b5668c969317334d203862924305b3c2e04f23be085fe1c0ef3f3752f875b926

Analysis

max time kernel
190s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5668c969317334d203862924305b3c2e04f23be085fe1c0ef3f3752f875b926.exe
Size

50KB
MD5

21a90c977d7eb2842b46c8f6f2816c90
SHA1

740c081e652ff33e2e3e25de47a7722ca5bbc7bc
SHA256

b5668c969317334d203862924305b3c2e04f23be085fe1c0ef3f3752f875b926
SHA512

5a115143776fbaff95b339efe910930af79498496956a7836cb0638eef72536427c17a00ff47187f8853ee3d09deb8f5132b577ccd7ab63fafb950bd81f3e63c
SSDEEP

768:O8kniN2ba6PcoIhnIzY4GXt0jm80Cq5lZ8HRQ6SYbnn1wYBEzG/1H5:aiN2e6PIhI8x8Y1Qx/n1dF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Pemhdhal.exePmflkepl.exeKclgmq32.exeAajohjon.exeHllcfnhm.exeAbaadj32.exeBiifbb32.exeDnompm32.exeEkkkoj32.exePedndg32.exePfcjojbg.exeBjlbhbkn.exeCebcmc32.exeDgbhncjb.exePhigif32.exeDijbno32.exePocpgnjp.exeAmlombnd.exeCciplgni.exeEobgme32.exeMgehfkop.exeCamddhoi.exeIibaeb32.exePecellgl.exeDdligq32.exeIlqmam32.exeAdikdfna.exeOlbfecmo.exeCobnfgaj.exeCqajpj32.exeDnekjogg.exeDfqonada.exeNnfgcd32.exeOogpjbbb.exeDoaneiop.exeHhpheo32.exeEnigke32.exeQeigpfgo.exeAfhdji32.exeNqfbaq32.exePalbgl32.exeBdgged32.exeBlqllqqa.exeAeaanjkl.exeCoadnlnb.exeDngjff32.exeEmhkdmlg.exeHafpiehg.exeOhcegi32.exeAoalgn32.exeBdpaeehj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pemhdhal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmflkepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kclgmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajohjon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hllcfnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abaadj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biifbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnompm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajohjon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hllcfnhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekkkoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pedndg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfcjojbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjlbhbkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cebcmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbhncjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phigif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijbno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pocpgnjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlombnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cciplgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eobgme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgehfkop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Camddhoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iibaeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cciplgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pecellgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddligq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iibaeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilqmam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adikdfna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olbfecmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobnfgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cqajpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnekjogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfqonada.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oogpjbbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doaneiop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhpheo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enigke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeigpfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palbgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdgged32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blqllqqa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekkkoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pedndg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfcjojbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeigpfgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebcmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfqonada.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeaanjkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbhncjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coadnlnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dngjff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhkdmlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hafpiehg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcegi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoalgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdpaeehj.exe

Executes dropped EXE 64 IoCs

Processes:

Olbfecmo.exeOblobm32.exeOekknh32.exePocpgnjp.exePemhdhal.exePpblaaab.exePmflkepl.exePimmpfep.exePedndg32.exePfcjojbg.exeQeigpfgo.exeAfhdji32.exeAmblfc32.exeAbaadj32.exeApeannam.exeAohbik32.exeAphncnoj.exeAmlombnd.exeBiifbb32.exeBjlbhbkn.exeBpfkdl32.exeCebcmc32.exeCgbpgf32.exeCciplgni.exeCpmqekmb.exeCnqaoo32.exeCobnfgaj.exeCqajpj32.exeDnekjogg.exeDfqonada.exeDfclcqbo.exeDgbhncjb.exeDqkmfi32.exeDnompm32.exeEclfhdmc.exeEobgme32.exeNqfbaq32.exeEolhbc32.exeMnlnbl32.exeKclgmq32.exeMgehfkop.exeNnfgcd32.exeOhcegi32.exeOjbacd32.exeOalipoiq.exeOmcjep32.exeOaqbkn32.exeOlicnfco.exeOogpjbbb.exePmlmkn32.exePecellgl.exePalbgl32.exePhigif32.exeAeaanjkl.exeAajohjon.exeAdikdfna.exeAdkgje32.exeAhgcjddh.exeAoalgn32.exeAkglloai.exeBdpaeehj.exeBhnikc32.exeBddjpd32.exeBdgged32.exe

pid	process
4424	Olbfecmo.exe
4524	Oblobm32.exe
4256	Oekknh32.exe
3284	Pocpgnjp.exe
4972	Pemhdhal.exe
4036	Ppblaaab.exe
320	Pmflkepl.exe
4080	Pimmpfep.exe
1828	Pedndg32.exe
4604	Pfcjojbg.exe
2976	Qeigpfgo.exe
2916	Afhdji32.exe
2196	Amblfc32.exe
2980	Abaadj32.exe
1548	Apeannam.exe
744	Aohbik32.exe
1148	Aphncnoj.exe
1156	Amlombnd.exe
1256	Biifbb32.exe
4340	Bjlbhbkn.exe
2804	Bpfkdl32.exe
3604	Cebcmc32.exe
4756	Cgbpgf32.exe
2584	Cciplgni.exe
1312	Cpmqekmb.exe
1268	Cnqaoo32.exe
424	Cobnfgaj.exe
4840	Cqajpj32.exe
2536	Dnekjogg.exe
2204	Dfqonada.exe
1480	Dfclcqbo.exe
1556	Dgbhncjb.exe
3904	Dqkmfi32.exe
4484	Dnompm32.exe
3868	Eclfhdmc.exe
5020	Eobgme32.exe
1280	Nqfbaq32.exe
2820	Eolhbc32.exe
4348	Mnlnbl32.exe
4800	Kclgmq32.exe
3468	Mgehfkop.exe
4156	Nnfgcd32.exe
4040	Ohcegi32.exe
1644	Ojbacd32.exe
1692	Oalipoiq.exe
1536	Omcjep32.exe
4392	Oaqbkn32.exe
3196	Olicnfco.exe
1660	Oogpjbbb.exe
3128	Pmlmkn32.exe
1432	Pecellgl.exe
4644	Palbgl32.exe
376	Phigif32.exe
448	Aeaanjkl.exe
4692	Aajohjon.exe
4696	Adikdfna.exe
5088	Adkgje32.exe
3696	Ahgcjddh.exe
2924	Aoalgn32.exe
4680	Akglloai.exe
4504	Bdpaeehj.exe
1192	Bhnikc32.exe
3192	Bddjpd32.exe
2296	Bdgged32.exe

Drops file in System32 directory 64 IoCs

Processes:

Aajohjon.exeDeqcbpld.exeAphncnoj.exePalbgl32.exeHafpiehg.exeEolhbc32.exeAdikdfna.exePhigif32.exeAoalgn32.exeFihnomjp.exeHklglk32.exePmflkepl.exePimmpfep.exeBjlbhbkn.exeOaqbkn32.exeAmblfc32.exeCnqaoo32.exeEclfhdmc.exeMgehfkop.exeCleegp32.exeDngjff32.exePedndg32.exeEobgme32.exeAdkgje32.exePfcjojbg.exeDnompm32.exeCamddhoi.exeDgbhncjb.exeBhnikc32.exeDoaneiop.exePecellgl.exeLfjchn32.exePpblaaab.exeAbaadj32.exeDqkmfi32.exeDbnmke32.exePmlmkn32.exeBddjpd32.exeCdbfab32.exeCqajpj32.exeDfqonada.exeMnlnbl32.exeOhcegi32.exeDdligq32.exeAeaanjkl.exeCnfaohbj.exeCgbpgf32.exeCpmqekmb.exeKclgmq32.exeOogpjbbb.exeOekknh32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Cmpmfmao.dll	Aajohjon.exe
File opened for modification	C:\Windows\SysWOW64\Emhkdmlg.exe	Deqcbpld.exe
File created	C:\Windows\SysWOW64\Amlombnd.exe	Aphncnoj.exe
File opened for modification	C:\Windows\SysWOW64\Phigif32.exe	Palbgl32.exe
File created	C:\Windows\SysWOW64\Fodbhbhk.dll	Hafpiehg.exe
File opened for modification	C:\Windows\SysWOW64\Mnlnbl32.exe	Eolhbc32.exe
File opened for modification	C:\Windows\SysWOW64\Adkgje32.exe	Adikdfna.exe
File created	C:\Windows\SysWOW64\Cglblmfn.dll	Phigif32.exe
File created	C:\Windows\SysWOW64\Akglloai.exe	Aoalgn32.exe
File created	C:\Windows\SysWOW64\Philfgdh.exe	Fihnomjp.exe
File created	C:\Windows\SysWOW64\Gqmqih32.dll	Hklglk32.exe
File created	C:\Windows\SysWOW64\Qgapgjlp.dll	Pmflkepl.exe
File created	C:\Windows\SysWOW64\Lomdegfn.dll	Pimmpfep.exe
File created	C:\Windows\SysWOW64\Bpfkdl32.exe	Bjlbhbkn.exe
File opened for modification	C:\Windows\SysWOW64\Olicnfco.exe	Oaqbkn32.exe
File created	C:\Windows\SysWOW64\Bncpjk32.dll	Fihnomjp.exe
File created	C:\Windows\SysWOW64\Egloakef.dll	Amblfc32.exe
File created	C:\Windows\SysWOW64\Cobnfgaj.exe	Cnqaoo32.exe
File created	C:\Windows\SysWOW64\Fhkepbic.dll	Eclfhdmc.exe
File created	C:\Windows\SysWOW64\Ffchaq32.dll	Adikdfna.exe
File created	C:\Windows\SysWOW64\Fkemhahj.dll	Mgehfkop.exe
File created	C:\Windows\SysWOW64\Cnfaohbj.exe	Cleegp32.exe
File opened for modification	C:\Windows\SysWOW64\Deqcbpld.exe	Dngjff32.exe
File created	C:\Windows\SysWOW64\Dapaelbg.dll	Pedndg32.exe
File opened for modification	C:\Windows\SysWOW64\Abaadj32.exe	Amblfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Eobgme32.exe
File created	C:\Windows\SysWOW64\Ahgcjddh.exe	Adkgje32.exe
File created	C:\Windows\SysWOW64\Lnojdkmh.dll	Pfcjojbg.exe
File created	C:\Windows\SysWOW64\Ldgmmh32.dll	Aphncnoj.exe
File created	C:\Windows\SysWOW64\Eclfhdmc.exe	Dnompm32.exe
File created	C:\Windows\SysWOW64\Chglab32.exe	Camddhoi.exe
File created	C:\Windows\SysWOW64\Pfcjojbg.exe	Pedndg32.exe
File created	C:\Windows\SysWOW64\Dqkmfi32.exe	Dgbhncjb.exe
File created	C:\Windows\SysWOW64\Neiqnh32.dll	Bhnikc32.exe
File created	C:\Windows\SysWOW64\Ebmenh32.dll	Doaneiop.exe
File opened for modification	C:\Windows\SysWOW64\Palbgl32.exe	Pecellgl.exe
File opened for modification	C:\Windows\SysWOW64\Lbcabo32.exe	Lfjchn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmflkepl.exe	Ppblaaab.exe
File created	C:\Windows\SysWOW64\Qeigpfgo.exe	Pfcjojbg.exe
File opened for modification	C:\Windows\SysWOW64\Apeannam.exe	Abaadj32.exe
File created	C:\Windows\SysWOW64\Fodlep32.dll	Dqkmfi32.exe
File opened for modification	C:\Windows\SysWOW64\Akglloai.exe	Aoalgn32.exe
File created	C:\Windows\SysWOW64\Lpamfo32.dll	Aoalgn32.exe
File created	C:\Windows\SysWOW64\Gahamgib.dll	Dbnmke32.exe
File opened for modification	C:\Windows\SysWOW64\Hafpiehg.exe	Hklglk32.exe
File created	C:\Windows\SysWOW64\Pecellgl.exe	Pmlmkn32.exe
File created	C:\Windows\SysWOW64\Iibjhgbi.dll	Bddjpd32.exe
File created	C:\Windows\SysWOW64\Ongbqjjf.dll	Cdbfab32.exe
File created	C:\Windows\SysWOW64\Igpnbdic.dll	Cqajpj32.exe
File created	C:\Windows\SysWOW64\Dfclcqbo.exe	Dfqonada.exe
File created	C:\Windows\SysWOW64\Iophkojl.dll	Mnlnbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ojbacd32.exe	Ohcegi32.exe
File created	C:\Windows\SysWOW64\Mnlnbl32.exe	Eolhbc32.exe
File created	C:\Windows\SysWOW64\Doaneiop.exe	Ddligq32.exe
File created	C:\Windows\SysWOW64\Mokmqben.dll	Aeaanjkl.exe
File opened for modification	C:\Windows\SysWOW64\Cofnik32.exe	Cnfaohbj.exe
File opened for modification	C:\Windows\SysWOW64\Cciplgni.exe	Cgbpgf32.exe
File created	C:\Windows\SysWOW64\Cnqaoo32.exe	Cpmqekmb.exe
File opened for modification	C:\Windows\SysWOW64\Mgehfkop.exe	Kclgmq32.exe
File opened for modification	C:\Windows\SysWOW64\Aajohjon.exe	Aeaanjkl.exe
File opened for modification	C:\Windows\SysWOW64\Pedndg32.exe	Pimmpfep.exe
File created	C:\Windows\SysWOW64\Pmlmkn32.exe	Oogpjbbb.exe
File created	C:\Windows\SysWOW64\Palbgl32.exe	Pecellgl.exe
File created	C:\Windows\SysWOW64\Pocpgnjp.exe	Oekknh32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2096 1728 WerFault.exe Mbldhn32.exe

pid	pid_target	process	target process
2096	1728	WerFault.exe	Mbldhn32.exe

Modifies registry class 64 IoCs

Processes:

Kclgmq32.exeAhgcjddh.exeOlicnfco.exeLbcabo32.exeOblobm32.exeAmblfc32.exeBjlbhbkn.exeCpmqekmb.exeEobgme32.exeOaqbkn32.exePmlmkn32.exeAdkgje32.exeOlbfecmo.exeAphncnoj.exePhilfgdh.exeHklglk32.exeCamddhoi.exeDdligq32.exeIibaeb32.exePimmpfep.exePfcjojbg.exeDfclcqbo.exeBddjpd32.exeMmpbkm32.exeAoalgn32.exePhigif32.exeBhnikc32.exeMnlnbl32.exePecellgl.exeCgbpgf32.exeCnqaoo32.exeDnekjogg.exeCofnik32.exePedndg32.exeIlqmam32.exeDeqcbpld.exeOogpjbbb.exeAeaanjkl.exeBlqllqqa.exeDgbhncjb.exeBdgged32.exeEmhkdmlg.exeDfqonada.exeMgehfkop.exeFihnomjp.exeAfhdji32.exeApeannam.exeNnfgcd32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kclgmq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjinodke.dll"	Ahgcjddh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olicnfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigmon32.dll"	Lbcabo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oblobm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amblfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjlbhbkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmqekmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eobgme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaqbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlmkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adkgje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhbfnida.dll"	Olbfecmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aphncnoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Philfgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqmqih32.dll"	Hklglk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Camddhoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilchfdgp.dll"	Ddligq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iibaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pimmpfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecakqg32.dll"	Pmlmkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfcjojbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfclcqbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olbfecmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oblobm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddjpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpbkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoalgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpamfo32.dll"	Aoalgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglblmfn.dll"	Phigif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adkgje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdgokhb.dll"	Oblobm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fechok32.dll"	Oaqbkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiqnh32.dll"	Bhnikc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlnbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pecellgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgbpgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnqaoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnekjogg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olicnfco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpdko32.dll"	Cofnik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddligq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pedndg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfcjojbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilqmam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deqcbpld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqhblk32.dll"	Oogpjbbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeaanjkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blqllqqa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbcabo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbhncjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbhncjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedeli32.dll"	Philfgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iibaeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilqmam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdgged32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojhojkk.dll"	Dfqonada.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfqonada.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgehfkop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fihnomjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igphec32.dll"	Apeannam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfgcd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5668c969317334d203862924305b3c2e04f23be085fe1c0ef3f3752f875b926.exeOlbfecmo.exeOblobm32.exeOekknh32.exePocpgnjp.exePemhdhal.exePpblaaab.exePmflkepl.exePimmpfep.exePedndg32.exePfcjojbg.exeQeigpfgo.exeAfhdji32.exeAmblfc32.exeAbaadj32.exeApeannam.exeAohbik32.exeAphncnoj.exeAmlombnd.exeBiifbb32.exeBjlbhbkn.exeBpfkdl32.exe

description	pid	process	target process
PID 4568 wrote to memory of 4424	4568	b5668c969317334d203862924305b3c2e04f23be085fe1c0ef3f3752f875b926.exe	Olbfecmo.exe
PID 4568 wrote to memory of 4424	4568	b5668c969317334d203862924305b3c2e04f23be085fe1c0ef3f3752f875b926.exe	Olbfecmo.exe
PID 4568 wrote to memory of 4424	4568	b5668c969317334d203862924305b3c2e04f23be085fe1c0ef3f3752f875b926.exe	Olbfecmo.exe
PID 4424 wrote to memory of 4524	4424	Olbfecmo.exe	Oblobm32.exe
PID 4424 wrote to memory of 4524	4424	Olbfecmo.exe	Oblobm32.exe
PID 4424 wrote to memory of 4524	4424	Olbfecmo.exe	Oblobm32.exe
PID 4524 wrote to memory of 4256	4524	Oblobm32.exe	Oekknh32.exe
PID 4524 wrote to memory of 4256	4524	Oblobm32.exe	Oekknh32.exe
PID 4524 wrote to memory of 4256	4524	Oblobm32.exe	Oekknh32.exe
PID 4256 wrote to memory of 3284	4256	Oekknh32.exe	Pocpgnjp.exe
PID 4256 wrote to memory of 3284	4256	Oekknh32.exe	Pocpgnjp.exe
PID 4256 wrote to memory of 3284	4256	Oekknh32.exe	Pocpgnjp.exe
PID 3284 wrote to memory of 4972	3284	Pocpgnjp.exe	Pemhdhal.exe
PID 3284 wrote to memory of 4972	3284	Pocpgnjp.exe	Pemhdhal.exe
PID 3284 wrote to memory of 4972	3284	Pocpgnjp.exe	Pemhdhal.exe
PID 4972 wrote to memory of 4036	4972	Pemhdhal.exe	Ppblaaab.exe
PID 4972 wrote to memory of 4036	4972	Pemhdhal.exe	Ppblaaab.exe
PID 4972 wrote to memory of 4036	4972	Pemhdhal.exe	Ppblaaab.exe
PID 4036 wrote to memory of 320	4036	Ppblaaab.exe	Pmflkepl.exe
PID 4036 wrote to memory of 320	4036	Ppblaaab.exe	Pmflkepl.exe
PID 4036 wrote to memory of 320	4036	Ppblaaab.exe	Pmflkepl.exe
PID 320 wrote to memory of 4080	320	Pmflkepl.exe	Pimmpfep.exe
PID 320 wrote to memory of 4080	320	Pmflkepl.exe	Pimmpfep.exe
PID 320 wrote to memory of 4080	320	Pmflkepl.exe	Pimmpfep.exe
PID 4080 wrote to memory of 1828	4080	Pimmpfep.exe	Pedndg32.exe
PID 4080 wrote to memory of 1828	4080	Pimmpfep.exe	Pedndg32.exe
PID 4080 wrote to memory of 1828	4080	Pimmpfep.exe	Pedndg32.exe
PID 1828 wrote to memory of 4604	1828	Pedndg32.exe	Pfcjojbg.exe
PID 1828 wrote to memory of 4604	1828	Pedndg32.exe	Pfcjojbg.exe
PID 1828 wrote to memory of 4604	1828	Pedndg32.exe	Pfcjojbg.exe
PID 4604 wrote to memory of 2976	4604	Pfcjojbg.exe	Qeigpfgo.exe
PID 4604 wrote to memory of 2976	4604	Pfcjojbg.exe	Qeigpfgo.exe
PID 4604 wrote to memory of 2976	4604	Pfcjojbg.exe	Qeigpfgo.exe
PID 2976 wrote to memory of 2916	2976	Qeigpfgo.exe	Afhdji32.exe
PID 2976 wrote to memory of 2916	2976	Qeigpfgo.exe	Afhdji32.exe
PID 2976 wrote to memory of 2916	2976	Qeigpfgo.exe	Afhdji32.exe
PID 2916 wrote to memory of 2196	2916	Afhdji32.exe	Amblfc32.exe
PID 2916 wrote to memory of 2196	2916	Afhdji32.exe	Amblfc32.exe
PID 2916 wrote to memory of 2196	2916	Afhdji32.exe	Amblfc32.exe
PID 2196 wrote to memory of 2980	2196	Amblfc32.exe	Abaadj32.exe
PID 2196 wrote to memory of 2980	2196	Amblfc32.exe	Abaadj32.exe
PID 2196 wrote to memory of 2980	2196	Amblfc32.exe	Abaadj32.exe
PID 2980 wrote to memory of 1548	2980	Abaadj32.exe	Apeannam.exe
PID 2980 wrote to memory of 1548	2980	Abaadj32.exe	Apeannam.exe
PID 2980 wrote to memory of 1548	2980	Abaadj32.exe	Apeannam.exe
PID 1548 wrote to memory of 744	1548	Apeannam.exe	Aohbik32.exe
PID 1548 wrote to memory of 744	1548	Apeannam.exe	Aohbik32.exe
PID 1548 wrote to memory of 744	1548	Apeannam.exe	Aohbik32.exe
PID 744 wrote to memory of 1148	744	Aohbik32.exe	Aphncnoj.exe
PID 744 wrote to memory of 1148	744	Aohbik32.exe	Aphncnoj.exe
PID 744 wrote to memory of 1148	744	Aohbik32.exe	Aphncnoj.exe
PID 1148 wrote to memory of 1156	1148	Aphncnoj.exe	Amlombnd.exe
PID 1148 wrote to memory of 1156	1148	Aphncnoj.exe	Amlombnd.exe
PID 1148 wrote to memory of 1156	1148	Aphncnoj.exe	Amlombnd.exe
PID 1156 wrote to memory of 1256	1156	Amlombnd.exe	Biifbb32.exe
PID 1156 wrote to memory of 1256	1156	Amlombnd.exe	Biifbb32.exe
PID 1156 wrote to memory of 1256	1156	Amlombnd.exe	Biifbb32.exe
PID 1256 wrote to memory of 4340	1256	Biifbb32.exe	Bjlbhbkn.exe
PID 1256 wrote to memory of 4340	1256	Biifbb32.exe	Bjlbhbkn.exe
PID 1256 wrote to memory of 4340	1256	Biifbb32.exe	Bjlbhbkn.exe
PID 4340 wrote to memory of 2804	4340	Bjlbhbkn.exe	Bpfkdl32.exe
PID 4340 wrote to memory of 2804	4340	Bjlbhbkn.exe	Bpfkdl32.exe
PID 4340 wrote to memory of 2804	4340	Bjlbhbkn.exe	Bpfkdl32.exe
PID 2804 wrote to memory of 3604	2804	Bpfkdl32.exe	Cebcmc32.exe

C:\Users\Admin\AppData\Local\Temp\b5668c969317334d203862924305b3c2e04f23be085fe1c0ef3f3752f875b926.exe
"C:\Users\Admin\AppData\Local\Temp\b5668c969317334d203862924305b3c2e04f23be085fe1c0ef3f3752f875b926.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\Olbfecmo.exe
C:\Windows\system32\Olbfecmo.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\Oblobm32.exe
C:\Windows\system32\Oblobm32.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\Oekknh32.exe
C:\Windows\system32\Oekknh32.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\SysWOW64\Pocpgnjp.exe
C:\Windows\system32\Pocpgnjp.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\Pemhdhal.exe
C:\Windows\system32\Pemhdhal.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\Ppblaaab.exe
C:\Windows\system32\Ppblaaab.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\Pmflkepl.exe
C:\Windows\system32\Pmflkepl.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\Pimmpfep.exe
C:\Windows\system32\Pimmpfep.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\Pedndg32.exe
C:\Windows\system32\Pedndg32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\Pfcjojbg.exe
C:\Windows\system32\Pfcjojbg.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\Qeigpfgo.exe
C:\Windows\system32\Qeigpfgo.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\Afhdji32.exe
C:\Windows\system32\Afhdji32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\Amblfc32.exe
C:\Windows\system32\Amblfc32.exe
14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\Abaadj32.exe
C:\Windows\system32\Abaadj32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\Apeannam.exe
C:\Windows\system32\Apeannam.exe
16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\Aohbik32.exe
C:\Windows\system32\Aohbik32.exe
17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\Aphncnoj.exe
C:\Windows\system32\Aphncnoj.exe
18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\Amlombnd.exe
C:\Windows\system32\Amlombnd.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\Biifbb32.exe
C:\Windows\system32\Biifbb32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\Bjlbhbkn.exe
C:\Windows\system32\Bjlbhbkn.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\Bpfkdl32.exe
C:\Windows\system32\Bpfkdl32.exe
22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\Cebcmc32.exe
C:\Windows\system32\Cebcmc32.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3604

C:\Windows\SysWOW64\Cgbpgf32.exe
C:\Windows\system32\Cgbpgf32.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4756

C:\Windows\SysWOW64\Cciplgni.exe
C:\Windows\system32\Cciplgni.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584

C:\Windows\SysWOW64\Cpmqekmb.exe
C:\Windows\system32\Cpmqekmb.exe
26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1312

C:\Windows\SysWOW64\Cnqaoo32.exe
C:\Windows\system32\Cnqaoo32.exe
27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1268

C:\Windows\SysWOW64\Cobnfgaj.exe
C:\Windows\system32\Cobnfgaj.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:424

C:\Windows\SysWOW64\Cqajpj32.exe
C:\Windows\system32\Cqajpj32.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4840

C:\Windows\SysWOW64\Dnekjogg.exe
C:\Windows\system32\Dnekjogg.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2536

C:\Windows\SysWOW64\Dfqonada.exe
C:\Windows\system32\Dfqonada.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2204

C:\Windows\SysWOW64\Dfclcqbo.exe
C:\Windows\system32\Dfclcqbo.exe
32⤵
- Executes dropped EXE
- Modifies registry class
PID:1480

C:\Windows\SysWOW64\Dgbhncjb.exe
C:\Windows\system32\Dgbhncjb.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1556

C:\Windows\SysWOW64\Dqkmfi32.exe
C:\Windows\system32\Dqkmfi32.exe
34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3904

C:\Windows\SysWOW64\Dnompm32.exe
C:\Windows\system32\Dnompm32.exe
35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4484

C:\Windows\SysWOW64\Eclfhdmc.exe
C:\Windows\system32\Eclfhdmc.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3868

C:\Windows\SysWOW64\Eobgme32.exe
C:\Windows\system32\Eobgme32.exe
37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5020

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1280

C:\Windows\SysWOW64\Eolhbc32.exe
C:\Windows\system32\Eolhbc32.exe
39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820

C:\Windows\SysWOW64\Mnlnbl32.exe
C:\Windows\system32\Mnlnbl32.exe
40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4348

C:\Windows\SysWOW64\Kclgmq32.exe
C:\Windows\system32\Kclgmq32.exe
41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4800

C:\Windows\SysWOW64\Mgehfkop.exe
C:\Windows\system32\Mgehfkop.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3468

C:\Windows\SysWOW64\Nnfgcd32.exe
C:\Windows\system32\Nnfgcd32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4156

C:\Windows\SysWOW64\Ohcegi32.exe
C:\Windows\system32\Ohcegi32.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4040

C:\Windows\SysWOW64\Ojbacd32.exe
C:\Windows\system32\Ojbacd32.exe
45⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\Oalipoiq.exe
C:\Windows\system32\Oalipoiq.exe
46⤵
- Executes dropped EXE
PID:1692

C:\Windows\SysWOW64\Omcjep32.exe
C:\Windows\system32\Omcjep32.exe
47⤵
- Executes dropped EXE
PID:1536

C:\Windows\SysWOW64\Oaqbkn32.exe
C:\Windows\system32\Oaqbkn32.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4392

C:\Windows\SysWOW64\Olicnfco.exe
C:\Windows\system32\Olicnfco.exe
49⤵
- Executes dropped EXE
- Modifies registry class
PID:3196

C:\Windows\SysWOW64\Oogpjbbb.exe
C:\Windows\system32\Oogpjbbb.exe
50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1660

C:\Windows\SysWOW64\Pmlmkn32.exe
C:\Windows\system32\Pmlmkn32.exe
51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3128

C:\Windows\SysWOW64\Pecellgl.exe
C:\Windows\system32\Pecellgl.exe
52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1432

C:\Windows\SysWOW64\Palbgl32.exe
C:\Windows\system32\Palbgl32.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4644

C:\Windows\SysWOW64\Phigif32.exe
C:\Windows\system32\Phigif32.exe
54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:376

C:\Windows\SysWOW64\Aeaanjkl.exe
C:\Windows\system32\Aeaanjkl.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:448

C:\Windows\SysWOW64\Aajohjon.exe
C:\Windows\system32\Aajohjon.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4692

C:\Windows\SysWOW64\Adikdfna.exe
C:\Windows\system32\Adikdfna.exe
57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4696

C:\Windows\SysWOW64\Adkgje32.exe
C:\Windows\system32\Adkgje32.exe
58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5088

C:\Windows\SysWOW64\Ahgcjddh.exe
C:\Windows\system32\Ahgcjddh.exe
59⤵
- Executes dropped EXE
- Modifies registry class
PID:3696

C:\Windows\SysWOW64\Aoalgn32.exe
C:\Windows\system32\Aoalgn32.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2924

C:\Windows\SysWOW64\Akglloai.exe
C:\Windows\system32\Akglloai.exe
61⤵
- Executes dropped EXE
PID:4680

C:\Windows\SysWOW64\Bdpaeehj.exe
C:\Windows\system32\Bdpaeehj.exe
62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4504

C:\Windows\SysWOW64\Bhnikc32.exe
C:\Windows\system32\Bhnikc32.exe
63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1192

C:\Windows\SysWOW64\Bddjpd32.exe
C:\Windows\system32\Bddjpd32.exe
64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3192

C:\Windows\SysWOW64\Bdgged32.exe
C:\Windows\system32\Bdgged32.exe
65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2296

C:\Windows\SysWOW64\Blqllqqa.exe
C:\Windows\system32\Blqllqqa.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3036

C:\Windows\SysWOW64\Camddhoi.exe
C:\Windows\system32\Camddhoi.exe
67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2932

C:\Windows\SysWOW64\Chglab32.exe
C:\Windows\system32\Chglab32.exe
68⤵
PID:1036

C:\Windows\SysWOW64\Coadnlnb.exe
C:\Windows\system32\Coadnlnb.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:760

C:\Windows\SysWOW64\Cleegp32.exe
C:\Windows\system32\Cleegp32.exe
70⤵
- Drops file in System32 directory
PID:2180

C:\Windows\SysWOW64\Cnfaohbj.exe
C:\Windows\system32\Cnfaohbj.exe
71⤵
- Drops file in System32 directory
PID:428

C:\Windows\SysWOW64\Cofnik32.exe
C:\Windows\system32\Cofnik32.exe
72⤵
- Modifies registry class
PID:3652

C:\Windows\SysWOW64\Cdbfab32.exe
C:\Windows\system32\Cdbfab32.exe
73⤵
- Drops file in System32 directory
PID:2348

C:\Windows\SysWOW64\Dbnmke32.exe
C:\Windows\system32\Dbnmke32.exe
74⤵
- Drops file in System32 directory
PID:1272

C:\Windows\SysWOW64\Ddligq32.exe
C:\Windows\system32\Ddligq32.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3548

C:\Windows\SysWOW64\Doaneiop.exe
C:\Windows\system32\Doaneiop.exe
76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4492

C:\Windows\SysWOW64\Dijbno32.exe
C:\Windows\system32\Dijbno32.exe
77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3496

C:\Windows\SysWOW64\Dngjff32.exe
C:\Windows\system32\Dngjff32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3444

C:\Windows\SysWOW64\Deqcbpld.exe
C:\Windows\system32\Deqcbpld.exe
79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1476

C:\Windows\SysWOW64\Emhkdmlg.exe
C:\Windows\system32\Emhkdmlg.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3492

C:\Windows\SysWOW64\Ekkkoj32.exe
C:\Windows\system32\Ekkkoj32.exe
81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5092

C:\Windows\SysWOW64\Enigke32.exe
C:\Windows\system32\Enigke32.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572

C:\Windows\SysWOW64\Fihnomjp.exe
C:\Windows\system32\Fihnomjp.exe
83⤵
- Drops file in System32 directory
- Modifies registry class
PID:776

C:\Windows\SysWOW64\Philfgdh.exe
C:\Windows\system32\Philfgdh.exe
84⤵
- Modifies registry class
PID:4116

C:\Windows\SysWOW64\Mmpbkm32.exe
C:\Windows\system32\Mmpbkm32.exe
85⤵
- Modifies registry class
PID:2652

C:\Windows\SysWOW64\Hklglk32.exe
C:\Windows\system32\Hklglk32.exe
86⤵
- Drops file in System32 directory
- Modifies registry class
PID:2344

C:\Windows\SysWOW64\Hafpiehg.exe
C:\Windows\system32\Hafpiehg.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4604

C:\Windows\SysWOW64\Hhpheo32.exe
C:\Windows\system32\Hhpheo32.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:316

C:\Windows\SysWOW64\Hllcfnhm.exe
C:\Windows\system32\Hllcfnhm.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4524

C:\Windows\SysWOW64\Iibaeb32.exe
C:\Windows\system32\Iibaeb32.exe
90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1688

C:\Windows\SysWOW64\Ilqmam32.exe
C:\Windows\system32\Ilqmam32.exe
91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3480

C:\Windows\SysWOW64\Lfjchn32.exe
C:\Windows\system32\Lfjchn32.exe
92⤵
- Drops file in System32 directory
PID:1424

C:\Windows\SysWOW64\Lbcabo32.exe
C:\Windows\system32\Lbcabo32.exe
93⤵
- Modifies registry class
PID:4728

C:\Windows\SysWOW64\Mbldhn32.exe
C:\Windows\system32\Mbldhn32.exe
94⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 400
95⤵
- Program crash
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1728 -ip 1728
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abaadj32.exe
Filesize
50KB

MD5
8a621dcd4bb9593edcd41fe5a3d1d425

SHA1
6fbb4a84894709e23046117d96d34134186939c4

SHA256
8b03445787088d97570c118116c3460a45bd895a055a9e6024079c2bf9c5e7fb

SHA512
ff1c05c0ef8c196a3c344ee3a0c7cad11842657c934256100eee660c7809f9bd4207400801d8e70fcb9133594ec4b9b15d5c63aa170d37bf56a967680f14d853

Download Submit
C:\Windows\SysWOW64\Abaadj32.exe
Filesize
50KB

MD5
8a621dcd4bb9593edcd41fe5a3d1d425

SHA1
6fbb4a84894709e23046117d96d34134186939c4

SHA256
8b03445787088d97570c118116c3460a45bd895a055a9e6024079c2bf9c5e7fb

SHA512
ff1c05c0ef8c196a3c344ee3a0c7cad11842657c934256100eee660c7809f9bd4207400801d8e70fcb9133594ec4b9b15d5c63aa170d37bf56a967680f14d853

Download Submit
C:\Windows\SysWOW64\Afhdji32.exe
Filesize
50KB

MD5
39022ddea2654331d49639b5fff4c952

SHA1
8c6e3ef58854bf968df72fe08ce06196fd51bbcd

SHA256
d7534b8e51d1a98abb064b7a2ae049cf7781944ff337fbc2a3cf7c8ad83a4d12

SHA512
aca37f8a6f39d1cedcef0c95e19e4e3ec3720a67cf39a476b01ac33e6a491e209ee0807b5121d40db1c828e62d4938b1d3879ed9ec737d488555a274479188da

Download Submit
C:\Windows\SysWOW64\Afhdji32.exe
Filesize
50KB

MD5
39022ddea2654331d49639b5fff4c952

SHA1
8c6e3ef58854bf968df72fe08ce06196fd51bbcd

SHA256
d7534b8e51d1a98abb064b7a2ae049cf7781944ff337fbc2a3cf7c8ad83a4d12

SHA512
aca37f8a6f39d1cedcef0c95e19e4e3ec3720a67cf39a476b01ac33e6a491e209ee0807b5121d40db1c828e62d4938b1d3879ed9ec737d488555a274479188da

Download Submit
C:\Windows\SysWOW64\Amblfc32.exe
Filesize
50KB

MD5
ac533eccf958f20f58d526f2f79e98ab

SHA1
e27637e3cca6fa2198980b1eb3450e9dc2d6f814

SHA256
dc17b70df42a871c6c55360f586d432a0acde7f3db2831aa56950e7c8f5ff29e

SHA512
9fbcbe2712c67533f6d622ddd23959ace827c1a69c40ab337c036d15c9eebd85f9225fba6eb001348e790badaaa4f92bda0a5752040bac1dce3cfdc4a41b1c12

Download Submit
C:\Windows\SysWOW64\Amblfc32.exe
Filesize
50KB

MD5
ac533eccf958f20f58d526f2f79e98ab

SHA1
e27637e3cca6fa2198980b1eb3450e9dc2d6f814

SHA256
dc17b70df42a871c6c55360f586d432a0acde7f3db2831aa56950e7c8f5ff29e

SHA512
9fbcbe2712c67533f6d622ddd23959ace827c1a69c40ab337c036d15c9eebd85f9225fba6eb001348e790badaaa4f92bda0a5752040bac1dce3cfdc4a41b1c12

Download Submit
C:\Windows\SysWOW64\Amlombnd.exe
Filesize
50KB

MD5
641b7d8355cdfa28c006b79f87099c12

SHA1
330839d936834307b3c810970820148a6d550a3b

SHA256
2d58dff13294b618d4aa431b70229271a78e349b54b77f17a1ad4b0b8e151e73

SHA512
e56aa58ec50ac3223af9c75659242e6e67e90ba50937acb0550ba66a9f6233f019ab5b7010a3e7c24e15bab1f1dabb04013f9c16caa447771087090d06344ccd

Download Submit
C:\Windows\SysWOW64\Amlombnd.exe
Filesize
50KB

MD5
641b7d8355cdfa28c006b79f87099c12

SHA1
330839d936834307b3c810970820148a6d550a3b

SHA256
2d58dff13294b618d4aa431b70229271a78e349b54b77f17a1ad4b0b8e151e73

SHA512
e56aa58ec50ac3223af9c75659242e6e67e90ba50937acb0550ba66a9f6233f019ab5b7010a3e7c24e15bab1f1dabb04013f9c16caa447771087090d06344ccd

Download Submit
C:\Windows\SysWOW64\Aohbik32.exe
Filesize
50KB

MD5
c05b931f90bc3f485934d7ae46d9bd10

SHA1
62ecd4bde996e8cff3b456faa9ff3bc35f5cbfa6

SHA256
699752489bd2ff241c677c71b4fdc361783f57ef68f77bc3c1ed61df64de5036

SHA512
14973c9781e79f46a1fd22c8c60db439709dde887eeb80317d561f35cef10630508e88902ef64e181378ec6193f32517d97b78bb63431e6d4439bdfcf7804837

Download Submit
C:\Windows\SysWOW64\Aohbik32.exe
Filesize
50KB

MD5
c05b931f90bc3f485934d7ae46d9bd10

SHA1
62ecd4bde996e8cff3b456faa9ff3bc35f5cbfa6

SHA256
699752489bd2ff241c677c71b4fdc361783f57ef68f77bc3c1ed61df64de5036

SHA512
14973c9781e79f46a1fd22c8c60db439709dde887eeb80317d561f35cef10630508e88902ef64e181378ec6193f32517d97b78bb63431e6d4439bdfcf7804837

Download Submit
C:\Windows\SysWOW64\Apeannam.exe
Filesize
50KB

MD5
50e57514fbdc2ab64a7d1e53e95e610a

SHA1
a03e80b9f3ecf8a07f01d5facb0a5d3a51df3107

SHA256
422c494158b83c34da770ea5408606b6d2eb2c8aff1767477a4306a88a2aa38d

SHA512
d269ced815d7f1febb7f22de23b4436b6b585fdd525499d18d0215f102cce466fe17f60d96d3d4b5ff89193175b09b95f56c6aeca422eaefb1f67cfe8d5d455c

Download Submit
C:\Windows\SysWOW64\Apeannam.exe
Filesize
50KB

MD5
50e57514fbdc2ab64a7d1e53e95e610a

SHA1
a03e80b9f3ecf8a07f01d5facb0a5d3a51df3107

SHA256
422c494158b83c34da770ea5408606b6d2eb2c8aff1767477a4306a88a2aa38d

SHA512
d269ced815d7f1febb7f22de23b4436b6b585fdd525499d18d0215f102cce466fe17f60d96d3d4b5ff89193175b09b95f56c6aeca422eaefb1f67cfe8d5d455c

Download Submit
C:\Windows\SysWOW64\Aphncnoj.exe
Filesize
50KB

MD5
8d6cdf1fc456207ff6209e25aaefa369

SHA1
ae33c7326f131bdbe90d02b353ac9b1e598e608f

SHA256
c9679fb23f5358f90c6fd7a20a8eaa02ce7527b3ab279f67f4af9412e5c13f2e

SHA512
8ef92dd7f61eec7a888ba57b18e1834838653486576848f0889083f5425e262c75e01e562687a09dd7521dc4649d2825bebd65d18a3ee4bbd93b79cc8e02aadd

Download Submit
C:\Windows\SysWOW64\Aphncnoj.exe
Filesize
50KB

MD5
8d6cdf1fc456207ff6209e25aaefa369

SHA1
ae33c7326f131bdbe90d02b353ac9b1e598e608f

SHA256
c9679fb23f5358f90c6fd7a20a8eaa02ce7527b3ab279f67f4af9412e5c13f2e

SHA512
8ef92dd7f61eec7a888ba57b18e1834838653486576848f0889083f5425e262c75e01e562687a09dd7521dc4649d2825bebd65d18a3ee4bbd93b79cc8e02aadd

Download Submit
C:\Windows\SysWOW64\Biifbb32.exe
Filesize
50KB

MD5
1e723f763a9f62a6da1232a74aee6468

SHA1
f2f26ad268d349f0bd9dcee3ccf947ce14952479

SHA256
4d4f96bd830dfbe6c44842c585be6c5a620c9a9b92d541fdce07a26c69047874

SHA512
2e3cac797fe880ea524f97d6da544b173f97493e687fe5e7e13a57767efcc52e7988dc050810082a8264ce0bfb4a6e498ebe8f2f8c69e21561a84830c8478fc4

Download Submit
C:\Windows\SysWOW64\Biifbb32.exe
Filesize
50KB

MD5
1e723f763a9f62a6da1232a74aee6468

SHA1
f2f26ad268d349f0bd9dcee3ccf947ce14952479

SHA256
4d4f96bd830dfbe6c44842c585be6c5a620c9a9b92d541fdce07a26c69047874

SHA512
2e3cac797fe880ea524f97d6da544b173f97493e687fe5e7e13a57767efcc52e7988dc050810082a8264ce0bfb4a6e498ebe8f2f8c69e21561a84830c8478fc4

Download Submit
C:\Windows\SysWOW64\Bjlbhbkn.exe
Filesize
50KB

MD5
f3b86c4c2add81341bbf1e8aaacbd849

SHA1
e782a20d5a99d83802a3e83b0fc234f8aa2ceb1c

SHA256
62c9d4d95a385bb5d1f6d5b8dede8dd7519135ba33f5206e3b696bf8c4f446fd

SHA512
48bdf03c87fe8609382f551348838f9228a017049d5744b8c036f990737f16e58cdc3f33606cb57ddfe28c585e0a5ab14c653cd7d1fbc770fb3da9cf83694b56

Download Submit
C:\Windows\SysWOW64\Bjlbhbkn.exe
Filesize
50KB

MD5
f3b86c4c2add81341bbf1e8aaacbd849

SHA1
e782a20d5a99d83802a3e83b0fc234f8aa2ceb1c

SHA256
62c9d4d95a385bb5d1f6d5b8dede8dd7519135ba33f5206e3b696bf8c4f446fd

SHA512
48bdf03c87fe8609382f551348838f9228a017049d5744b8c036f990737f16e58cdc3f33606cb57ddfe28c585e0a5ab14c653cd7d1fbc770fb3da9cf83694b56

Download Submit
C:\Windows\SysWOW64\Bpfkdl32.exe
Filesize
50KB

MD5
25239ebe35e0fdd825dee66c14794afa

SHA1
59f333936342d78538719f2b7036dbd4d8a3874b

SHA256
98093f70e572ee8a7ee2a41131abd281e7f03b2ebb20842b97d9efcd85d3d201

SHA512
967e934d3edd98240c92448fadcca90ebc8abc15cda9d551bdc0b3f32dcd892ccbc54e16d45d3fdc43dbf479395e0640e303cc6669d0007d462ac5b1d50aab09

Download Submit
C:\Windows\SysWOW64\Bpfkdl32.exe
Filesize
50KB

MD5
25239ebe35e0fdd825dee66c14794afa

SHA1
59f333936342d78538719f2b7036dbd4d8a3874b

SHA256
98093f70e572ee8a7ee2a41131abd281e7f03b2ebb20842b97d9efcd85d3d201

SHA512
967e934d3edd98240c92448fadcca90ebc8abc15cda9d551bdc0b3f32dcd892ccbc54e16d45d3fdc43dbf479395e0640e303cc6669d0007d462ac5b1d50aab09

Download Submit
C:\Windows\SysWOW64\Cciplgni.exe
Filesize
50KB

MD5
2fff7b61242944fa55e8e48756de5561

SHA1
dcac6137d6e6f1c17f6bca848dafb832827bd5d4

SHA256
54a4d457d5631679e17c12a3c970b7f5514f99dbd718db71ab70c9f11172650d

SHA512
ec238bdddb94cc5c4cbe1f475b7feee1315699ca9deae8efb3d857b131186a1e5ea1058dde3db6da3458745e4c15602b52b871223e0dd4c6a5613298a4f8ac4b

Download Submit
C:\Windows\SysWOW64\Cciplgni.exe
Filesize
50KB

MD5
2fff7b61242944fa55e8e48756de5561

SHA1
dcac6137d6e6f1c17f6bca848dafb832827bd5d4

SHA256
54a4d457d5631679e17c12a3c970b7f5514f99dbd718db71ab70c9f11172650d

SHA512
ec238bdddb94cc5c4cbe1f475b7feee1315699ca9deae8efb3d857b131186a1e5ea1058dde3db6da3458745e4c15602b52b871223e0dd4c6a5613298a4f8ac4b

Download Submit
C:\Windows\SysWOW64\Cebcmc32.exe
Filesize
50KB

MD5
602b715efacbd3ced67c101b739ec83e

SHA1
d0a988fca21eb49dfe71add06a41183955bb1df1

SHA256
5b7427939bddd8baee906195626e04680c15eb3acd19264a2aed75280a1116ba

SHA512
759fcf36ac5c425c7041e2c36c784d82f9d2cf4ed3e8c8a945bfe4023c2ba82b0c2ec85545900f9e7bd9be7e94838408239ba1d2f5ed92c2bea239574041c07e

Download Submit
C:\Windows\SysWOW64\Cebcmc32.exe
Filesize
50KB

MD5
602b715efacbd3ced67c101b739ec83e

SHA1
d0a988fca21eb49dfe71add06a41183955bb1df1

SHA256
5b7427939bddd8baee906195626e04680c15eb3acd19264a2aed75280a1116ba

SHA512
759fcf36ac5c425c7041e2c36c784d82f9d2cf4ed3e8c8a945bfe4023c2ba82b0c2ec85545900f9e7bd9be7e94838408239ba1d2f5ed92c2bea239574041c07e

Download Submit
C:\Windows\SysWOW64\Cgbpgf32.exe
Filesize
50KB

MD5
5ad0da3df84573bd30d00d74b6a15c99

SHA1
1c0f207d7bfb46eb1c1a8965c8822d8b00500760

SHA256
8eb8fdc35c55935353c4cfbc6e4052fc29bad3d65bc95ec6cc247244f44aeed2

SHA512
0c07efdd0b640247f28d88e83d09c88b51d8b40dbfff9a6c0f99d8614e2d000ddb0b944e0bc73fec1103b7eef5a9531df3c0bd98a46d8d21fc0fab13145fea36

Download Submit
C:\Windows\SysWOW64\Cgbpgf32.exe
Filesize
50KB

MD5
5ad0da3df84573bd30d00d74b6a15c99

SHA1
1c0f207d7bfb46eb1c1a8965c8822d8b00500760

SHA256
8eb8fdc35c55935353c4cfbc6e4052fc29bad3d65bc95ec6cc247244f44aeed2

SHA512
0c07efdd0b640247f28d88e83d09c88b51d8b40dbfff9a6c0f99d8614e2d000ddb0b944e0bc73fec1103b7eef5a9531df3c0bd98a46d8d21fc0fab13145fea36

Download Submit
C:\Windows\SysWOW64\Cnqaoo32.exe
Filesize
50KB

MD5
29087cc6aa9ef294364fcfbd4aca4345

SHA1
8663e13bad50acf9c2e701e8550f2fb8a744c0df

SHA256
632e95029f960bbcee0d15b77a445e462f1bfe8d0e669dc4d58bfb1d54e51526

SHA512
83f5c764f43df5a6f7eb5d99c7e7963947020bbac319abd048286115fe568291cccf793bc7a68f65b0b63a2ec0eb8e4b8442dd5efe2decf711e08b856bbf69b9

Download Submit
C:\Windows\SysWOW64\Cnqaoo32.exe
Filesize
50KB

MD5
29087cc6aa9ef294364fcfbd4aca4345

SHA1
8663e13bad50acf9c2e701e8550f2fb8a744c0df

SHA256
632e95029f960bbcee0d15b77a445e462f1bfe8d0e669dc4d58bfb1d54e51526

SHA512
83f5c764f43df5a6f7eb5d99c7e7963947020bbac319abd048286115fe568291cccf793bc7a68f65b0b63a2ec0eb8e4b8442dd5efe2decf711e08b856bbf69b9

Download Submit
C:\Windows\SysWOW64\Cobnfgaj.exe
Filesize
50KB

MD5
602361b762604e5964f5e2cabf080295

SHA1
5f554439e1de722c31147a38b4e7b3f1823071c4

SHA256
0eb9bf1c2963860658b0a2472e6f17bb040f8b68670d02d1e6482a7a318cb26c

SHA512
60b652046cfbb5f3ec8badb82530f9360a1a3131e3661b105ec208270e2724ca53cfb3a5673268df21e91fab5fa0b4286238270e2e89af6e6bb1318d43528d72

Download Submit
C:\Windows\SysWOW64\Cobnfgaj.exe
Filesize
50KB

MD5
602361b762604e5964f5e2cabf080295

SHA1
5f554439e1de722c31147a38b4e7b3f1823071c4

SHA256
0eb9bf1c2963860658b0a2472e6f17bb040f8b68670d02d1e6482a7a318cb26c

SHA512
60b652046cfbb5f3ec8badb82530f9360a1a3131e3661b105ec208270e2724ca53cfb3a5673268df21e91fab5fa0b4286238270e2e89af6e6bb1318d43528d72

Download Submit
C:\Windows\SysWOW64\Cpmqekmb.exe
Filesize
50KB

MD5
096d52b9d9fd61751008bcb25c34b438

SHA1
40936c52e86539a482800b3894f1d47217047b49

SHA256
ea826bb8e16f043b8f67548d8baea1e82a4747d0f7cdc6126b49e904ed958f48

SHA512
bf1892847175ee99fca7ce4858a2a367acc57b70fc3de696432af542908b12fc83024968206500c95c1a44580aee2993ff1550c978260272c4dd9edd3c97c88e

Download Submit
C:\Windows\SysWOW64\Cpmqekmb.exe
Filesize
50KB

MD5
096d52b9d9fd61751008bcb25c34b438

SHA1
40936c52e86539a482800b3894f1d47217047b49

SHA256
ea826bb8e16f043b8f67548d8baea1e82a4747d0f7cdc6126b49e904ed958f48

SHA512
bf1892847175ee99fca7ce4858a2a367acc57b70fc3de696432af542908b12fc83024968206500c95c1a44580aee2993ff1550c978260272c4dd9edd3c97c88e

Download Submit
C:\Windows\SysWOW64\Cqajpj32.exe
Filesize
50KB

MD5
21af0a5bf2572711946ccafe32b5ccb2

SHA1
7ae5ba61fc6083533e0ffe02563380c05b9bf996

SHA256
a2305044d17220443babc20d5745eb345332f8d7e1c2351511778e2d04843931

SHA512
b057ba35dfc1ab3f79b5b79d409ea3d2300ec6cf68a5f1bcbcaacec6b2e136096ea0d9c39eee9abcdef9892b1b260f41ad9796c0ad05baf595c7b582e68bce9e

Download Submit
C:\Windows\SysWOW64\Cqajpj32.exe
Filesize
50KB

MD5
21af0a5bf2572711946ccafe32b5ccb2

SHA1
7ae5ba61fc6083533e0ffe02563380c05b9bf996

SHA256
a2305044d17220443babc20d5745eb345332f8d7e1c2351511778e2d04843931

SHA512
b057ba35dfc1ab3f79b5b79d409ea3d2300ec6cf68a5f1bcbcaacec6b2e136096ea0d9c39eee9abcdef9892b1b260f41ad9796c0ad05baf595c7b582e68bce9e

Download Submit
C:\Windows\SysWOW64\Dfclcqbo.exe
Filesize
50KB

MD5
576d3b1c6aa4746ab8efd41eff1dabce

SHA1
733d33b57515de5c3e574475a4fcf9ceea5f2bac

SHA256
183d0c8db1951169bfa236dc8b4e0a30b586fc0fc1ea6f6f5451de2300a7a33e

SHA512
4b0b4fda1da9aa3cf0ff3ee5b5bce241acbc4b598890c8391c4a50650af06225e368b86fc8fa05ac65171b16ab83547fa874b56d79dbc6d48313e0dabd41ef31

Download Submit
C:\Windows\SysWOW64\Dfclcqbo.exe
Filesize
50KB

MD5
576d3b1c6aa4746ab8efd41eff1dabce

SHA1
733d33b57515de5c3e574475a4fcf9ceea5f2bac

SHA256
183d0c8db1951169bfa236dc8b4e0a30b586fc0fc1ea6f6f5451de2300a7a33e

SHA512
4b0b4fda1da9aa3cf0ff3ee5b5bce241acbc4b598890c8391c4a50650af06225e368b86fc8fa05ac65171b16ab83547fa874b56d79dbc6d48313e0dabd41ef31

Download Submit
C:\Windows\SysWOW64\Dfqonada.exe
Filesize
50KB

MD5
fae05737e82136e5da2f5ae5d5d7949e

SHA1
a41d21b047c41147df4c64006c7342a27fdfbc7c

SHA256
3cd679ea88a189010a04d2e553d2a3d5124d86795d72938f0b43083ce23b2817

SHA512
d18ffba4b5e3662261416a19b081ac5d07f2a3a748cb2bce1c3c8f49affa18a1fbfc81476edc6e3db1087f38d64094fdef73fa5cd49be142b152dc59de323524

Download Submit
C:\Windows\SysWOW64\Dfqonada.exe
Filesize
50KB

MD5
fae05737e82136e5da2f5ae5d5d7949e

SHA1
a41d21b047c41147df4c64006c7342a27fdfbc7c

SHA256
3cd679ea88a189010a04d2e553d2a3d5124d86795d72938f0b43083ce23b2817

SHA512
d18ffba4b5e3662261416a19b081ac5d07f2a3a748cb2bce1c3c8f49affa18a1fbfc81476edc6e3db1087f38d64094fdef73fa5cd49be142b152dc59de323524

Download Submit
C:\Windows\SysWOW64\Dgbhncjb.exe
Filesize
50KB

MD5
b422b22b1f39412b6361522284cae3c2

SHA1
b367c8bae7e6ab5a549b7765194805d1f53473f8

SHA256
a84eee132869c1b71e0ea41583cccd8e55d2ae551ec132b076cff98854c1f1bd

SHA512
09873a13da50f004bd56a4085330a3781046c9656b315951b8eb6d147e40735b7a4e1870ceec7b23c4ce659c2760e7c9ed1f9baa5c277a7b472a65cdce3c10e1

Download Submit
C:\Windows\SysWOW64\Dgbhncjb.exe
Filesize
50KB

MD5
b422b22b1f39412b6361522284cae3c2

SHA1
b367c8bae7e6ab5a549b7765194805d1f53473f8

SHA256
a84eee132869c1b71e0ea41583cccd8e55d2ae551ec132b076cff98854c1f1bd

SHA512
09873a13da50f004bd56a4085330a3781046c9656b315951b8eb6d147e40735b7a4e1870ceec7b23c4ce659c2760e7c9ed1f9baa5c277a7b472a65cdce3c10e1

Download Submit
C:\Windows\SysWOW64\Dnekjogg.exe
Filesize
50KB

MD5
deda9841fa88e04e6aea689c749b5a10

SHA1
5061d5615384827e9533bd302d3c44b7998aa156

SHA256
0e368fb87d66a048acf43e6d5f583c5f874a2cb731bf5ce6d11f8a4e88c66867

SHA512
5051912e6315ae1707a917e11883cd548ffe71f563e6f9138033c49108f79c1d36647348bb062f4883a0c64e3a313c67f551e61eacdb4cc9073884ab2b0c5a6d

Download Submit
C:\Windows\SysWOW64\Dnekjogg.exe
Filesize
50KB

MD5
deda9841fa88e04e6aea689c749b5a10

SHA1
5061d5615384827e9533bd302d3c44b7998aa156

SHA256
0e368fb87d66a048acf43e6d5f583c5f874a2cb731bf5ce6d11f8a4e88c66867

SHA512
5051912e6315ae1707a917e11883cd548ffe71f563e6f9138033c49108f79c1d36647348bb062f4883a0c64e3a313c67f551e61eacdb4cc9073884ab2b0c5a6d

Download Submit
C:\Windows\SysWOW64\Oblobm32.exe
Filesize
50KB

MD5
67fb6430619cc0aa0d18ff8cfb90abc0

SHA1
fedba3ff14e42a95fa1b9e8689101dd2a4a32167

SHA256
355317f78abb5f279ddfee0038e81b487c09b280443bf70dc4ab0fbf8b145ecf

SHA512
c417d54da97602ddde2e4f23acfd92386db0e9d9a1dbe779ab1ae2e9a5c8ade1d4c00abf0dfeb280173912894c004561428c9d4867d1a56168d6b6ed66c90cb5

Download Submit
C:\Windows\SysWOW64\Oblobm32.exe
Filesize
50KB

MD5
67fb6430619cc0aa0d18ff8cfb90abc0

SHA1
fedba3ff14e42a95fa1b9e8689101dd2a4a32167

SHA256
355317f78abb5f279ddfee0038e81b487c09b280443bf70dc4ab0fbf8b145ecf

SHA512
c417d54da97602ddde2e4f23acfd92386db0e9d9a1dbe779ab1ae2e9a5c8ade1d4c00abf0dfeb280173912894c004561428c9d4867d1a56168d6b6ed66c90cb5

Download Submit
C:\Windows\SysWOW64\Oekknh32.exe
Filesize
50KB

MD5
12ec09f9c371c31f9f13b7828848af26

SHA1
0d40714b85eb6c8d31cdab6dbdadeddb4e53042b

SHA256
2796355115d5ff0190097476ca5fabbe6b41c7b336d035dc17f742f90df37e23

SHA512
6476ca46bcb294ffb9998091dfbb9f3cb7ea499b1ce218f70bae1c592cbfd5799d0b4ee77761b55c3387c0fdfddac7f175489007a125e4e1272d0188be7cc235

Download Submit
C:\Windows\SysWOW64\Oekknh32.exe
Filesize
50KB

MD5
12ec09f9c371c31f9f13b7828848af26

SHA1
0d40714b85eb6c8d31cdab6dbdadeddb4e53042b

SHA256
2796355115d5ff0190097476ca5fabbe6b41c7b336d035dc17f742f90df37e23

SHA512
6476ca46bcb294ffb9998091dfbb9f3cb7ea499b1ce218f70bae1c592cbfd5799d0b4ee77761b55c3387c0fdfddac7f175489007a125e4e1272d0188be7cc235

Download Submit
C:\Windows\SysWOW64\Olbfecmo.exe
Filesize
50KB

MD5
e44cc6c5847b9d143baa0b4642c50d5f

SHA1
ca8fdaf80b02da1c91092b254d30a45a3c239ce5

SHA256
27958297fd8170d30a2bf0735082fc7b4d3e01e44d0fb2723a249091ec59871e

SHA512
89af2659ee8ee22cd265b396f83706ebebed5d7e9acf53f90b65ca6384e4f5e73c21906a6220210f70b02ea988845776281705493aca02c0fbd401667bc6a105

Download Submit
C:\Windows\SysWOW64\Olbfecmo.exe
Filesize
50KB

MD5
e44cc6c5847b9d143baa0b4642c50d5f

SHA1
ca8fdaf80b02da1c91092b254d30a45a3c239ce5

SHA256
27958297fd8170d30a2bf0735082fc7b4d3e01e44d0fb2723a249091ec59871e

SHA512
89af2659ee8ee22cd265b396f83706ebebed5d7e9acf53f90b65ca6384e4f5e73c21906a6220210f70b02ea988845776281705493aca02c0fbd401667bc6a105

Download Submit
C:\Windows\SysWOW64\Pedndg32.exe
Filesize
50KB

MD5
4b1fb17ca07e28b2ae20c32660ea6328

SHA1
708d3f2c8823ec46e1926a72d2f4b3f6ec4bd78c

SHA256
84868567b04a74778b7a300abdad5d329a6e90f211b6a3d493470e9d159e3360

SHA512
327968e2adb083b8d1e3a1ad1377e78c15e0ade1ddb7867e605a6196de11212ca101c6582e64b3ac2500212c8cf13e23975924b86fff45a0523f654a1a405816

Download Submit
C:\Windows\SysWOW64\Pedndg32.exe
Filesize
50KB

MD5
4b1fb17ca07e28b2ae20c32660ea6328

SHA1
708d3f2c8823ec46e1926a72d2f4b3f6ec4bd78c

SHA256
84868567b04a74778b7a300abdad5d329a6e90f211b6a3d493470e9d159e3360

SHA512
327968e2adb083b8d1e3a1ad1377e78c15e0ade1ddb7867e605a6196de11212ca101c6582e64b3ac2500212c8cf13e23975924b86fff45a0523f654a1a405816

Download Submit
C:\Windows\SysWOW64\Pemhdhal.exe
Filesize
50KB

MD5
2d35e4ae0562751772aef4258d957546

SHA1
77aec4ead820e6b9659b22dbbacd362fe28117b7

SHA256
01ea6c6fb22e5cafcc4c023b37cd44c3dd081ca03551b322a59bf944c5f0fdf0

SHA512
0e50b046c8445a121d0714ead5400611287481871b61e53c766d3f25b2f4eb18bb3036381d7cf8b5d2225281ff015de392621e249c40cd9180193518f257e30f

Download Submit
C:\Windows\SysWOW64\Pemhdhal.exe
Filesize
50KB

MD5
2d35e4ae0562751772aef4258d957546

SHA1
77aec4ead820e6b9659b22dbbacd362fe28117b7

SHA256
01ea6c6fb22e5cafcc4c023b37cd44c3dd081ca03551b322a59bf944c5f0fdf0

SHA512
0e50b046c8445a121d0714ead5400611287481871b61e53c766d3f25b2f4eb18bb3036381d7cf8b5d2225281ff015de392621e249c40cd9180193518f257e30f

Download Submit
C:\Windows\SysWOW64\Pfcjojbg.exe
Filesize
50KB

MD5
00a69e792285386fb1a15ee07b5d97c0

SHA1
1c80fe43de6c2aa3c60c85e868ae9426a2820f1a

SHA256
bcc95850edcbdf2cf1e25b34b393db8f225effdd07a11372f11d6cdfb7e662f8

SHA512
0bede06c2cf689acd6f2360a3d408e99110a9993c8b9a80ea3c5f9f2d07467b82127857e8733117659d0238f0a3c52075b7159ffc1adc3ee5e73b49c16c44bb7

Download Submit
C:\Windows\SysWOW64\Pfcjojbg.exe
Filesize
50KB

MD5
00a69e792285386fb1a15ee07b5d97c0

SHA1
1c80fe43de6c2aa3c60c85e868ae9426a2820f1a

SHA256
bcc95850edcbdf2cf1e25b34b393db8f225effdd07a11372f11d6cdfb7e662f8

SHA512
0bede06c2cf689acd6f2360a3d408e99110a9993c8b9a80ea3c5f9f2d07467b82127857e8733117659d0238f0a3c52075b7159ffc1adc3ee5e73b49c16c44bb7

Download Submit
C:\Windows\SysWOW64\Pimmpfep.exe
Filesize
50KB

MD5
657cf3bcb0ed83a8c1f2ed6cc0629181

SHA1
6736371c2b58edd0e02b0bd3b0993cc81f913f27

SHA256
40f9839202ebfd28e96efa2decd72d5dd1c1b6582005fbbe80e08f7ea8f5d267

SHA512
fb1848472b275d532baed9e40cfd030bdd53a3cbdd487b567e9a5aeb67ded4b05d6a4553115d19131c480b5c7e53e8ab4959a1d2400c7b202d0bb3ef888306f8

Download Submit
C:\Windows\SysWOW64\Pimmpfep.exe
Filesize
50KB

MD5
657cf3bcb0ed83a8c1f2ed6cc0629181

SHA1
6736371c2b58edd0e02b0bd3b0993cc81f913f27

SHA256
40f9839202ebfd28e96efa2decd72d5dd1c1b6582005fbbe80e08f7ea8f5d267

SHA512
fb1848472b275d532baed9e40cfd030bdd53a3cbdd487b567e9a5aeb67ded4b05d6a4553115d19131c480b5c7e53e8ab4959a1d2400c7b202d0bb3ef888306f8

Download Submit
C:\Windows\SysWOW64\Pmflkepl.exe
Filesize
50KB

MD5
336f7dd18debc212587377707525163c

SHA1
fcbe3d4e7f991f261ace24c4e6ca15195e8c76e3

SHA256
e310aef24a5be608682f3db09661d86267858aaab5711d939a7c72ece56852ff

SHA512
fdb3cbe278984ea313cdd4ad85382fe770ac26f65f04f48de0b55b305a35ee3c148d853b81a844fdb06cfed9be80989d909c626a174ec2fba70630058343c7a1

Download Submit
C:\Windows\SysWOW64\Pmflkepl.exe
Filesize
50KB

MD5
336f7dd18debc212587377707525163c

SHA1
fcbe3d4e7f991f261ace24c4e6ca15195e8c76e3

SHA256
e310aef24a5be608682f3db09661d86267858aaab5711d939a7c72ece56852ff

SHA512
fdb3cbe278984ea313cdd4ad85382fe770ac26f65f04f48de0b55b305a35ee3c148d853b81a844fdb06cfed9be80989d909c626a174ec2fba70630058343c7a1

Download Submit
C:\Windows\SysWOW64\Pocpgnjp.exe
Filesize
50KB

MD5
389b22ca1cfe6bc1394bb172b520c154

SHA1
b274cb15a9a18fe3d93230e9a77e5252d0403b53

SHA256
efbe38bd79bb0cc098f5198d9722957c82056aab109e5085e2edcc3f3904800b

SHA512
92e2a5f326f50dce58a014ca49c5094c1ac335c8b28721899d1b1101ce8494f628f18d7d57490f845015a289a7b99ca10d980f0401962f372b8d29e44f356aab

Download Submit
C:\Windows\SysWOW64\Pocpgnjp.exe
Filesize
50KB

MD5
389b22ca1cfe6bc1394bb172b520c154

SHA1
b274cb15a9a18fe3d93230e9a77e5252d0403b53

SHA256
efbe38bd79bb0cc098f5198d9722957c82056aab109e5085e2edcc3f3904800b

SHA512
92e2a5f326f50dce58a014ca49c5094c1ac335c8b28721899d1b1101ce8494f628f18d7d57490f845015a289a7b99ca10d980f0401962f372b8d29e44f356aab

Download Submit
C:\Windows\SysWOW64\Ppblaaab.exe
Filesize
50KB

MD5
261df48db95daa49cb1154a6151013c9

SHA1
8436802ee924733fe59085d2fc4dfaeb8e80e900

SHA256
8883296606d3f0ae32fcba03c4dfb5078ff235331bd87613c530230dd520afce

SHA512
40d3417a3782e3d12d04111a2c33170e02890c05e66c2aedbae99e976deda877d059d31e6f2d173f9739359901a5b6724186266dc62712d4d06ad9b63ae36f89

Download Submit
C:\Windows\SysWOW64\Ppblaaab.exe
Filesize
50KB

MD5
261df48db95daa49cb1154a6151013c9

SHA1
8436802ee924733fe59085d2fc4dfaeb8e80e900

SHA256
8883296606d3f0ae32fcba03c4dfb5078ff235331bd87613c530230dd520afce

SHA512
40d3417a3782e3d12d04111a2c33170e02890c05e66c2aedbae99e976deda877d059d31e6f2d173f9739359901a5b6724186266dc62712d4d06ad9b63ae36f89

Download Submit
C:\Windows\SysWOW64\Qeigpfgo.exe
Filesize
50KB

MD5
1975d5258cc1b5ad3bae24042ce83be1

SHA1
88f3f5887104266f81eacdcb7e6bf493287753ac

SHA256
84fc6f55539f84592f57e43f1a5ac934a7f123596a47b35a4edac136da8e7cb2

SHA512
be4fd1db1cdb53c6129c558d33efd344c6bb60263c1a3116b592eafb044d5cf43428c04c2bcf0489e0792d8fd3dd9c454f210ef526479904dae150e6755a2f7a

Download Submit
C:\Windows\SysWOW64\Qeigpfgo.exe
Filesize
50KB

MD5
1975d5258cc1b5ad3bae24042ce83be1

SHA1
88f3f5887104266f81eacdcb7e6bf493287753ac

SHA256
84fc6f55539f84592f57e43f1a5ac934a7f123596a47b35a4edac136da8e7cb2

SHA512
be4fd1db1cdb53c6129c558d33efd344c6bb60263c1a3116b592eafb044d5cf43428c04c2bcf0489e0792d8fd3dd9c454f210ef526479904dae150e6755a2f7a

Download Submit
memory/320-151-0x0000000000000000-mapping.dmp

Download
memory/320-175-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/376-300-0x0000000000000000-mapping.dmp

Download
memory/376-310-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/424-258-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/424-232-0x0000000000000000-mapping.dmp

Download
memory/448-301-0x0000000000000000-mapping.dmp

Download
memory/448-311-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/744-190-0x0000000000000000-mapping.dmp

Download
memory/744-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1148-193-0x0000000000000000-mapping.dmp

Download
memory/1148-213-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1156-215-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1156-196-0x0000000000000000-mapping.dmp

Download
memory/1192-318-0x0000000000000000-mapping.dmp

Download
memory/1256-217-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1256-199-0x0000000000000000-mapping.dmp

Download
memory/1268-256-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1268-229-0x0000000000000000-mapping.dmp

Download
memory/1280-269-0x0000000000000000-mapping.dmp

Download
memory/1280-270-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1312-255-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1312-226-0x0000000000000000-mapping.dmp

Download
memory/1432-307-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1432-294-0x0000000000000000-mapping.dmp

Download
memory/1480-262-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1480-244-0x0000000000000000-mapping.dmp

Download
memory/1536-284-0x0000000000000000-mapping.dmp

Download
memory/1536-293-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1548-210-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1548-187-0x0000000000000000-mapping.dmp

Download
memory/1556-247-0x0000000000000000-mapping.dmp

Download
memory/1556-263-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1644-291-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1644-282-0x0000000000000000-mapping.dmp

Download
memory/1660-297-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1660-287-0x0000000000000000-mapping.dmp

Download
memory/1692-292-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1692-283-0x0000000000000000-mapping.dmp

Download
memory/1828-157-0x0000000000000000-mapping.dmp

Download
memory/1828-177-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2196-178-0x0000000000000000-mapping.dmp

Download
memory/2196-208-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2204-241-0x0000000000000000-mapping.dmp

Download
memory/2204-261-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2296-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2296-321-0x0000000000000000-mapping.dmp

Download
memory/2536-238-0x0000000000000000-mapping.dmp

Download
memory/2536-260-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2584-223-0x0000000000000000-mapping.dmp

Download
memory/2584-254-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2804-205-0x0000000000000000-mapping.dmp

Download
memory/2804-220-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-272-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-271-0x0000000000000000-mapping.dmp

Download
memory/2916-166-0x0000000000000000-mapping.dmp

Download
memory/2916-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2924-306-0x0000000000000000-mapping.dmp

Download
memory/2924-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2976-163-0x0000000000000000-mapping.dmp

Download
memory/2976-182-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2980-184-0x0000000000000000-mapping.dmp

Download
memory/2980-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3128-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3128-288-0x0000000000000000-mapping.dmp

Download
memory/3192-319-0x0000000000000000-mapping.dmp

Download
memory/3196-286-0x0000000000000000-mapping.dmp

Download
memory/3196-296-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3284-142-0x0000000000000000-mapping.dmp

Download
memory/3284-172-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3468-279-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3468-277-0x0000000000000000-mapping.dmp

Download
memory/3604-252-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3604-212-0x0000000000000000-mapping.dmp

Download
memory/3696-305-0x0000000000000000-mapping.dmp

Download
memory/3696-315-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3868-257-0x0000000000000000-mapping.dmp

Download
memory/3868-267-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3904-265-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3904-250-0x0000000000000000-mapping.dmp

Download
memory/4036-174-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4036-148-0x0000000000000000-mapping.dmp

Download
memory/4040-281-0x0000000000000000-mapping.dmp

Download
memory/4040-290-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4080-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4080-154-0x0000000000000000-mapping.dmp

Download
memory/4156-280-0x0000000000000000-mapping.dmp

Download
memory/4156-289-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4256-139-0x0000000000000000-mapping.dmp

Download
memory/4256-171-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4340-202-0x0000000000000000-mapping.dmp

Download
memory/4340-219-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4348-275-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4348-273-0x0000000000000000-mapping.dmp

Download
memory/4392-285-0x0000000000000000-mapping.dmp

Download
memory/4392-295-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4424-133-0x0000000000000000-mapping.dmp

Download
memory/4424-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4484-251-0x0000000000000000-mapping.dmp

Download
memory/4484-266-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4504-317-0x0000000000000000-mapping.dmp

Download
memory/4524-136-0x0000000000000000-mapping.dmp

Download
memory/4524-170-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4568-274-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4568-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4604-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4604-160-0x0000000000000000-mapping.dmp

Download
memory/4644-299-0x0000000000000000-mapping.dmp

Download
memory/4644-308-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4680-309-0x0000000000000000-mapping.dmp

Download
memory/4680-323-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4692-302-0x0000000000000000-mapping.dmp

Download
memory/4692-312-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4696-313-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4696-303-0x0000000000000000-mapping.dmp

Download
memory/4756-253-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4756-218-0x0000000000000000-mapping.dmp

Download
memory/4800-278-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4800-276-0x0000000000000000-mapping.dmp

Download
memory/4840-259-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4840-235-0x0000000000000000-mapping.dmp

Download
memory/4972-173-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4972-145-0x0000000000000000-mapping.dmp

Download
memory/5020-268-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5020-320-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5020-264-0x0000000000000000-mapping.dmp

Download
memory/5088-314-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5088-304-0x0000000000000000-mapping.dmp

Download