f

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
229KB

MD5
f61424089d374bd4f6c0900b451d15bb

SHA1
0b935e8e003c41fe6a0dfdee338b451e3943b7e5

SHA256
6d91126e2ba92dbba4a07d22c12b4fdabc3468c362d353b0246bbaf0b370619e

SHA512
c45ce928d6696eb9d4f0150ba13117c597dc9963c90f972e426776b8e8b2479129083a00ea01470329fc7001eac89c55426e457801e2fa9f6837d10bd2a87f97

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
229KB

MD5
8f914de914d27eb9bdbaea04c81d0986

SHA1
012ecb91dbaa1d2d59056df37714f0813ff14b5c

SHA256
2c5c3097bac4348fd9739703141da10435f9a570d3651a5c9494a1b6f7486b63

SHA512
8eadb46cd9835171d72ab405a536e2f982226c6a93b3b7b0445c256911ef3ea7a8ff0de9801c9fa7013b6aa96ff2e4345e0b386e6c472b2319912a0b54738fd2

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
229KB

MD5
2fabae1a93df1d93dd48db86b7b680fb

SHA1
5e30082edd35375ce8d2086e7a3248d9e6a05716

SHA256
e4f96f8e0b2d58331abd6d82cd7bff5e6eeeb82bc57981f6a9b0d6c9ba246119

SHA512
0fb237bc2fee542923f9819a3a96a4a41ca42cf1f09a5879368b1b24563a850b3172365ff7ec8b3d6a311f22e5cace34ed94136feaef9a8e5f6433cce063b893

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
229KB

MD5
5b1810be6dc7feb89e447ad4bb88d768

SHA1
c939e178f631875a76d60a235ea0b4f6dfbb793e

SHA256
e6f4df846b5628a6af1fa44eecfb31cde4fc39da4efbbf9d7478a74f9f69f470

SHA512
566c8114c6d7a6183e50e2cca405da857cc3029cf5e4bc01db3247a809dfd7e366c95fa0dbe11c905e7c23032f797a9c37fbeaf16bd840f2a4e47222ce6fbcac

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
229KB

MD5
03b8980b59bb92235aaca9cc73ae5a3b

SHA1
9a9bf4f490c1facadc27c00e98f644831296d4f3

SHA256
55b7f91d168d9a72c6a3d9ac585e59c6c708fa390209b26fdb869e8545f49ad0

SHA512
e85defb718a138acfc3d22b4630128b1886a2934f0429e7224ec31f052793d09b94aef687e727e678839dd4a8038f8176645ccbbd86f2d985eb91ca1c98c572c

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
229KB

MD5
6430261ae2a0d37c7578e19863190f69

SHA1
f166c923b9459d3bfad36e3661dbbe75b245ac26

SHA256
4c450d927b33ebb3239cf54ad535aa4a55cbf0cf8425ac5b7aa1453185194463

SHA512
311b004ddb1b9bc6846b565b4716ac9027ca11835051bacd1d5469b670efd75e7e93d7b6b004bab79618a3ef237cc36c7f782526a2fba049fcbbfb88683f69ff

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
229KB

MD5
326b5817769a2b2eae3a0cc806435ab2

SHA1
048767bf677c8c42d61f958719524445ba9342aa

SHA256
25c4bc0a85d9491194c28ba9b69a5741023b68d91574fe007bc15cd2e7d021a6

SHA512
2674da409ce698476defd36f6bc5517e77dc694283be04095c89d98203135b39658cb4d3e7c6bf2aa5b2d7766e1be6f78b1a2a6bad855262039f9e08df7e29fd

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
229KB

MD5
f1132e68d82eb75d367ca20028e3852f

SHA1
13b576a21482266684c104c09e9c50e021ddd7b3

SHA256
5347e18f4ee08cfcc3c4a541f380db195676b282f71509e991f9360a8e848939

SHA512
18412174b9a1ae44596fd3c0ebd76a1d208289b9b52ddac0bc38d5af3d3f3f8198d25dce224965f04fcbff78146cf2e147b5d28d8e7c2956808bc6a0f069a2ea

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
229KB

MD5
39125ebd595c7917d04ce63087ad59fb

SHA1
edb27efd27dcbf090e1c816f87aecf29650aab25

SHA256
9aa0912e171e6ff889321738f2a5c01186893d815c5b3808a88e83edf350f377

SHA512
62e5f8dcd964894251f0b280c9de0f33dfbbb8ddc20d751b2688caa5a1ccab6822a24b48306a08b8f2bde4b229facec2e3c8f48b391e3819a2c6a254553e0e21

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
229KB

MD5
9aa19cd23632381b0a830b344e691dc4

SHA1
c7503c1dc049c5166d9a3d8702d9246a5667ec1b

SHA256
ec27db22ed142f47291657c808f092bc260481e59e3f8c9d87ddaff83d230149

SHA512
b7aafd1c64f7f91e063032f65d93d102805d626edc3479ae8443f437cbfd04ec15154266145ced3ef03b27e9c9603e24db1fd74e14ca7a47faa2ee96f256c769

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
229KB

MD5
4c8466b8c01e35067e234935c90b148c

SHA1
ea4bba3be0096ded0f9c35adb61459de82eee598

SHA256
1a83231d0eb4b3d9019bfca246051222a6f5de8c9a43961ff6d2e9d028e2b16e

SHA512
fd7badeb99d2c08680c5c26f6a836716a493a2b50427a3b7faaca8cf16e9cd95d48eaa13505c099bea2c724400e25a03f76becebc1fc15ad296568f5227337ee

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
229KB

MD5
e8fe77babe5f1a387f92fcc89a843520

SHA1
a3d65f2f18c500dc2ef83830630602595af25f55

SHA256
f75c873c3664575213dd6121769e871d420c02a49e6395bf79fa264fb1318ca8

SHA512
427df8e23de5fcef81a01644f734095445f4d90730cf33ec4e423f4a785ea2c4aa94633b866b02f1f06f4c63df16cb54b7fe8e29c98f2112799fa7011f21fe79

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
229KB

MD5
12b74c2e38617ebc810f359a59d31b7c

SHA1
3eb1d93fefeef04d31aa4327a8049b6c764f3e5a

SHA256
bdb16be1ff6d04c595f0aa93a5bc60bc60b733a194792d6c9564a40fd7590cf6

SHA512
acc0ab35df663b8da83573be4e61aa2986cf618a432867e7845ddd00e3d1db30a32e667157ce59f01d2978048b8b6922d8d4256e420ca8bcddffc74ea17b5ef0

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
229KB

MD5
9be2d17efb84246efde224af8f4b69f5

SHA1
474b08b7d6b13f9b3d988127bf789651926a52dd

SHA256
7490ed5f5bc2f9e9593b4db18914156b6f712d37ed616e3809b3c2cceae3c26f

SHA512
736c45e72c7b92863a80397bb991b4b4d619d38d5ee625988e939fac2ca21c84e5ebdc82a802b439815f54ae33225a4c9a36545ce23fa2dda9e2d3eefab0d799

Download Submit
C:\Windows\SysWOW64\Lmbocjjm.dll

Filesize
7KB

MD5
16a12ac4eb22b81037c4d83c1073e75a

SHA1
31e663f952b51bc631d24b7a858c8d5764527e71

SHA256
1c4fd1a733b2c4a1ae1813f323eeba315c8fa1c3f6b315b73a255a4d323a4453

SHA512
eb535a0282c014605f91525feeb115374820270f654d29e9ef4f15fa68f24f7ff8800071537cce7c04b30f9fc982aafd2f524d9dbd5e2bb7754c4891b2d8282a

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
229KB

MD5
d2dfde4e03ac17f83a6d6c16b913643f

SHA1
86b998c0fd836035a6fda0561a1b74d484210f3b

SHA256
b247215d011f0136169b15980d0ee3941cb97132f2df8756ca94dfb0abc92715

SHA512
c4a3d9976550ac59e8f1bb262d2a0b113656a4f5c48e10a44e6d2f3a2133d6e083dca01133c19baefc69dca89fb05b6ab69cd1db3413deff356bcdfec249f5ed

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
229KB

MD5
bef910c10149ed40b59afa87893fdd61

SHA1
3037ef6477bdffb63ad74b36b2effe0bafd7beab

SHA256
9812158ad454d0ed713d39b3bfed287919e62dc6eb0f094583d53e4fe66a033e

SHA512
a758dfd32c5724308ecb799cdcea955a69461b62879067df820ab27987552daa3942de2bd5a280c3277ac91c1c1469607776faebdd5ec57016938adee9cc08c8

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
229KB

MD5
9c578d7eb4b938e1b4b0be584d1c8831

SHA1
e61aa178b8f0ea9ceb356de6eac6ad34b6921032

SHA256
178c5ffde3d796ff8e3932b0ca9877fe96f0ebb2dad12ef53256f7a39b522e43

SHA512
4836c27cf04479247d392954bd0aa0fb9635c49243d1ab445093e75d45e3983379dd53af01ad7bb68e3aa063892fa3ac0c075ae1dd9d83557a188e9be4f46c3a

Download Submit
memory/8-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/448-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/532-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/676-570-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/676-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1140-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1216-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1232-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1240-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1268-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1320-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1320-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1324-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1324-591-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1564-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1712-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1752-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1800-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-471-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1872-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-386-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2056-345-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2108-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2140-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-542-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2268-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-482-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2784-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-563-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2816-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2828-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-537-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-561-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3084-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3144-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3144-598-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3172-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3188-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3252-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3364-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3380-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3512-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3516-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3532-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-441-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3776-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3860-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3888-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3896-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3940-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3984-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4000-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4068-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4084-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4136-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4136-584-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4200-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-522-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4396-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-452-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4480-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4504-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4508-550-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4632-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4656-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4668-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4676-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4744-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4756-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-488-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4948-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-577-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5164-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5212-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5256-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5300-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5348-599-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads