393f529d8c1d6b7afd4efe173f4fffe09a36ef4edaeed97441df1f7ae8cbc019

Analysis

max time kernel
134s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cb2f61e98149cbbb74612db71b464b0_NEAS.exe
Size

64KB
MD5

2cb2f61e98149cbbb74612db71b464b0
SHA1

4a3cc1d1be5e9e46342e32dd9dcee2707308bc5e
SHA256

393f529d8c1d6b7afd4efe173f4fffe09a36ef4edaeed97441df1f7ae8cbc019
SHA512

203335e3a596c0b8967c473004520185844fab65a635a1f60c5cfd1b074816c04a9dd84106181ddc713267e41a84f6a11856ac3bad0d81af6e9ac5f438384393
SSDEEP

768:3fD41tASA1i6u71iq2g71afbB5Zd1nRxd/1H54FYSBKA2kms8Y/ts/9d2NzYVmfQ:3f8ASYquR1RhWysrPFW2iwTbW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe

Executes dropped EXE 64 IoCs

pid	Process
1088	Gmhfhp32.exe
3976	Gogbdl32.exe
4540	Gbenqg32.exe
4364	Gjlfbd32.exe
2988	Gmkbnp32.exe
2164	Goiojk32.exe
4512	Gbgkfg32.exe
1616	Gjocgdkg.exe
2864	Gmmocpjk.exe
1072	Gpklpkio.exe
2020	Gbjhlfhb.exe
1912	Gjapmdid.exe
2640	Gidphq32.exe
1064	Gmoliohh.exe
4596	Gjclbc32.exe
4852	Hclakimb.exe
3012	Hihicplj.exe
3644	Hapaemll.exe
440	Hbanme32.exe
3628	Hmfbjnbp.exe
3540	Hpenfjad.exe
4632	Hbckbepg.exe
1932	Himcoo32.exe
1012	Hadkpm32.exe
4768	Hccglh32.exe
3316	Hmklen32.exe
2388	Hpihai32.exe
4828	Hfcpncdk.exe
4484	Hmmhjm32.exe
4476	Ipldfi32.exe
1596	Iffmccbi.exe
2432	Iidipnal.exe
1816	Ipnalhii.exe
5084	Ibmmhdhm.exe
5060	Iiffen32.exe
628	Ipqnahgf.exe
3892	Ifjfnb32.exe
1860	Ijfboafl.exe
540	Ipckgh32.exe
1628	Ibagcc32.exe
1856	Ijhodq32.exe
4840	Iabgaklg.exe
2192	Idacmfkj.exe
3408	Ifopiajn.exe
2856	Iinlemia.exe
452	Jaedgjjd.exe
2132	Jfaloa32.exe
3672	Jiphkm32.exe
4384	Jagqlj32.exe
3552	Jdemhe32.exe
4152	Jfdida32.exe
3108	Jaimbj32.exe
4964	Jplmmfmi.exe
3384	Jdhine32.exe
2464	Jidbflcj.exe
1680	Jpojcf32.exe
836	Jfhbppbc.exe
1968	Jmbklj32.exe
4532	Jdmcidam.exe
4472	Jkfkfohj.exe
1720	Kdopod32.exe
976	Kgmlkp32.exe
3636	Kmgdgjek.exe
5064	Kacphh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jdhine32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kacphh32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6604	6500	WerFault.exe	237

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2cb2f61e98149cbbb74612db71b464b0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1088	1636	2cb2f61e98149cbbb74612db71b464b0_NEAS.exe	84
PID 1636 wrote to memory of 1088	1636	2cb2f61e98149cbbb74612db71b464b0_NEAS.exe	84
PID 1636 wrote to memory of 1088	1636	2cb2f61e98149cbbb74612db71b464b0_NEAS.exe	84
PID 1088 wrote to memory of 3976	1088	Gmhfhp32.exe	85
PID 1088 wrote to memory of 3976	1088	Gmhfhp32.exe	85
PID 1088 wrote to memory of 3976	1088	Gmhfhp32.exe	85
PID 3976 wrote to memory of 4540	3976	Gogbdl32.exe	86
PID 3976 wrote to memory of 4540	3976	Gogbdl32.exe	86
PID 3976 wrote to memory of 4540	3976	Gogbdl32.exe	86
PID 4540 wrote to memory of 4364	4540	Gbenqg32.exe	87
PID 4540 wrote to memory of 4364	4540	Gbenqg32.exe	87
PID 4540 wrote to memory of 4364	4540	Gbenqg32.exe	87
PID 4364 wrote to memory of 2988	4364	Gjlfbd32.exe	88
PID 4364 wrote to memory of 2988	4364	Gjlfbd32.exe	88
PID 4364 wrote to memory of 2988	4364	Gjlfbd32.exe	88
PID 2988 wrote to memory of 2164	2988	Gmkbnp32.exe	89
PID 2988 wrote to memory of 2164	2988	Gmkbnp32.exe	89
PID 2988 wrote to memory of 2164	2988	Gmkbnp32.exe	89
PID 2164 wrote to memory of 4512	2164	Goiojk32.exe	90
PID 2164 wrote to memory of 4512	2164	Goiojk32.exe	90
PID 2164 wrote to memory of 4512	2164	Goiojk32.exe	90
PID 4512 wrote to memory of 1616	4512	Gbgkfg32.exe	91
PID 4512 wrote to memory of 1616	4512	Gbgkfg32.exe	91
PID 4512 wrote to memory of 1616	4512	Gbgkfg32.exe	91
PID 1616 wrote to memory of 2864	1616	Gjocgdkg.exe	92
PID 1616 wrote to memory of 2864	1616	Gjocgdkg.exe	92
PID 1616 wrote to memory of 2864	1616	Gjocgdkg.exe	92
PID 2864 wrote to memory of 1072	2864	Gmmocpjk.exe	93
PID 2864 wrote to memory of 1072	2864	Gmmocpjk.exe	93
PID 2864 wrote to memory of 1072	2864	Gmmocpjk.exe	93
PID 1072 wrote to memory of 2020	1072	Gpklpkio.exe	94
PID 1072 wrote to memory of 2020	1072	Gpklpkio.exe	94
PID 1072 wrote to memory of 2020	1072	Gpklpkio.exe	94
PID 2020 wrote to memory of 1912	2020	Gbjhlfhb.exe	95
PID 2020 wrote to memory of 1912	2020	Gbjhlfhb.exe	95
PID 2020 wrote to memory of 1912	2020	Gbjhlfhb.exe	95
PID 1912 wrote to memory of 2640	1912	Gjapmdid.exe	96
PID 1912 wrote to memory of 2640	1912	Gjapmdid.exe	96
PID 1912 wrote to memory of 2640	1912	Gjapmdid.exe	96
PID 2640 wrote to memory of 1064	2640	Gidphq32.exe	97
PID 2640 wrote to memory of 1064	2640	Gidphq32.exe	97
PID 2640 wrote to memory of 1064	2640	Gidphq32.exe	97
PID 1064 wrote to memory of 4596	1064	Gmoliohh.exe	99
PID 1064 wrote to memory of 4596	1064	Gmoliohh.exe	99
PID 1064 wrote to memory of 4596	1064	Gmoliohh.exe	99
PID 4596 wrote to memory of 4852	4596	Gjclbc32.exe	101
PID 4596 wrote to memory of 4852	4596	Gjclbc32.exe	101
PID 4596 wrote to memory of 4852	4596	Gjclbc32.exe	101
PID 4852 wrote to memory of 3012	4852	Hclakimb.exe	102
PID 4852 wrote to memory of 3012	4852	Hclakimb.exe	102
PID 4852 wrote to memory of 3012	4852	Hclakimb.exe	102
PID 3012 wrote to memory of 3644	3012	Hihicplj.exe	103
PID 3012 wrote to memory of 3644	3012	Hihicplj.exe	103
PID 3012 wrote to memory of 3644	3012	Hihicplj.exe	103
PID 3644 wrote to memory of 440	3644	Hapaemll.exe	104
PID 3644 wrote to memory of 440	3644	Hapaemll.exe	104
PID 3644 wrote to memory of 440	3644	Hapaemll.exe	104
PID 440 wrote to memory of 3628	440	Hbanme32.exe	105
PID 440 wrote to memory of 3628	440	Hbanme32.exe	105
PID 440 wrote to memory of 3628	440	Hbanme32.exe	105
PID 3628 wrote to memory of 3540	3628	Hmfbjnbp.exe	106
PID 3628 wrote to memory of 3540	3628	Hmfbjnbp.exe	106
PID 3628 wrote to memory of 3540	3628	Hmfbjnbp.exe	106
PID 3540 wrote to memory of 4632	3540	Hpenfjad.exe	107

C:\Users\Admin\AppData\Local\Temp\2cb2f61e98149cbbb74612db71b464b0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\2cb2f61e98149cbbb74612db71b464b0_NEAS.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\Gmhfhp32.exe
  C:\Windows\system32\Gmhfhp32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\Gogbdl32.exe
    C:\Windows\system32\Gogbdl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\Gbenqg32.exe
      C:\Windows\system32\Gbenqg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        28⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        29⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        32⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        36⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        41⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        47⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        53⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        63⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        66⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        69⤵
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        71⤵
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1788
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        77⤵
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        78⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1156
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        80⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        81⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        82⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        84⤵
        
        PID:944
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        86⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        87⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        90⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        99⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        102⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        103⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        104⤵
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        107⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        108⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        114⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5536
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        117⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        123⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        125⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        126⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        127⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        130⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        131⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        139⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        142⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        143⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        144⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        145⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        146⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 400
        147⤵
        Program crash
        
        PID:6604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6500 -ip 6500
1⤵
PID:6572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
64KB

MD5
aed48b0a876ced468cc39621d8fa47a5

SHA1
714105a2d37ce6fceadafbd6092b36b5ea07c970

SHA256
8d8c9ce3bdd4f5eb5251b089d5fdcfee88ae5ba11b0a2eeb79b0f806703a5180

SHA512
c303f775ec527b21a2dd045d7865ad776276112a1435ab8b4ffd474815676fe2fe2e6ec7ed2d1c04d45626167ca8c9ea9f2534f9fa23eaa78e86e364516234fa

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
64KB

MD5
6f692ff4ac284b4b45dfc0006fc67cc5

SHA1
c31baec958b6a61f4043b4fa919b3a470ef86817

SHA256
988becf1988008f367ad19a3f24576996e1fce8d9f668bd181edff66d97d32fd

SHA512
269cfb426c1617f40886faa726827490945e13446cdbc1a0a6c6a2bd245e067e9ed5be5336de9907bd777de85838d385fe861ac780a7cc6097953b0659b67337

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
64KB

MD5
a719dbaabb138788484d01385ab394ec

SHA1
d1dcf72932a3fe3caeb18423ac2a697622d990be

SHA256
c28414b88b9a6f60a3fcec149ce8ff81a5a194537365ead98224d78a0b972601

SHA512
5f0c6c93d24acf80432f640a7de0052662bbbf489f50da1db13da4b980c86cf793c8af806ad87ccf876ac53edde751d5a92ce84f3bab4af0aa52e42c1c1735b4

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
64KB

MD5
4b4219fece20e243d6598551acc216ef

SHA1
7949d05398d04e58fe299a79e4d85a9a6b7ed55c

SHA256
59bf74c44ccc5abbd13f66929498b8869356b24c724dcef66a15518bc1e4832f

SHA512
4e6b001e221a093993c2fe1fa09b8b0d4c91297848b079844959350423660b706f8422444308406a48a7489805a5c4432dbb15334cfba036686d89be54837d34

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
64KB

MD5
257def949a2b9de926f3a609e95da7b4

SHA1
b80689c79c629742c4870974d203d603ad007458

SHA256
3cae496de997554232512b083a323a479d5a317cb61f99c2c7f76d8b7371da59

SHA512
995ce564b1475db8044a6b38cae9b7be37052734cf16f07052da102b2a14e7468231e10d215e876a215c30299752e9906daa725f22804fee929e3a9267dc16c4

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
64KB

MD5
ad6c169932f2c8838699498703924172

SHA1
00ba214b0be00efe24d753f432bbd3b55c975ed2

SHA256
e1c6979bf6f2d9ff7f47fabba2a42c44c3aa633f36f10911230ae5435dac0e09

SHA512
b68740c118dd1d9fb9ca1496ace072a30e63026895a8e10d4ba2fa28a6704752c7f3a6df4093b35cb8df7d2746ac7860bc8cd55850130343c8020446d8e70cb2

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
64KB

MD5
bb443192eabe65688741b7f814a86123

SHA1
11664edc63522e5cd7e49eb82d378fc356f44dc9

SHA256
9b8d40f74ab1acba1a8faaf3c436c465b04e9eb3c9f63ff5b21c57ca46d80e49

SHA512
4d5574008ea67f7a5e75de289844389a38d228c5b3e1a8784e1903a2c42c7312919872b3664b18543a120143a3ee4d7f63b9b74f2e32c7b4c82a2998b8e6f6ea

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
64KB

MD5
fef1eabe58d73af4b641813e9a0ba16c

SHA1
d1a60a95fc04495d65b63ae61b9ba505fb8417dd

SHA256
9b268ce3c65312516efd1a3256d6c326d77068dc1d82dd84ef20d51d8cd9ec64

SHA512
bf21720bf7ce22622c2d9e1158ec7695ed6fc565ce0e3fe5c01c1073cc92669e9a5326ea4cdb9babf2ab437e4eddc8695c9bff9a6bd0ee07535471dc10d3eec9

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
64KB

MD5
10350ddbbd8118cf5a6953e8b8aa23a6

SHA1
5c748a9d846b4f3839069199f5f254677d1b0099

SHA256
396be34bc968c5abebf3e2acd2833695ce7baefc8f9265c0dd17f007960de504

SHA512
8d34c434e400476eabe86204bdf11abba4f439199fd9671e82fd10c6916bd1e0bb865be96a038e365c212a3096bcc247a6cc2e8a65b1423a098ed024c5b66ebe

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
64KB

MD5
4d8fb89e4f917fe33afae4cbf37bf2c5

SHA1
161d616afec5bf69908b9f607493b36a820e4a2b

SHA256
d5c70deb69d7d67c61c350a5e8b340b677ef9b177f691462fad02982c77743f1

SHA512
cd16846e5fbae4bb38135bdaaa89a0b9e5f89cb3240ccc7e43d65957fbc72ce54cc730b230a69708364f5abf5cbc2a46f0ea6dbdf481516df0eab716b31a05ab

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
64KB

MD5
28f512283ca717cabe05ff4b015a9ecc

SHA1
dfe47a7ad0da8cd471d10856bd34b8b178040d5b

SHA256
890d9f9f7a96a21d3e9d378863d2989d3ebc76d8134d7388a46197185b1635f6

SHA512
12aa8cf7bf65e3dadc21c2fab36215bbc1e3c00c54adbc2af3c5549ed804e7748e9af84a176c023cda82deccf82e00664a69579b7eb739ca5d4c123dc63a64e8

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
64KB

MD5
bb869129226a7b0fe300bf9f0d1b160c

SHA1
a951e992e86d78250572bb551583884a0726e650

SHA256
85fd4e61d11cb4330ecb41f7efb2f6240bf85558f6683bb84a7c49da039e4443

SHA512
86f2def01274d52c746ef92de932268c2b6f73fa5667ac18cbcb37f8ad307690f6067c3e827fb5acd09c86d5f0edf8cce54ff7d6fe8f6864a1c7d92c15424332

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
64KB

MD5
3951c629f9f8dad348b70d22a3b9fa81

SHA1
b313a6120b3d7b29d8f30af00b025b6a285b3a59

SHA256
a86ceb9c4f88cf58307b1943e38a89063b3056931e56a71a95304c85fceadcb5

SHA512
3826d4bddb5f9db1d1906b2bab8043c475aef7ee40ee72437352cd681f3874f8469b77a861ce3003888f9a6ecb34afa35dc24b037c96f4148112e7c2accb6dc9

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
64KB

MD5
8ca2abb9fcc40211004d3811adc554f2

SHA1
2adaf218468e788a7af4bf0971eeb477bb225b3c

SHA256
4e9267427b59f5efd49ffd47296b5e0c60693ba3c833433d0a70a91202281f2f

SHA512
77afd50cb955fe3c0f462dde91dc39e65c20a6958258d3a4aa4f6630c4800cba4a24d7bc6bb07c756fd23e9c7df3e6d13b1ae68ba25d2e298cc978d14d097286

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
64KB

MD5
28f934572628f6f5208a65e4db5654a4

SHA1
a665178c842ebfb716843cfc17553391a48af9ba

SHA256
0bed7e02cc51974be8105a9cae069eac033a6b14f89984422b6e5d95a172fe95

SHA512
55a8d04f72d80579e75f77b02281f142a1d5ed79bba9f297cf1702e72a47e90c536d4ab414a757848709e94f86f676d584356af91dff32f1ba0aa45f4fcf94b8

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
64KB

MD5
aab15e20bc6f71689a3c16b8120afec9

SHA1
08f55cc0480450363324227abeaedcadd346d015

SHA256
d4ce7e0508c1966aff84697e95a4c5076cfb51a75f7620c4a556c7ccb9c71fc8

SHA512
303104eb084c2e113e32b8d4ac841bfd587723f43945c337fa3c7362b80e6286a7a9ffedf75f44b28588c65cb6c1639e15af73e59a6c85d58926b527e6bcde9e

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
64KB

MD5
2ff54982fe1a1367f18f2a8bed294ecd

SHA1
858c3a1b7374039d9376b7c9b62c8a925b213c5b

SHA256
2e48549eac745fb5bb9b5d73d4eeac2f23d0f89839c0e219568b24e85655626b

SHA512
23ff819194f728a58b83ee0dfa744a0ba23b9227138d56d5b7c32bf676b3da567f923a02e26a6c9b01b2ec9789fba95278e1f1a3c92c9789012c5230437dac3a

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
64KB

MD5
a3e2a33609685a7d15a96148f401c83a

SHA1
08eca144afe8a8ae34a477c8237799de123e8ae1

SHA256
a3111e48cd64cdae9d8f66604fbcf154dbe9ca16e49fe241f37460def7af188e

SHA512
7e0290814c0b4d248ba084c396670a4a9b27a147871874908800cca3c9f1f8de2cbae8279fbd20030a6938e7dca5bceeda795e4cf5ac58d535513e137cce285e

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
64KB

MD5
ce02e69a33f3f30df5b8babf9b3bb1ba

SHA1
c7aa0a6985fa41c7b3e3c4b4c2af870195e830d4

SHA256
4da8b9838b0a5354bbca2341dbb858687bc34143869447d23f1907e0ec06b41a

SHA512
c44caa8acf6d3ae16b629ed5bf847253cb65d096a035cd6204aadb8ce4f6e714e6b59ca40e77c9dfdef951a889f7e1a8ca825721db2a63ab5d1eb40a882508fb

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
64KB

MD5
3dd4c3c8bf7d7ef9f24cbef7bd5a4093

SHA1
44365c7d0055b8152595e33fba73a11271a4caf1

SHA256
008e99f0cc0873e0bcdaa6610c8310f4c930ab994296787f10f88bafef67cedc

SHA512
87869ccd11f8acd99ebf76af082425314b2a4b0248e678548735ec5e2407d42f81b89282853b4fbf600babcaa5bde1e68d4bebc5ae10ca2fae4bd384739b47f6

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
64KB

MD5
c767f332b4df8b79b3f8417012331201

SHA1
6004c42198a615470d60127a42551103d24f86a3

SHA256
85d80ab25ce821acca0854d842a631f9b7e8c6522b46981962589d1b4c4e3ca4

SHA512
fbbe65820bbdb4bba169f6a485524925ebf9b271882b2ab68d0e81ede68e8244608642b2a829e94ccb893dce4da312401ccaf8b537d19dca48b6a414862e80c9

Download Submit
C:\Windows\SysWOW64\Hfcpncdk.exe

Filesize
64KB

MD5
979be1a27cf633c4552d2963449a0347

SHA1
6e5bf7596770629526fe665c747d678f2b43c375

SHA256
e94a40dec0e488d69c2827015ff0fb20718c845924ec38833f751901fbfa57ae

SHA512
e45661c126c9e184efd513e06ef34d28c0beb0003ee68d547dd4c2268f1c57b80a7be9efbcadeeb3c6fb93d82ba7a9c439dedd49a05b698748f69473f1bbe01a

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
64KB

MD5
981bb80c9f7a10ed03e632d207174a02

SHA1
88d3445e45323ccc25d5e4f052334a6d404e7481

SHA256
7111fee67999bc4ba9648755d67bd1412e6fd86bfbdb01756de4260fa4832c87

SHA512
4edd6b7c7a57c7d000790450b72c46aedfd93a3bbd5d672b1cb56896263925bdd95b8521500fd73353b2332dfe465f016c6023c94abfea5f8a669625cd260b9b

Download Submit
C:\Windows\SysWOW64\Himcoo32.exe

Filesize
64KB

MD5
8a9a0a02fef458829cd72972295de841

SHA1
5dd17a57526eb77497434664a3e42eb2fc7c019b

SHA256
bea822efc96127fcbcbaafc288ac0bf72ae03ac7e1cdce548909ebf83b8f89f8

SHA512
03ddaa1ce68d975e77fc0773f341e1352b197ef35719bd0386f64a9343c3f6332d255bbaf243c2a7ed565f4a62f2d3d66c8dcbdc76bf70af27b7f36b41744005

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
64KB

MD5
c1780876c27251d34507fb0f562465f7

SHA1
3e302c702f84e185090c74b9ce65d18855937c13

SHA256
26c79c11ba368b26fdd2fbfc1528d1208608432ae15877faf822839644ebac28

SHA512
f7952f5a7294b5d2f4d16dd5f5a56a58efc11809c06c69f81d340824c0b8fa675282c9150696a1dee7c02c23998d315f35e1641f1ef0e2c123cbedc4155d5be9

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
64KB

MD5
8a8b6ebf19850d345b4a1dc7eb5cb78e

SHA1
588d31af83a86de7d1f28966521f7c9daaae6549

SHA256
3224f0c9686776ecbe1b4b743e1b17e9a9e8ec6ad847eebb68684ea5c0c91edc

SHA512
9b1148ada85c4645fc166bb8cbddbc8bac7177c0a8774f68e194f4d3917d93f2461747dcb9ec548a04fc7def599e3a463d97b5a1d12d7da48a7a95f6d6ba04a4

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
64KB

MD5
978cde54a57cc6227a836594f0d98651

SHA1
ca456babd10946102bdfb7ad5bcff00045286a38

SHA256
586c2809e25dca05903b2afdb065768099e99d5784b4682462de7f20750e9729

SHA512
f40e41ed35a6bd31c5b5d2ce7565647f46adb0e5fba083c4626c79d9fdd9da11559a7240bc43c8f8b5b6aa5110a2124e40ee91e0599887bf62f3ffc067011bb3

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
64KB

MD5
28f38b08f140ccfcd5ba7687f109ab80

SHA1
e0c723140440030fb52a53ea182400a3bc66ef15

SHA256
907fbc22a9f40264824f976b752e1f6b5174590cfdb44c934b7d014402b86c28

SHA512
054c62371257012b53967fded1420a20ebbd4e3cd54d1aa7f29ded1c1ab4a8344f87d3ba9cc28cdeabce9f595b783d3ddcfc0205497ab764063ac117eaadc3a3

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
64KB

MD5
90f14be60ebec83a62eb76fa52d7aa84

SHA1
26562aeead0dff37c39844267211cd6758a72d73

SHA256
779f427d7dda7447aa5d575b1a3bd315aecb8bd8ad0d7943c8bb8616a92a9c1a

SHA512
1b5b2d370b2fb7ffd97dc234e921cdffac49e20c0f1f13605d1cfcbd95ed597157664e6325a85bc501450691fbb8a14d7cb994bb819cce8159409968387729ab

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
64KB

MD5
e1718576a7e0eeb9f5adba5d203bbfec

SHA1
faefeafe836704ed1b1d34a61f9b135796e17e99

SHA256
3dd77c1531cea46ea172936c776a5cf91de2ed93f2a3128d86b8741e93728192

SHA512
733cfa8791b4ab38b80cdb45f1a70110a4787a64dd630ad02fda480b356426ae1b2b12d2d869ec082078d9da1791fe7908562345aad1f57493c1e5aab54ba768

Download Submit
C:\Windows\SysWOW64\Iffmccbi.exe

Filesize
64KB

MD5
a097730298b261d764fd14d626327ccf

SHA1
8278898c3c73241d0bac1e79cafa805d00ffab7b

SHA256
2dc8ea0632e1d18e39587be97c7bafdcc8cbee8147afc992204802f65fc149c9

SHA512
1a6b661a43e42380fa1b3d69317f9932e9dd68e589fbe13191ac25c183904c0a49bff9632d04a4be83159c789e4d1cc9a767b61fb3fc2d3a1fd5a3ae24f9f5eb

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
64KB

MD5
18da15001b6fe478fa6d261f45e55e0b

SHA1
94a3bb7cbe0eee0ad9272a2a5b125bf808d91c48

SHA256
636f33bcd0e98b328f6f3ea098370ea46cf4dcc1ace923b853e30883453b519f

SHA512
fdbc9f6bceb6f22c8d04473e7d3ae682e007013cd075c017b1033ccde4dff7ed4984b7d9e4fb7956e8a0882fea42c79f40618a41c1d485d0fa1d1264ecc93a86

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
64KB

MD5
3169db4cc1366d09f9ffdf75d3c1c96e

SHA1
995708860d54f6e4e82a3560ab06cd20ff8695f8

SHA256
a4b0979a7266dd9203cc75647e93db6200715a5f8ce261e6f12a1b86fec53b3e

SHA512
d0c020fb61b62c030c8ecc56b5134d51fe40464b5269b70257c0da307e3ac4f921c5ba4f495caa0f669bcae8d6a9c8bb2eb3fea8e04862fc75a67b894984d9db

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
64KB

MD5
0ea9f8d25575d2d058580b529ab40490

SHA1
8ae7aec7bfa30afc2e2e2cdf0407b42227612119

SHA256
e605a2f87ad9751a8f4678c38212d02cde5ba0c6515ada76a54b3a2f831b3709

SHA512
051b9087a9d0fcb5307cdc4d0cfb262c27dfe62f6eab22b969d503afea23ec51f54ecac63fb0b49757e8c490f0f3b22a7df7f8e252d1918f35708ac2c66f682c

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
64KB

MD5
4efeb52b511a06c9ea58948e84458930

SHA1
df70fbba5f7f7e9e1fa8d56cc9e20cf95691bd87

SHA256
2384700252c6d7dbb9fb66891db25fabd7eda02f31517fd70ec8d822b8467415

SHA512
26ad0c66d40c52226460df2db5cac5e24da7f26eb59564b337e8abd20af18d4caf8b8e3b94cc11fb4788e923050fd0b0fd36cb8e6a4e015d6df5a36a5cb70e20

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
64KB

MD5
2c2a9b4696319235c7bd860116db2af3

SHA1
b55e2b855f899e23bd62fe8b757cf29cb14a5102

SHA256
b1ac0e8033202ac6b35d05e34498b2a2e7747bc1ce369f531e72a192fde845b8

SHA512
17987080fb4691366e22f7b6b49ea3c175fbda3912e8ceaa1d873827489913a26fb8a06950cbe539ac73e2c187ff3e29814856edc4a5cde4889e85e38733343f

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
64KB

MD5
72b6cdf9214c70c6aaff67302016cd98

SHA1
9927ea1072d86e2ff93dc6cb44d5e28d2e29cbe0

SHA256
d19472ddabee322bb38fc6ea27485be2e0672aba856441431a0b5a52e7c09870

SHA512
46fc12eeca2ff472c16d4ef0595f0ce40ba09c480f5fb3e697fec646831e4bf1c0b142bfcea2a2eb9fa81e7aeb063239b297b924e999392823b9d9eca04a20e8

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
64KB

MD5
ade978a4b491b812262ae30c46007256

SHA1
5b63ba6efd9e6691d36ca664a1addcce6d571d6d

SHA256
b8ac052e3b5a3e65f326c51ec429b80e11de96c597a3af32d2a9c4d591ffc7da

SHA512
0e4c9549c920b1958a15ec87f8db527d123351e1a7ed6efab1fa04e10aca93e90eab094807cb0e029b952a4212fb815bab573a0856d23ab559582533db517127

Download Submit
memory/440-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/440-248-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/452-437-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/452-364-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/540-318-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/540-387-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/628-363-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/628-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/836-438-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1012-284-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1012-201-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1064-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1064-200-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1072-167-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1072-86-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1088-93-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1088-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1596-263-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1596-331-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1616-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-395-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1636-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1636-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1680-431-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-283-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1856-332-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1856-403-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1860-312-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1860-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1912-102-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1932-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1968-449-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2020-94-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2132-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2132-444-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2164-48-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2164-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2192-344-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2192-417-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-309-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2432-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2464-429-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2640-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2856-361-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2864-158-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2864-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2988-123-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2988-44-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3012-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3012-227-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3108-404-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3316-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3316-219-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3384-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3408-351-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3408-428-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3540-176-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3540-262-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3552-396-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-168-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3628-253-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3644-154-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3672-451-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3672-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3892-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3976-20-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4152-464-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4152-397-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4364-36-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4384-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4472-458-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4476-254-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4476-324-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4484-249-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4512-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4512-141-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4532-452-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4540-110-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4540-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4596-128-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4596-208-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4632-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4632-184-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4768-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4768-209-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4828-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-410-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-338-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4852-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4852-218-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4964-411-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5060-296-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5084-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5084-350-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads