65c7b2f9cebaa1d28a0856d17cec27b7b05157ebaf9cebde19a880c71af16dd3

Analysis

max time kernel
133s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9c9fc201a60978a684ca53fe8752990_NEAS.exe
Size

96KB
MD5

c9c9fc201a60978a684ca53fe8752990
SHA1

2a891bc257d6fdbe99dac20d504e7bf7eb32a778
SHA256

65c7b2f9cebaa1d28a0856d17cec27b7b05157ebaf9cebde19a880c71af16dd3
SHA512

cd1dcded4f73ead33b4611a59aa9dffc5903cbe0ace48c54b082acbcb127d41b122716e706236ba76d12277bd02b8ef9eae89a517676c5054868423a764e6f34
SSDEEP

1536:klJ7L2dyF02pGL5hUpR/j6QvgWTWS/k68y0g0Z5eq19GYAWQhrUQVoMdUT+irF:MqdyFBpGA9eQvg6WS98yRUsI95AWQhry

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c9c9fc201a60978a684ca53fe8752990_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe

Executes dropped EXE 64 IoCs

pid	Process
2032	Fjcclf32.exe
4356	Fmapha32.exe
3644	Ffjdqg32.exe
1484	Fihqmb32.exe
4980	Fobiilai.exe
1884	Fflaff32.exe
1052	Fmficqpc.exe
2440	Gcpapkgp.exe
4284	Gjjjle32.exe
3892	Gqdbiofi.exe
2608	Gbenqg32.exe
4552	Giofnacd.exe
2456	Gqfooodg.exe
1508	Gbgkfg32.exe
4000	Giacca32.exe
4936	Gpklpkio.exe
3928	Gbjhlfhb.exe
1348	Gidphq32.exe
208	Gqkhjn32.exe
3324	Gcidfi32.exe
1204	Gfhqbe32.exe
2916	Gifmnpnl.exe
1228	Gppekj32.exe
3380	Hfjmgdlf.exe
4848	Hmdedo32.exe
644	Hapaemll.exe
3320	Hcnnaikp.exe
4412	Hfljmdjc.exe
2104	Hmfbjnbp.exe
1356	Hpenfjad.exe
1564	Hjjbcbqj.exe
4316	Hpgkkioa.exe
1888	Hccglh32.exe
4448	Hfachc32.exe
3432	Hmklen32.exe
840	Hcedaheh.exe
1640	Hjolnb32.exe
5052	Hmmhjm32.exe
2484	Icgqggce.exe
4792	Iffmccbi.exe
2400	Iakaql32.exe
848	Icjmmg32.exe
4976	Ifhiib32.exe
3048	Iiffen32.exe
1436	Iannfk32.exe
4940	Ibojncfj.exe
1860	Ijfboafl.exe
1940	Iiibkn32.exe
1496	Ipckgh32.exe
4860	Ibagcc32.exe
4548	Ijhodq32.exe
4056	Imgkql32.exe
4956	Iabgaklg.exe
3484	Idacmfkj.exe
1664	Ifopiajn.exe
3964	Iinlemia.exe
2080	Jpgdbg32.exe
3812	Jbfpobpb.exe
4968	Jjmhppqd.exe
1404	Jmkdlkph.exe
1880	Jdemhe32.exe
5080	Jfdida32.exe
3256	Jibeql32.exe
3860	Jplmmfmi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Jiikak32.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	c9c9fc201a60978a684ca53fe8752990_NEAS.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Ghiqbiae.dll	Kpjjod32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6196	5256	WerFault.exe	231

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c9c9fc201a60978a684ca53fe8752990_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 2032	4224	c9c9fc201a60978a684ca53fe8752990_NEAS.exe	83
PID 4224 wrote to memory of 2032	4224	c9c9fc201a60978a684ca53fe8752990_NEAS.exe	83
PID 4224 wrote to memory of 2032	4224	c9c9fc201a60978a684ca53fe8752990_NEAS.exe	83
PID 2032 wrote to memory of 4356	2032	Fjcclf32.exe	84
PID 2032 wrote to memory of 4356	2032	Fjcclf32.exe	84
PID 2032 wrote to memory of 4356	2032	Fjcclf32.exe	84
PID 4356 wrote to memory of 3644	4356	Fmapha32.exe	85
PID 4356 wrote to memory of 3644	4356	Fmapha32.exe	85
PID 4356 wrote to memory of 3644	4356	Fmapha32.exe	85
PID 3644 wrote to memory of 1484	3644	Ffjdqg32.exe	86
PID 3644 wrote to memory of 1484	3644	Ffjdqg32.exe	86
PID 3644 wrote to memory of 1484	3644	Ffjdqg32.exe	86
PID 1484 wrote to memory of 4980	1484	Fihqmb32.exe	87
PID 1484 wrote to memory of 4980	1484	Fihqmb32.exe	87
PID 1484 wrote to memory of 4980	1484	Fihqmb32.exe	87
PID 4980 wrote to memory of 1884	4980	Fobiilai.exe	88
PID 4980 wrote to memory of 1884	4980	Fobiilai.exe	88
PID 4980 wrote to memory of 1884	4980	Fobiilai.exe	88
PID 1884 wrote to memory of 1052	1884	Fflaff32.exe	89
PID 1884 wrote to memory of 1052	1884	Fflaff32.exe	89
PID 1884 wrote to memory of 1052	1884	Fflaff32.exe	89
PID 1052 wrote to memory of 2440	1052	Fmficqpc.exe	90
PID 1052 wrote to memory of 2440	1052	Fmficqpc.exe	90
PID 1052 wrote to memory of 2440	1052	Fmficqpc.exe	90
PID 2440 wrote to memory of 4284	2440	Gcpapkgp.exe	91
PID 2440 wrote to memory of 4284	2440	Gcpapkgp.exe	91
PID 2440 wrote to memory of 4284	2440	Gcpapkgp.exe	91
PID 4284 wrote to memory of 3892	4284	Gjjjle32.exe	92
PID 4284 wrote to memory of 3892	4284	Gjjjle32.exe	92
PID 4284 wrote to memory of 3892	4284	Gjjjle32.exe	92
PID 3892 wrote to memory of 2608	3892	Gqdbiofi.exe	93
PID 3892 wrote to memory of 2608	3892	Gqdbiofi.exe	93
PID 3892 wrote to memory of 2608	3892	Gqdbiofi.exe	93
PID 2608 wrote to memory of 4552	2608	Gbenqg32.exe	94
PID 2608 wrote to memory of 4552	2608	Gbenqg32.exe	94
PID 2608 wrote to memory of 4552	2608	Gbenqg32.exe	94
PID 4552 wrote to memory of 2456	4552	Giofnacd.exe	95
PID 4552 wrote to memory of 2456	4552	Giofnacd.exe	95
PID 4552 wrote to memory of 2456	4552	Giofnacd.exe	95
PID 2456 wrote to memory of 1508	2456	Gqfooodg.exe	96
PID 2456 wrote to memory of 1508	2456	Gqfooodg.exe	96
PID 2456 wrote to memory of 1508	2456	Gqfooodg.exe	96
PID 1508 wrote to memory of 4000	1508	Gbgkfg32.exe	97
PID 1508 wrote to memory of 4000	1508	Gbgkfg32.exe	97
PID 1508 wrote to memory of 4000	1508	Gbgkfg32.exe	97
PID 4000 wrote to memory of 4936	4000	Giacca32.exe	98
PID 4000 wrote to memory of 4936	4000	Giacca32.exe	98
PID 4000 wrote to memory of 4936	4000	Giacca32.exe	98
PID 4936 wrote to memory of 3928	4936	Gpklpkio.exe	99
PID 4936 wrote to memory of 3928	4936	Gpklpkio.exe	99
PID 4936 wrote to memory of 3928	4936	Gpklpkio.exe	99
PID 3928 wrote to memory of 1348	3928	Gbjhlfhb.exe	100
PID 3928 wrote to memory of 1348	3928	Gbjhlfhb.exe	100
PID 3928 wrote to memory of 1348	3928	Gbjhlfhb.exe	100
PID 1348 wrote to memory of 208	1348	Gidphq32.exe	101
PID 1348 wrote to memory of 208	1348	Gidphq32.exe	101
PID 1348 wrote to memory of 208	1348	Gidphq32.exe	101
PID 208 wrote to memory of 3324	208	Gqkhjn32.exe	102
PID 208 wrote to memory of 3324	208	Gqkhjn32.exe	102
PID 208 wrote to memory of 3324	208	Gqkhjn32.exe	102
PID 3324 wrote to memory of 1204	3324	Gcidfi32.exe	103
PID 3324 wrote to memory of 1204	3324	Gcidfi32.exe	103
PID 3324 wrote to memory of 1204	3324	Gcidfi32.exe	103
PID 1204 wrote to memory of 2916	1204	Gfhqbe32.exe	104

C:\Users\Admin\AppData\Local\Temp\c9c9fc201a60978a684ca53fe8752990_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\c9c9fc201a60978a684ca53fe8752990_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\SysWOW64\Fjcclf32.exe
  C:\Windows\system32\Fjcclf32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\Fmapha32.exe
    C:\Windows\system32\Fmapha32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\Ffjdqg32.exe
      C:\Windows\system32\Ffjdqg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        27⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        32⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1436
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        53⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        61⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        66⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:460
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        68⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        69⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3064
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        71⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        72⤵
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        73⤵
        Drops file in System32 directory
        
        PID:2044
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        74⤵
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        76⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        78⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        81⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        83⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:976
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        85⤵
        
        PID:752
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        86⤵
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3488
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        88⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        89⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        90⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        91⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4420
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        95⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        97⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        98⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        100⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        102⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        106⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        107⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        110⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1544
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        119⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        121⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        126⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        127⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        128⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        130⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        133⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        135⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        136⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        139⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        141⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        142⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        143⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 420
        144⤵
        Program crash
        
        PID:6196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5256 -ip 5256
1⤵
PID:6164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
96KB

MD5
3499f60928b5241cc1ddb0be9bcf3919

SHA1
3d899065b605fcfc509bfedfe6f679b5f6aa8e0b

SHA256
fca2ac4a80d8b8cef6dbc6c9ffb32ba37d842b61b039adaa31eeb0453dd29306

SHA512
65c9fc15f0a11c7311d9f44dc7f0f1e45c9f904e93d2f53a27d6f664fae866459c4152d59e319f542c1ec48eb0de62d8ccbcefe2eb24ab0d8fd26f0669c1d26d

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
96KB

MD5
20880a3b6f991ba2f18518cc6ab999ce

SHA1
c51a3718398431a1256522bcd9fcfa5ed2654e17

SHA256
2a4f6b4ded71a2ed690d4230d0db50c614328dfc057649fec117df0e0b63262d

SHA512
5a8ea9a328a7fa9069a8c5bbd3db3c3eb5254da8f806fff77d3b460e50bd4b0b5cdcf3d43c94da2568af2a481e6ea9fc85b2b1d9283ce18e80f56344f397ddfb

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
96KB

MD5
c6839ed3da760acea22e580c5ac8a51d

SHA1
b555fde37b89c77639b186e11dad509b35804215

SHA256
f517edae58d4ad8903244a686f3768f713933cd52a448f576423a66d34bfcbe1

SHA512
0bcafab3e8adb23600b13444c1f75b8418637f6d50edf26ffb1ad36553791cd5f587e03afd199908f9f2077cc9ab7c1a3e9f6077897b60a8d15feb9c0f68e502

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
96KB

MD5
b2c4828421063565851b4431b312e0b4

SHA1
0a954875330ef28fd2a13fe7ee13f70961417e87

SHA256
852b6618af9a56b7b963dc7ab3508cd1a1982abf36d59d5d6f37ab4053172bf8

SHA512
119c354fa2ed7476245eb2562ed7dd1226bf093d38631e034c120cef14003056a873dc1b4ce5ce666947d535b104cbd42312d8be28145cde85cc0801f9a51b6b

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
96KB

MD5
c73433d5c48fa9a5bb5f413c4693087e

SHA1
dfe07290be8bfa4fdc535dc1cbeccd56e4b9ba35

SHA256
41b5a41f4c7b2f42c1d3a4507fc6afd6a91ed7c0e11e7e2632ed2c9ea43fb3ad

SHA512
cc3ed3c8aa814fd2f5cd2f3404f94d10628df4b0b22b81f2d83381f78ee924b801777eb06931010d90e97c28fc4b4acb9a2256947ed70c2c1846824ecb0d02cb

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
96KB

MD5
204e50f4777a823e4c117db346f75286

SHA1
93396e9c5b59d25cb9dfc473211c2afb35616489

SHA256
6d16120dced68418b45ca4a9e7d4347c0e1df2c927014a1c46d13138c6c1de52

SHA512
47b604645c310926791df2d68ae5cdd4b0da253e6dd6438158a0894867e1c0bfab3bcc188e46afd865be67d8b94e8bc9dfe6fc24609ffad0a8c1afe2c263de0d

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
96KB

MD5
1d51ea15130c2280a492841c21161f2f

SHA1
5f2b45a5ac35ec5eb6735fc9665f8b6b49fb1f1e

SHA256
0a871acdcce487f615b693f6ba98bdb656c4ec170c426789b00f3ca29dfb74c5

SHA512
0d03cc733e886111dc5bf863020bfe1419c8950d03d6039215b3b9a846eace69cb37413c9440c57cb1c73186de28fcd15613df1aea89e7ca9a4bbc67f9c52620

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
96KB

MD5
edcc2f57a0aa77369689d0d65e731267

SHA1
fc89fd2c4dd7eb22aa1ab8d2e175c695be18ccfa

SHA256
3733fa8a0a3ab9bdfd1e9765df42fcc121ea1e41a301a0a5ad5e270b37eb376d

SHA512
1dadf31254416aeef872152ffd80694432d2b3f6f1ba99b1a2475c0f1e6b30b0c5ad598534fdba84b2c096775c15204277df3c8df1eea48128e1f378f3d3c32c

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
96KB

MD5
7773cb25f0df01382fcb5cc5cd7236c8

SHA1
7254277eb6fe1ab58b0bd8530bcd564aa9f3ecb5

SHA256
de3d7f98f2138b98cea613ffce0d3b0c7925de01a65d77c8bfbdca08e2742c6a

SHA512
850e7be6e581c0cf0e9bf8aeb91cbef5cfbe4a6d24274a245b4c1d1a098c739d204efc2f462bf2ee2e1ad23e2880ab0639490ccc5b49a2ac56fbba09f4528742

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
96KB

MD5
f49eeaabfa8357c3cdef47cfcd4fd0be

SHA1
c73ecddc8b1ee12aab3b7b2ab09a677f952edcd4

SHA256
0220d71a62fe3a1ecf7dc525234762a1768e4606156ee243f9e91f03ee4c8368

SHA512
379eacd4b323db1b41d192b38cae0a26fee630d8966657322279219f8974724cbeb6dff2b6721be8cc7101fe778f89ed3959c46f0759c63b0f6cb0f216b25206

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
96KB

MD5
fadee6cf11b80290331ab3292f89eb1f

SHA1
9706bd831075444ca4ce56d59d58a57d7bf7b89c

SHA256
6442f270ea43bb0501be0a45c78e4191a1acd5547097656358895f9f2cffdd9a

SHA512
2b905f3eabe0f58b20e0123efce8cdafab5eb64b8adfb93c6663d6ec3f1f816b238102b641b1e3bd5843b268103ddf70af12706e1efba8067fe0e53a799dcd26

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
96KB

MD5
c406f7b17a8f11b208b96c4e275bc54e

SHA1
8f93a8b490644472c5e234dbda68eb5f80528346

SHA256
ae2de4cc2443e417120dbecf04f58e5bef68cf87dd70120b7290a3ab58e917bc

SHA512
aa0a9d06dde711a061332a0f92fc45654816b4fb4b35fda799241cf050fb860aa095afca7d9d47a3af2ed9d8eb5bdd56dc5ab6a6c3873cf7328e794e666e6426

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
96KB

MD5
4adfe657667d05396efed467a3d2f1f8

SHA1
a7589a42334e4cb4a118c3d3373211a1e0ee9bcb

SHA256
d19fc966964ed632a5ac3d3d49c13793ebd05619a4caa560c08fee0de16ac86a

SHA512
a7f619e85c6e84237fb79390417981230f3a918204ad714f142b583807b611cdfa7cee76375010a49c6f2f154b3acfafd933890891718793db98ad4b4b95438d

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
96KB

MD5
c7ff4804840dc37da2cb624d07cce1c0

SHA1
1de11c6038d4457b624d2cc9d3e86709bc9d432a

SHA256
e39e70c58800289e4784f37c188b314afe69b1bed548d88bb8d3f3659563d30a

SHA512
ee4fce5de9bda866170727d1b60574246958db75c4e21c2488da672c425fdfe7f5a34e9a7177e28d4666cba0b92d4beb17cd21dcd1dfbecf5cbb558a2fe6e84f

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
96KB

MD5
3b4041a708bb260f99337e10b526312c

SHA1
f52222454ffb7a1efed4f2146763d2f242d13669

SHA256
b488cebb4c38b418c96dbab414c9dc3431902dd8fca6bba2fc371d18868edc02

SHA512
37072d010ab1c122a5b4b37eed20d0b2121029a9e11e0818cbd40b679eabe72de582da4809b8170ecc8c946aadf6eb375f4d843cf4f1a5832b44744e297f190f

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
96KB

MD5
666de2cd5df927f4890838ca40d3c3f4

SHA1
8968ad0d341a00e31c048e00962c82b63860d9a9

SHA256
fecc3d1e3445ac16cadc40b592ea3cb5feb5a2e98a3016bc8046516cbbb7eaff

SHA512
910065f2007de5ca7844dea486b2074b52ee6acffdd94d30a174149d9b1d38aea058a8d1c5b61e709cbcb474660ecfbac7b118e4f732f3bfcb9e48c5b6d88bef

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
96KB

MD5
fde1bee3381435ae094461dffcd89c78

SHA1
c8e7c483fa8f4441d4b8ca866ff4aa7ef42e3bc7

SHA256
9c4744d3d99d7222df8475d49fe8dadba87e07a8cb526471bb083cd3ef966bde

SHA512
8ffd37f509e56587cf38ce53d74367dfd512b26eb97cae96982fbaa1225e19b8f2210e5b40c273edae0d3f87c217b8b90546953cb8c66cf11778f4fbd7565eba

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
96KB

MD5
ca7225e89ddb89a6c7066c318114b253

SHA1
36350fb58328c13049d36a596f57c47717507716

SHA256
ba30982e3c11fd1968635914ee75b4920aaa93a9d0e9c59dced73ffebff832fd

SHA512
debedcfaff475ecc62d59c83e113d931fa0fd8378c8405e96fd42f37ee32775d2a106aeeae050f11b0afc7829bf4b232fa894ddc31f7a6acf4180cfe65607b59

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
96KB

MD5
6e11e106478553272c1ceba2bed1e820

SHA1
5989dd3d394fd621ee574afa8ccbea88ad37e8be

SHA256
a8f45b747a19581ebc54210d634c1a792af2831c6e4110dfec2d55f46bb9c8a2

SHA512
7838c61ba6f6d91af546ca8e2bbe8693ff1bd4f7716be2295e71515f1e5341d59b19192c6a260ad58507ed8d5b3092f4f9287be384faab023da0a75f9fc95b2a

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
96KB

MD5
187de7f6b96932de63ff2742fdb70417

SHA1
0d797f0114da362c5bf5871302fd6eca41ffd42e

SHA256
bd05f01834a3bf0747a3801c69aa16e9f2b6e8bcbe8cc5036556a975d52ecb40

SHA512
69b3cb212cb90e74b7acb49ec9e791e05bfa59d1fdde895ced0bac2aa0ab67273e1300fde9e8072c03f1f308e0d21b0405568b7d77c78e6f35798ee87ee6ac80

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
96KB

MD5
45d25f66e9ec46e43b0bb6e7b199595e

SHA1
1006f0ad6f5d2fb81601dd437b9aa174b4f4ba30

SHA256
8c307cfcd3f816e4d7c5428adab899b4785c1ee252e6561d890f72fcfbb421c4

SHA512
1f4a63c66368abcca9fb5a0c7dd31a6bc157da826b28513817ba0544965cee5d4680755dcf7c4f070cc5b555f01cd4a55421ee61cd77d9451f15bbde3ed3086a

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
96KB

MD5
7f54109e6648ceb2651198cbce80d6e4

SHA1
e9596aa11ebe006553bf080cc460b6fcc8621b57

SHA256
4a4fa2bf1a285609f80764a3f10071ca6482467f6f26b56b88027662f8d92489

SHA512
2b2640fc43765c12d33ed9c67e4332b067f4b0d29252cc8a7bacc7f20b15f8c6ff26aa7bbc289354bafa5ea0ffb18ee07f0a322c67edecf523d2b365a36483fe

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
96KB

MD5
ade868c271c1eabb14bb3464b9b8337a

SHA1
ce8fdc064f88912ceda59e85f490db5ec7786a3f

SHA256
2e486e9a6825ff17090a5cc2e81e6f97e0714a829ce2eee01b0e4652a97a5bb3

SHA512
23fb23448a1379508f0fd34ec67b27b27c82c5cc06348ff55c22ab40481686d963e7ef84662946ca301604946a16f76496d90bf0f66b91fe9154070ba5b517a2

Download Submit
C:\Windows\SysWOW64\Hapaemll.exe

Filesize
96KB

MD5
f3373ba5232100670119163c4040b8d2

SHA1
44a30095764c3bc90d170541ee67f99770b1bd74

SHA256
92bb10e00f4b64e640a04d5834ea67a9ff6ef3768bbd70625c04669b3a25b2a4

SHA512
a2ed449ce2730e25144c1d7c984e7698eb0ac14df0ba5c2de38909283d4685b6a523722dc3c7c2e00480bda25b36b9ee2c8396a5d690782a385c720fab84137c

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
96KB

MD5
c51912c485c4996a8c69f0c650bec33e

SHA1
270cfb003b8819ffed74f73c352c3a6dcb6c30dd

SHA256
a5a2439c7ea7ab68bec5c47fd050bcec627ef5a2fe04f7e78571811a7be23be2

SHA512
480ce945a1adc048b30b1185c018ce2113d568dcd03eebf0216ae6ce20ba1526cb3440215fcce6a33e55ef37b055768b63ad64379f06b87a6a8d8029c1502687

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
96KB

MD5
d668870ac25018372cdcbef78497402a

SHA1
38960cd36322f8a00b19da2ec3ad7cdd4096123b

SHA256
20febbfd598fa6aa3cac7d6bc46b514b3826e964a33a3ade13c2227596ea8bfa

SHA512
14fd4ed089a353d3575080960bbe25e3ad314d78bf5e49b5be3e10e8ff89b23f2ce62e393b93f281af19729be511088307217b61ec6b1d20904082a31b3ccc5c

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
96KB

MD5
3edff63d4aa616d9c89cb265b8a6caef

SHA1
6c654d25024bbeee4936c4ce26bbe9fc90fdec25

SHA256
090b610ae927772f6fd8662c37aaf35d8c72aaecc6b4ee795ce8e55b308a2ae2

SHA512
b80f5a361086bd46a1a0ff1bc6c7bb11df1aa04b7dc8965064cb8be972bc01964e58bfe8b728785839bca7435318e08797d1a5d93312ce48aefaba54d74a02f3

Download Submit
C:\Windows\SysWOW64\Hjjbcbqj.exe

Filesize
96KB

MD5
fcf742d509ec81b67b27eb4b5b6cff11

SHA1
95d9b39a6a48cb9274aa1b135ca2d39cdd2a547c

SHA256
21ae9b17a8e8de10657d021b76be638153726c096aca9ef281ea97349a732109

SHA512
18960d855a8f4a70296e93c0eae5a6e7bc0c0b51cc14cf93ac869782e19464c2d9d9a3f27e160b6531fdee64abd77e9a90f2ccff3a9c5eb9552d5c56e68a2204

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
96KB

MD5
db5fde57d7af64758c38419e71a8e0ec

SHA1
328e4d37a74e09bbab91c74fc41096010bbba55f

SHA256
f965163cfe3275b127f1857c3d0eac4b2e338f1d98ec08575b116d2504dcd231

SHA512
9e9d66d7f59727976ac91102739bdb4794eda6c5ee666a62a4ffaf9f7fbe7b47f4bd6110b1f85b105afa228ee4c88b9b6ac11c8b92bbf8c93fdc86efe36ae3bd

Download Submit
C:\Windows\SysWOW64\Hmfbjnbp.exe

Filesize
96KB

MD5
7b567f3b2c6bf7af238b81f8718e9908

SHA1
9e6889584dbec337188f9e0f07e460607d647ab8

SHA256
ed8d712c45ab33c2b1775507130d18d9e5aaf80848739ef52b7b3c6d4e5d3a37

SHA512
51d765fbd5dd5ffd743a1c4b5a1439b28df33c763ec808897b154d9406fc48f2354246ba058eeeade3283d9e427a609243bc5da100ed454da51a06e5c2fc23ed

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
96KB

MD5
336a24c69699ec2a0e800c916d4b3ea9

SHA1
4303a23d52994a24e1d3823d30e25b7cef332dff

SHA256
aaaf85f17b533152e511313b420f94c56b57ff1e7c56b93661dc9fb616aa7183

SHA512
5e05f8925b5ee1a6f0a7241503c1ea49b4dc29d6b99d57d27da2270fdbb5a0d11f5ae76e65081b0d202ba048bc60d51c9f343cc380a03ef081e6e5823059d840

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
96KB

MD5
4d38220165590b48fc3d6a7ed5095513

SHA1
4fe9cdd56c75439fd687be10ce4d77807c1dde81

SHA256
345aa89a1bf93a522fc6892edd7eb0de9d0be4dbd4a9c080cb29aacbf5428255

SHA512
cac40c961534f111b73c6648e18b46951c12b434cc9a3aba1c5ad34a2e0f4c9d0c5aedd79ac74e677d1a7a2f00626643ce97873bc9c73bbc1b3952d3b360925d

Download Submit
C:\Windows\SysWOW64\Iblilb32.dll

Filesize
7KB

MD5
c72a53a03cfb19adb117e7e0f45c7249

SHA1
db830e90f9a785fd375aabc52a1bd7a2ac21ec45

SHA256
ec2717c3ac2407ae6f18feadfcb3e777c844c1bec051e8e7c822593a7ee6c1d1

SHA512
e531f4c568fd4b5888b5dc0ebd6d0181ac1ddc2f1433b3db391ec242d8f7d5ca2fa02879204dd8e9aa2d923525d3fd85a534d3b42d05098beaef6d2414a985ea

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
96KB

MD5
94f5c50eca70e2638cad764160625b3d

SHA1
933f6ecce104f0a50ec5e452c5697489c4190f0c

SHA256
1602ba797feafb10850f4329f5e8e254ee475dba61bc5de2da83cc2557ac436a

SHA512
7054c3d92c58b8bdfa2b3d7714c97f47372211803c10328c77d7aae37507ae029eab02e13255225bd3812627c2ac021f74b06ce1767cdd4f89ae46339d6f9573

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
96KB

MD5
814c0503f859c77cf2ace6ed5d7bd2bc

SHA1
946a4985a54c73c3ccc9c5c256af6071a2cb2cff

SHA256
ebf7e94daa08af689f94bfb15a64a04605b7e069d711de34e420be6e023fe1ad

SHA512
14f9b597c1299967ab9afd56b0225ba1fbf9c36679a5bb7e906a86788453f03b09dc99d0afd1e832e14de344e386b3e6c28140c104b0918cf3b8fc4e1299d529

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
96KB

MD5
7929d6e713978ad8dd06420c0399d708

SHA1
1afe53fd089ca41788d272600090418d50422579

SHA256
6e3ca0aa8ebe16b618e5206119105cbe792f7b1602b734514a750dbec99105e5

SHA512
1a97be19661a0ee244de003c057ddd94da0bd5b878b855ab487d431d3982a728b077effeb62d35d25284eb8ca5a865a56dfc6f0a7f1362ebad32e5dd70a9c932

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
96KB

MD5
d595bd6bb8cac6a540b9b3706e2f176e

SHA1
0b493875c8f5806e1d899d8a06c4727cc2e2a895

SHA256
c5eff3a8abd32c9a4bbe9ab7ec46154fa7cf2fd6f656f6e272ca56cab4af2e8c

SHA512
7d7305e8cc7573c30b07e4e02bb7e9bc122c29656d94f60dfaa131670b5e7cb61d2a15b92b6f5e31acf3dae84dd0ea5a94bf9c230713704d8f3e63733cacf14d

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
96KB

MD5
7c3fa3ffac2304739d0199c33cfad547

SHA1
db72beeae6f04b38c5cefef7b27efb0987a8a60f

SHA256
f5922b9323aded873357fdbe8a0a50fb03e3ed54c05b629ee16e881c8bc16a1b

SHA512
320234d6de1f5193d50789faa7add934a487b03a84b9a1c6802f9a865cdceb3402726ea311e1de00d092616589c33928d86dc0661f2f96a7dd2e5d0f51b74d0f

Download Submit
memory/208-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/384-506-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/460-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/644-213-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/752-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/760-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/848-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/976-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1052-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1052-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-471-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1228-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1348-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1356-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1404-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1432-557-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1436-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1524-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1652-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1664-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1860-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1880-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1884-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1908-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1932-531-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-551-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2440-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-542-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3256-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3324-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3380-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3432-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3484-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3584-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-565-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3644-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3812-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-532-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3892-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3928-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3964-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4208-584-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4224-544-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4224-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4316-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-558-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4436-550-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-525-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4548-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4552-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4792-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4860-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-598-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4976-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-579-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4980-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5052-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5080-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads