b3b50f915b115c4e35253941f57c89390390997e78b9bd5dc2b60e3cff4248bd

Analysis

max time kernel
147s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a963404b921363145ee8315692a0e850_NEAS.exe
Size

272KB
MD5

a963404b921363145ee8315692a0e850
SHA1

607f0a256ad24943963e9fcf8e7cb4905a93c4a6
SHA256

b3b50f915b115c4e35253941f57c89390390997e78b9bd5dc2b60e3cff4248bd
SHA512

5280e37c2c12f3940efcaaef4ffc4d47f1ef0ddb9233676f8e48232f0294f88a558dfb39898a57930eb6d5b685956ec3acf6d5a6e12583efc7fe2193c1712223
SSDEEP

6144:Lbuglr39bSR0xZKL2bWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQc/YRuEuT:uqbSwwL2bWGRdA6sQhPbWGRdA6sQxuEe

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe

Executes dropped EXE 64 IoCs

pid	Process
2512	Fopldmcl.exe
1256	Fihqmb32.exe
3224	Fbqefhpm.exe
3152	Fijmbb32.exe
4052	Fqaeco32.exe
3048	Gfnnlffc.exe
4152	Gmhfhp32.exe
2996	Gcbnejem.exe
4468	Giofnacd.exe
3932	Gqfooodg.exe
3844	Gjocgdkg.exe
3984	Gpklpkio.exe
2260	Gbjhlfhb.exe
5092	Gidphq32.exe
4804	Gmoliohh.exe
3876	Gpnhekgl.exe
4360	Gameonno.exe
2808	Hihicplj.exe
4072	Hapaemll.exe
4892	Hbanme32.exe
3112	Hjmoibog.exe
1632	Hmklen32.exe
2444	Hpihai32.exe
868	Hcedaheh.exe
3528	Ibjqcd32.exe
3908	Ijaida32.exe
4448	Impepm32.exe
3108	Ipnalhii.exe
3848	Iiffen32.exe
3480	Ipqnahgf.exe
400	Ijfboafl.exe
1328	Imdnklfp.exe
1000	Ifmcdblq.exe
5080	Ijhodq32.exe
2980	Imgkql32.exe
952	Idacmfkj.exe
1384	Ibccic32.exe
2136	Ijkljp32.exe
3672	Imihfl32.exe
4296	Jbfpobpb.exe
2696	Jfaloa32.exe
940	Jiphkm32.exe
3432	Jagqlj32.exe
2304	Jdemhe32.exe
876	Jfdida32.exe
2016	Jmnaakne.exe
5076	Jplmmfmi.exe
2948	Jbkjjblm.exe
536	Jjbako32.exe
3584	Jidbflcj.exe
1920	Jpojcf32.exe
5048	Jbmfoa32.exe
2768	Jkdnpo32.exe
4412	Jmbklj32.exe
4556	Jangmibi.exe
3228	Jdmcidam.exe
4920	Jkfkfohj.exe
1724	Kaqcbi32.exe
4352	Kpccnefa.exe
3508	Kbapjafe.exe
4384	Kkihknfg.exe
1532	Kmgdgjek.exe
2220	Kpepcedo.exe
2096	Kgphpo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ldooifgl.dll	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gpklpkio.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6276	6192	WerFault.exe	221

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a963404b921363145ee8315692a0e850_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ifmcdblq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2512	1452	a963404b921363145ee8315692a0e850_NEAS.exe	83
PID 1452 wrote to memory of 2512	1452	a963404b921363145ee8315692a0e850_NEAS.exe	83
PID 1452 wrote to memory of 2512	1452	a963404b921363145ee8315692a0e850_NEAS.exe	83
PID 2512 wrote to memory of 1256	2512	Fopldmcl.exe	84
PID 2512 wrote to memory of 1256	2512	Fopldmcl.exe	84
PID 2512 wrote to memory of 1256	2512	Fopldmcl.exe	84
PID 1256 wrote to memory of 3224	1256	Fihqmb32.exe	85
PID 1256 wrote to memory of 3224	1256	Fihqmb32.exe	85
PID 1256 wrote to memory of 3224	1256	Fihqmb32.exe	85
PID 3224 wrote to memory of 3152	3224	Fbqefhpm.exe	86
PID 3224 wrote to memory of 3152	3224	Fbqefhpm.exe	86
PID 3224 wrote to memory of 3152	3224	Fbqefhpm.exe	86
PID 3152 wrote to memory of 4052	3152	Fijmbb32.exe	87
PID 3152 wrote to memory of 4052	3152	Fijmbb32.exe	87
PID 3152 wrote to memory of 4052	3152	Fijmbb32.exe	87
PID 4052 wrote to memory of 3048	4052	Fqaeco32.exe	88
PID 4052 wrote to memory of 3048	4052	Fqaeco32.exe	88
PID 4052 wrote to memory of 3048	4052	Fqaeco32.exe	88
PID 3048 wrote to memory of 4152	3048	Gfnnlffc.exe	89
PID 3048 wrote to memory of 4152	3048	Gfnnlffc.exe	89
PID 3048 wrote to memory of 4152	3048	Gfnnlffc.exe	89
PID 4152 wrote to memory of 2996	4152	Gmhfhp32.exe	90
PID 4152 wrote to memory of 2996	4152	Gmhfhp32.exe	90
PID 4152 wrote to memory of 2996	4152	Gmhfhp32.exe	90
PID 2996 wrote to memory of 4468	2996	Gcbnejem.exe	91
PID 2996 wrote to memory of 4468	2996	Gcbnejem.exe	91
PID 2996 wrote to memory of 4468	2996	Gcbnejem.exe	91
PID 4468 wrote to memory of 3932	4468	Giofnacd.exe	92
PID 4468 wrote to memory of 3932	4468	Giofnacd.exe	92
PID 4468 wrote to memory of 3932	4468	Giofnacd.exe	92
PID 3932 wrote to memory of 3844	3932	Gqfooodg.exe	94
PID 3932 wrote to memory of 3844	3932	Gqfooodg.exe	94
PID 3932 wrote to memory of 3844	3932	Gqfooodg.exe	94
PID 3844 wrote to memory of 3984	3844	Gjocgdkg.exe	95
PID 3844 wrote to memory of 3984	3844	Gjocgdkg.exe	95
PID 3844 wrote to memory of 3984	3844	Gjocgdkg.exe	95
PID 3984 wrote to memory of 2260	3984	Gpklpkio.exe	96
PID 3984 wrote to memory of 2260	3984	Gpklpkio.exe	96
PID 3984 wrote to memory of 2260	3984	Gpklpkio.exe	96
PID 2260 wrote to memory of 5092	2260	Gbjhlfhb.exe	98
PID 2260 wrote to memory of 5092	2260	Gbjhlfhb.exe	98
PID 2260 wrote to memory of 5092	2260	Gbjhlfhb.exe	98
PID 5092 wrote to memory of 4804	5092	Gidphq32.exe	99
PID 5092 wrote to memory of 4804	5092	Gidphq32.exe	99
PID 5092 wrote to memory of 4804	5092	Gidphq32.exe	99
PID 4804 wrote to memory of 3876	4804	Gmoliohh.exe	100
PID 4804 wrote to memory of 3876	4804	Gmoliohh.exe	100
PID 4804 wrote to memory of 3876	4804	Gmoliohh.exe	100
PID 3876 wrote to memory of 4360	3876	Gpnhekgl.exe	101
PID 3876 wrote to memory of 4360	3876	Gpnhekgl.exe	101
PID 3876 wrote to memory of 4360	3876	Gpnhekgl.exe	101
PID 4360 wrote to memory of 2808	4360	Gameonno.exe	102
PID 4360 wrote to memory of 2808	4360	Gameonno.exe	102
PID 4360 wrote to memory of 2808	4360	Gameonno.exe	102
PID 2808 wrote to memory of 4072	2808	Hihicplj.exe	104
PID 2808 wrote to memory of 4072	2808	Hihicplj.exe	104
PID 2808 wrote to memory of 4072	2808	Hihicplj.exe	104
PID 4072 wrote to memory of 4892	4072	Hapaemll.exe	105
PID 4072 wrote to memory of 4892	4072	Hapaemll.exe	105
PID 4072 wrote to memory of 4892	4072	Hapaemll.exe	105
PID 4892 wrote to memory of 3112	4892	Hbanme32.exe	106
PID 4892 wrote to memory of 3112	4892	Hbanme32.exe	106
PID 4892 wrote to memory of 3112	4892	Hbanme32.exe	106
PID 3112 wrote to memory of 1632	3112	Hjmoibog.exe	107

C:\Users\Admin\AppData\Local\Temp\a963404b921363145ee8315692a0e850_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\a963404b921363145ee8315692a0e850_NEAS.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\Fopldmcl.exe
  C:\Windows\system32\Fopldmcl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\Fihqmb32.exe
    C:\Windows\system32\Fihqmb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\SysWOW64\Fbqefhpm.exe
      C:\Windows\system32\Fbqefhpm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3152
      - C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        40⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        47⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        54⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        56⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        61⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        65⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        68⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        69⤵
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:216
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        75⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        76⤵
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        78⤵
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:628
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        82⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        84⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        85⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        86⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        87⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        88⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        92⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        94⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        95⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        100⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        103⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        104⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        107⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        110⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        111⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        113⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        116⤵
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        117⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        119⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        121⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        122⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        123⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        126⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        128⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        129⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        130⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        133⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 408
        134⤵
        Program crash
        
        PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6192 -ip 6192
1⤵
PID:6252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
272KB

MD5
96545281d4a8ac6e123f89cf3b0cb61a

SHA1
9a1eecdd15a51497c1fae71356c0d177d00e4509

SHA256
2763b21abef9c8b499e3bc4ea9b8347320477138d524da2e1aaad5113d8ea99e

SHA512
ef19a44b2b5674b7737233990bc1179ad37def8bf456ed10609995c39a66d8384bec5ed68579322b074af634996f1ed8a68347c130fccef6ee82b79410bda913

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
272KB

MD5
b8bf552f96ed8906c888c88bb1150894

SHA1
336e8b4856f6340725171bfece6315292ce71f05

SHA256
44d2db648c6ae0e757923f1efcc82b33018f8b135a5752f1fee81f11e21d153b

SHA512
03a0952a9e0000c76f382b576fe71aec7fa42374ba38e947aebb80a284fc45c14cc4a2709bf93a9e9be1c2a15c711844238bec7c1fb2ddb21cfe874b3ced3d05

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
272KB

MD5
a6ede88b42a2c35e7cf8f12aa8e18217

SHA1
6beb33264ea93355873b7bb3c9be689a708bdd68

SHA256
f6af5d0651441177494d722bc8e56db2fd12039640859923527010ab50b3cc28

SHA512
2bf366c7c80ff8043c307ef3ac0a396b64f8ac54cbba3ed8a6d185408ad7474d213319aa7d5ea6500b9028ffcc34753d31032241ceac4ef0a2fb7bfd9cef50ec

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
272KB

MD5
1ccf9a70e4e840bfc4f0d0416f1c733d

SHA1
21ec47029afce23227bb58121af4f5cba9487572

SHA256
ecf07685fac5d0d5656b03ce4f1e4c5b3b58093f017c283da39f8b37b64d6b5b

SHA512
b159c0c5fb48091de0d89ef826c6ed07dcf9f8b5d9095b15d17cb566948c8b8205db5247890a9e7585a73d16faf1e29d6a0d5142d504e2caeefa378f33a2ba76

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
272KB

MD5
9226e10256fa26bc574de0b3e91b0b5d

SHA1
9b114431687745dd65dfcab1c63b581287e7122c

SHA256
2afcf6a7de2695f1161f130b62a9f7571abb4c58ea7ce9af006aa19d19957a2c

SHA512
a2640239f1465d058600e7c7b517e17bafebe48fb9d5b6339692de66661a84dca9ef50bcd6ee1c9daf058867ba6c329d29ae66799f3985a896fbe2e4144036e9

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
272KB

MD5
b22d648953b345afa1d950ff4f8f2aaf

SHA1
93384f7f9a335f51aad7a445833cfe5890205ce8

SHA256
136d02759798b385d602b51e4002a292ec444b65ae0f1a580d62ccd1a9209a49

SHA512
1a29a7c172e761628ffed3ce4c2ca0e44f7227953f75bb430c32f35a70ca9696a1382091930f2d9df4a6440e7d2ca138df03f173e2b8bf48c9c62b2535ad090c

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
272KB

MD5
db83769c4f9a97b18b8275599fbe3ac6

SHA1
ca5a1e32091760b63c171f097a58bad5bd0858fc

SHA256
d97e47626671c738e303583b844ce648e2cf29ab1303a7c57b85878cb4e49d75

SHA512
c5e13eabcf87609c9047e2545add280e97b5ea270db00f70b0c8f834d83d8367708cc76cf7511f8567e2b064123e49ec43e213570f705317e126e2f85c551f10

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
272KB

MD5
6e056ff06227caebe2fa90bfe9f6edeb

SHA1
75589feef9692db81a313d61943a704cf3942ace

SHA256
fd18d2c911fdc7882874ddf6d2e696a8522c96a7e62018e5e73eb3bca2e6f045

SHA512
2788adb8a1043ba524d34cf9bf59e952bf5b2c4c3cf938f2fdcbfeeddaca468d860d305e763079f054ff4e19ff9c1492baab2424cbc4abee1025686ccc3636fc

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
272KB

MD5
70c92fade3655e2ac42b4d6559aac760

SHA1
3e8c7dc2271103de2ed0b40d3c2175a67ece40f8

SHA256
6ea44c7f556691de95128f17edbb42afed14e7e6f668c9cd131f9ba14ed2a2b6

SHA512
1ac8b5af998e27e65990e0d33f441727d683fe3eb261782aa20f900a7136f65beaab335909b523f8dfb65057816efc787c918e897d3c832857caed9fc6e0240a

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
272KB

MD5
b4064e8253188e77e9241a69638b7c9e

SHA1
adcfd41d1d5785c632308027caad654af47d1f2f

SHA256
c952c7b05fd839b0367db1a5a1c2840456fc2e97ea58b8cc22b8552c3ba82554

SHA512
afe0e20a85e7c9cea2410443cbf759b5ba7301a3fe6be423ed1ff59084f893a25b8c96923dba7d4c6caca98eefae20246b49439f9d3990addb179ff2d01912a5

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
272KB

MD5
ccd78acc2400f2b2e6753c4714ee7aee

SHA1
71b73d34827de1ee9665556714ddb7beac0a3448

SHA256
35d5b1058f6eb05ea4e43eabb3fcd9fe3da1461a078fc33b5a2397794a57df65

SHA512
0e7579c1fb92e8df1b3139c9ab494bf8682066677ed8bbdb675340177f3b2c6a06eb1870f7c113672d97c9fe63b4e8835899d75dea56665e573e3c480b20fbbe

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
272KB

MD5
fcacf5070eddfb6ad591a33bd2a950b4

SHA1
58d7b66a762450298d2ca9280a1dfb846bf10077

SHA256
92733955301d470acb6aeb6616aa692756e05d7cadbaab9e50675366eb63b5d6

SHA512
50253ccc37dc803c43587a5fa4e544fed1f92f9131b4b2fca55d8de6910914c02c5332332023c5be5e851b196092cb91e27eb50f1c88945c8dca0c2138fd3bcf

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
272KB

MD5
83356a8aeaa9225c186cd63d7ba619d7

SHA1
9748c35a2774b7515fecc243ca9b7e26faeb5c29

SHA256
6a5506506da9880043ad1609016a92a20fad143a8d564ec6ca7f58af5db45a40

SHA512
09eee6359324875d88fa26f8403c5b01def5a8a5a484bbcbfd52380c340865de2faf82015f89b6ee8aa3852db8ed921e9893a4c40a6c28036d09040efa1dd50d

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
272KB

MD5
696509b0b5e320f281b2bb21c7321c3f

SHA1
0faae45431aee2e56f4534313f394d3976d2b653

SHA256
24019b799cabaafda89ba43c780582c3dbee9ec9e4ae7889bbf1c55c3661506f

SHA512
683dbbb58cf0f814e1cae5318b6ba9b8b59ed92bf3996aaf1b5b4b7dab72323464ebc472642804e3e350a28c89d5f97bf1bd78d855bc860f1e581f5403dc916e

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
272KB

MD5
665eee13d2582ea279a9e88c8a2ecee4

SHA1
79455bc313f7d415d98453db3a8ed4a53b000420

SHA256
9b4106e618786ac01b4f91a22d571f46c4e297448f33781c92461e2351c3f60a

SHA512
c859873a9dfc97fa9d63b7b80382f54778e9fdcdc436f3043186dbf888ef5698588898ad05b25f92a0fa3e9615ee7e6737334061aee86b000f5de7e97c6fda49

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
272KB

MD5
d34ab3f1ce0a42ac53f59febebe05163

SHA1
a60f9eb7117c1e2105830e484e7667b698c02969

SHA256
94cc69b831a7fc3be154d0382ae335f1a4d680ddfe217f508268444d79fa749d

SHA512
cad92189efedfb9dbea96beac122b008de6d673ddc6bdf4d2ef5b46b0807e39f6b397f38cac98d50774b138f65e3b209633ed840cff6f3e9b1be3a265415d0e8

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
272KB

MD5
cd77d98d7ea3c92651e70a9196a23636

SHA1
73794fb20bb413c20f0bc54fad21122471cd64b3

SHA256
ca88b7195f2e538f818c6def3a9f426641958cfe5446f1905cb2ba9bd38d16b8

SHA512
bf81f65d83a0cc7bab3ddee7b77c85604086b1128782b0a65bb80d663080dc1f7718c12271f580f09d56e0751242dcc1ebbea0aa327b86170f8c16631f68f74d

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
272KB

MD5
109514708a8cb638ac7d9f70794af673

SHA1
38fd03ee3358d52d2f7a4b845f569866d623f19c

SHA256
7a7bd2435e13ff48951aa13d85e4cae7126ebdf435d25de233944cc2dee3ffa6

SHA512
f54e4679184043a7753c6b2666e82796ae1ea04a3823feff54dcf91e1ca70614b4535394241f93079a9dfed873c0fc93f93d83c172c13268e03f8784d03c28c6

Download Submit
C:\Windows\SysWOW64\Hbanme32.exe

Filesize
272KB

MD5
05d41e895356e25b13c12afbbe88112c

SHA1
42f469cfc697180f5e4160620f1c1368e7aed9d1

SHA256
54220813eaee84a6878d17d898f5576236722b54e8764a7c27ca566c9b5ed0a0

SHA512
f3870b0933fed9e9d007362c50afc6f26caea109d6c60396acc66505546f151dd4c3a8eb0c8dd399d698cea05c466a56f3a31fa845b5ad85c01a2a17aef8e1a7

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
272KB

MD5
dbfc701722946ba2e90c34e9108ba129

SHA1
68db82f91015d409d872f9cda2c80b2ba248bd90

SHA256
e75f2ecc3b781d2f2fb131e272099f61fba3f7c9e294f4020db5c8f608293a09

SHA512
2a6887b0f0a7899d1c158feb1fc30901f7d310764fe6763e213c76bf9fecf01d8452bc1b78786f4231344a2f24da92bd381a261d5347d0e3b6aef70c4ea5dd0d

Download Submit
C:\Windows\SysWOW64\Hihicplj.exe

Filesize
272KB

MD5
f89e9ef0907b1c07bc77bb259c580b39

SHA1
b1c906f0fc7bfbd6ca201edf6ce83aa0d0da7a20

SHA256
191eb0f60171d78623cdde501dfc36a312372b6428b7d68f29e8a748e3f5718c

SHA512
d6c32eab453c148b81fe4ee7517b7743d94e8ddb4d3ccfd5c0192c9b6de90a43edde20e376fa17f53a3f1b6a31d0b6de20c49bcfba3d66b53b4b6f95d133a78f

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
272KB

MD5
c69fecc22944b3a23436c525f72b42e8

SHA1
9992617c364b5c7775d09763e6d7da11c293d6c2

SHA256
1dcf37b2c2151e177ed48c67172c5d7de1ba71b74266dfba0d9b089d80f2d20d

SHA512
8f69c3cb710f4b4c4b7d7e7c5e76abbe0dc7c6714dba74c2ae3a22205fea3fea8e0a6cae1c269db61b3063a709a7f5c1d80f1042565adfa41c655daf5e814353

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
272KB

MD5
c1ee87633f8fe577c8cacfb2f564cfd6

SHA1
59026ddf6e480d3d20def324fe3bf13a0c821c1e

SHA256
1a1686b60079fab12e7d7119cf1849a4a9f2a338b7809ac013bc89cbbb1bab57

SHA512
653259d2ba323aa677e66286a30fc42f29a13cf0469d14c573a8cab9b93b59cfd93cc34e3f032641d63b6e5dd51b2c9e7021221242733b09e0b4f85415913e9b

Download Submit
C:\Windows\SysWOW64\Hpihai32.exe

Filesize
272KB

MD5
e8a90b1ed706948557a90a982d97008b

SHA1
4fc3832ad9d0c8669be5a3132c9bfc3c6881c4b8

SHA256
9a6de4093c9374d9ca73f249bb08f67bcb736bd112f39d1b9f2c31294740039d

SHA512
9d4e8aa7df77483e714a015bcd98b2cf0c0d0aa4b159d1355a8d6c3d36cad5ce3e1f41d49e58462e7b1c65f450d48f7dbd89dd07f18f0bf424f0ceb9f5f71aa1

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
272KB

MD5
1d08401a801cd7a9fa402783b8db7a91

SHA1
ddf2290c66c57d23d75ba238c8b8464560bae70a

SHA256
b40ac91e8fd046ef149bef1ef888ec589a132b7bcab09a76aa9626420f7f5d40

SHA512
be7a5a9d97d1cda9f6c9d10ecd074deca48491ccf6462eeaa02ce73fd940dca805e5de5421a3c07f3417b6fac743c548cff4ba0f9f394cdee18e135b3922362c

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
272KB

MD5
a70f1e4fe6e08c769ac6b87b5ba4d31d

SHA1
d12373b41aa28c608d8b9bf36d178910cb4ad6cc

SHA256
fdb59c63f6cc12ed6cd9182e8b4f4056a7792838ed646cb41f92054d11d592c2

SHA512
75279a8ab14eedfe72ece21895172c5e45fae993eb0dce8d1d2d7db1611b72c363f21bc33f4110461dffbb852b72a918bb4ea489226e06b03e8b405970dcebf4

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
272KB

MD5
8b9fd8d9f753a0b6a58702fcac581d64

SHA1
f7a3181b54f4ba78999a02a40790ac4f3a073fed

SHA256
eec94a371e4910cbbeae5e73c3ba2191bdbd0bb79701a1edafa0a88c78d30049

SHA512
f71800b64727aa7bbf493a9d57f4bd9468cc9e969e0cab3c7ca6136ccba37df718eb22ad1b4cbcdcbec3dfd8a444a28bd065c84ff41658c2c7b31fa1aa6bde3e

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
272KB

MD5
6497b5d8ffaf8c9acee1d80a6e2023ad

SHA1
1d387fa61f88e4a7aaa2df9716351a455c2434fb

SHA256
945bd99f25d91ad3f052db186a3bebc68082933ecfa272598d7fd2326545ee77

SHA512
349e6cc658b9e1c1e96910eb0684a9a04ea737296b5125703d88391d3002af961f3a15c42f11fe1dd383bdaf9198e5e0a23ac5014a0370b1c17cb98f7da52949

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
272KB

MD5
7085fbb82ac6da48bf74d395e13b8ca0

SHA1
ee93170b0415973000139d4e7656429a8d9edb7e

SHA256
575528b4b70195f517a7afc859f5a7db6955b7fdf187203d48cfe59b9761c169

SHA512
0e543f2d6e241218b1e9d5bb9ffbdcae5610cf5fa09d1629d070576acbeedc1d1e2c20872a9d4753958ab7947a50c40fe6b401d31c1f97de4280d8a154fa8735

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
272KB

MD5
b855f2edfda2aad7524f624506a18b93

SHA1
68b62064893dbde642bb045e514a88be77c8c9df

SHA256
9245c0d4726d6944422155a65a8a6514cff69908a6c8871a4a746097697051f0

SHA512
27928ae31695aea241a973e06900ff061593b58374b133ca608cf0d8be08773642fd7bd8c1bccfabcc40e8de085f710d74590c39c3c07b07a96928f9fa8c617c

Download Submit
C:\Windows\SysWOW64\Ipnalhii.exe

Filesize
272KB

MD5
cdc3d4c0a2dbdc7718e308f6fcd87c28

SHA1
fa5e6f0898d19bbc6bac764b6b20018133ba803b

SHA256
2f85d31f6b8bee4f1b42c4940d7c998b2ad2a65fe79e2c9e795ef8edc1fc1162

SHA512
5d06f19e1bdd64098df283741469dcb765c9a2b550df0f9ce61b350811a98689c5db338b40ef67b1f790c3f6c162b3554216cd8d298eacb99b5ddb7e681c2d94

Download Submit
C:\Windows\SysWOW64\Ipqnahgf.exe

Filesize
272KB

MD5
c32b78c6f7a7a74bfd5d863570fac9a4

SHA1
7d19ecae7ef64f5d5d13c0b5f745acbab0c1b06a

SHA256
8e3c4a0635e9d43f85c2a4ba418b2200cb2ce9f9c55aa2ddd61e07a5c4346f91

SHA512
2df9660123b34b865acfbfe15b1eef1d1e559e47dd3a8530ecd00d8e8e9ec5a7be938b6aafb06821a83ceb53a64995a0510f55c0c55a850d345a2aad7205a7c9

Download Submit
C:\Windows\SysWOW64\Jdmcidam.exe

Filesize
272KB

MD5
ec6a9f4574d5fb480c86dc6358d794da

SHA1
5c5488c5f631ab8f169c477c36184181c80eea90

SHA256
b1ac5f87109408ed5b1c855638e289b49b3ad0b454be759bcf0934ba2eccd4a1

SHA512
186abd4fa024cf167c6813d8498746a0d882941a54eafa55bbddd284e0628a95e9e5c2944bb5d11906143310b9e38ca43668d6eceb5ce339008ad69e07ed8111

Download Submit
C:\Windows\SysWOW64\Jiphkm32.exe

Filesize
272KB

MD5
9dba05e2654869a7454933a2a168d533

SHA1
eb41149f1b978446b424c7cc7ffaee71d86c5c2e

SHA256
e8eebd9dec86b9c3d9e59baef9e09d8ab8050545a0bb3ead238f5f8a83f58a82

SHA512
88dc852a301bfcdb9a0a5fd165c12a8f267aa9a05f5a55d0add59b3ea446d9e0d9dc229e7121efac712b8dfafda051b067a75b199d24fe8e2afeeab3937c2b70

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
272KB

MD5
bc7cb4e57031665336abd9c65c019d64

SHA1
22bddf43ace3ef6a5f333020d78932d1d2b3af7c

SHA256
564d8a82657fd07d4f2a9cafd29bd9d4865f545a2038312daaa2d783ae81b77a

SHA512
fbf271f8bb67028df333b3cdeff8489b5c5ee5036537c24590ea9b1f054c0d57e53b3629d9ee0d5224e28b1424826392132f9a16a76dc703618071d4e0209cc5

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
272KB

MD5
954b579eec3487ea1ecbe5b82185672b

SHA1
698cb0224a40284c1330db2b103aadabeab50148

SHA256
ec51043c8486774d16ac75ab8715159027242dd5fb67de0537c413514ffb8d38

SHA512
74282137f402f46385dd70c79ba651cec40fb264577060091c036e2a4a60f9599f3467872a51b39e12cf676afe2acb8a9fce8defc9b37c36310b6282f91bc045

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
272KB

MD5
7717f2ef6c392e206c8e22a95020c902

SHA1
5b65e6f4a9dc633050706064747d8e17015daf8a

SHA256
8e58fcd155d71555a241996025b0e4628087895897dee3ac6b69c7388b100e26

SHA512
cd0ebbf9cb5687edb217c9e6cd63c16c0e2ec55debfc63c73e71557d722f9585fa2878afec24d6735e159d086002a55e3e44137cf0aed675582d3d5494e306a5

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
272KB

MD5
4ce5d1cdb52588fb14a083cd107397c4

SHA1
601ee992805f371177def891c8b2992aa7b74b9b

SHA256
c72b63ce0188f364e551635fd670597f88fd449c24c4d64bbfd69b6e4f9c69e8

SHA512
3df5d82919fd965b23a3f12e3d8ece6578bed0f68aeb60a2a15487c8d30f996bf78a609d835bc5aa88af082abbb1d8dcc81c1e6249e5dc3f01e902c56069b9e7

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
272KB

MD5
cb6215a1887d9364c9216fba0f69cb44

SHA1
e774e7e0a7b3e340113131327b8370c4143413a1

SHA256
39714d6bfb65c4aded6c5715029c65b28980b19e2e96c52744d2aee328db0836

SHA512
24d4abf4344990691b4d3a3b7ab94cf46fc58b55ce0871d0731c125678e04cac727ac04d927a991bedf343f82f159c48ac786f35a27b47084f2384d49562a101

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
272KB

MD5
dd496776fe8fea9f16368643c591b6eb

SHA1
f05cae817eb44050002f3ad2b0bfb6385599ed2c

SHA256
e11dce208093c99d5fdc5d28eb150d3d3063810c780f37d0ca30d99189b5fb89

SHA512
0cf927c8642e81bb231b350e4864f720eafb6db922ab6f23db483f2b7bd3714e18e3397372dc7ef5ae42f3534b4effc7f0c6ebe0cb5d61e4a8a6c027f6e0206d

Download Submit
memory/216-497-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/400-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/536-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/628-546-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/868-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/940-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/952-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1000-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1040-485-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1132-531-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1200-507-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1256-554-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1328-257-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1332-483-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1384-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1452-539-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1452-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1452-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1532-439-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1724-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1736-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1920-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2136-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2220-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2260-105-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2444-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-547-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2744-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2948-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2980-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2996-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3012-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-582-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3108-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3112-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3152-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3152-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3160-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-561-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3228-401-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3412-521-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3432-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3480-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3508-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3528-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3672-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3692-495-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3844-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3848-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3876-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3932-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3984-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4052-574-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4052-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4072-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-589-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4296-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-533-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-423-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4412-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4448-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4468-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4556-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-121-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4892-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4920-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-515-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5076-351-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5084-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5092-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5128-555-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5184-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5224-575-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5284-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5352-583-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads