58d8723f5a81d313ba23562771d74bda530075cf5923544b5fed861584efec2d

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c54c419fcea64faf2e313cc562cd4a8f_NEAS.exe
Size

128KB
MD5

c54c419fcea64faf2e313cc562cd4a8f
SHA1

31795c523807b9dba429e832a9fef4105aef0520
SHA256

58d8723f5a81d313ba23562771d74bda530075cf5923544b5fed861584efec2d
SHA512

69ab8c3355fad164044ba33b665642717e5b24a11c6937a098961e69e011ccd46e76c08293fb9801e46d3324ef1d63ddaa7430a1c7075a888c823dc3a8963478
SSDEEP

3072:klG3qq88UCHf4QoqeXgfeeAA7DxSvITW/cbFGS9n:96qCCHgQoqeX+AshCw9n

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekjded32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egened32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgnbdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhcali32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfagighf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgmjmjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllokajf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lopmii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfnfjehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgnbdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfgmnfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Johnamkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gnblnlhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmkigh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombcji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qobhkjdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnibokbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnhdgpii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edbiniff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Likhem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcoljagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ggmmlamj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgiiiidd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnblnlhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jafdcbge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Momcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fiqjke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gngeik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laiipofp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lopmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfoann32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe

Executes dropped EXE 64 IoCs

pid	Process
560	Hmkigh32.exe
2592	Ipgbdbqb.exe
488	Ilnbicff.exe
1228	Iplkpa32.exe
2552	Joahqn32.exe
4160	Jpaekqhh.exe
1332	Jgmjmjnb.exe
4820	Johnamkm.exe
4648	Jllokajf.exe
3584	Jjpode32.exe
2128	Kcidmkpq.exe
2336	Koodbl32.exe
1744	Kjeiodek.exe
4216	Kgiiiidd.exe
3144	Kfnfjehl.exe
3552	Kgnbdh32.exe
3020	Lpfgmnfp.exe
4744	Lqhdbm32.exe
224	Lqkqhm32.exe
4376	Ljceqb32.exe
4380	Lopmii32.exe
4512	Ljhnlb32.exe
1992	Mcpcdg32.exe
4496	Mqdcnl32.exe
2600	Mnhdgpii.exe
3500	Mjodla32.exe
4816	Nggnadib.exe
3812	Ngjkfd32.exe
1812	Nqbpojnp.exe
3568	Nfohgqlg.exe
1544	Npgmpf32.exe
4780	Nmkmjjaa.exe
688	Nceefd32.exe
1680	Oplfkeob.exe
3868	Ompfej32.exe
448	Ofhknodl.exe
1488	Ombcji32.exe
4488	Ofkgcobj.exe
4868	Ofmdio32.exe
972	Pfoann32.exe
3400	Ppgegd32.exe
3916	Pnifekmd.exe
2556	Pfdjinjo.exe
3336	Pnkbkk32.exe
4312	Pplobcpp.exe
2844	Panhbfep.exe
2548	Qobhkjdi.exe
1712	Qmgelf32.exe
1684	Adcjop32.exe
4232	Aonhghjl.exe
1380	Bhmbqm32.exe
544	Bphgeo32.exe
1624	Bgbpaipl.exe
4572	Bnlhncgi.exe
4180	Bhblllfo.exe
1836	Bajqda32.exe
3828	Cnaaib32.exe
3044	Cgifbhid.exe
3256	Cpbjkn32.exe
3944	Cnfkdb32.exe
4768	Chkobkod.exe
1580	Coegoe32.exe
2432	Cogddd32.exe
4368	Dkekjdck.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofkgcobj.exe	Ombcji32.exe
File opened for modification	C:\Windows\SysWOW64\Pnifekmd.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Qmgelf32.exe	Qobhkjdi.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Fpmfmgnc.dll	Egened32.exe
File opened for modification	C:\Windows\SysWOW64\Haodle32.exe	Hpkknmgd.exe
File created	C:\Windows\SysWOW64\Lopmii32.exe	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Bmgagk32.dll	Ljhnlb32.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Oplfkeob.exe	Nceefd32.exe
File created	C:\Windows\SysWOW64\Pfoann32.exe	Ofmdio32.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Blqhpg32.dll	Nceefd32.exe
File opened for modification	C:\Windows\SysWOW64\Eqncnj32.exe	Egened32.exe
File created	C:\Windows\SysWOW64\Nggnadib.exe	Mcgiefen.exe
File opened for modification	C:\Windows\SysWOW64\Ngjkfd32.exe	Nggnadib.exe
File created	C:\Windows\SysWOW64\Dkekjdck.exe	Cogddd32.exe
File opened for modification	C:\Windows\SysWOW64\Gngeik32.exe	Ggmmlamj.exe
File created	C:\Windows\SysWOW64\Hpkknmgd.exe	Hnlodjpa.exe
File created	C:\Windows\SysWOW64\Lplfcf32.exe	Lomjicei.exe
File created	C:\Windows\SysWOW64\Jfpqiega.dll	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaekqhh.exe	Joahqn32.exe
File created	C:\Windows\SysWOW64\Jgmjmjnb.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Dicdcemd.dll	Nggnadib.exe
File opened for modification	C:\Windows\SysWOW64\Ppgegd32.exe	Pfoann32.exe
File created	C:\Windows\SysWOW64\Koonge32.exe	Klpakj32.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Dkhgod32.exe	Dbocfo32.exe
File opened for modification	C:\Windows\SysWOW64\Iplkpa32.exe	Ilnbicff.exe
File created	C:\Windows\SysWOW64\Pjdhbppo.dll	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Kcidmkpq.exe	Jjpode32.exe
File created	C:\Windows\SysWOW64\Fboqkn32.dll	Lopmii32.exe
File created	C:\Windows\SysWOW64\Eopjfnlo.dll	Pfoann32.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Dbocfo32.exe	Dkekjdck.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Bhblllfo.exe
File opened for modification	C:\Windows\SysWOW64\Lplfcf32.exe	Lomjicei.exe
File created	C:\Windows\SysWOW64\Mfbaalbi.exe	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Pfojdh32.exe	Oqoefand.exe
File created	C:\Windows\SysWOW64\Nffaen32.dll	Pfojdh32.exe
File created	C:\Windows\SysWOW64\Nfohgqlg.exe	Nqbpojnp.exe
File opened for modification	C:\Windows\SysWOW64\Ompfej32.exe	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Ofkgcobj.exe	Ombcji32.exe
File opened for modification	C:\Windows\SysWOW64\Egcaod32.exe	Eklajcmc.exe
File created	C:\Windows\SysWOW64\Plgdqf32.dll	Eghkjdoa.exe
File created	C:\Windows\SysWOW64\Gedhfp32.dll	Gegkpf32.exe
File opened for modification	C:\Windows\SysWOW64\Kcapicdj.exe	Khiofk32.exe
File created	C:\Windows\SysWOW64\Faoiogei.dll	Mcoljagj.exe
File created	C:\Windows\SysWOW64\Ekamnhne.dll	Kfnfjehl.exe
File created	C:\Windows\SysWOW64\Cjceejee.dll	Pnkbkk32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdehlip.exe	Eghkjdoa.exe
File created	C:\Windows\SysWOW64\Fkdjqkoj.dll	Gkaclqkk.exe
File created	C:\Windows\SysWOW64\Pncepolj.dll	Gndick32.exe
File created	C:\Windows\SysWOW64\Fallih32.dll	Hnlodjpa.exe
File opened for modification	C:\Windows\SysWOW64\Hbnaeh32.exe	Haodle32.exe
File created	C:\Windows\SysWOW64\Ekjded32.exe	Dkhgod32.exe
File created	C:\Windows\SysWOW64\Libmeq32.dll	Gghdaa32.exe
File created	C:\Windows\SysWOW64\Jafdcbge.exe	Jpegkj32.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Ompfej32.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Mjggal32.exe	Lpochfji.exe
File created	C:\Windows\SysWOW64\Njjmni32.exe	Nbphglbe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6244	5816	WerFault.exe	218

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmkigh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjpode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll"	Gegkpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhkafda.dll"	Hmkigh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdglhf32.dll"	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiebgmkm.dll"	Qobhkjdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpegkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfkgknc.dll"	Mjggal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccphn32.dll"	Hnibokbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Haodle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Joahqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgiiiidd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfohgqlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klpakj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khgbqkhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klpakj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnhdgpii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpjbdk32.dll"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekamnhne.dll"	Kfnfjehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jafdcbge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnckkha.dll"	Eklajcmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpckhnk.dll"	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	c54c419fcea64faf2e313cc562cd4a8f_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Johnamkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofhknodl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbehfom.dll"	Lpfgmnfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpnkbfj.dll"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjggal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c54c419fcea64faf2e313cc562cd4a8f_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipgbdbqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjpode32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egcaod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll"	Mlhqcgnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnoekk.dll"	Iplkpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljhnlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaacddn.dll"	Ofmdio32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 560	2104	c54c419fcea64faf2e313cc562cd4a8f_NEAS.exe	90
PID 2104 wrote to memory of 560	2104	c54c419fcea64faf2e313cc562cd4a8f_NEAS.exe	90
PID 2104 wrote to memory of 560	2104	c54c419fcea64faf2e313cc562cd4a8f_NEAS.exe	90
PID 560 wrote to memory of 2592	560	Hmkigh32.exe	91
PID 560 wrote to memory of 2592	560	Hmkigh32.exe	91
PID 560 wrote to memory of 2592	560	Hmkigh32.exe	91
PID 2592 wrote to memory of 488	2592	Ipgbdbqb.exe	92
PID 2592 wrote to memory of 488	2592	Ipgbdbqb.exe	92
PID 2592 wrote to memory of 488	2592	Ipgbdbqb.exe	92
PID 488 wrote to memory of 1228	488	Ilnbicff.exe	93
PID 488 wrote to memory of 1228	488	Ilnbicff.exe	93
PID 488 wrote to memory of 1228	488	Ilnbicff.exe	93
PID 1228 wrote to memory of 2552	1228	Iplkpa32.exe	94
PID 1228 wrote to memory of 2552	1228	Iplkpa32.exe	94
PID 1228 wrote to memory of 2552	1228	Iplkpa32.exe	94
PID 2552 wrote to memory of 4160	2552	Joahqn32.exe	95
PID 2552 wrote to memory of 4160	2552	Joahqn32.exe	95
PID 2552 wrote to memory of 4160	2552	Joahqn32.exe	95
PID 4160 wrote to memory of 1332	4160	Jpaekqhh.exe	96
PID 4160 wrote to memory of 1332	4160	Jpaekqhh.exe	96
PID 4160 wrote to memory of 1332	4160	Jpaekqhh.exe	96
PID 1332 wrote to memory of 4820	1332	Jgmjmjnb.exe	97
PID 1332 wrote to memory of 4820	1332	Jgmjmjnb.exe	97
PID 1332 wrote to memory of 4820	1332	Jgmjmjnb.exe	97
PID 4820 wrote to memory of 4648	4820	Johnamkm.exe	98
PID 4820 wrote to memory of 4648	4820	Johnamkm.exe	98
PID 4820 wrote to memory of 4648	4820	Johnamkm.exe	98
PID 4648 wrote to memory of 3584	4648	Jllokajf.exe	99
PID 4648 wrote to memory of 3584	4648	Jllokajf.exe	99
PID 4648 wrote to memory of 3584	4648	Jllokajf.exe	99
PID 3584 wrote to memory of 2128	3584	Jjpode32.exe	100
PID 3584 wrote to memory of 2128	3584	Jjpode32.exe	100
PID 3584 wrote to memory of 2128	3584	Jjpode32.exe	100
PID 2128 wrote to memory of 2336	2128	Kcidmkpq.exe	101
PID 2128 wrote to memory of 2336	2128	Kcidmkpq.exe	101
PID 2128 wrote to memory of 2336	2128	Kcidmkpq.exe	101
PID 2336 wrote to memory of 1744	2336	Koodbl32.exe	102
PID 2336 wrote to memory of 1744	2336	Koodbl32.exe	102
PID 2336 wrote to memory of 1744	2336	Koodbl32.exe	102
PID 1744 wrote to memory of 4216	1744	Kjeiodek.exe	103
PID 1744 wrote to memory of 4216	1744	Kjeiodek.exe	103
PID 1744 wrote to memory of 4216	1744	Kjeiodek.exe	103
PID 4216 wrote to memory of 3144	4216	Kgiiiidd.exe	104
PID 4216 wrote to memory of 3144	4216	Kgiiiidd.exe	104
PID 4216 wrote to memory of 3144	4216	Kgiiiidd.exe	104
PID 3144 wrote to memory of 3552	3144	Kfnfjehl.exe	105
PID 3144 wrote to memory of 3552	3144	Kfnfjehl.exe	105
PID 3144 wrote to memory of 3552	3144	Kfnfjehl.exe	105
PID 3552 wrote to memory of 3020	3552	Kgnbdh32.exe	106
PID 3552 wrote to memory of 3020	3552	Kgnbdh32.exe	106
PID 3552 wrote to memory of 3020	3552	Kgnbdh32.exe	106
PID 3020 wrote to memory of 4744	3020	Lpfgmnfp.exe	107
PID 3020 wrote to memory of 4744	3020	Lpfgmnfp.exe	107
PID 3020 wrote to memory of 4744	3020	Lpfgmnfp.exe	107
PID 4744 wrote to memory of 224	4744	Lqhdbm32.exe	108
PID 4744 wrote to memory of 224	4744	Lqhdbm32.exe	108
PID 4744 wrote to memory of 224	4744	Lqhdbm32.exe	108
PID 224 wrote to memory of 4376	224	Lqkqhm32.exe	109
PID 224 wrote to memory of 4376	224	Lqkqhm32.exe	109
PID 224 wrote to memory of 4376	224	Lqkqhm32.exe	109
PID 4376 wrote to memory of 4380	4376	Ljceqb32.exe	110
PID 4376 wrote to memory of 4380	4376	Ljceqb32.exe	110
PID 4376 wrote to memory of 4380	4376	Ljceqb32.exe	110
PID 4380 wrote to memory of 4512	4380	Lopmii32.exe	111

C:\Users\Admin\AppData\Local\Temp\c54c419fcea64faf2e313cc562cd4a8f_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\c54c419fcea64faf2e313cc562cd4a8f_NEAS.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Hmkigh32.exe
  C:\Windows\system32\Hmkigh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\Ipgbdbqb.exe
    C:\Windows\system32\Ipgbdbqb.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\Ilnbicff.exe
      C:\Windows\system32\Ilnbicff.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:488
    - - C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Koodbl32.exe
        
        C:\Windows\system32\Koodbl32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Kgiiiidd.exe
        
        C:\Windows\system32\Kgiiiidd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Kfnfjehl.exe
        
        C:\Windows\system32\Kfnfjehl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Kgnbdh32.exe
        
        C:\Windows\system32\Kgnbdh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Lopmii32.exe
        
        C:\Windows\system32\Lopmii32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        24⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        25⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Mnhdgpii.exe
        
        C:\Windows\system32\Mnhdgpii.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        27⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        45⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        52⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        58⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        59⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Dkekjdck.exe
        
        C:\Windows\system32\Dkekjdck.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ekjded32.exe
        
        C:\Windows\system32\Ekjded32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2132
        
        C:\Windows\SysWOW64\Edbiniff.exe
        
        C:\Windows\system32\Edbiniff.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:676
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        72⤵
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Egened32.exe
        
        C:\Windows\system32\Egened32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Eqncnj32.exe
        
        C:\Windows\system32\Eqncnj32.exe
        74⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        75⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        76⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Gkaclqkk.exe
        
        C:\Windows\system32\Gkaclqkk.exe
        79⤵
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Gghdaa32.exe
        
        C:\Windows\system32\Gghdaa32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Gnblnlhl.exe
        
        C:\Windows\system32\Gnblnlhl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Gndick32.exe
        
        C:\Windows\system32\Gndick32.exe
        82⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Ggmmlamj.exe
        
        C:\Windows\system32\Ggmmlamj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Hnibokbd.exe
        
        C:\Windows\system32\Hnibokbd.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Hnlodjpa.exe
        
        C:\Windows\system32\Hnlodjpa.exe
        86⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Hpkknmgd.exe
        
        C:\Windows\system32\Hpkknmgd.exe
        87⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Haodle32.exe
        
        C:\Windows\system32\Haodle32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        89⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        90⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        91⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Jpegkj32.exe
        
        C:\Windows\system32\Jpegkj32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        94⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        96⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        97⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        98⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3060
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        101⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Laiipofp.exe
        
        C:\Windows\system32\Laiipofp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        104⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        105⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Lpochfji.exe
        
        C:\Windows\system32\Lpochfji.exe
        106⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Mjggal32.exe
        
        C:\Windows\system32\Mjggal32.exe
        107⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mcoljagj.exe
        
        C:\Windows\system32\Mcoljagj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Mlhqcgnk.exe
        
        C:\Windows\system32\Mlhqcgnk.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        111⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Momcpa32.exe
        
        C:\Windows\system32\Momcpa32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Njbgmjgl.exe
        
        C:\Windows\system32\Njbgmjgl.exe
        114⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Nhhdnf32.exe
        
        C:\Windows\system32\Nhhdnf32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Njjmni32.exe
        
        C:\Windows\system32\Njjmni32.exe
        117⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Ookoaokf.exe
        
        C:\Windows\system32\Ookoaokf.exe
        118⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        120⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        121⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5148
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        124⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        125⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 412
        126⤵
        Program crash
        
        PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5816 -ip 5816
1⤵
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:6816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
128KB

MD5
315ded26c109beb2993a7b50c3b1886e

SHA1
2614ac017c5a05f1e9073ac6fdba746a6c507c11

SHA256
0ed9e38b9dd054dad09d934514c87b9093a84868b0c4b4e94f9a95bd52102969

SHA512
40e7e8426f87f13b6b2f1967959ad745e2e42e53d778e8e13868e68bca32e59c48e6ccade6e6b123efc920e31790cdde3550cbbf6942ccb50ecac89966ccb69d

Download Submit
C:\Windows\SysWOW64\Dkhgod32.exe

Filesize
128KB

MD5
ed3984c093c7b0deabb7f90b5b5467e6

SHA1
9a2a9621076d14fbaed60162e5d97ce0215a2d07

SHA256
83e8f31e86c5c59a393baec75a6845da875a616f6a647337731bbd0f1061886e

SHA512
baee648eb3d485e0371a06c58eff2199eb0dca51106b207f68789455b7c4b54ea733af025e8c1a11991a82074ec72d662772673678a0d6131d47e38c182e306d

Download Submit
C:\Windows\SysWOW64\Dmcnoekk.dll

Filesize
7KB

MD5
bbb2db3ea81ced16f9bd414e9d519dda

SHA1
7a48b19544d6b5c4e51e2a617673ba807873545b

SHA256
0a304a0c26198764f3586fae7d1fbbd687dcca96154be305823ad3f918a9e715

SHA512
08bef8f55460e35a9f26badc6f67930bfe45bbcf5c8f7061dabebf028d603402e6529a7ed90e329f7bba328eccc15774b5233f3f485f2a56df43b50a5c80f190

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe

Filesize
128KB

MD5
c3674c4986ec4883591d75dcbecaf922

SHA1
81e816a6fda893a658121902bea7f31bcc81b79a

SHA256
174c98fd64f47970d1aa30698e7d5ead074c2efa2565605acf9f3a0d1e51bb91

SHA512
4782b76d35d862f6a2e89587717e9321631c1b51a9d04bbcbb8f67cfeec9ed8f43473a62ddebe232ecaabb6835edf4e591608c9e6ba9325d7deffddc3cdc1ace

Download Submit
C:\Windows\SysWOW64\Eqncnj32.exe

Filesize
128KB

MD5
c38971a846e7ccc8c740f64d29b321f2

SHA1
160e1c5031845bca6597ac632f0aa440e62fc315

SHA256
7c1e6269920dfa7844429eff18446ba7fb7125f04104a4dcb03398c13d3e4294

SHA512
834d651caaa8af0ee6eb82b40be37baeadb31e42c014ae92d9819a353da922b7c1e0ab06289e55397d078714eb6bf278a034d5aefa540ac39b93b9252c4c5972

Download Submit
C:\Windows\SysWOW64\Gndick32.exe

Filesize
128KB

MD5
cfb223322c483d647294b08ccd6de690

SHA1
e1325767efaffb732373a9be655eb58e98a316f8

SHA256
1f57f346f16fd8cc7d2025f3faf57d5d944ab03160ef550e4c5771ad3d3d1e56

SHA512
ad15d69abff8db3229df600d424e3f308eeba4fabe4b7fd0920cc6e132a9c09115430384fd9233f99bfb07e23d768c95abb4ed211d15b20b7d76d07820b68844

Download Submit
C:\Windows\SysWOW64\Hmkigh32.exe

Filesize
128KB

MD5
1cf1798d4b9036379c82afba79766899

SHA1
627416aea8aa61cf161a5843eaa689a36a919da6

SHA256
904f188b28fbe2bef573d0f1de16a60beaa2d97bf7f2835efe90a8ca2ca3cc16

SHA512
f90d952465fbbfa32adff69d3dd34d97c4ba832e61d446eedf00ab86e8a38a390dd4c9f9298f2bfc1a18535dd99000635fe488e1bfbd2a576fdba7b1359d7787

Download Submit
C:\Windows\SysWOW64\Hnibokbd.exe

Filesize
128KB

MD5
2cb69198a9189ebdc52d1d9a28c9c7cc

SHA1
bce0489c9f1dd741e924f022eea9c964d132bb0b

SHA256
46c3c18bebc6273f7ffc7ce1aa27499bf4ef6b7de08ea6cc4a0e1ecf0d34f87e

SHA512
6f1e9d08225ad967cb3a79a9063507cae218574a6a8580a863dc9ffbee447adc9c97900d101c8d3b3f5242d2e096fa5c4e8efe104870f294dda76478e4d03d5d

Download Submit
C:\Windows\SysWOW64\Ihbponja.exe

Filesize
128KB

MD5
498013485c579dcca54a99dbe986f605

SHA1
8d6d29be7fe6b82d7544a1018e502ceed13d77ac

SHA256
0dad7815ec02745c839b9394745d92395a2fe20b0ecd1293cf6379b5bfdca9de

SHA512
111d7dc21e83fc9288a844613c8e31ffa4b427de5c629756de266a6d21d57c172058e0769dd213960ed3263f66ac95a42c7a9d4ad6ca55857f6548b92bb3a966

Download Submit
C:\Windows\SysWOW64\Ilnbicff.exe

Filesize
128KB

MD5
c66fca27f153c2171caf331b8950476d

SHA1
4a46a99748ced3d513f8b863d797254d40e542e9

SHA256
af0736c8404a42a11223032b7681255ad7d6765de1c61df17c405ec86e13b331

SHA512
aa5a03f53061f3918bc1fbc41f4f5cd35fb4d93e140f90faf40a74364592e2216740acb3f2b85794673f13226a0b4d0b548ac4eab70a1cbc03e1933056b06bcc

Download Submit
C:\Windows\SysWOW64\Ipgbdbqb.exe

Filesize
128KB

MD5
f118cc4656b3804e92bd8226e3bb306b

SHA1
c98756d326738fe0836bbfcc882f48637abf16dc

SHA256
e41a41e047db9df27697dc9ab4a6a34c40f253c734f1bd0597ff19704bf76125

SHA512
d1caef41ec6889d8460b876744af4536ae7cd7933332abf9bb223b43fd92c055711230d9349251ed41b167d99af3b702a971914bd89e1a137c393e077e50c55a

Download Submit
C:\Windows\SysWOW64\Iplkpa32.exe

Filesize
128KB

MD5
09ee1d7422115fc7d569df6862ce8275

SHA1
5849b848a5c42b0dc63e0a6c3511dd1be37067dc

SHA256
fe7246e4a037770e88e9561c116758929216efac1055060ae4c0ff66438c2795

SHA512
de312619883ccc29bf53c7d2fc962af168737f9422065a7047255f38be8274a59d08daf4b8304574e0a6c78cbab40690c7ec0f302f40e8564412515567972f62

Download Submit
C:\Windows\SysWOW64\Jafdcbge.exe

Filesize
128KB

MD5
58f893b60ffce49ff65e76fdc96df858

SHA1
f056daa29bc3a0352141e2ac11f3cbea062672f7

SHA256
c39f8544cee7dd4f109ae817656ec008acd6797188dcf4384f3322d13a296419

SHA512
1bd9a42e7e920dc5f55ab5040d6235daf40659ef72f40b3a96748a3d16dc6514befc064b70ba2220a53dc869241a59b0f730e7fb24129259b9ec69d6feaa47f3

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe

Filesize
128KB

MD5
ba74905d0347f8f8088eccaeccb55112

SHA1
952f58a8c0dc8508b59a5570a3338697b307b6ba

SHA256
5ff53419cac424078c8a753585086d843dc62ac6b7ef8cc8875b1ae3f046e34f

SHA512
1ef360931234bdce86e702d45798883686997c6bcbc24f79319cc35c2c6275b82fca8cb26f011901ab34c7551d506a359809aaeb521fbb71fbb144ce69348c17

Download Submit
C:\Windows\SysWOW64\Jjpode32.exe

Filesize
128KB

MD5
54ff429d32c482ee01a7c347f0657281

SHA1
4b0ab6948cbcf3534e0599aedcb69d37dc75afad

SHA256
e4908ddfa54d787fa56e73d83adb5fa260687a1dd4ba653f5e8222369876a864

SHA512
7b83133dd6b6665486080736321f608ffb2451bce4f78c329206240a18d78643210df738b64494e44448b984d2f3a2cd7ff75164dde873c96b73a232dcb73c18

Download Submit
C:\Windows\SysWOW64\Jllokajf.exe

Filesize
128KB

MD5
faa11be60980f28bfa6e59fbc7f2caed

SHA1
27a935dff35342607ed77f814e2525e8e007150d

SHA256
6f86d147c76e215bb024cc9a71ada0399d97dc4b37fcc120ef8c9d2526afd172

SHA512
df809c51f91e816fbd361ac9dd0098e4896dda0b8bb444b750ce868f7390ecd7df4a635964fd6d6d214c0ac33442959940e0d5a3301833dc9f5943bc094c1a6c

Download Submit
C:\Windows\SysWOW64\Joahqn32.exe

Filesize
128KB

MD5
32374906074dbefcae014df18391e8b9

SHA1
c6777de9be7a26a8276c5b09e92d1b24797d0880

SHA256
e7c51c4c48fd0dd0d1ae597922fd9365a13c717d83c78adfd83d708107985168

SHA512
80d34b53d50f004f8cddebaa0ad74dce4b35847819680f37a019c46e4896d2394294937aa05a94bc47fcc79c3993a388cc14a21123a685fdeb50b8cdccc572bb

Download Submit
C:\Windows\SysWOW64\Johnamkm.exe

Filesize
128KB

MD5
a1bb0b55030358f411812eb65c5569e1

SHA1
a5db1bdca6cc7ced232c334a9212faf23a695fd1

SHA256
9e47db31d70fe386a30808d09012f23b194b8473a17a01cd63e3a7afa90f8cf3

SHA512
0227ea336194dd74d5230a850b3565c5f3776ec4c0dfd3d75875bb30f5e6cf1da7d3d2a5a0ed87765ba24c877c4868cec3f623fc77c080be8bedd579a5088395

Download Submit
C:\Windows\SysWOW64\Jpaekqhh.exe

Filesize
128KB

MD5
11b24a06d56c51d18c5a192c10162f6c

SHA1
d34cb25d8fd53a9e45e2ec2e6fa37efe82fedd6f

SHA256
6f4e7add35a36dcafc675294f6844ebdf093cf948deabf3671b6ce4793abfb33

SHA512
19da102ab20f74dc7344283b1ed30afb621e21b7068362b8affbafec2833a24eb7aef6e55665dc8165ec396e14859e747c3b48e22c5b1c54ddcb8464644ba1cd

Download Submit
C:\Windows\SysWOW64\Kcidmkpq.exe

Filesize
128KB

MD5
3d8cfdd102d239ddab31ac3aa79ff734

SHA1
46283aa4dcddf98008556c1a528d8d8070263f36

SHA256
ebc0ae9a36c680fa9d3d4e83adf71bad14c4ca7c92a2f1115d139116c9b8a339

SHA512
197738e0fb303a09560ad2f696bea1b39eac1effedadce1d095c91a84fc35ca2b14a8119d1a43eb3431b6ebb743ee9eeccd2ac7833ebca20d5782fdaf03b1bb1

Download Submit
C:\Windows\SysWOW64\Kfnfjehl.exe

Filesize
128KB

MD5
157ff034040eb9338236a1b092c329a6

SHA1
7e94a8b72ae1bd513110a05c6514616a0bf2a4a9

SHA256
bff8bc1fa331c7e0a1c9a8cf704222c5163d79a442bfd559ca7f2f913067598b

SHA512
7b9c087c5b7015b35feb4b5e306dc566102557826da66ae66e764b1c5767ba95ffe829c45ea12f3d6a525f1176d50c1c786823fb501d49a7d8fe2c3d1f852b09

Download Submit
C:\Windows\SysWOW64\Kgiiiidd.exe

Filesize
128KB

MD5
8aed0804d11f3acaff6d0024f9a3a261

SHA1
eb1dffeb3e20ca0127cbc89c9a59151484a1c992

SHA256
8d5b0b2ba5029792317df526cd96f415486f6b519c56b46edfe314f97538fd76

SHA512
abf7002f1080c24b29c946ce8cd1417736b5ac1a495d3e52051d29526d963cbb0dc83c55e63616ff41be817b773d260a72f318b810150b94ab14a11b0aa1ee2b

Download Submit
C:\Windows\SysWOW64\Kgnbdh32.exe

Filesize
128KB

MD5
f1bbf201a80c8f68c7150019df5d358d

SHA1
0d3d420732b24c1cbaaf2fc4a04e90d1d1a9620a

SHA256
75345bf818e2d50ae749192015c919804079e4df58508df2a830b532c9c19421

SHA512
a4748a2fab2e8d01584506194e86a84d8f15ec0dbda5bf3a7e56d782d0818f170ad1d839f83e2725c1e646915774e291d02c1705a5a788da633b052972394534

Download Submit
C:\Windows\SysWOW64\Kjeiodek.exe

Filesize
128KB

MD5
a9a2beaece3b581b50e4c283b0e4903f

SHA1
a1ae6b58c9bd0b7534dff9655179fb0cc1eca587

SHA256
0147d8c85fc92ffeecde5a621f04674274aadde20f79aae1f8bd447dff588582

SHA512
e7eea8035307c6f5f6ea55dba0f2ff9241c045460c38b5c5a7bd6b2b3570a161acc361dec82eba6e5667198e8bee98c5cb6d22758c06f985c014d1fecfef7a1b

Download Submit
C:\Windows\SysWOW64\Koodbl32.exe

Filesize
128KB

MD5
ac9c56368aac02c583af7d2f7929bdf0

SHA1
576ccd1538b2d88cf991b5379557de8a0abffad2

SHA256
b138e4f1f6dc414a30dfb26fc576e3cbd758017407b7e475ea9434949a5cecdc

SHA512
ed3db210c3abce7613c1e488832e57881e8b9da6d8339529c2adc68ae5e57946e0f9d27f49e4519dba12c42ed371fdfb358ca01f823a60f3a8dbcf97f286de36

Download Submit
C:\Windows\SysWOW64\Lhcali32.exe

Filesize
128KB

MD5
a32802933ab6eefccce99bfc96e433c9

SHA1
3855fd9286ae1fb914980c4724e2465f3be4a961

SHA256
117f62805c5082882fac626dd9d60104e344d92422686c67945c36363b979cc1

SHA512
2fb5a493d77f42f8e6ae1ac56b8f8f9a8e8f328c160d261336ef81a60779e8f3711469fb8c9e1f6a84c7bad8fc6700396c1c225a35da12511950e35f897ef26f

Download Submit
C:\Windows\SysWOW64\Likhem32.exe

Filesize
128KB

MD5
b562b4d49083705becffb1de417a1b7e

SHA1
c5dd4d5d3c7354d85b0ba0b075444d71025ff1c9

SHA256
5bd56b6255ebf3d93a4a34a550daf7330b34d6257706005ca7dee6b549e2021a

SHA512
5eed604d2ab85d0eb6710ce6b8e19dd6e10f2419a106922b2d921890f00d7db13906bbc704cb4239633c7eb350e0a747dfd0fb94c7bc29ff5ab42c5df85d3f36

Download Submit
C:\Windows\SysWOW64\Ljceqb32.exe

Filesize
128KB

MD5
af1d1a792006f362eb80913ebf078c43

SHA1
14238b83c60ffd3e8c4d5b7094ac1403351637fd

SHA256
90a26c25894c773c8109c889cd38803a317251494d059715f6f697bf668e8a47

SHA512
6f681a3c20c08184c352058555274f78dea2dfca5a51e364bb55ba69ba114d95138d1bb4ff086ce99ac335e619c00655b9b6d141ea783b7295ca463fed508e55

Download Submit
C:\Windows\SysWOW64\Ljhnlb32.exe

Filesize
128KB

MD5
6d099489adb4994bc85b836a4ac57bd0

SHA1
713da8f25591cd0248f3d5a13f51a3c483938b28

SHA256
04d2bdfad0935200179031eb7512883304bd1caf5642575696dd1d411b0d7e9b

SHA512
eccd84b0b3d3a10dabe3ea7102eefe3415bc578b16f48ddd02a3aa0ddc148da1d0795eb6398c0724cad2b6751ed001613ea67f7af5f5495228f4b8d0ccb6a2be

Download Submit
C:\Windows\SysWOW64\Lopmii32.exe

Filesize
128KB

MD5
46d9106683b2329eef537e24b93d6faf

SHA1
2d1bdec71d1c5b92bfe7ef9cff5ad1de7efc51cc

SHA256
7ae36f4c74cf9cf2b84a50c792b6d4f8599cffc115a9b53e6998abe031c435ef

SHA512
9219097f8279a86d4b2e8805094f4b213378a1212c01646725a0738395b478ca59ec89553118fe91eeac235f8b0f34ae96abb9fc34857a6feccb15bce328aa6f

Download Submit
C:\Windows\SysWOW64\Lopmii32.exe

Filesize
128KB

MD5
ea318998cfa1c317590a56ece27ad420

SHA1
7c16ca3cd7735577eabdcff9c1c2b9add9e15ae9

SHA256
fba03f50deff0668fe917c4fc33b10c7c19ac11e6f086876ca27200eae56f548

SHA512
baaaf51507614d14cb579635da1ca5f63c3d6dfb2e124247d805f7acb9e6137c71cfc8bbae016bebd49e5a1d5e1fc46de0d3cbd795437759fdd9dd822251c87d

Download Submit
C:\Windows\SysWOW64\Lpfgmnfp.exe

Filesize
128KB

MD5
b4720c4c8a1767d857c0fe40bae0857a

SHA1
96da992fdb178d9f0c0544e22493f22410c67aeb

SHA256
34266b698e8f69027303a6ddcaccb9e936f8032600b1593ca17654db9170cd18

SHA512
f38d3d53f35df212dc15674101af42175a4b65369e625cad11184883d1ca0b2ec54a5fff02475fb5edd0b79791a6da11896809851425179ef36c1f6d3e5cc67a

Download Submit
C:\Windows\SysWOW64\Lqhdbm32.exe

Filesize
128KB

MD5
8d59941c136597f0ab8f781f387991df

SHA1
d4a8191d57066bb7f343521d60f69d0184808daa

SHA256
d9d408d2bf5f9e162b8d84d76d000799cb70db331493da4ab5fd9be21e97e760

SHA512
614cc08c30fe77497e73edb578b27cf5fa4332effebe310bc5929b7fdf94ede0f4bda6f0457e266db73ad6d6a771d802e98894aee83261aca7e8115e25d0ff7f

Download Submit
C:\Windows\SysWOW64\Lqkqhm32.exe

Filesize
128KB

MD5
b1a179005e60fa3759093b19d5104c41

SHA1
f1be53e6d4e24603b7a6a2379a625cdbb8d45aa0

SHA256
0b2f6eefd8790a280f3c0743b77e8c8c167b26bc3c447100660186296c130b09

SHA512
a8e86722760cf022fdb550cb7105ac7208d370f056cca7b35c64922dcf08af6f4f9f2104d78836d2701a6a0a4d31823cf26e558ca057eee3a7af898be7e425cf

Download Submit
C:\Windows\SysWOW64\Mcoljagj.exe

Filesize
128KB

MD5
db2f26c85241ef0826ad506655b690f5

SHA1
7b117998d035baf5a261edae7124403c2f046000

SHA256
f90c00cc74e5b91a1045f53ab5aa702b5a5ebf49b27d78106c771af95e315eb9

SHA512
bdcf245808300f4f1573fbec66c8a5fcb266a8f4944e38b4203646a6ca71de52c0ec9c0476ddc90fdc7b09db8ea593c667f43299ca2b149954488ca9dffbd7e1

Download Submit
C:\Windows\SysWOW64\Mcpcdg32.exe

Filesize
128KB

MD5
379e79381de49a94c397822beadfa650

SHA1
3ffe9ae6578663b09cd4eacb8e85d841e9b26e51

SHA256
088e4e10bb4bffd6cceb65efcaa4fd5a031515291a6ef97b13043077dd177dba

SHA512
97fb4c2e132a6f0806c480a522703154b5eedc8e573654835b8a2f405fb9301ad2706a8d4cc690f9132d01e61fc9eccf5f89534cff69c914782c013094e76e32

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
128KB

MD5
45b1608e10b32fec6ad0e4bc3b66a2df

SHA1
03fbf09eefcd62216bf640a8e3552e942e2b3b77

SHA256
3000620829a7289b57154a6e6a1dab1b925ce65c3ad5ecdd99c1c3ecd5726585

SHA512
2c5a79595a5c8cdcc3c52d30a46eeb8785842a6f3b6c3f04c5ff079991e658115298ead66d3b36cc6779c0694e7c2a6cd3057edc4569c4076a8c2e84959c703d

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
128KB

MD5
fa694051b5ff7b1baa51e987809a0ec3

SHA1
d8514df0d6218687a3123563eed607169607a4d4

SHA256
2e7262fc6365b408a853108f036c05f7b75c1d02eba721a3996ebf0e6003deba

SHA512
30cbfad042640274f0eb9c7e01038cfa88d9d3939c20493cd0283b4e4a6847616559f65a97ebf33f8b73e91ffa373ec19e063b684c45695080030c60c8fb987d

Download Submit
C:\Windows\SysWOW64\Mokfja32.exe

Filesize
128KB

MD5
90eaf5d01d52afc1ab0a43cbe089a96f

SHA1
ac9f923ab1dadf940ab23d7e2501aad0247efb29

SHA256
7a68bcde863b5c0c6dcfb76eb49e7a49184f9535ffba41567b185ea91de80385

SHA512
75c0ca14280b484d98432f2c6e05106b28f3d6dfd09aa55b5c212310a296bf117540ca33e03c3dc6cc70fd7cc9e5b1dd5b78378160a39d17a9cecaf6c9a0d4ba

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
128KB

MD5
761310e5cb1b9f1e77c86c8382bce411

SHA1
c515084ca3d1493fa75c6df09f15a32811574356

SHA256
ec129249ff5b769b476fe27373ab8496899591cf56b71c1b097016590498b37d

SHA512
b720794845030c219071efbed373ba854131c170428656ff33194808774b2d29ee21acd1aaada47f1a9d98429bcc6a4a303630a047972a122b4ecfd5fde69954

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
128KB

MD5
f15fb0094b33c7955912a9c017f322f4

SHA1
639c59e003394d587772abecebac398f154e45a8

SHA256
a94fbddc995213d50f58785b96c6bcba0c5fa1b29ddf07f4a3a053f746632892

SHA512
007e9418f39348677edac743f2ce0ff3b04618a9a5c5c86128ff9cbf215680232b7d2e8824a240ca46366c88f4d82739e130404022f49c43b67c6e44c672fc9d

Download Submit
C:\Windows\SysWOW64\Nfohgqlg.exe

Filesize
128KB

MD5
02d18fcf3c7018f5f802a41eabadb75b

SHA1
da78f6499634ab3001fc5c7830cc7b04e08db64f

SHA256
79ae0819d39c95e393db2c830dc7e45b4abc21a10ad59e443e2306fa4aa1e1d4

SHA512
0643f6bfb675f23ec1915cac731e1444d6b9f80c8c9725336bc807514216e1f429454925e5dbecccd09eab7b6813c84a42f4b8f73357e450429480234047aec8

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
128KB

MD5
5c24a2afb345021465b5aee025ff0a7f

SHA1
d6c5afe86347395e41332d5805801a61849e57b0

SHA256
2cda9ad2e5d438f0300a34d5b85c4bf51997a0029102ff2364a6bb14b5fb46f1

SHA512
403d0098f0686a3e2eeca2838eb30ea8a7b6301bd363ae961464fcd65074d022661c5a650ff48c6f03bc5f9a18905a24a4fdb54411467eece53fb52dbfdf6965

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
128KB

MD5
6eebe9ca6cf018cffa4965c3dd655adb

SHA1
2e03325a640287b5cb4ceed1f6a9a23095f1c918

SHA256
5d364d313914ca30b962d6a87f2fa1e904fd2114568dc1ca2d940258eeaffb71

SHA512
38e7627005f71d7763eb81364d33be94100b16311055550df81ff6960afc1f43250cd8533feb2a6db7972cee735a2c583b10576e497ef5bf24d3ca1e41403148

Download Submit
C:\Windows\SysWOW64\Njbgmjgl.exe

Filesize
128KB

MD5
afd802def1e49eaab71f85d2e4f555c5

SHA1
4c24022fc04f88db122fc9cd7b0f9761260edb71

SHA256
7bcd00a26776b046512ca6cc69e4e82c15011d23f59977fd0d2e5cf41cfac04c

SHA512
d9e689e107b992b88d9e510618072d86e14f307cd5e88ecc2b34fbcc1ff8e502fbbcc2678afb07a383a71001160056b7aa62f0a9cb52110e1b40ff8b1e4e881d

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
128KB

MD5
76b62ba148e5012b6a226ae2a3ec8200

SHA1
2e0af5424986387ac062e602c9f1a5b5d63cf335

SHA256
1bb0a5e4c57966d695e22741a4547eeef1c4398d727371eff81d491b3e26dce4

SHA512
acab42e71384a86e07adfcf0766d633d8893c8bf295eee5c9e84cfabe0411789fec59c694ebabdd9e55b76b9b155b18e5dd09e76534a444f246eb3c207a4185a

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
128KB

MD5
dadb27a5e354de409bf82fd6e8cb51aa

SHA1
5e2177b99f87ae3f63840b9cf8ea01728da39dd6

SHA256
d57b763c080cb6d6c7b44f6c4d89fa9d9bca6b7f6a116c85c40ec6092291dcb1

SHA512
086317de6825519e9a33665f6ca0abb6adb92668227627888655f3a3b6a66be8640c034bb4aa32d4e4eb9a7e7b4a8e7a4339eb8616d43a7c678bd75e84f5c8c6

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
128KB

MD5
75bf2dc724dc061eb0549dd1aedd342b

SHA1
e09d7c04747278dd510c339088ad3c76f4da1cd4

SHA256
4c4f3d570865f7f1a61aee66eec8e0736b7ce4671bd39046bbd382da7a3650ba

SHA512
28c548f778e7a7c1d0e9ba768cff2e0802c068d1541061da1e6bb1d8e262a3c2d178ce1cee0b01af14fb4303f50e2590c5eac3f1249585f84509e22f4cd56a98

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
128KB

MD5
584ea0d127bbc4eb6e5d8ead82026f87

SHA1
c0998fbcfd29d657c4a943d28632ef423cba0a37

SHA256
90c265bc92c0e3bdd1bd7318bcab37aedb9b015b3352ad4da62185571369cfdd

SHA512
f079e521e2461a2239e92579dfca862145475bd8cb8b900087bce187e1a9921bf3824cff8a77422400f3bd25e2663a68352b87c9145e53430837f326768c7676

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
128KB

MD5
6010b4cf8ce8fb3dafbd668d553016b8

SHA1
87d27245b850112f6934fee16377469125944284

SHA256
a4db0dc10deef5492392eafd32925b3669265811c539b59d68ec2ed699364b78

SHA512
cf10aee87ae69104c0c0d03614be9efb5280da7db91ebcff15fccda18d140f45e1caf5753df1bab36460337eb4a50527c7077d94c626d70b68b4f4cf1efefc82

Download Submit
C:\Windows\SysWOW64\Oqoefand.exe

Filesize
128KB

MD5
a7f8e3b01303c7dd07307e8ecff8b0ff

SHA1
e04c7de329a0cab51f265c98d92fdafcff07a4a8

SHA256
768993336c4281d2e8038c66b0bb903d7e651d8e26539bd3c1ea4a650f120a74

SHA512
0b06d02463b9c02283920299d268cd6bf68ed9bde02f24728594dacd77dc620d91fd98e07ef4de5ee89fb98a9f14b74ad1721275f088fcaffa8a8e528a9e1c54

Download Submit
C:\Windows\SysWOW64\Pfagighf.exe

Filesize
128KB

MD5
0ecc0624b050be6df302b539ffdf2723

SHA1
cb648984174e1807afadb9ae5a60ab898d54f8f4

SHA256
f5a27f535fdd08d96cedd691127abdcf8ae8bfc1816161aab4a3189e4cadc61c

SHA512
025b3c16f9f9c16c4b47a00db989972450f67cb328014addd9ca98a24dccf445374d5b9c716e1b3e59255f964abd9b6f4e3fa7921f3f1aa0c0bf7df1a9972bf4

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
128KB

MD5
1822a93c84d82971412b5e8ba6e35268

SHA1
c90364b89cc299b77459f4c51f4c9f2d6427b839

SHA256
3ffa2e4225ee930d3d08bc0a34e70c8c2e42f652d9b8abe1eb3716ac4228f35f

SHA512
eabd56d846428fafc2dc2d21c34b980cf554f767203f5e95611d1003956dbca67025e9288f30406c1f6759d2fbd6cf46e97185e8cf93b1e5a8048217108b1090

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
128KB

MD5
79de8124c8d1e318a1ed111bae8737cf

SHA1
89a1c2af1c9a2452a74d3576c962c4250dd76762

SHA256
ed3d7f713cab1c4de9e35082175d7350b62457827ea2d3d558078103f36c98d5

SHA512
07726f1884983ec953c4477a5c2964b11bedea8774f2ebe924eff241cca627d3ab95ef0a000bf7ff5049fab5a637e5b25f41bf07575ed8a76ae6ad48c5c2a3de

Download Submit
memory/224-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/448-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/488-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/488-560-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/544-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/560-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/560-546-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/676-473-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/688-263-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/972-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1016-503-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1044-479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1184-485-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1228-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1228-567-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-588-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1380-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1488-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1544-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1580-437-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-269-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1684-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1744-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1796-491-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1812-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1836-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1860-515-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2104-527-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2104-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2132-467-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2336-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2548-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2552-574-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2552-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2556-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-553-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2600-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-509-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2844-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3020-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3028-528-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3044-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3144-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3256-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3332-461-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3336-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3352-455-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3400-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3500-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3552-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3568-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3584-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3812-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3828-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3860-525-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3868-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3916-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4160-581-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4160-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4180-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4216-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4280-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4312-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4368-449-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4376-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4380-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4488-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4512-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4572-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4648-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4744-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4768-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4780-256-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4816-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-497-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5156-538-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5196-540-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5236-547-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5280-557-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5344-561-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5388-568-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5432-575-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5484-582-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5560-589-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads