69551440a70252d76ebbbc62df08e962e8c7425a473d84bf97e5e68db94177e9

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a691ddb33477981eec57bfcaa82e35a0_NEAS.exe
Size

96KB
MD5

a691ddb33477981eec57bfcaa82e35a0
SHA1

3b90bfb7b7f0969c33a5cf61ac7b49ec5b0bd98c
SHA256

69551440a70252d76ebbbc62df08e962e8c7425a473d84bf97e5e68db94177e9
SHA512

c9c76d434e290f44796081ec153178209870458d439ab7f869128cc931e3d2362c4b5dbe51655b334ef324fd55235a5b7353ecffec5c31c14b7c6fc584f6a02c
SSDEEP

1536:qyb81a3Her2vtiuY20TUq32Lk1HPXuhiTMuZXGTIVefVDkryyAyqX:qybnXeeWiraHPXuhuXGQmVDeCyqX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a691ddb33477981eec57bfcaa82e35a0_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a691ddb33477981eec57bfcaa82e35a0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe

Executes dropped EXE 64 IoCs

pid	Process
1616	Fmficqpc.exe
3904	Fodeolof.exe
3964	Gbcakg32.exe
3664	Gimjhafg.exe
3064	Gogbdl32.exe
440	Gfqjafdq.exe
5012	Gmkbnp32.exe
4892	Goiojk32.exe
4436	Gbgkfg32.exe
2040	Gjocgdkg.exe
396	Gpklpkio.exe
2128	Gbjhlfhb.exe
4628	Gidphq32.exe
3336	Gqkhjn32.exe
4908	Gcidfi32.exe
3800	Gbldaffp.exe
2236	Gjclbc32.exe
1824	Gmaioo32.exe
4496	Hclakimb.exe
1700	Hfjmgdlf.exe
4840	Hmdedo32.exe
1092	Hpbaqj32.exe
3528	Hjhfnccl.exe
3372	Hmfbjnbp.exe
2456	Hpenfjad.exe
4492	Hfofbd32.exe
4432	Hmioonpn.exe
3360	Hpgkkioa.exe
2684	Hbeghene.exe
1244	Hfachc32.exe
3092	Hmklen32.exe
4240	Hjolnb32.exe
4112	Hmmhjm32.exe
720	Ipldfi32.exe
1388	Ibjqcd32.exe
3924	Iidipnal.exe
944	Impepm32.exe
2536	Icjmmg32.exe
3088	Ifhiib32.exe
4856	Iiffen32.exe
2420	Imbaemhc.exe
2204	Icljbg32.exe
1928	Ifjfnb32.exe
2812	Iiibkn32.exe
536	Iapjlk32.exe
1832	Idofhfmm.exe
3040	Ibagcc32.exe
4800	Ijhodq32.exe
216	Imgkql32.exe
2844	Ipegmg32.exe
4600	Ibccic32.exe
4200	Ijkljp32.exe
3460	Imihfl32.exe
2276	Jdcpcf32.exe
2772	Jbfpobpb.exe
4220	Jiphkm32.exe
2556	Jpjqhgol.exe
4652	Jbhmdbnp.exe
1084	Jjpeepnb.exe
3736	Jmnaakne.exe
2268	Jplmmfmi.exe
640	Jbkjjblm.exe
2784	Jjbako32.exe
1924	Jaljgidl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6628	6536	WerFault.exe	239

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 1616	4572	a691ddb33477981eec57bfcaa82e35a0_NEAS.exe	84
PID 4572 wrote to memory of 1616	4572	a691ddb33477981eec57bfcaa82e35a0_NEAS.exe	84
PID 4572 wrote to memory of 1616	4572	a691ddb33477981eec57bfcaa82e35a0_NEAS.exe	84
PID 1616 wrote to memory of 3904	1616	Fmficqpc.exe	85
PID 1616 wrote to memory of 3904	1616	Fmficqpc.exe	85
PID 1616 wrote to memory of 3904	1616	Fmficqpc.exe	85
PID 3904 wrote to memory of 3964	3904	Fodeolof.exe	86
PID 3904 wrote to memory of 3964	3904	Fodeolof.exe	86
PID 3904 wrote to memory of 3964	3904	Fodeolof.exe	86
PID 3964 wrote to memory of 3664	3964	Gbcakg32.exe	87
PID 3964 wrote to memory of 3664	3964	Gbcakg32.exe	87
PID 3964 wrote to memory of 3664	3964	Gbcakg32.exe	87
PID 3664 wrote to memory of 3064	3664	Gimjhafg.exe	88
PID 3664 wrote to memory of 3064	3664	Gimjhafg.exe	88
PID 3664 wrote to memory of 3064	3664	Gimjhafg.exe	88
PID 3064 wrote to memory of 440	3064	Gogbdl32.exe	89
PID 3064 wrote to memory of 440	3064	Gogbdl32.exe	89
PID 3064 wrote to memory of 440	3064	Gogbdl32.exe	89
PID 440 wrote to memory of 5012	440	Gfqjafdq.exe	90
PID 440 wrote to memory of 5012	440	Gfqjafdq.exe	90
PID 440 wrote to memory of 5012	440	Gfqjafdq.exe	90
PID 5012 wrote to memory of 4892	5012	Gmkbnp32.exe	91
PID 5012 wrote to memory of 4892	5012	Gmkbnp32.exe	91
PID 5012 wrote to memory of 4892	5012	Gmkbnp32.exe	91
PID 4892 wrote to memory of 4436	4892	Goiojk32.exe	92
PID 4892 wrote to memory of 4436	4892	Goiojk32.exe	92
PID 4892 wrote to memory of 4436	4892	Goiojk32.exe	92
PID 4436 wrote to memory of 2040	4436	Gbgkfg32.exe	94
PID 4436 wrote to memory of 2040	4436	Gbgkfg32.exe	94
PID 4436 wrote to memory of 2040	4436	Gbgkfg32.exe	94
PID 2040 wrote to memory of 396	2040	Gjocgdkg.exe	95
PID 2040 wrote to memory of 396	2040	Gjocgdkg.exe	95
PID 2040 wrote to memory of 396	2040	Gjocgdkg.exe	95
PID 396 wrote to memory of 2128	396	Gpklpkio.exe	96
PID 396 wrote to memory of 2128	396	Gpklpkio.exe	96
PID 396 wrote to memory of 2128	396	Gpklpkio.exe	96
PID 2128 wrote to memory of 4628	2128	Gbjhlfhb.exe	97
PID 2128 wrote to memory of 4628	2128	Gbjhlfhb.exe	97
PID 2128 wrote to memory of 4628	2128	Gbjhlfhb.exe	97
PID 4628 wrote to memory of 3336	4628	Gidphq32.exe	98
PID 4628 wrote to memory of 3336	4628	Gidphq32.exe	98
PID 4628 wrote to memory of 3336	4628	Gidphq32.exe	98
PID 3336 wrote to memory of 4908	3336	Gqkhjn32.exe	99
PID 3336 wrote to memory of 4908	3336	Gqkhjn32.exe	99
PID 3336 wrote to memory of 4908	3336	Gqkhjn32.exe	99
PID 4908 wrote to memory of 3800	4908	Gcidfi32.exe	100
PID 4908 wrote to memory of 3800	4908	Gcidfi32.exe	100
PID 4908 wrote to memory of 3800	4908	Gcidfi32.exe	100
PID 3800 wrote to memory of 2236	3800	Gbldaffp.exe	102
PID 3800 wrote to memory of 2236	3800	Gbldaffp.exe	102
PID 3800 wrote to memory of 2236	3800	Gbldaffp.exe	102
PID 2236 wrote to memory of 1824	2236	Gjclbc32.exe	103
PID 2236 wrote to memory of 1824	2236	Gjclbc32.exe	103
PID 2236 wrote to memory of 1824	2236	Gjclbc32.exe	103
PID 1824 wrote to memory of 4496	1824	Gmaioo32.exe	104
PID 1824 wrote to memory of 4496	1824	Gmaioo32.exe	104
PID 1824 wrote to memory of 4496	1824	Gmaioo32.exe	104
PID 4496 wrote to memory of 1700	4496	Hclakimb.exe	105
PID 4496 wrote to memory of 1700	4496	Hclakimb.exe	105
PID 4496 wrote to memory of 1700	4496	Hclakimb.exe	105
PID 1700 wrote to memory of 4840	1700	Hfjmgdlf.exe	106
PID 1700 wrote to memory of 4840	1700	Hfjmgdlf.exe	106
PID 1700 wrote to memory of 4840	1700	Hfjmgdlf.exe	106
PID 4840 wrote to memory of 1092	4840	Hmdedo32.exe	107

C:\Users\Admin\AppData\Local\Temp\a691ddb33477981eec57bfcaa82e35a0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\a691ddb33477981eec57bfcaa82e35a0_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\SysWOW64\Fmficqpc.exe
  C:\Windows\system32\Fmficqpc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\Fodeolof.exe
    C:\Windows\system32\Fodeolof.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\SysWOW64\Gbcakg32.exe
      C:\Windows\system32\Gbcakg32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3664
      - C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        24⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        37⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        38⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        39⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4856
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        43⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        47⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        56⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        60⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        63⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        65⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        66⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        68⤵
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1516
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        70⤵
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4328
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        73⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1788
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        78⤵
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2312
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        84⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4780
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2468
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        88⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        89⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        91⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        92⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        93⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        94⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        96⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        97⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        99⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        101⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        103⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        104⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        107⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        108⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        109⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        111⤵
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        112⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        114⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        115⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        116⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        118⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        119⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        120⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        121⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        126⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        127⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        128⤵
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        129⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        130⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        131⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        132⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        136⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        137⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        139⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6328
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        146⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        147⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        148⤵
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        149⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        150⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 404
        151⤵
        Program crash
        
        PID:6628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6536 -ip 6536
1⤵
PID:6604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
96KB

MD5
f0df5671ed949d47646cf390e42afa3d

SHA1
e876c5d675d7c55ddd57c21256522f7655a36629

SHA256
1aa91a778e60d7045598a1ab0f143e9c65f798b41e0e0ade7b70bf6f2163c65b

SHA512
b91acfdcdf9082d83210a9bc8de897e714556526289265d42c7825e29e53b161ecc7209fc120f73f15082c4623d9eb8614ac455ff47d2e8ca312961ebd055078

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
96KB

MD5
2cd2485bf0dbdce4ca0ebdf4dc5294db

SHA1
9de2c44a77d16dedf61220df01585455683625f3

SHA256
25eff7f56bf2d0ea9769e08ad5b3522151bcc4b55cde3dc904c2374adfb2818c

SHA512
569235fb7281168710af79ff8c02d7624a64e8e803e10ccab7b4917fbfde64dae0eb911c8a20da95f55aca7518f6650f3d5f22062286b8f2dc19db54c8401c06

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
96KB

MD5
d12a4aa9fb1f45b36b91f3acbde6d145

SHA1
4c4ddecfbf68157aa7e78af0748d9ea8f5d2ac78

SHA256
8de2e4d156d6e60e40e80dc1892a107f203f184d1890ef79c3a3b309a44ea577

SHA512
63a77f180dfad886a80f444cf027787bf8b28da46c1b3d0f74378feba204de0789af1e065f58a5ce78bb9e1d758d4416c73c1b84fd1b0680c64472f73111d457

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
96KB

MD5
ccb88807139f863f4cae4c4d44bbec7e

SHA1
a3430382417c68dc86d5c162227d1de395c9f742

SHA256
8ada3fabda9ce7be249b90876c1cbb140dbe047ed1367bb1783a061b9b81bd57

SHA512
6e7e7920aecd0622681b9e698e9db809580a3deb4f6890cf9248dbee07ed82463bb0e0a4b60297fe17a7a2802bd6155e9fb87f82bfaaa4349e6a041f1d9552ba

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
96KB

MD5
fd3a7c1c4403dc09207550553f485878

SHA1
24569354bbba1ec393044f05d7dcc9ce305b329d

SHA256
28f2fe730023c939a2913cbcaee289b7e83f14bab39b742404c9a521c1ff03fe

SHA512
177fa6baabe677305192a1a94bf7bd42a3b437dadf3292ad56e20c81b03c6cfb7fa334f0cd39431bca526f0d6902ab8904a7c384729f63c58299b6002fc007ce

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
96KB

MD5
a219e375a8b1d88b8c8d050a787b47dc

SHA1
49f3d80578f4a1e2275132db7108ea11094b4db0

SHA256
5fa8508ddc3063642fcefedde2bcd406985b197b62bd072409048b1e3a5cf2da

SHA512
c4d1f61650644352d3316148a886e4d32fdfd1f23f6b3992df54d01af4f4e06e8d772bc3462fa99cfb914daa29c4a30b1039360ca231a02cc285332e6da3be19

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
96KB

MD5
400ff908ad97831b7d377e532727aa5c

SHA1
4a9513c9d7f533983eacb5ac407a9a86d39d4f65

SHA256
b69e8aad15104031963350a318f0e0cab952fde77bfbcab7989543147d0f1af1

SHA512
9b570944f4e6b6f4bb36546b1a4cbd5aac62842d49abf850913b6b3548c979fb8610d45c608aed743ab630cd43afb0e0807d5708b44448e014f410dce61ab8f4

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
96KB

MD5
b5ad9edd63bafe1c9f91d3c4f7405f5c

SHA1
5af86b6aa8ef0868d10ce0ad8a7ae54ef957d940

SHA256
3011fe9b5d18f17988dd99587eaad09e44e24397c216026cd588b11af5ee694a

SHA512
1f4bb3fd3655e6ff9c82ff20555ba6923fcb158e86d801613ca4e86a51173f73a908c9bd7fed7d74e22a02f2abd6ed9a8566c0a2089f6574450cd0471bdfbbc9

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
96KB

MD5
50f5d04d2f58d36b1b69e1757cc38d14

SHA1
bf1b920ed1da96eff96b2ef06f52c1a66441031c

SHA256
0344affd1267e53f1f27a99762e26323f3064daad0bf297d216a39468fee28f4

SHA512
d4447152f03b099d156a84def4dca2f8bd6867afe3df4ec54615ba5c2196bff447ae3c5ebd8ee688c3aa9a45a57ca68ab2e0ea1cd1d57d5586c1563eb9182a3c

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
96KB

MD5
d0ad5494fedc9348a41083045d0dbe59

SHA1
b5ce0f19853a05a393c933cdb61d65feb8e6486e

SHA256
01efda2efd0225802fc40ff5130cbd92762a240461196d600e24ea1c37ace2d3

SHA512
d0e1fb670180d8bc2ac3cc73dc3e67a6e20b21d578015d239b9a1eb5ff5922fe1483ce0ade118effea6a13350df30ca27059dab5b9e923ddf4d6df76f07ad3e5

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
96KB

MD5
578dc5bdc29ab4e622309d6ee5bf39ad

SHA1
add15855fccd6c77e8936263fb14dd02d145aed5

SHA256
f27fc2d2bec9b955605dea36ba1ae26d4830e35560670e1d6bb0510f1755ce13

SHA512
73a417a7eee3ef9be1a65e4f2392440ee6617af8cfc931dffbb0eb9cbc2ef2ce24ef62995e5875b219e6acfa27f2f60a654a3100779acb08d0b67018e084c7c8

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
96KB

MD5
1a827211976a39147b19e5f971653eb4

SHA1
720de7cbc438f1a25bfbfc97971dbc35e487dcc2

SHA256
da200890a5c876063ca51b20b6204363332521fa6d443f231b28db193e272548

SHA512
b6943559162b58fc6b87b89d35e7903d45ba2575e30a90b47f5633156d7a79c991ed3e552f06af1e49fe71fa7b8c7cba786bf889d8b3577b4d489a16ae075f68

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
96KB

MD5
a3176cbb76021643632b09896a30fac1

SHA1
0e951ea730c3ed3266d04ab70a6d8a15b9dcbabf

SHA256
9c0db6ca368c47d086eb3b615197357e3d92aac9e530008c8b8aedddfdd1f5bd

SHA512
359226ff7adfc6927173ddd503f42f6e2e709071a05f1b4f83cfe41a91466d987009f9ae864852aee9b7a9fbce9133f6d25c5baf5bb361dd8e90c4ee993bc368

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
96KB

MD5
51c3f2448feed6e453779dd8cc5d94c4

SHA1
93b149cc7db5ce18c8c9ef7d478735e2e2051183

SHA256
53a8f38a37d9539c28c46e48c283a051ae7bcc4d1ffd153a88373e3040de51ed

SHA512
e0a43f86cdb1801ef2ef460527bd31e497bef309b9f9d42d3433e2c8e06f521780d4de5add1ff4197b6e22dc99369ca8f94530b06910b542ab7cc617256f2302

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
96KB

MD5
43bf1f0959177413ff211c1724a00ee3

SHA1
bc194f2c217220d915c67ef7f434f4a5c38c0e33

SHA256
a40d57c0bb1babf4760ff34250413d5d8b6187f0d895529b5ce1a988a4edc298

SHA512
0d2bd4498294f7ab50f1c4bbe491998ee3896e7bdc3abf856f39a39ecae72f79ef972b9f907666f03dd9b5d2cbd9ef188347c38d5991535ab4dcac7ff3f714a3

Download Submit
C:\Windows\SysWOW64\Goiojk32.exe

Filesize
96KB

MD5
0ab3a9ea72f0603cef6eb6956a4932ab

SHA1
ab24c06f07fac79450a2cdcda4a2fd2b034c8f13

SHA256
942b085f752f68b63c146286c8f42405e7ebb5a09337466e19617ac094acdaa2

SHA512
6d48d120abafb5f94684079478e020588d3a5fa2070d805c2356f8aca12a0c4663e00f805790d2e784b07349ebbe1629a315c32ec994b9ac4882e919f49b9fd8

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
96KB

MD5
7cfd2e0b8fb2c0a3b7fcea117f138067

SHA1
b26f6d12345aefe96d8b2fc66c0a54d8458fe184

SHA256
e690c0097e88b1e620a67ca3bb0e8fd00d9781368a2f24093fe0433913952d7c

SHA512
ebc784114bd09ec5aee9b9c9315fad7281f6ae2b73c2587227cd80b2a2f80b665d0ced2bc1f5690d44c04a3155f9782b070af73cf80293c5bd1b1192b8504743

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
96KB

MD5
1fde6c9cc12ebc5ee654858881db3b05

SHA1
3bb519ad79cccf8454cd27a36b9fcd7d6ef41465

SHA256
42cd5a8630c307ced55d7504af2190273b2092c7fa47afc7c6d0a1d551477ff8

SHA512
e29e5ca17a0a0c41224dc13a66d93169c11f62400fdf467ecb440b5639c39f8bca0bc560f0e39e6f4ff2096ac740e74b91738feeb151b95ebabbd08b1c65aec8

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
96KB

MD5
5b1d985e4bfa6284fac2e229b24c4347

SHA1
379069d51f774c8409b0365eee395c0326727928

SHA256
63aeec73a46fa10d9fef4c38e98d07030af778f58b10262b0a653ade463c15c4

SHA512
db9c265e14f5986d193b52990a1998a52ef452926bb1d8e49cf9ee5df0e293b8dc5222580b3ddbe26945d0e0a5deb24a2101695700c49413a827896336feb798

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
96KB

MD5
855ab21aece0290b608a940a2de38c40

SHA1
d749a5e9513f30438babf4bc0e7663f2dbed5de7

SHA256
f777e4cbb75c1e3a3e350c70a88a42284b4fff5f7f5a34c1c0e4df3f3807278d

SHA512
a36c805926009d210ec69d195005d45a5360d5d3f695ae8979c988145d1bf3439ff1e111dc8fc0634e35f1c5943b1a177a46fbeb67618957f8bc1356a128899d

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
96KB

MD5
486d10806126ee60c5514dbc060d0b35

SHA1
916ad59cf3f3b2d28a5abbe1b273f8e2cd7e197d

SHA256
9450b1b631b05760316e14259b408ca68c1ebb0446b5ad3d6a130891d9015cf7

SHA512
8c174c702ab568b3a76716a9bd680b30ddcce190fa472335b91a4fe02d42071b4192c88b6e4929fd29ba821d1928ce4cacab2ea6196e44e0882eaf6aceff87b2

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
96KB

MD5
a586a572cbfa17854c74c4cde053b0a8

SHA1
66b2e378afcbbdc4d477d396a032424ea8d41a0c

SHA256
77d559addddb46f5edd5b84293d71631a1d6b81029787bcd07a4128486088f1c

SHA512
f1938b2981d294eb65272547f0d82c60de16ad4c2f246b522ab6890f5450d56389da7f8ee25b1fbfc2052a1c634e4fef6c83cbcda747c704f531771d4d65e3b2

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
96KB

MD5
d5157d506bebdee823a3446185d864fa

SHA1
b7d93347ea34116237ae0b981bc913675c23b6fa

SHA256
c2c5bd018841058b6293c2c19b6e999f49c046ba5c8cd88d4300a9d97987932a

SHA512
cd40d7d4a23a37a0ed6bca3e6b06834bb40caaf21c16573469acb6969a9b7777c0a1ad2ecac5f92c2d522075af9c8ea709772598127f68a6eaeed201f7d2bb52

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
96KB

MD5
418bf56865c628d15f2990c3d73dc243

SHA1
f911443a97e518943294e40ef5b6036cbf6b7922

SHA256
33886673c4923503c993c807612744bd00f7627f912834505dfb194fb22b7bab

SHA512
1a9663b6f55a6e70af9c6e8276e12596444855e5828d4c7b99671e68c5d03784ec842383d984f2258b0371c65a7ac0cd6d37844fe31b340c4e4f7bd2127c40aa

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
96KB

MD5
57729fee7be83c9d06195c7840f93440

SHA1
c050b5c3311e5269664ee80b3656da0ec6b0b710

SHA256
f8cff8d3dbe2f8a79e15732e69706d36f197d493380eaddce9b4847791b062b7

SHA512
c0a3bcd8ea29d1c3cd9f343c2a5183e878178554b2057378e17f97684d7d054faebc5923297b2ba3def06993c365bd2292b19fe0a12f03f737e3f7eb2abbb389

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
96KB

MD5
83d61430cb67a11cdc8f7a1c7a9ddbd7

SHA1
f343f4dbdd142ef9a773dfc125b1a7e295bb829b

SHA256
dc715fc3a878547c52730499cb5bb8cc0b907dabe0d42a24bf5d896d4e50c4cb

SHA512
cd240d5a0b162850ae27d8e7040fcd9cb99420cfe9df4aed2d590b2fa012ac161a68e437a58b323596f8d916b39a7c6e8e17f864fa76d044da66180ab9f43b11

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
96KB

MD5
ed112cabae8cabed6d1c50384c590848

SHA1
f8d0abbcf717b069bc1084d4945a655d13a814a4

SHA256
c5a3e251c6a84946c62104b080fc0558dbd025b2cd6f731aa6cd9e9f5e578b5a

SHA512
cd68dc419878f992ba5d81a7b090840af46588a9c2a780378516f3aa0d9ebb1eedf92b21f1e6fded1b8b3ebc7c015f530a5e0575462362ceb79a37ec8ab87003

Download Submit
C:\Windows\SysWOW64\Hmioonpn.exe

Filesize
96KB

MD5
f3050aabda860dd2e7c4a42423f4ea91

SHA1
070e44a07917be3266d6238acc237e6b4dea2b7a

SHA256
02a802d2292f0d19ce8e8ad107b1cbcae54651cb1182dcfe3d5522fafc9d7ef3

SHA512
aeb18866853d83e5bf3041e4cd36c0c92f27348dc9168125d9a3dc0379e6cf7f78c1cb691618b15e34c6e55ce0f8bcc9eb35c9ca23b3050b0127be5a58686d01

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
96KB

MD5
6b0daf2372185d09fc9729c74b716104

SHA1
115ad31d8982e56c540f5209d771cd670ffc072c

SHA256
64d46df4631e56eb42a9e8d6851b23b33498f275d0bd84ca456b10dea7a96272

SHA512
5a50b1ebd25549cf41a60ec026baad2a106662df0c0e2cedd9b44729f549dc227c061b3854e4995143d903fc80effba0f18d6d25cd04a11d9d8bc77716fc82b8

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
96KB

MD5
f88a321f757ab5c02e6eb517513da0ff

SHA1
9ce7700e3482e3a00a9babdeaccfb8f9dbc5003c

SHA256
d7212b7a156958751e65fcac4d06971b2059a5a5b5dc51aa266d6f8b966f378d

SHA512
d88578d13c4f70a2bdbfa5c2eda450017c1e70bb0a790dd7aee61d7479bae0609b8b83465a783fe48eacb66b59cb2cd00619058e3e15d7c52e1df3c83ead48f0

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
96KB

MD5
11da72f7034f066b2824a542bcc48562

SHA1
0c1ecc63333de80634f1d8818ca94c6a13f888f0

SHA256
95a31d95082539eb00b423bd5308e63814344dcdccc665622a618821411001bc

SHA512
a942b9416199a875411f524fede78d883d4dd1d26aafde208106d398bf7091b4b7b9c752812fec6cbd1b9acc3876f2699745a4407e8f2668f88d623a306a160a

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
96KB

MD5
22011f3e768820fcd89b5354e5c50615

SHA1
dfe068da0333409bffeef05666b0bcb091c14aba

SHA256
0e3089a0ad562a9d6fbd5914837a77f0108dda6ad2364019e6600bcb83dfb81c

SHA512
749f065e9d05da43458f8ea0e38ecc14556d216dcf51b2164c83fe0b1aec17101920dd7b4827a007b34803b68c9b3a19c7f0fa01804d059446234279f7618bd2

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
96KB

MD5
03dccd87ed2001b0a34fa4bd0e439f2e

SHA1
1206a7a17e88423b003c2c96ef32cfd8978bfca4

SHA256
12a1a720bb1bd7794eb6cd893a7ddd5a46be5b66b94c8343f49519de5581d052

SHA512
331096613c791aaa790ed75ff4810ce3e03a131fbb9188aa2bf03ad397863601a2976785487ae1891dd70f0bc8b0db65fd83690940a0187a9c226589705b79bb

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
96KB

MD5
d66bd1e1e89cf56335c6905256c44cfb

SHA1
b6044f49299f4b49c588c737bc53fc307900065f

SHA256
de54aeaafa7dca09a34e370298afdb970f6ece71301650682722ebfd87ea50e7

SHA512
93b9f0e31b9232c0da72e4b529f7784581b461fbf3e575e1e1ed83e7709d5577afa09c829d24cea5df434cc63ca0162f45e71e41abe2730cd87aa13f16c022f5

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
96KB

MD5
ab3b3b6ddbea0f1573a73cff454a757d

SHA1
724777b627735e6fb0ab2d4d548fc518ccfb5c9c

SHA256
7c25580d09496b5e5f0b74532b4dc1bbd8ebedf66cf06896ebd4cb7a8c79e3fb

SHA512
9589af4aec214d860541eaab7505443b0d7eb5c985f188e240ab86297a5f2332ff2c592532340c3908a915653785567bdd39cfc0f0ff3f9d4a9bf9e741dd5ac8

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
96KB

MD5
edef0ef753b530a48a8b11eb5e501c10

SHA1
4ea64decd5a41c50ae7621787daaaa9a664bd2b4

SHA256
0c4c4b586a30d99fa6801918b38dcfb5f06af2f84152fbba9e17296546b20ed2

SHA512
7f9d1036a68ac5804c64690c2131df3bb43dd1a14bd10ef8346c6257227bbee2ff583e3858ddaa18ba77b5df42abe67359e07e338f3c554dc8068402779253d8

Download Submit
memory/216-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/396-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-590-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/720-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1084-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1440-534-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1928-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-561-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2312-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-582-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3040-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3404-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3508-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3528-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3572-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3824-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3904-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3904-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3956-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4200-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4240-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4572-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4600-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4628-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-568-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4844-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4892-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5164-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads