ccc089632460e1cbc261bc93937f4c4eb35143b227076b492ceb7893b99a7b42

Analysis

max time kernel
133s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d2a321cd5876c4513ca9ca8322199ee0.exe
Size

78KB
MD5

d2a321cd5876c4513ca9ca8322199ee0
SHA1

58bf5a89874593b2bc24cef6a89575191c9f4380
SHA256

ccc089632460e1cbc261bc93937f4c4eb35143b227076b492ceb7893b99a7b42
SHA512

6aec6a8e54f9bc7c3c08d0da38effbcc588bab40c4b558dc7e136623a6bb60405f142cc7586a7927171d021e4b3e06433ab89b85181eb4c03a6a494dcff62506
SSDEEP

1536:bFfUNtL3qI3WIqOFp5KR11q9wpIVywiVL8DN+zL20gJi1ie:R8NtL6I31qeps4OOVywiVQDgzL20WKt

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpmomo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbihjifh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hffken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmqfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaagkcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcnpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomqcjie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haaaaeim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giljfddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbgeqmjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koaagkcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lggejg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eomffaag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoahh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kolabf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilqoobdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjgaoqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lebijnak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbjddh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enmjlojd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlblcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpegkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonlfo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlaldg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiacacpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhoahh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njfkmphe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Momcpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcghg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kolabf32.exe

Executes dropped EXE 64 IoCs

pid	Process
5032	Gnepna32.exe
4908	Gbeejp32.exe
2744	Hfcnpn32.exe
4440	Hffken32.exe
3328	Hifcgion.exe
5092	Ifmqfm32.exe
1564	Ibcaknbi.exe
1688	Ipjoja32.exe
2172	Ilqoobdd.exe
2096	Jghpbk32.exe
3084	Jgkmgk32.exe
3284	Johnamkm.exe
3916	Jcfggkac.exe
4144	Kpjgaoqm.exe
3064	Klahfp32.exe
1808	Koaagkcb.exe
3188	Kjgeedch.exe
3500	Kcpjnjii.exe
3940	Kgnbdh32.exe
4040	Ljnlecmp.exe
2996	Lomqcjie.exe
4756	Lggejg32.exe
2056	Lncjlq32.exe
3484	Mjjkaabc.exe
3372	Mnjqmpgg.exe
3728	Mnmmboed.exe
2368	Njfkmphe.exe
4240	Nadleilm.exe
2552	Ompfej32.exe
3552	Omgmeigd.exe
4196	Pccahbmn.exe
1416	Ppjbmc32.exe
3420	Paiogf32.exe
2128	Pnmopk32.exe
3808	Panhbfep.exe
3784	Qpcecb32.exe
4380	Qacameaj.exe
844	Afbgkl32.exe
2008	Agdcpkll.exe
3512	Apmhiq32.exe
4680	Amqhbe32.exe
5016	Akdilipp.exe
2148	Bhhiemoj.exe
2316	Bpdnjple.exe
1364	Bogkmgba.exe
1616	Bhblllfo.exe
4176	Bajqda32.exe
4552	Cammjakm.exe
3644	Cgifbhid.exe
5088	Ckgohf32.exe
1896	Cdpcal32.exe
3876	Coegoe32.exe
1860	Cklhcfle.exe
4580	Dpkmal32.exe
3812	Dolmodpi.exe
1232	Dggbcf32.exe
4456	Ddkbmj32.exe
1824	Doagjc32.exe
3920	Eohmkb32.exe
3936	Enmjlojd.exe
1104	Eomffaag.exe
3972	Gpmomo32.exe
1300	Gnblnlhl.exe
3492	Gpaihooo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cknmplfo.dll	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Ipjoja32.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Bgagea32.dll	Njfkmphe.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Iacngdgj.exe	Haaaaeim.exe
File created	C:\Windows\SysWOW64\Glqfgdpo.dll	Mofmobmo.exe
File created	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Giljfddl.exe	Gngeik32.exe
File created	C:\Windows\SysWOW64\Hhaggp32.exe	Hbenoi32.exe
File opened for modification	C:\Windows\SysWOW64\Kocgbend.exe	Kekbjo32.exe
File opened for modification	C:\Windows\SysWOW64\Mnmmboed.exe	Mnjqmpgg.exe
File created	C:\Windows\SysWOW64\Paiogf32.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Cggkemhh.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Dahkpm32.dll	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Hfcnpn32.exe	Gbeejp32.exe
File created	C:\Windows\SysWOW64\Ibcaknbi.exe	Ifmqfm32.exe
File opened for modification	C:\Windows\SysWOW64\Lomqcjie.exe	Ljnlecmp.exe
File created	C:\Windows\SysWOW64\Lncjlq32.exe	Lggejg32.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	Pnmopk32.exe
File created	C:\Windows\SysWOW64\Eomffaag.exe	Enmjlojd.exe
File created	C:\Windows\SysWOW64\Iondqhpl.exe	Iialhaad.exe
File created	C:\Windows\SysWOW64\Pmcckk32.dll	Jghpbk32.exe
File created	C:\Windows\SysWOW64\Jobfelii.dll	Jgkmgk32.exe
File created	C:\Windows\SysWOW64\Lggejg32.exe	Lomqcjie.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Ompfej32.exe
File opened for modification	C:\Windows\SysWOW64\Hlblcn32.exe	Hbihjifh.exe
File opened for modification	C:\Windows\SysWOW64\Jaajhb32.exe	Jifecp32.exe
File created	C:\Windows\SysWOW64\Ifenan32.dll	Jcfggkac.exe
File created	C:\Windows\SysWOW64\Coegoe32.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Ojidbohn.dll	Eohmkb32.exe
File created	C:\Windows\SysWOW64\Dgpamjnb.dll	Gpaihooo.exe
File created	C:\Windows\SysWOW64\Ppjbmc32.exe	Pccahbmn.exe
File opened for modification	C:\Windows\SysWOW64\Akdilipp.exe	Amqhbe32.exe
File opened for modification	C:\Windows\SysWOW64\Ojnfihmo.exe	Ocdnln32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdnln32.exe	Nfnamjhk.exe
File opened for modification	C:\Windows\SysWOW64\Klahfp32.exe	Kpjgaoqm.exe
File created	C:\Windows\SysWOW64\Gnblnlhl.exe	Gpmomo32.exe
File created	C:\Windows\SysWOW64\Gakbde32.dll	Hbihjifh.exe
File opened for modification	C:\Windows\SysWOW64\Kplmliko.exe	Kolabf32.exe
File opened for modification	C:\Windows\SysWOW64\Mhjhmhhd.exe	Llcghg32.exe
File created	C:\Windows\SysWOW64\Kpbgeaba.dll	Mhoahh32.exe
File created	C:\Windows\SysWOW64\Eeclnmik.dll	Kocgbend.exe
File opened for modification	C:\Windows\SysWOW64\Nfnamjhk.exe	Nhhdnf32.exe
File opened for modification	C:\Windows\SysWOW64\Gngeik32.exe	Gpaihooo.exe
File created	C:\Windows\SysWOW64\Hiacacpg.exe	Hhaggp32.exe
File created	C:\Windows\SysWOW64\Enndkpea.dll	Hhimhobl.exe
File created	C:\Windows\SysWOW64\Eciqfjec.dll	Iacngdgj.exe
File opened for modification	C:\Windows\SysWOW64\Koaagkcb.exe	Klahfp32.exe
File created	C:\Windows\SysWOW64\Gpaihooo.exe	Gnblnlhl.exe
File opened for modification	C:\Windows\SysWOW64\Pbjddh32.exe	Pjlcjf32.exe
File created	C:\Windows\SysWOW64\Pciqnk32.exe	Pidlqb32.exe
File created	C:\Windows\SysWOW64\Gabfbmnl.dll	Mjjkaabc.exe
File created	C:\Windows\SysWOW64\Njfkmphe.exe	Mnmmboed.exe
File created	C:\Windows\SysWOW64\Ihmfco32.exe	Iacngdgj.exe
File created	C:\Windows\SysWOW64\Nfnamjhk.exe	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Ehmjob32.dll	Lggejg32.exe
File opened for modification	C:\Windows\SysWOW64\Pccahbmn.exe	Omgmeigd.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Egcpgp32.dll	Mcfbkpab.exe
File created	C:\Windows\SysWOW64\Chfhllkp.dll	Gbeejp32.exe
File created	C:\Windows\SysWOW64\Jlbejloe.exe	Iondqhpl.exe
File created	C:\Windows\SysWOW64\Hapfpelh.dll	Kekbjo32.exe
File created	C:\Windows\SysWOW64\Kigcfhbi.dll	Hifcgion.exe
File created	C:\Windows\SysWOW64\Lomqcjie.exe	Ljnlecmp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6080	4304	WerFault.exe	215

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didmdo32.dll"	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lomqcjie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmlag32.dll"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hffken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogakfe32.dll"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmjlphl.dll"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Bhhiemoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekamnhne.dll"	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Lggejg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll"	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll"	Eohmkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnepna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjnnbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll"	Ihmfco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdpcal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epoaed32.dll"	Dolmodpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiidnkam.dll"	Kplmliko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pidlqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Nadleilm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dolmodpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpilmfi.dll"	Gngeik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieccbbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcfggkac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcckk32.dll"	Jghpbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klahfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggbcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cagdge32.dll"	Enmjlojd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keifdpif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpmomo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpaihooo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haaaaeim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjbog32.dll"	Jaajhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll"	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipaooi32.dll"	Ddkbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjgaoqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlbejloe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpgp32.dll"	Mcfbkpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilqoobdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfcnpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipjoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgnbdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqhbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddkbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhaggp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 5032	3228	NEAS.d2a321cd5876c4513ca9ca8322199ee0.exe	91
PID 3228 wrote to memory of 5032	3228	NEAS.d2a321cd5876c4513ca9ca8322199ee0.exe	91
PID 3228 wrote to memory of 5032	3228	NEAS.d2a321cd5876c4513ca9ca8322199ee0.exe	91
PID 5032 wrote to memory of 4908	5032	Gnepna32.exe	92
PID 5032 wrote to memory of 4908	5032	Gnepna32.exe	92
PID 5032 wrote to memory of 4908	5032	Gnepna32.exe	92
PID 4908 wrote to memory of 2744	4908	Gbeejp32.exe	94
PID 4908 wrote to memory of 2744	4908	Gbeejp32.exe	94
PID 4908 wrote to memory of 2744	4908	Gbeejp32.exe	94
PID 2744 wrote to memory of 4440	2744	Hfcnpn32.exe	95
PID 2744 wrote to memory of 4440	2744	Hfcnpn32.exe	95
PID 2744 wrote to memory of 4440	2744	Hfcnpn32.exe	95
PID 4440 wrote to memory of 3328	4440	Hffken32.exe	96
PID 4440 wrote to memory of 3328	4440	Hffken32.exe	96
PID 4440 wrote to memory of 3328	4440	Hffken32.exe	96
PID 3328 wrote to memory of 5092	3328	Hifcgion.exe	97
PID 3328 wrote to memory of 5092	3328	Hifcgion.exe	97
PID 3328 wrote to memory of 5092	3328	Hifcgion.exe	97
PID 5092 wrote to memory of 1564	5092	Ifmqfm32.exe	98
PID 5092 wrote to memory of 1564	5092	Ifmqfm32.exe	98
PID 5092 wrote to memory of 1564	5092	Ifmqfm32.exe	98
PID 1564 wrote to memory of 1688	1564	Ibcaknbi.exe	99
PID 1564 wrote to memory of 1688	1564	Ibcaknbi.exe	99
PID 1564 wrote to memory of 1688	1564	Ibcaknbi.exe	99
PID 1688 wrote to memory of 2172	1688	Ipjoja32.exe	100
PID 1688 wrote to memory of 2172	1688	Ipjoja32.exe	100
PID 1688 wrote to memory of 2172	1688	Ipjoja32.exe	100
PID 2172 wrote to memory of 2096	2172	Ilqoobdd.exe	101
PID 2172 wrote to memory of 2096	2172	Ilqoobdd.exe	101
PID 2172 wrote to memory of 2096	2172	Ilqoobdd.exe	101
PID 2096 wrote to memory of 3084	2096	Jghpbk32.exe	103
PID 2096 wrote to memory of 3084	2096	Jghpbk32.exe	103
PID 2096 wrote to memory of 3084	2096	Jghpbk32.exe	103
PID 3084 wrote to memory of 3284	3084	Jgkmgk32.exe	104
PID 3084 wrote to memory of 3284	3084	Jgkmgk32.exe	104
PID 3084 wrote to memory of 3284	3084	Jgkmgk32.exe	104
PID 3284 wrote to memory of 3916	3284	Johnamkm.exe	105
PID 3284 wrote to memory of 3916	3284	Johnamkm.exe	105
PID 3284 wrote to memory of 3916	3284	Johnamkm.exe	105
PID 3916 wrote to memory of 4144	3916	Jcfggkac.exe	106
PID 3916 wrote to memory of 4144	3916	Jcfggkac.exe	106
PID 3916 wrote to memory of 4144	3916	Jcfggkac.exe	106
PID 4144 wrote to memory of 3064	4144	Kpjgaoqm.exe	107
PID 4144 wrote to memory of 3064	4144	Kpjgaoqm.exe	107
PID 4144 wrote to memory of 3064	4144	Kpjgaoqm.exe	107
PID 3064 wrote to memory of 1808	3064	Klahfp32.exe	108
PID 3064 wrote to memory of 1808	3064	Klahfp32.exe	108
PID 3064 wrote to memory of 1808	3064	Klahfp32.exe	108
PID 1808 wrote to memory of 3188	1808	Koaagkcb.exe	109
PID 1808 wrote to memory of 3188	1808	Koaagkcb.exe	109
PID 1808 wrote to memory of 3188	1808	Koaagkcb.exe	109
PID 3188 wrote to memory of 3500	3188	Kjgeedch.exe	110
PID 3188 wrote to memory of 3500	3188	Kjgeedch.exe	110
PID 3188 wrote to memory of 3500	3188	Kjgeedch.exe	110
PID 3500 wrote to memory of 3940	3500	Kcpjnjii.exe	111
PID 3500 wrote to memory of 3940	3500	Kcpjnjii.exe	111
PID 3500 wrote to memory of 3940	3500	Kcpjnjii.exe	111
PID 3940 wrote to memory of 4040	3940	Kgnbdh32.exe	112
PID 3940 wrote to memory of 4040	3940	Kgnbdh32.exe	112
PID 3940 wrote to memory of 4040	3940	Kgnbdh32.exe	112
PID 4040 wrote to memory of 2996	4040	Ljnlecmp.exe	113
PID 4040 wrote to memory of 2996	4040	Ljnlecmp.exe	113
PID 4040 wrote to memory of 2996	4040	Ljnlecmp.exe	113
PID 2996 wrote to memory of 4756	2996	Lomqcjie.exe	114

C:\Users\Admin\AppData\Local\Temp\NEAS.d2a321cd5876c4513ca9ca8322199ee0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d2a321cd5876c4513ca9ca8322199ee0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\Gnepna32.exe
  C:\Windows\system32\Gnepna32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\Gbeejp32.exe
    C:\Windows\system32\Gbeejp32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\SysWOW64\Hfcnpn32.exe
      C:\Windows\system32\Hfcnpn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
      - C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Ilqoobdd.exe
        
        C:\Windows\system32\Ilqoobdd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Jcfggkac.exe
        
        C:\Windows\system32\Jcfggkac.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Klahfp32.exe
        
        C:\Windows\system32\Klahfp32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Lomqcjie.exe
        
        C:\Windows\system32\Lomqcjie.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Lggejg32.exe
        
        C:\Windows\system32\Lggejg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Mjjkaabc.exe
        
        C:\Windows\system32\Mjjkaabc.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        38⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        41⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        45⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        47⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        53⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Dolmodpi.exe
        
        C:\Windows\system32\Dolmodpi.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Ddkbmj32.exe
        
        C:\Windows\system32\Ddkbmj32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        59⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\SysWOW64\Eohmkb32.exe
        
        C:\Windows\system32\Eohmkb32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Gpaihooo.exe
        
        C:\Windows\system32\Gpaihooo.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Giljfddl.exe
        
        C:\Windows\system32\Giljfddl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4072
        
        C:\Windows\SysWOW64\Hbenoi32.exe
        
        C:\Windows\system32\Hbenoi32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Hhaggp32.exe
        
        C:\Windows\system32\Hhaggp32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Hiacacpg.exe
        
        C:\Windows\system32\Hiacacpg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3124
        
        C:\Windows\SysWOW64\Hbihjifh.exe
        
        C:\Windows\system32\Hbihjifh.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5116
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        73⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Haaaaeim.exe
        
        C:\Windows\system32\Haaaaeim.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Iacngdgj.exe
        
        C:\Windows\system32\Iacngdgj.exe
        75⤵
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        76⤵
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        77⤵
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Ieccbbkn.exe
        
        C:\Windows\system32\Ieccbbkn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        79⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        80⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        81⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        83⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Jojdlfeo.exe
        
        C:\Windows\system32\Jojdlfeo.exe
        85⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Kolabf32.exe
        
        C:\Windows\system32\Kolabf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Kplmliko.exe
        
        C:\Windows\system32\Kplmliko.exe
        87⤵
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Keifdpif.exe
        
        C:\Windows\system32\Keifdpif.exe
        88⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Kekbjo32.exe
        
        C:\Windows\system32\Kekbjo32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5632
        
        C:\Windows\SysWOW64\Kocgbend.exe
        
        C:\Windows\system32\Kocgbend.exe
        90⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Lebijnak.exe
        
        C:\Windows\system32\Lebijnak.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Ljbnfleo.exe
        
        C:\Windows\system32\Ljbnfleo.exe
        92⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Llcghg32.exe
        
        C:\Windows\system32\Llcghg32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        94⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        96⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Mhoahh32.exe
        
        C:\Windows\system32\Mhoahh32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Mjnnbk32.exe
        
        C:\Windows\system32\Mjnnbk32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Mhckcgpj.exe
        
        C:\Windows\system32\Mhckcgpj.exe
        101⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:488
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        107⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        110⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        111⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        113⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Ppgomnai.exe
        
        C:\Windows\system32\Ppgomnai.exe
        114⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Pidlqb32.exe
        
        C:\Windows\system32\Pidlqb32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        119⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 400
        120⤵
        Program crash
        
        PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4304 -ip 4304
1⤵
PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akdilipp.exe

Filesize
78KB

MD5
6ecf1016d264b3e1d76dc90aaf3ee76c

SHA1
786499949ff804369f55209fad897f9e1ebadcd8

SHA256
f98c2a60445cfe4178b2086acdd811a3d9800a25c0e7b9d663c81da07ab37235

SHA512
b31a83ed0bc25086cac7430be3da0e44db334d1ea7dabb08d7d172aef9a2919ae26b37368fdbb539f75cf735d72186dd2bab8de07547c92a51edb84324bec630

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
78KB

MD5
8c4d75a3509b0bdbe2b2e3d7cfa023a8

SHA1
975d1071bcc5ee7dbb16b609c1a2786b3e2498a4

SHA256
ed9b428fded8a481be8c69fe330a37c756e131cd86c66a06411c737de2d7c6ce

SHA512
55454b6c5e64218e8559a5045ed093a935246811e89c6ee68f1d7fffa536df81a6d2e1b77f199fbe91c476c982b96f1fe42355f127b920bc56e2aed83531b393

Download Submit
C:\Windows\SysWOW64\Ddkbmj32.exe

Filesize
78KB

MD5
42468311bad4c61572ba0258f6f25ae8

SHA1
71dc0b8ae61d949d0be87f1d4bf62fde81837cf6

SHA256
66e75fcfc7f65816c2b3451e23decdaf8e09d5cc87d20afa05c4d50802c14f4e

SHA512
de37227fa5e9a274ac7d83d039e98de3d2c3495d2cf59db6975ec5507f7f2d5fc5f6783fe0d8e2eb6c2dc8d87e935c48fed1df3a2fb8c1f9ecaf49ff1484b5b7

Download Submit
C:\Windows\SysWOW64\Gbeejp32.exe

Filesize
78KB

MD5
669d96c3d8afa0e906a34522c0114aa4

SHA1
53f8cdf69ad63f6a88e44b3356f913a71c7c3540

SHA256
3cff49c618ee09c35a81a70bb3e1ef1554fd18b0eb30724d77dda1a5eda25b09

SHA512
9a7e3d4b2885dbc066e08288f4c0dbff624e21fa6effe4b1887e7f62af78ba721939bfe15a7e9ff94c91609571a1c4f23c7fe57fea2cee89ad38cb292431c6a8

Download Submit
C:\Windows\SysWOW64\Gbeejp32.exe

Filesize
78KB

MD5
669d96c3d8afa0e906a34522c0114aa4

SHA1
53f8cdf69ad63f6a88e44b3356f913a71c7c3540

SHA256
3cff49c618ee09c35a81a70bb3e1ef1554fd18b0eb30724d77dda1a5eda25b09

SHA512
9a7e3d4b2885dbc066e08288f4c0dbff624e21fa6effe4b1887e7f62af78ba721939bfe15a7e9ff94c91609571a1c4f23c7fe57fea2cee89ad38cb292431c6a8

Download Submit
C:\Windows\SysWOW64\Gnepna32.exe

Filesize
78KB

MD5
1b5e4c2a4afe08750fbc2378c7acd496

SHA1
7eb977b081f52e0bee36d5829af60480d179f313

SHA256
a3b0870e0756354e6ceeae4a54d936428ed8f410d8387cf3a7672b5910b22f07

SHA512
ba036a637e865e5645cc32205ac30027e5634dab635becd40b92063f25be307bb45fcce832aee17f091fcfeee52e2c99c479279d139c4558cd73c0ccbe623e68

Download Submit
C:\Windows\SysWOW64\Gnepna32.exe

Filesize
78KB

MD5
1b5e4c2a4afe08750fbc2378c7acd496

SHA1
7eb977b081f52e0bee36d5829af60480d179f313

SHA256
a3b0870e0756354e6ceeae4a54d936428ed8f410d8387cf3a7672b5910b22f07

SHA512
ba036a637e865e5645cc32205ac30027e5634dab635becd40b92063f25be307bb45fcce832aee17f091fcfeee52e2c99c479279d139c4558cd73c0ccbe623e68

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe

Filesize
78KB

MD5
1ffbbc8a4a81bdc649e33d4d92020fab

SHA1
426d2401895de0d2269fe1454e2bd33a4feea65e

SHA256
0b9266b1b653066a13271b99148ef428f93ae9018185c35f51d0675aff38b526

SHA512
213cd284985eb63bb35f31e8487195d104ed10e54acb36209a9a8649f98a2c5aa21bd0279d53936a9ba636f4d8d894386ebe6739a9d63813907ec4137ffff220

Download Submit
C:\Windows\SysWOW64\Hfcnpn32.exe

Filesize
78KB

MD5
1ffbbc8a4a81bdc649e33d4d92020fab

SHA1
426d2401895de0d2269fe1454e2bd33a4feea65e

SHA256
0b9266b1b653066a13271b99148ef428f93ae9018185c35f51d0675aff38b526

SHA512
213cd284985eb63bb35f31e8487195d104ed10e54acb36209a9a8649f98a2c5aa21bd0279d53936a9ba636f4d8d894386ebe6739a9d63813907ec4137ffff220

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
78KB

MD5
7892b35ef7c5d398e8b2070d54460f02

SHA1
6404118db5b96c205d6607eb57d8597d5d8a129d

SHA256
546777c7244c09fe0f4d5df35fdeb44be9964315b7d6c34a557a3e15deb5bb77

SHA512
cceb1185b7260e13017d6cf19f02d433469e89f51af20757c981dfd24d8c23f7a7a6eb1feb99716819e3b466c6d832180215a23c8d300dfeda08fa3e3bc607d8

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
78KB

MD5
7892b35ef7c5d398e8b2070d54460f02

SHA1
6404118db5b96c205d6607eb57d8597d5d8a129d

SHA256
546777c7244c09fe0f4d5df35fdeb44be9964315b7d6c34a557a3e15deb5bb77

SHA512
cceb1185b7260e13017d6cf19f02d433469e89f51af20757c981dfd24d8c23f7a7a6eb1feb99716819e3b466c6d832180215a23c8d300dfeda08fa3e3bc607d8

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
78KB

MD5
7892b35ef7c5d398e8b2070d54460f02

SHA1
6404118db5b96c205d6607eb57d8597d5d8a129d

SHA256
546777c7244c09fe0f4d5df35fdeb44be9964315b7d6c34a557a3e15deb5bb77

SHA512
cceb1185b7260e13017d6cf19f02d433469e89f51af20757c981dfd24d8c23f7a7a6eb1feb99716819e3b466c6d832180215a23c8d300dfeda08fa3e3bc607d8

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
78KB

MD5
987e365b57461b072e3019ee1a2bf5b8

SHA1
ac89561232af55228fc7b88245c2c226803f0d25

SHA256
85bf4d881cc908f01d2ee01b599249acf1b685c90f7a72e47a8bbb987eb7a20b

SHA512
e496f6855cb6ae78a85659eaac820c0af55771a50da543ff0f5c927edcb354f18b399871ee2959fced4be4c023dc6b49d38bfdc0636a2a79f7c0ae4e877e69cf

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
78KB

MD5
987e365b57461b072e3019ee1a2bf5b8

SHA1
ac89561232af55228fc7b88245c2c226803f0d25

SHA256
85bf4d881cc908f01d2ee01b599249acf1b685c90f7a72e47a8bbb987eb7a20b

SHA512
e496f6855cb6ae78a85659eaac820c0af55771a50da543ff0f5c927edcb354f18b399871ee2959fced4be4c023dc6b49d38bfdc0636a2a79f7c0ae4e877e69cf

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
78KB

MD5
a4544cba5e4352f94c36f5c2f75040fa

SHA1
7f81821b7c1ebaab6b6d1b5a80c6bccb8a873a7a

SHA256
4c2a83b7ba68fb871626ac328d7161d23a0fcaf8f3c64a2f4d8ec123eaec06c7

SHA512
a63edc18b2a0a5f09205ea84067b4d041b40831c09c88acae9c3742bd352046841865fcdba0d397dd1eb5a0714daf6c5e181fb633d38e3647460122a6ddb64a8

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
78KB

MD5
a4544cba5e4352f94c36f5c2f75040fa

SHA1
7f81821b7c1ebaab6b6d1b5a80c6bccb8a873a7a

SHA256
4c2a83b7ba68fb871626ac328d7161d23a0fcaf8f3c64a2f4d8ec123eaec06c7

SHA512
a63edc18b2a0a5f09205ea84067b4d041b40831c09c88acae9c3742bd352046841865fcdba0d397dd1eb5a0714daf6c5e181fb633d38e3647460122a6ddb64a8

Download Submit
C:\Windows\SysWOW64\Ieccbbkn.exe

Filesize
78KB

MD5
ad8fb9a1127946c1d8f5d76e8d3a3ca3

SHA1
ff9f095af03c2297983766c6b1e57b295cf0a897

SHA256
94ce3f1b41684b56e38dc76ae1d90b911ddc07e832ffd6e6a6577b85fc83d443

SHA512
b050850bdacd2fac455fdcabb491fb0eb7c8b07c44add579f5abfc697a69ab2e8a9ee1ca947d109ab2504ba42a2a91be0e12b3f3bfd388c0a9d57c453892f61f

Download Submit
C:\Windows\SysWOW64\Ifmqfm32.exe

Filesize
78KB

MD5
5ee62ede9023022f67f633ca6651662a

SHA1
0768789f807b43235c3f2bf2d2f27046723ce7fa

SHA256
29dae361e2b87721e81a044e7648e6c10b2d34f88053e0de3ebb987bfcbd7f6c

SHA512
2099d29ae90ed085f45f7f7b422d077462808a41ad57bbc8c2f1aa78b01a2e568ebd07beb086e8b2e263eeff04868878035172dbde02973d8ed6450d0b33435a

Download Submit
C:\Windows\SysWOW64\Ifmqfm32.exe

Filesize
78KB

MD5
5ee62ede9023022f67f633ca6651662a

SHA1
0768789f807b43235c3f2bf2d2f27046723ce7fa

SHA256
29dae361e2b87721e81a044e7648e6c10b2d34f88053e0de3ebb987bfcbd7f6c

SHA512
2099d29ae90ed085f45f7f7b422d077462808a41ad57bbc8c2f1aa78b01a2e568ebd07beb086e8b2e263eeff04868878035172dbde02973d8ed6450d0b33435a

Download Submit
C:\Windows\SysWOW64\Ilqoobdd.exe

Filesize
78KB

MD5
0ab3bde2f8cf79d302c341d3fb9f34a1

SHA1
31708806b8ffbce32e615789d46127cde519b798

SHA256
22947e04d64af7c19249b3efd41a26ac25aab27c1da20299663f53c80b94738e

SHA512
b9bfcd8cf4b574f320307719773c233b1ca0fa03758a93feeacf60edcba827c55f39826c243811aa1a4f313e95e5f0f5c95ca499ad65fbe3ea24c65e9edc372c

Download Submit
C:\Windows\SysWOW64\Ilqoobdd.exe

Filesize
78KB

MD5
0ab3bde2f8cf79d302c341d3fb9f34a1

SHA1
31708806b8ffbce32e615789d46127cde519b798

SHA256
22947e04d64af7c19249b3efd41a26ac25aab27c1da20299663f53c80b94738e

SHA512
b9bfcd8cf4b574f320307719773c233b1ca0fa03758a93feeacf60edcba827c55f39826c243811aa1a4f313e95e5f0f5c95ca499ad65fbe3ea24c65e9edc372c

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
78KB

MD5
830f35e95fbc14fab3eb16cbd7be02f6

SHA1
7e2ba16785fa026495550eda28261a764a08115b

SHA256
d75134cb02361a39fe6ff1791e9548bcf933b1a5ca71543cfa2e3f79e1d2e578

SHA512
0251ff3e0d271baed9882e7c2b628eb22590af5a6112494e377720f72dd0d0a26631f920aef7394b67e2c7c5c7a955fc49791dadf59c0f00c7d174adec9a137a

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
78KB

MD5
830f35e95fbc14fab3eb16cbd7be02f6

SHA1
7e2ba16785fa026495550eda28261a764a08115b

SHA256
d75134cb02361a39fe6ff1791e9548bcf933b1a5ca71543cfa2e3f79e1d2e578

SHA512
0251ff3e0d271baed9882e7c2b628eb22590af5a6112494e377720f72dd0d0a26631f920aef7394b67e2c7c5c7a955fc49791dadf59c0f00c7d174adec9a137a

Download Submit
C:\Windows\SysWOW64\Jcfggkac.exe

Filesize
78KB

MD5
a1cdeed7c75b3390cc515af03922ed0f

SHA1
ec7bfde46274c0f7c637c5b094caa9b8772de05d

SHA256
0e8d0c4cf5cdad1d1189d2a5d7b36d2109445ad1cc18e2c8dc77c3f1155ce35f

SHA512
60fc59b565f79363752597cf628ed30e415e9b4acacc0eb0793f895952191d81cc6e8c2c1cc60d59bd55e9c90cadd57977beab0e9e9eb771e04fa6759fa75a1c

Download Submit
C:\Windows\SysWOW64\Jcfggkac.exe

Filesize
78KB

MD5
a1cdeed7c75b3390cc515af03922ed0f

SHA1
ec7bfde46274c0f7c637c5b094caa9b8772de05d

SHA256
0e8d0c4cf5cdad1d1189d2a5d7b36d2109445ad1cc18e2c8dc77c3f1155ce35f

SHA512
60fc59b565f79363752597cf628ed30e415e9b4acacc0eb0793f895952191d81cc6e8c2c1cc60d59bd55e9c90cadd57977beab0e9e9eb771e04fa6759fa75a1c

Download Submit
C:\Windows\SysWOW64\Jghpbk32.exe

Filesize
78KB

MD5
aaad93d0b9a0adba05a7c763225fa852

SHA1
ec22186deb4c37c1dc2c6ecef877b2de771d8e77

SHA256
ec859ff10a9e90982d8cc097d6436ff268e7a4443643a2223abf3eec57f6e93d

SHA512
6aa44c47e1ac659e7d34cc51db451149f4bd222891f4cb5381b51e5ccd3c8fb20441e4936cb5ff337e63862b8984c2e842792212325f56cef5711dcf523c773c

Download Submit
C:\Windows\SysWOW64\Jghpbk32.exe

Filesize
78KB

MD5
aaad93d0b9a0adba05a7c763225fa852

SHA1
ec22186deb4c37c1dc2c6ecef877b2de771d8e77

SHA256
ec859ff10a9e90982d8cc097d6436ff268e7a4443643a2223abf3eec57f6e93d

SHA512
6aa44c47e1ac659e7d34cc51db451149f4bd222891f4cb5381b51e5ccd3c8fb20441e4936cb5ff337e63862b8984c2e842792212325f56cef5711dcf523c773c

Download Submit
C:\Windows\SysWOW64\Jgkmgk32.exe

Filesize
78KB

MD5
c226fab5674b49b110ebbd680b6ebf9f

SHA1
ca2e03a5199aa110402ef5c2b4462faa254cf76f

SHA256
cf7f252a69b7d5ed34a5dd1ca944b084c6355b7e46dc9695686a2f7cd32c1693

SHA512
b2bcc256879090272586303f0af1f07d90d08fac8a82287c812393e2087fcac36770e7419f65ab155757f6f39d3fc61a1ea79ac108c60b6ed2307108cc03a248

Download Submit
C:\Windows\SysWOW64\Jgkmgk32.exe

Filesize
78KB

MD5
c226fab5674b49b110ebbd680b6ebf9f

SHA1
ca2e03a5199aa110402ef5c2b4462faa254cf76f

SHA256
cf7f252a69b7d5ed34a5dd1ca944b084c6355b7e46dc9695686a2f7cd32c1693

SHA512
b2bcc256879090272586303f0af1f07d90d08fac8a82287c812393e2087fcac36770e7419f65ab155757f6f39d3fc61a1ea79ac108c60b6ed2307108cc03a248

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
78KB

MD5
19743abd1b8bb9c2ddd1f45b901ac24c

SHA1
83b3d36ac575eed68e1360e249b6658ea433f19a

SHA256
e9d3afda54dd187d14d94c5aa738d54208d370b9640ebbc503e5116a79093990

SHA512
54553e5d3eb94832b18219ff620a13819ccc7d1e8a81b131c7197a43dfdfeca7e0e1fe27178739d38b3a6bd1df7c3aa564c85ed080d739dc125713530741838a

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
78KB

MD5
19743abd1b8bb9c2ddd1f45b901ac24c

SHA1
83b3d36ac575eed68e1360e249b6658ea433f19a

SHA256
e9d3afda54dd187d14d94c5aa738d54208d370b9640ebbc503e5116a79093990

SHA512
54553e5d3eb94832b18219ff620a13819ccc7d1e8a81b131c7197a43dfdfeca7e0e1fe27178739d38b3a6bd1df7c3aa564c85ed080d739dc125713530741838a

Download Submit
C:\Windows\SysWOW64\Kcpjnjii.exe

Filesize
78KB

MD5
f3f910b18ccd8a84a7d8c33289068e52

SHA1
9d32920f44aea30eedc315dd67fe45228f10224e

SHA256
4e717177f39031791053ac764f6665618775556e576d27cde9ae9d78aabcc862

SHA512
daa44d35e4bd708ef95698957f4948984de1148b07be721fc510f75f48915031c6b96d4e239e02adf0093e1f74320df9e1e50372f2b58f6e174b01669b301e45

Download Submit
C:\Windows\SysWOW64\Kcpjnjii.exe

Filesize
78KB

MD5
f3f910b18ccd8a84a7d8c33289068e52

SHA1
9d32920f44aea30eedc315dd67fe45228f10224e

SHA256
4e717177f39031791053ac764f6665618775556e576d27cde9ae9d78aabcc862

SHA512
daa44d35e4bd708ef95698957f4948984de1148b07be721fc510f75f48915031c6b96d4e239e02adf0093e1f74320df9e1e50372f2b58f6e174b01669b301e45

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
78KB

MD5
67403e8603cc958f795b2c17e8b21884

SHA1
d94e4947ff7c7bc7c633427f31727e127f15d7d5

SHA256
9350c6d7e40eb4a7e4f99d88a104f60a5f1d87e048c2976461bb88cc04e8bace

SHA512
6d84000d3ec2a841e44d117bbf850c7df17a0e70ee304726f5923306854b2e460c2c1fe9c8fc822be599ad67498f0ee031104c71dc1dc26a5d537483586077e4

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
78KB

MD5
67403e8603cc958f795b2c17e8b21884

SHA1
d94e4947ff7c7bc7c633427f31727e127f15d7d5

SHA256
9350c6d7e40eb4a7e4f99d88a104f60a5f1d87e048c2976461bb88cc04e8bace

SHA512
6d84000d3ec2a841e44d117bbf850c7df17a0e70ee304726f5923306854b2e460c2c1fe9c8fc822be599ad67498f0ee031104c71dc1dc26a5d537483586077e4

Download Submit
C:\Windows\SysWOW64\Kjgeedch.exe

Filesize
78KB

MD5
4c18e83dee8aa98c3f26fa45e7683f0e

SHA1
736fd06638487ebbb0682a4d3c5b05039d6a05bf

SHA256
250bd0355bd769d4b9e7e3a5cb2b4c030827210144e34e19be3b08c4ba805809

SHA512
f4b26ab72141320d5b039902094f1196b5b8046483f6a708c9f6c13354f6f6df47ccc1a7c62eee88dce730d80ba56843374da6455733824a6db35e5c71cd1593

Download Submit
C:\Windows\SysWOW64\Kjgeedch.exe

Filesize
78KB

MD5
4c18e83dee8aa98c3f26fa45e7683f0e

SHA1
736fd06638487ebbb0682a4d3c5b05039d6a05bf

SHA256
250bd0355bd769d4b9e7e3a5cb2b4c030827210144e34e19be3b08c4ba805809

SHA512
f4b26ab72141320d5b039902094f1196b5b8046483f6a708c9f6c13354f6f6df47ccc1a7c62eee88dce730d80ba56843374da6455733824a6db35e5c71cd1593

Download Submit
C:\Windows\SysWOW64\Klahfp32.exe

Filesize
78KB

MD5
41001b18d89d50f816b8dd115971795f

SHA1
2f80706eb8d02ca2d02a765dcb036908cb1da9d3

SHA256
c8168261b23c820592184bff6c5466bca098a8352cbec5277c508abb29e9ec7f

SHA512
e755d9ad7c2b763579059378a1e4c212e356d6102522670ff00a97fc4ea54cd3c10b3191ea07583d60eb9d88224bf42f53d13af2e62180130e563a0cca922e09

Download Submit
C:\Windows\SysWOW64\Klahfp32.exe

Filesize
78KB

MD5
41001b18d89d50f816b8dd115971795f

SHA1
2f80706eb8d02ca2d02a765dcb036908cb1da9d3

SHA256
c8168261b23c820592184bff6c5466bca098a8352cbec5277c508abb29e9ec7f

SHA512
e755d9ad7c2b763579059378a1e4c212e356d6102522670ff00a97fc4ea54cd3c10b3191ea07583d60eb9d88224bf42f53d13af2e62180130e563a0cca922e09

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe

Filesize
78KB

MD5
fdb75982c034bb9c59094c2b0f774bfc

SHA1
2c808fa880a94f4b0d80cbe1f881bc0f01e34462

SHA256
fcf282cc65d291efd2da681cad2c432d6f20219cc1719c2c6e37e07c56f9a695

SHA512
e00bc66ed4a1eee258e340f8c58b6caf47e8f570a36ec17944e382945bc6c81b2fe0a2ae7c1c94586924316414361264dfe347b0752a591504fc8aefa7dcb1f5

Download Submit
C:\Windows\SysWOW64\Koaagkcb.exe

Filesize
78KB

MD5
fdb75982c034bb9c59094c2b0f774bfc

SHA1
2c808fa880a94f4b0d80cbe1f881bc0f01e34462

SHA256
fcf282cc65d291efd2da681cad2c432d6f20219cc1719c2c6e37e07c56f9a695

SHA512
e00bc66ed4a1eee258e340f8c58b6caf47e8f570a36ec17944e382945bc6c81b2fe0a2ae7c1c94586924316414361264dfe347b0752a591504fc8aefa7dcb1f5

Download Submit
C:\Windows\SysWOW64\Kpjgaoqm.exe

Filesize
78KB

MD5
65500c736855250fb7d427751bd35099

SHA1
7bcea0b95ac9b13e8fdd381d72b76af1ae077272

SHA256
6e4f4b71bd7dee243cc9a941451ac429fcae546ef5df78a6f10c9bf046779ae9

SHA512
5a751499e1cc5a984fa5431ce2cb72e763ccd7f87ad068c7225d6ae9752931f2f678161007dba251623fac8f2f46f4202ae98ca86f01aa0221cfcf097ed305a0

Download Submit
C:\Windows\SysWOW64\Kpjgaoqm.exe

Filesize
78KB

MD5
65500c736855250fb7d427751bd35099

SHA1
7bcea0b95ac9b13e8fdd381d72b76af1ae077272

SHA256
6e4f4b71bd7dee243cc9a941451ac429fcae546ef5df78a6f10c9bf046779ae9

SHA512
5a751499e1cc5a984fa5431ce2cb72e763ccd7f87ad068c7225d6ae9752931f2f678161007dba251623fac8f2f46f4202ae98ca86f01aa0221cfcf097ed305a0

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
78KB

MD5
cb0095ff9da31c06cc6ca30fbe81bc0e

SHA1
56f2c850a631a6304dd925150177fe33568035d5

SHA256
8c09a9fbf02d6c204c4040e938de1f46afa15e95f152c0f30b72471fae39b3ae

SHA512
8c0b73b7b692b4939ecde7c5391b12bde999ce1221c192de26f80b77346c38ac5a3291ac191643cf2054ac5baf8e870098d8347c5d2e890e3415db815ff90a98

Download Submit
C:\Windows\SysWOW64\Lggejg32.exe

Filesize
78KB

MD5
cb0095ff9da31c06cc6ca30fbe81bc0e

SHA1
56f2c850a631a6304dd925150177fe33568035d5

SHA256
8c09a9fbf02d6c204c4040e938de1f46afa15e95f152c0f30b72471fae39b3ae

SHA512
8c0b73b7b692b4939ecde7c5391b12bde999ce1221c192de26f80b77346c38ac5a3291ac191643cf2054ac5baf8e870098d8347c5d2e890e3415db815ff90a98

Download Submit
C:\Windows\SysWOW64\Ljnlecmp.exe

Filesize
78KB

MD5
cb557a9f414f00cfd86e6cdc4f3b6950

SHA1
3df82f6be02effb69d143ff756c344c1384e8223

SHA256
95ec6302bedd40bc62fff9eb4fde3488482fed29fabf3b3b003565af729b8ecc

SHA512
c6e79b39b93d1866e15cc3a48caba22a73310cba76bec0336ee58888775b03aa23407c28af0d79a5a24df683e73e44bbed5b7449ddaec9e280a4f9ee8e690167

Download Submit
C:\Windows\SysWOW64\Ljnlecmp.exe

Filesize
78KB

MD5
cb557a9f414f00cfd86e6cdc4f3b6950

SHA1
3df82f6be02effb69d143ff756c344c1384e8223

SHA256
95ec6302bedd40bc62fff9eb4fde3488482fed29fabf3b3b003565af729b8ecc

SHA512
c6e79b39b93d1866e15cc3a48caba22a73310cba76bec0336ee58888775b03aa23407c28af0d79a5a24df683e73e44bbed5b7449ddaec9e280a4f9ee8e690167

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
78KB

MD5
fee3bdc903bca95c052d70185c0875fb

SHA1
cd9456d46ca928920c8f288b1e7dcdb93ed5f504

SHA256
8fb7f87e9915f991801058a6f0023f61eb2d8e2043e730973c1ff1f51edebddc

SHA512
4a3ec735092178925d463660d9687da58288b34096f96e6eca36d50e6aafa0a2b5448be81116d0a02359c76eb23c66e39a1ea5c8f59c41e3f2078b84496f352e

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
78KB

MD5
fee3bdc903bca95c052d70185c0875fb

SHA1
cd9456d46ca928920c8f288b1e7dcdb93ed5f504

SHA256
8fb7f87e9915f991801058a6f0023f61eb2d8e2043e730973c1ff1f51edebddc

SHA512
4a3ec735092178925d463660d9687da58288b34096f96e6eca36d50e6aafa0a2b5448be81116d0a02359c76eb23c66e39a1ea5c8f59c41e3f2078b84496f352e

Download Submit
C:\Windows\SysWOW64\Lomqcjie.exe

Filesize
78KB

MD5
87d1fb305808f349cf710f59bbe6d1f0

SHA1
4e7e31d6d3e2d8f08c2e19cd57f40a7d78a455c9

SHA256
7ad063001f96d25909ec2de3ea35abcf4f503eabfbc9fe12a57b9c935a3e6518

SHA512
652c07c515748d9fee9cd9934f2f3684d00e4928041c4168672188ceb18f86e1d3260916b5906b7f4891d947b1d0a0bc2aa59ee7a6a072dc730741874548d9e4

Download Submit
C:\Windows\SysWOW64\Lomqcjie.exe

Filesize
78KB

MD5
87d1fb305808f349cf710f59bbe6d1f0

SHA1
4e7e31d6d3e2d8f08c2e19cd57f40a7d78a455c9

SHA256
7ad063001f96d25909ec2de3ea35abcf4f503eabfbc9fe12a57b9c935a3e6518

SHA512
652c07c515748d9fee9cd9934f2f3684d00e4928041c4168672188ceb18f86e1d3260916b5906b7f4891d947b1d0a0bc2aa59ee7a6a072dc730741874548d9e4

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
78KB

MD5
503afd72601eab945c3f9991a6563b69

SHA1
6d446af66cbfc0bca963778bdbeaddbf2ee78474

SHA256
72f492a479946b755967fd87e0a60df22e01a1e6a8a15c858c5c28e3f37a36b3

SHA512
cd0898efb8e649e939957c6a31e445fd651942aa82dfd614efb5f6883e75c4c6b288184c6ae5b0ee7be923dd43c6de17e5fba55b137a9629cb7f5b2dc853a748

Download Submit
C:\Windows\SysWOW64\Mjjkaabc.exe

Filesize
78KB

MD5
503afd72601eab945c3f9991a6563b69

SHA1
6d446af66cbfc0bca963778bdbeaddbf2ee78474

SHA256
72f492a479946b755967fd87e0a60df22e01a1e6a8a15c858c5c28e3f37a36b3

SHA512
cd0898efb8e649e939957c6a31e445fd651942aa82dfd614efb5f6883e75c4c6b288184c6ae5b0ee7be923dd43c6de17e5fba55b137a9629cb7f5b2dc853a748

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
78KB

MD5
c2cd8c7dae6156fc40adeb2df70fe6ad

SHA1
2f5250820f55ee1e9daf8ab98fa2745e4a24623d

SHA256
0cfaf24ea35173860b7de3656b1d005d77decff456bc785f66adf5dd3bee5156

SHA512
d437c0d0260b902c2f39c8c0fc76826ab81bffdce89bb659353e4c7cbf572452976a8892766a3223dd7a773aec5fbd2f6c6d41258618817711ac9bad0b6d30b8

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
78KB

MD5
c2cd8c7dae6156fc40adeb2df70fe6ad

SHA1
2f5250820f55ee1e9daf8ab98fa2745e4a24623d

SHA256
0cfaf24ea35173860b7de3656b1d005d77decff456bc785f66adf5dd3bee5156

SHA512
d437c0d0260b902c2f39c8c0fc76826ab81bffdce89bb659353e4c7cbf572452976a8892766a3223dd7a773aec5fbd2f6c6d41258618817711ac9bad0b6d30b8

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
78KB

MD5
21950509f32a8357fbca446d569988bd

SHA1
01e53678c2cb201927e62a7cbf24df7cda516d7e

SHA256
8f5b68094252a73ed1113deeff57cb6c5ee58a8e17571c2dc972eed416daf0f2

SHA512
2f0a62e3581e90cedf6e9f1d01cf8532713ac38fa5f8f948705ed2d7763a68fb9fc9d668483e3771a14e73848b5714c2e3860891d96e129333a7e42e01fe1909

Download Submit
C:\Windows\SysWOW64\Mnmmboed.exe

Filesize
78KB

MD5
21950509f32a8357fbca446d569988bd

SHA1
01e53678c2cb201927e62a7cbf24df7cda516d7e

SHA256
8f5b68094252a73ed1113deeff57cb6c5ee58a8e17571c2dc972eed416daf0f2

SHA512
2f0a62e3581e90cedf6e9f1d01cf8532713ac38fa5f8f948705ed2d7763a68fb9fc9d668483e3771a14e73848b5714c2e3860891d96e129333a7e42e01fe1909

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
78KB

MD5
6f3230f277026697dec8262e932a8d66

SHA1
b470862c81a217bf0fa15b3d1c350ca2997b95c3

SHA256
1261ff32f2b945a5c291bd091fb70d74ba1bafe90dc1d996a824e6d70733f6ec

SHA512
717fb340f191c7d2c6e1eeb4e29e4df766a111ee01cd1c0886c5c2aa4f969a499f1522bea63438fd6a820ac0f402500f1f3fd8c535ef9b94f83cf09bd52dda90

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
78KB

MD5
6f3230f277026697dec8262e932a8d66

SHA1
b470862c81a217bf0fa15b3d1c350ca2997b95c3

SHA256
1261ff32f2b945a5c291bd091fb70d74ba1bafe90dc1d996a824e6d70733f6ec

SHA512
717fb340f191c7d2c6e1eeb4e29e4df766a111ee01cd1c0886c5c2aa4f969a499f1522bea63438fd6a820ac0f402500f1f3fd8c535ef9b94f83cf09bd52dda90

Download Submit
C:\Windows\SysWOW64\Nfnamjhk.exe

Filesize
78KB

MD5
ae9dbcf745aec2036eee2b215e24dcef

SHA1
c76f621aa0936633565db97e94f2f6e54d5fefb5

SHA256
c188322fbfa97600f533327f08bd05dde6708173e6028e1f194da3631b3b0704

SHA512
85edd8dcb83e4816443e10ac6fb9bb2b2ce9d5791a91ccadbc7622c557cb6d6bdffdc3705d6ef7428472b725fe49cac5c20c236fbbfdfa53a24fb8050cf9def0

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
78KB

MD5
86165653f4aa1100833db753f5329466

SHA1
5faa4091eb80a66e5b08d67067947179c06e571e

SHA256
f20f2376a84dd4a0d74895e86d2d31834d9d64993089c0894f072a97fe595c67

SHA512
59de303fd56d0b91add8ed2fde6eba7765e20b904912b3d12e1e2fff5bffd08a7fb93b50cf69b4d6948b4cff0d3cad3e1c7a7201fac826a18c860ce7827b5f8d

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
78KB

MD5
86165653f4aa1100833db753f5329466

SHA1
5faa4091eb80a66e5b08d67067947179c06e571e

SHA256
f20f2376a84dd4a0d74895e86d2d31834d9d64993089c0894f072a97fe595c67

SHA512
59de303fd56d0b91add8ed2fde6eba7765e20b904912b3d12e1e2fff5bffd08a7fb93b50cf69b4d6948b4cff0d3cad3e1c7a7201fac826a18c860ce7827b5f8d

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
78KB

MD5
6e706d94a776ca592fb8d5ff031640d1

SHA1
b8a632a5d9a063ae89958fed7a47eb06dce94458

SHA256
9e42905455697b0baca8b2ad89e00b90c430a9d45c6944daca09a33a13d5fba6

SHA512
187167afda1c7c6dbc6131e0eec8d6f87071ff687be031303e074ce5fbba7f75c575c4ce41805bd1838bdbb7c433a1c15449af8f2c65b599ec3eadd2d179d55a

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
78KB

MD5
6e706d94a776ca592fb8d5ff031640d1

SHA1
b8a632a5d9a063ae89958fed7a47eb06dce94458

SHA256
9e42905455697b0baca8b2ad89e00b90c430a9d45c6944daca09a33a13d5fba6

SHA512
187167afda1c7c6dbc6131e0eec8d6f87071ff687be031303e074ce5fbba7f75c575c4ce41805bd1838bdbb7c433a1c15449af8f2c65b599ec3eadd2d179d55a

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
78KB

MD5
b8c58c0454d7c49e7591c94f7f12b289

SHA1
d2e9042ed0c37531c173af69cf66be70c3790e84

SHA256
22c8e3b1c0d7da04470a3573313594c10fef24f22eae0d3a53280f8784da6117

SHA512
ae005726d1e7387ebdf94674f8d4d083905be9e664052401e9f89f0ecf2429cb9e5803cf2cc66a73a44153164dd322e4b14f5a677faf43c6fff0e92a85a17f9a

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
78KB

MD5
b8c58c0454d7c49e7591c94f7f12b289

SHA1
d2e9042ed0c37531c173af69cf66be70c3790e84

SHA256
22c8e3b1c0d7da04470a3573313594c10fef24f22eae0d3a53280f8784da6117

SHA512
ae005726d1e7387ebdf94674f8d4d083905be9e664052401e9f89f0ecf2429cb9e5803cf2cc66a73a44153164dd322e4b14f5a677faf43c6fff0e92a85a17f9a

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
78KB

MD5
003905576e84832849c0e7d9148ca605

SHA1
2553e15e519fa5ef343b22419bdf2f05742d262d

SHA256
5c7ce3078c1aaa1272791212ac239c5272435ce55572db50fa142159e144841c

SHA512
0ee545138fe85f0c31711926f252dcb35609233f3fedd00bc07e4fb329bee73735cbd9a61eec0fbf73d906cf4811030ac5247e8d9b8a84d96ef930aa2de08206

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
78KB

MD5
003905576e84832849c0e7d9148ca605

SHA1
2553e15e519fa5ef343b22419bdf2f05742d262d

SHA256
5c7ce3078c1aaa1272791212ac239c5272435ce55572db50fa142159e144841c

SHA512
0ee545138fe85f0c31711926f252dcb35609233f3fedd00bc07e4fb329bee73735cbd9a61eec0fbf73d906cf4811030ac5247e8d9b8a84d96ef930aa2de08206

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
78KB

MD5
9279a9fb076fea43b4e455dd416e97e8

SHA1
ed78a2ebfcefb3cb1ba842c1aaac05ffbaa36dfb

SHA256
9962e8c63b9dcea5a8d2204078dee1a46dd63470e269ff521427712d85d927da

SHA512
de8158cf37e1ad258ee440d59d06e562fd0b99cd02aecb7349e7e6388893a215accd9ad5eb1dcb6d26db0c22c7850d14421398e1b168e784160217c8865478fd

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
78KB

MD5
9279a9fb076fea43b4e455dd416e97e8

SHA1
ed78a2ebfcefb3cb1ba842c1aaac05ffbaa36dfb

SHA256
9962e8c63b9dcea5a8d2204078dee1a46dd63470e269ff521427712d85d927da

SHA512
de8158cf37e1ad258ee440d59d06e562fd0b99cd02aecb7349e7e6388893a215accd9ad5eb1dcb6d26db0c22c7850d14421398e1b168e784160217c8865478fd

Download Submit
memory/844-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1416-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1808-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2096-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2096-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2128-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2172-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2744-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3064-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3188-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3328-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3372-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3420-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3484-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3484-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3552-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3728-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3728-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3784-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3808-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3916-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3916-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-245-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4040-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4144-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4756-272-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-50-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads