af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe
Size

207KB
MD5

44d05efdad6fae86e907c7662427f70e
SHA1

4b1259dd6a883641ad39d202cd92a5e28108a6e2
SHA256

af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2
SHA512

5e40d9ce0257a2c9eee8b8245acb6ba0257c53b6dd6a4d6ffe409ebe4007722f7cbd81771719157effe1c5865deecde99be3b7ee9bdbe52b150203309ee723cc
SSDEEP

3072:wGuvHmSWf6TGAq+BOezpHw0MX2++9SEVjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo23:xuOyTGAv92EVjj+VPj92d62ASOwj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifleji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdffah32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldfhgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhmcck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkjegb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cblebgfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpodkdll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqjcgbbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpnepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcqgahoe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladhkmno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofgmib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Didjqoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hljnkdnk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmiealgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmiealgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keekjc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajhpbme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpihbjmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epaemojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcgjhega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iqpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjlaoioh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niglfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfkpnji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegchl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akogio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpnbmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fplnogmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegchl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdphnmjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmngm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljhchc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhofnpp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niihlkdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjlnhi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiccje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gddqejni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khakqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmghklif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfomda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnblm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imknli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blkgen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fempbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdodbf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlfjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifcben32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioffhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fplnogmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gckcap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iqfcbahb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhaope32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgbhdkml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capkim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lapopm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knpmhh32.exe

UPX dump on OEP (original entry point) 52 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023263-6.dat	UPX
behavioral2/memory/2404-7-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0007000000023263-8.dat	UPX
behavioral2/files/0x000900000002325c-14.dat	UPX
behavioral2/memory/4924-17-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x000900000002325e-23.dat	UPX
behavioral2/files/0x0008000000023258-31.dat	UPX
behavioral2/files/0x000a000000023264-39.dat	UPX
behavioral2/files/0x0007000000023266-46.dat	UPX
behavioral2/memory/220-49-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0007000000023269-55.dat	UPX
behavioral2/memory/3984-56-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x000700000002326b-63.dat	UPX
behavioral2/memory/4800-64-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x000700000002326d-71.dat	UPX
behavioral2/files/0x000700000002326d-73.dat	UPX
behavioral2/files/0x000700000002326f-79.dat	UPX
behavioral2/files/0x000a000000023259-87.dat	UPX
behavioral2/memory/2304-89-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0007000000023272-94.dat	UPX
behavioral2/memory/548-97-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0007000000023274-103.dat	UPX
behavioral2/files/0x0007000000023274-105.dat	UPX
behavioral2/files/0x0007000000023276-111.dat	UPX
behavioral2/files/0x0007000000023278-119.dat	UPX
behavioral2/files/0x000800000002327a-127.dat	UPX
behavioral2/files/0x0006000000022e9f-135.dat	UPX
behavioral2/files/0x000700000002327d-143.dat	UPX
behavioral2/files/0x000700000002327f-151.dat	UPX
behavioral2/files/0x0007000000023281-159.dat	UPX
behavioral2/files/0x0007000000023283-167.dat	UPX
behavioral2/files/0x0007000000023285-175.dat	UPX
behavioral2/files/0x0007000000023287-183.dat	UPX
behavioral2/files/0x0008000000023254-191.dat	UPX
behavioral2/memory/3616-192-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x000700000002328a-199.dat	UPX
behavioral2/memory/4124-201-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x000700000002328c-207.dat	UPX
behavioral2/files/0x000700000002328e-215.dat	UPX
behavioral2/files/0x0007000000023290-224.dat	UPX
behavioral2/files/0x0007000000023292-233.dat	UPX
behavioral2/files/0x0007000000023295-246.dat	UPX
behavioral2/files/0x0007000000023298-254.dat	UPX
behavioral2/files/0x000700000002329a-262.dat	UPX
behavioral2/files/0x00070000000232bd-362.dat	UPX
behavioral2/memory/6084-452-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/memory/6124-453-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x00080000000232dc-479.dat	UPX
behavioral2/files/0x00070000000232ee-504.dat	UPX
behavioral2/files/0x0007000000023322-682.dat	UPX
behavioral2/files/0x0007000000023384-1001.dat	UPX
behavioral2/files/0x00070000000233af-1142.dat	UPX

Executes dropped EXE 64 IoCs

pid	Process
2404	Oiccje32.exe
4924	Ppikbm32.exe
1788	Ppnenlka.exe
4444	Qamago32.exe
4576	Qiiflaoo.exe
220	Abcgjg32.exe
3984	Bdlfjh32.exe
4800	Bpedeiff.exe
2040	Ckpamabg.exe
4940	Calfpk32.exe
2304	Cgklmacf.exe
548	Dalofi32.exe
4128	Eahobg32.exe
2276	Fnffhgon.exe
1008	Gkefmjcj.exe
1156	Icogcjde.exe
3320	Infhebbh.exe
2520	Jnnnfalp.exe
4532	Jejbhk32.exe
3492	Jaqcnl32.exe
2816	Jlkafdco.exe
2456	Khabke32.exe
3208	Kalcik32.exe
3616	Lklnconj.exe
4124	Lbhool32.exe
4560	Maoifh32.exe
4900	Ocdgahag.exe
1420	Ofgmib32.exe
4392	Pfncia32.exe
4996	Akihcfid.exe
5024	Acbmjcgd.exe
5048	Almanf32.exe
1784	Bfhofnpp.exe
3292	Bpemkcck.exe
708	Bcbeqaia.exe
3560	Cbmlmmjd.exe
3932	Dpefaq32.exe
5144	Epaemojk.exe
5192	Eiijfd32.exe
5236	Ecdkdj32.exe
5280	Feimadoe.exe
5324	Gddqejni.exe
5364	Gjqinamq.exe
5404	Gcimfg32.exe
5444	Gjcfcakn.exe
5488	Gckjlf32.exe
5528	Gqagkjne.exe
5568	Hcbpme32.exe
5604	Hcembe32.exe
5648	Hcgjhega.exe
5692	Hdffah32.exe
5732	Ijfkpnji.exe
5772	Iqpclh32.exe
5824	Imfdaigj.exe
5868	Ijjekn32.exe
5908	Imknli32.exe
5948	Ifcben32.exe
5992	Jjakkmpk.exe
6044	Jcaeea32.exe
6084	Khakqo32.exe
6124	Keekjc32.exe
5184	Knpmhh32.exe
5244	Lmjcdd32.exe
5304	Ldfhgn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mhoimi32.dll	Becknc32.exe
File opened for modification	C:\Windows\SysWOW64\Igpkok32.exe	Iqfcbahb.exe
File opened for modification	C:\Windows\SysWOW64\Lmneemaq.exe	Ladhkmno.exe
File created	C:\Windows\SysWOW64\Bgjjoi32.exe	Pdbbfadn.exe
File created	C:\Windows\SysWOW64\Jijomapp.dll	Loniiflo.exe
File created	C:\Windows\SysWOW64\Jmmcgbnf.exe	Igpkok32.exe
File created	C:\Windows\SysWOW64\Emdplb32.dll	Lapopm32.exe
File created	C:\Windows\SysWOW64\Jpgcpo32.dll	Ifcben32.exe
File opened for modification	C:\Windows\SysWOW64\Meadlo32.exe	Mhmcck32.exe
File created	C:\Windows\SysWOW64\Gjdknjep.exe	Gckcap32.exe
File created	C:\Windows\SysWOW64\Jodamh32.dll	Dalofi32.exe
File opened for modification	C:\Windows\SysWOW64\Lbhool32.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Mobbdf32.exe	Mdmngm32.exe
File created	C:\Windows\SysWOW64\Mhmcck32.exe	Mobbdf32.exe
File opened for modification	C:\Windows\SysWOW64\Gegchl32.exe	Fpcdof32.exe
File created	C:\Windows\SysWOW64\Fefmmcgh.dll	af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe
File created	C:\Windows\SysWOW64\Jlkafdco.exe	Jaqcnl32.exe
File created	C:\Windows\SysWOW64\Epaemojk.exe	Dpefaq32.exe
File created	C:\Windows\SysWOW64\Jncemmid.dll	Feifgnki.exe
File created	C:\Windows\SysWOW64\Bcnehb32.dll	Okbhlm32.exe
File created	C:\Windows\SysWOW64\Hnkhdmeh.dll	Pgnblm32.exe
File created	C:\Windows\SysWOW64\Eahobg32.exe	Dalofi32.exe
File created	C:\Windows\SysWOW64\Khecje32.dll	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Maghkogk.dll	Pkjegb32.exe
File created	C:\Windows\SysWOW64\Oakaofpm.dll	Akogio32.exe
File created	C:\Windows\SysWOW64\Gknohl32.dll	Ciaddaaj.exe
File opened for modification	C:\Windows\SysWOW64\Ljhchc32.exe	Lapopm32.exe
File created	C:\Windows\SysWOW64\Ladhkmno.exe	Lcqgahoe.exe
File created	C:\Windows\SysWOW64\Kongimkh.dll	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Eiijfd32.exe	Epaemojk.exe
File created	C:\Windows\SysWOW64\Oebdml32.dll	Fpcdof32.exe
File created	C:\Windows\SysWOW64\Hjmkbk32.dll	Hqjcgbbo.exe
File created	C:\Windows\SysWOW64\Lelmqm32.dll	Iobmmoed.exe
File opened for modification	C:\Windows\SysWOW64\Hjlaoioh.exe	Hcaibo32.exe
File created	C:\Windows\SysWOW64\Igghilhi.exe	Hhehkepj.exe
File opened for modification	C:\Windows\SysWOW64\Eldlhckj.exe	Eblgon32.exe
File opened for modification	C:\Windows\SysWOW64\Gckjlf32.exe	Gjcfcakn.exe
File created	C:\Windows\SysWOW64\Gqagkjne.exe	Gckjlf32.exe
File created	C:\Windows\SysWOW64\Dacnkkem.dll	Jopiom32.exe
File opened for modification	C:\Windows\SysWOW64\Lapopm32.exe	Kpnepk32.exe
File created	C:\Windows\SysWOW64\Jnnnfalp.exe	Infhebbh.exe
File created	C:\Windows\SysWOW64\Cbmlmmjd.exe	Bcbeqaia.exe
File created	C:\Windows\SysWOW64\Qfhapinj.dll	Dpihbjmg.exe
File created	C:\Windows\SysWOW64\Feifgnki.exe	Fplnogmb.exe
File created	C:\Windows\SysWOW64\Gfdahb32.dll	Cnmebblf.exe
File created	C:\Windows\SysWOW64\Cidlgjgm.dll	Ijfkpnji.exe
File opened for modification	C:\Windows\SysWOW64\Lajhpbme.exe	Ldfhgn32.exe
File created	C:\Windows\SysWOW64\Fplnogmb.exe	Fibfbm32.exe
File created	C:\Windows\SysWOW64\Flekihpc.exe	Fekclnif.exe
File created	C:\Windows\SysWOW64\Lfjkngdo.dll	Jfjakgpa.exe
File opened for modification	C:\Windows\SysWOW64\Ijfkpnji.exe	Hdffah32.exe
File opened for modification	C:\Windows\SysWOW64\Jcihjl32.exe	Jgbhdkml.exe
File created	C:\Windows\SysWOW64\Modkhnci.dll	Mmdlflki.exe
File opened for modification	C:\Windows\SysWOW64\Dfqdid32.exe	Dhpdkm32.exe
File opened for modification	C:\Windows\SysWOW64\Dpnbmi32.exe	Didjqoae.exe
File created	C:\Windows\SysWOW64\Mdodbf32.exe	Mmdlflki.exe
File created	C:\Windows\SysWOW64\Qiiflaoo.exe	Qamago32.exe
File created	C:\Windows\SysWOW64\Omabnq32.dll	Mobbdf32.exe
File created	C:\Windows\SysWOW64\Gmjlak32.dll	Kfeagefd.exe
File created	C:\Windows\SysWOW64\Hcgjhega.exe	Hcembe32.exe
File created	C:\Windows\SysWOW64\Fcpfdg32.dll	Lmjcdd32.exe
File created	C:\Windows\SysWOW64\Achmpagb.dll	Glqkefff.exe
File created	C:\Windows\SysWOW64\Bfhofnpp.exe	Almanf32.exe
File created	C:\Windows\SysWOW64\Gnamkncf.dll	Feimadoe.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
7632	7840	WerFault.exe	279
440	7840	WerFault.exe	279

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blkgen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjepamq.dll"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhgoj32.dll"	Adqeaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conpjg32.dll"	Gegchl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcaibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmghklif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkefmjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imknli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jncemmid.dll"	Feifgnki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akogio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbpeghpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaoemei.dll"	Kpnepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhmepaa.dll"	Hodqlq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igghilhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcefei32.dll"	Ioffhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgjjoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjieii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lapopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lapopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhmcck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjmpege.dll"	Bngfli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hljnkdnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmiealgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnffhgon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmedbiid.dll"	Imfdaigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcihjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acbmjcgd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckpamabg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcimfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifcben32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Igpkok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqgkidki.dll"	Maoifh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcbeqaia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhpdkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flopmh32.dll"	Fekclnif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndjec32.dll"	Mpnngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eblgon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loniiflo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgjjo32.dll"	Nockkcjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppklijpk.dll"	Blkgen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgbhdkml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijjekn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oeamcmmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ainnhdbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fekclnif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamiaq32.dll"	Jmmcgbnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjcfcakn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjcfcakn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knpmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijblcb32.dll"	Ladhkmno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfncia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjkng32.dll"	Pfmlok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bichcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Headnoed.dll"	Bbpeghpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ephgolkn.dll"	Bijncb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oebdml32.dll"	Fpcdof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioffhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acffllhk.dll"	Ppnenlka.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2404	1152	af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe	99
PID 1152 wrote to memory of 2404	1152	af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe	99
PID 1152 wrote to memory of 2404	1152	af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe	99
PID 2404 wrote to memory of 4924	2404	Oiccje32.exe	100
PID 2404 wrote to memory of 4924	2404	Oiccje32.exe	100
PID 2404 wrote to memory of 4924	2404	Oiccje32.exe	100
PID 4924 wrote to memory of 1788	4924	Ppikbm32.exe	101
PID 4924 wrote to memory of 1788	4924	Ppikbm32.exe	101
PID 4924 wrote to memory of 1788	4924	Ppikbm32.exe	101
PID 1788 wrote to memory of 4444	1788	Ppnenlka.exe	102
PID 1788 wrote to memory of 4444	1788	Ppnenlka.exe	102
PID 1788 wrote to memory of 4444	1788	Ppnenlka.exe	102
PID 4444 wrote to memory of 4576	4444	Qamago32.exe	103
PID 4444 wrote to memory of 4576	4444	Qamago32.exe	103
PID 4444 wrote to memory of 4576	4444	Qamago32.exe	103
PID 4576 wrote to memory of 220	4576	Qiiflaoo.exe	104
PID 4576 wrote to memory of 220	4576	Qiiflaoo.exe	104
PID 4576 wrote to memory of 220	4576	Qiiflaoo.exe	104
PID 220 wrote to memory of 3984	220	Abcgjg32.exe	105
PID 220 wrote to memory of 3984	220	Abcgjg32.exe	105
PID 220 wrote to memory of 3984	220	Abcgjg32.exe	105
PID 3984 wrote to memory of 4800	3984	Bdlfjh32.exe	106
PID 3984 wrote to memory of 4800	3984	Bdlfjh32.exe	106
PID 3984 wrote to memory of 4800	3984	Bdlfjh32.exe	106
PID 4800 wrote to memory of 2040	4800	Bpedeiff.exe	107
PID 4800 wrote to memory of 2040	4800	Bpedeiff.exe	107
PID 4800 wrote to memory of 2040	4800	Bpedeiff.exe	107
PID 2040 wrote to memory of 4940	2040	Ckpamabg.exe	108
PID 2040 wrote to memory of 4940	2040	Ckpamabg.exe	108
PID 2040 wrote to memory of 4940	2040	Ckpamabg.exe	108
PID 4940 wrote to memory of 2304	4940	Calfpk32.exe	109
PID 4940 wrote to memory of 2304	4940	Calfpk32.exe	109
PID 4940 wrote to memory of 2304	4940	Calfpk32.exe	109
PID 2304 wrote to memory of 548	2304	Cgklmacf.exe	110
PID 2304 wrote to memory of 548	2304	Cgklmacf.exe	110
PID 2304 wrote to memory of 548	2304	Cgklmacf.exe	110
PID 548 wrote to memory of 4128	548	Dalofi32.exe	111
PID 548 wrote to memory of 4128	548	Dalofi32.exe	111
PID 548 wrote to memory of 4128	548	Dalofi32.exe	111
PID 4128 wrote to memory of 2276	4128	Eahobg32.exe	112
PID 4128 wrote to memory of 2276	4128	Eahobg32.exe	112
PID 4128 wrote to memory of 2276	4128	Eahobg32.exe	112
PID 2276 wrote to memory of 1008	2276	Fnffhgon.exe	113
PID 2276 wrote to memory of 1008	2276	Fnffhgon.exe	113
PID 2276 wrote to memory of 1008	2276	Fnffhgon.exe	113
PID 1008 wrote to memory of 1156	1008	Gkefmjcj.exe	114
PID 1008 wrote to memory of 1156	1008	Gkefmjcj.exe	114
PID 1008 wrote to memory of 1156	1008	Gkefmjcj.exe	114
PID 1156 wrote to memory of 3320	1156	Icogcjde.exe	115
PID 1156 wrote to memory of 3320	1156	Icogcjde.exe	115
PID 1156 wrote to memory of 3320	1156	Icogcjde.exe	115
PID 3320 wrote to memory of 2520	3320	Infhebbh.exe	116
PID 3320 wrote to memory of 2520	3320	Infhebbh.exe	116
PID 3320 wrote to memory of 2520	3320	Infhebbh.exe	116
PID 2520 wrote to memory of 4532	2520	Jnnnfalp.exe	117
PID 2520 wrote to memory of 4532	2520	Jnnnfalp.exe	117
PID 2520 wrote to memory of 4532	2520	Jnnnfalp.exe	117
PID 4532 wrote to memory of 3492	4532	Jejbhk32.exe	118
PID 4532 wrote to memory of 3492	4532	Jejbhk32.exe	118
PID 4532 wrote to memory of 3492	4532	Jejbhk32.exe	118
PID 3492 wrote to memory of 2816	3492	Jaqcnl32.exe	119
PID 3492 wrote to memory of 2816	3492	Jaqcnl32.exe	119
PID 3492 wrote to memory of 2816	3492	Jaqcnl32.exe	119
PID 2816 wrote to memory of 2456	2816	Jlkafdco.exe	120

C:\Users\Admin\AppData\Local\Temp\af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe
"C:\Users\Admin\AppData\Local\Temp\af843099eb67363f9727b6a2a028e3145b536b3bf34b676abdf8d2a63c8e7de2.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\Oiccje32.exe
  C:\Windows\system32\Oiccje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\Ppikbm32.exe
    C:\Windows\system32\Ppikbm32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\Ppnenlka.exe
      C:\Windows\system32\Ppnenlka.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\SysWOW64\Qamago32.exe
        
        C:\Windows\system32\Qamago32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Eahobg32.exe
        
        C:\Windows\system32\Eahobg32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Fnffhgon.exe
        
        C:\Windows\system32\Fnffhgon.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Gkefmjcj.exe
        
        C:\Windows\system32\Gkefmjcj.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Icogcjde.exe
        
        C:\Windows\system32\Icogcjde.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Infhebbh.exe
        
        C:\Windows\system32\Infhebbh.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Ofgmib32.exe
        
        C:\Windows\system32\Ofgmib32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Akihcfid.exe
        
        C:\Windows\system32\Akihcfid.exe
        31⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Acbmjcgd.exe
        
        C:\Windows\system32\Acbmjcgd.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Almanf32.exe
        
        C:\Windows\system32\Almanf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Bfhofnpp.exe
        
        C:\Windows\system32\Bfhofnpp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        35⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\SysWOW64\Bcbeqaia.exe
        
        C:\Windows\system32\Bcbeqaia.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        37⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\Epaemojk.exe
        
        C:\Windows\system32\Epaemojk.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Eiijfd32.exe
        
        C:\Windows\system32\Eiijfd32.exe
        40⤵
        Executes dropped EXE
        
        PID:5192
        
        C:\Windows\SysWOW64\Ecdkdj32.exe
        
        C:\Windows\system32\Ecdkdj32.exe
        41⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Windows\SysWOW64\Feimadoe.exe
        
        C:\Windows\system32\Feimadoe.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Gddqejni.exe
        
        C:\Windows\system32\Gddqejni.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5324
        
        C:\Windows\SysWOW64\Gjqinamq.exe
        
        C:\Windows\system32\Gjqinamq.exe
        44⤵
        Executes dropped EXE
        
        PID:5364
        
        C:\Windows\SysWOW64\Gcimfg32.exe
        
        C:\Windows\system32\Gcimfg32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Gjcfcakn.exe
        
        C:\Windows\system32\Gjcfcakn.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Gckjlf32.exe
        
        C:\Windows\system32\Gckjlf32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Gqagkjne.exe
        
        C:\Windows\system32\Gqagkjne.exe
        48⤵
        Executes dropped EXE
        
        PID:5528
        
        C:\Windows\SysWOW64\Hcbpme32.exe
        
        C:\Windows\system32\Hcbpme32.exe
        49⤵
        Executes dropped EXE
        
        PID:5568
        
        C:\Windows\SysWOW64\Hcembe32.exe
        
        C:\Windows\system32\Hcembe32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Hcgjhega.exe
        
        C:\Windows\system32\Hcgjhega.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5648
        
        C:\Windows\SysWOW64\Hdffah32.exe
        
        C:\Windows\system32\Hdffah32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Ijfkpnji.exe
        
        C:\Windows\system32\Ijfkpnji.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Iqpclh32.exe
        
        C:\Windows\system32\Iqpclh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5772
        
        C:\Windows\SysWOW64\Imfdaigj.exe
        
        C:\Windows\system32\Imfdaigj.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ijjekn32.exe
        
        C:\Windows\system32\Ijjekn32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Imknli32.exe
        
        C:\Windows\system32\Imknli32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Ifcben32.exe
        
        C:\Windows\system32\Ifcben32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Jjakkmpk.exe
        
        C:\Windows\system32\Jjakkmpk.exe
        59⤵
        Executes dropped EXE
        
        PID:5992
        
        C:\Windows\SysWOW64\Jcaeea32.exe
        
        C:\Windows\system32\Jcaeea32.exe
        60⤵
        Executes dropped EXE
        
        PID:6044
        
        C:\Windows\SysWOW64\Khakqo32.exe
        
        C:\Windows\system32\Khakqo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6084
        
        C:\Windows\SysWOW64\Keekjc32.exe
        
        C:\Windows\system32\Keekjc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6124
        
        C:\Windows\SysWOW64\Knpmhh32.exe
        
        C:\Windows\system32\Knpmhh32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Lmjcdd32.exe
        
        C:\Windows\system32\Lmjcdd32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Ldfhgn32.exe
        
        C:\Windows\system32\Ldfhgn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Lajhpbme.exe
        
        C:\Windows\system32\Lajhpbme.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5312
        
        C:\Windows\SysWOW64\Loniiflo.exe
        
        C:\Windows\system32\Loniiflo.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Mdmngm32.exe
        
        C:\Windows\system32\Mdmngm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Mobbdf32.exe
        
        C:\Windows\system32\Mobbdf32.exe
        69⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Mhmcck32.exe
        
        C:\Windows\system32\Mhmcck32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Meadlo32.exe
        
        C:\Windows\system32\Meadlo32.exe
        71⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Nahdapae.exe
        
        C:\Windows\system32\Nahdapae.exe
        72⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Najagp32.exe
        
        C:\Windows\system32\Najagp32.exe
        73⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Nockkcjg.exe
        
        C:\Windows\system32\Nockkcjg.exe
        74⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Nemchn32.exe
        
        C:\Windows\system32\Nemchn32.exe
        75⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Oacdmo32.exe
        
        C:\Windows\system32\Oacdmo32.exe
        76⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Oeamcmmo.exe
        
        C:\Windows\system32\Oeamcmmo.exe
        77⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Pfmlok32.exe
        
        C:\Windows\system32\Pfmlok32.exe
        78⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Pkjegb32.exe
        
        C:\Windows\system32\Pkjegb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Qbmpjkqk.exe
        
        C:\Windows\system32\Qbmpjkqk.exe
        80⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Adqeaf32.exe
        
        C:\Windows\system32\Adqeaf32.exe
        81⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ainnhdbp.exe
        
        C:\Windows\system32\Ainnhdbp.exe
        82⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Ankgpk32.exe
        
        C:\Windows\system32\Ankgpk32.exe
        83⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Aeeomegd.exe
        
        C:\Windows\system32\Aeeomegd.exe
        84⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Akogio32.exe
        
        C:\Windows\system32\Akogio32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Bichcc32.exe
        
        C:\Windows\system32\Bichcc32.exe
        86⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Bbpeghpe.exe
        
        C:\Windows\system32\Bbpeghpe.exe
        87⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Bijncb32.exe
        
        C:\Windows\system32\Bijncb32.exe
        88⤵
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Bngfli32.exe
        
        C:\Windows\system32\Bngfli32.exe
        89⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Blkgen32.exe
        
        C:\Windows\system32\Blkgen32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Becknc32.exe
        
        C:\Windows\system32\Becknc32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Cnlpgibd.exe
        
        C:\Windows\system32\Cnlpgibd.exe
        92⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\Ciaddaaj.exe
        
        C:\Windows\system32\Ciaddaaj.exe
        93⤵
        Drops file in System32 directory
        
        PID:844
        
        C:\Windows\SysWOW64\Cfedmfqd.exe
        
        C:\Windows\system32\Cfedmfqd.exe
        94⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\Cblebgfh.exe
        
        C:\Windows\system32\Cblebgfh.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5496
        
        C:\Windows\SysWOW64\Dbckcf32.exe
        
        C:\Windows\system32\Dbckcf32.exe
        96⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\Dhpdkm32.exe
        
        C:\Windows\system32\Dhpdkm32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Dfqdid32.exe
        
        C:\Windows\system32\Dfqdid32.exe
        98⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Dpihbjmg.exe
        
        C:\Windows\system32\Dpihbjmg.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Dfcqod32.exe
        
        C:\Windows\system32\Dfcqod32.exe
        100⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Dbjade32.exe
        
        C:\Windows\system32\Dbjade32.exe
        101⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Didjqoae.exe
        
        C:\Windows\system32\Didjqoae.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Dpnbmi32.exe
        
        C:\Windows\system32\Dpnbmi32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4944
        
        C:\Windows\SysWOW64\Fibfbm32.exe
        
        C:\Windows\system32\Fibfbm32.exe
        104⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Fplnogmb.exe
        
        C:\Windows\system32\Fplnogmb.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\Feifgnki.exe
        
        C:\Windows\system32\Feifgnki.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Flboch32.exe
        
        C:\Windows\system32\Flboch32.exe
        107⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Fekclnif.exe
        
        C:\Windows\system32\Fekclnif.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Flekihpc.exe
        
        C:\Windows\system32\Flekihpc.exe
        109⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Fempbm32.exe
        
        C:\Windows\system32\Fempbm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Fpcdof32.exe
        
        C:\Windows\system32\Fpcdof32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Gegchl32.exe
        
        C:\Windows\system32\Gegchl32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Glqkefff.exe
        
        C:\Windows\system32\Glqkefff.exe
        113⤵
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Gckcap32.exe
        
        C:\Windows\system32\Gckcap32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Gjdknjep.exe
        
        C:\Windows\system32\Gjdknjep.exe
        115⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Gpodkdll.exe
        
        C:\Windows\system32\Gpodkdll.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Hodqlq32.exe
        
        C:\Windows\system32\Hodqlq32.exe
        117⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Hjieii32.exe
        
        C:\Windows\system32\Hjieii32.exe
        118⤵
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Hcaibo32.exe
        
        C:\Windows\system32\Hcaibo32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Hjlaoioh.exe
        
        C:\Windows\system32\Hjlaoioh.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6844
        
        C:\Windows\SysWOW64\Hljnkdnk.exe
        
        C:\Windows\system32\Hljnkdnk.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Hcdfho32.exe
        
        C:\Windows\system32\Hcdfho32.exe
        122⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Hhaope32.exe
        
        C:\Windows\system32\Hhaope32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6964
        
        C:\Windows\SysWOW64\Hjpkjh32.exe
        
        C:\Windows\system32\Hjpkjh32.exe
        124⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Hqjcgbbo.exe
        
        C:\Windows\system32\Hqjcgbbo.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Hhehkepj.exe
        
        C:\Windows\system32\Hhehkepj.exe
        126⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Igghilhi.exe
        
        C:\Windows\system32\Igghilhi.exe
        127⤵
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Ihheqd32.exe
        
        C:\Windows\system32\Ihheqd32.exe
        128⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Iobmmoed.exe
        
        C:\Windows\system32\Iobmmoed.exe
        129⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Ifleji32.exe
        
        C:\Windows\system32\Ifleji32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Ioffhn32.exe
        
        C:\Windows\system32\Ioffhn32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Ijlkfg32.exe
        
        C:\Windows\system32\Ijlkfg32.exe
        132⤵
        
        PID:736
        
        C:\Windows\SysWOW64\Iqfcbahb.exe
        
        C:\Windows\system32\Iqfcbahb.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Igpkok32.exe
        
        C:\Windows\system32\Igpkok32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Jmmcgbnf.exe
        
        C:\Windows\system32\Jmmcgbnf.exe
        135⤵
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Jgbhdkml.exe
        
        C:\Windows\system32\Jgbhdkml.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Jcihjl32.exe
        
        C:\Windows\system32\Jcihjl32.exe
        137⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Jjcqffkm.exe
        
        C:\Windows\system32\Jjcqffkm.exe
        138⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Jopiom32.exe
        
        C:\Windows\system32\Jopiom32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Jfjakgpa.exe
        
        C:\Windows\system32\Jfjakgpa.exe
        140⤵
        Drops file in System32 directory
        
        PID:7020
        
        C:\Windows\SysWOW64\Jmdjha32.exe
        
        C:\Windows\system32\Jmdjha32.exe
        141⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Kfeagefd.exe
        
        C:\Windows\system32\Kfeagefd.exe
        142⤵
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Kpnepk32.exe
        
        C:\Windows\system32\Kpnepk32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6256
        
        C:\Windows\SysWOW64\Lapopm32.exe
        
        C:\Windows\system32\Lapopm32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Ljhchc32.exe
        
        C:\Windows\system32\Ljhchc32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Lcqgahoe.exe
        
        C:\Windows\system32\Lcqgahoe.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Ladhkmno.exe
        
        C:\Windows\system32\Ladhkmno.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Lmneemaq.exe
        
        C:\Windows\system32\Lmneemaq.exe
        148⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Mpnngh32.exe
        
        C:\Windows\system32\Mpnngh32.exe
        149⤵
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Migcpneb.exe
        
        C:\Windows\system32\Migcpneb.exe
        150⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Mmdlflki.exe
        
        C:\Windows\system32\Mmdlflki.exe
        151⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Mdodbf32.exe
        
        C:\Windows\system32\Mdodbf32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6412
        
        C:\Windows\SysWOW64\Mmghklif.exe
        
        C:\Windows\system32\Mmghklif.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Mfomda32.exe
        
        C:\Windows\system32\Mfomda32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Mmiealgc.exe
        
        C:\Windows\system32\Mmiealgc.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Mphamg32.exe
        
        C:\Windows\system32\Mphamg32.exe
        156⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Niglfl32.exe
        
        C:\Windows\system32\Niglfl32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Ndmpddfe.exe
        
        C:\Windows\system32\Ndmpddfe.exe
        158⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Niihlkdm.exe
        
        C:\Windows\system32\Niihlkdm.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7044
        
        C:\Windows\SysWOW64\Odhppclh.exe
        
        C:\Windows\system32\Odhppclh.exe
        160⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Okbhlm32.exe
        
        C:\Windows\system32\Okbhlm32.exe
        161⤵
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Opopdd32.exe
        
        C:\Windows\system32\Opopdd32.exe
        162⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Pgnblm32.exe
        
        C:\Windows\system32\Pgnblm32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7188
        
        C:\Windows\SysWOW64\Pjlnhi32.exe
        
        C:\Windows\system32\Pjlnhi32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7232
        
        C:\Windows\SysWOW64\Pdbbfadn.exe
        
        C:\Windows\system32\Pdbbfadn.exe
        165⤵
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        166⤵
        Modifies registry class
        
        PID:7344
        
        C:\Windows\SysWOW64\Bdphnmjk.exe
        
        C:\Windows\system32\Bdphnmjk.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7388
        
        C:\Windows\SysWOW64\Cnmebblf.exe
        
        C:\Windows\system32\Cnmebblf.exe
        168⤵
        Drops file in System32 directory
        
        PID:7440
        
        C:\Windows\SysWOW64\Cicjokll.exe
        
        C:\Windows\system32\Cicjokll.exe
        169⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\Capkim32.exe
        
        C:\Windows\system32\Capkim32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7556
        
        C:\Windows\SysWOW64\Deqqek32.exe
        
        C:\Windows\system32\Deqqek32.exe
        171⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\Dbgndoho.exe
        
        C:\Windows\system32\Dbgndoho.exe
        172⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Dhfcae32.exe
        
        C:\Windows\system32\Dhfcae32.exe
        173⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Eblgon32.exe
        
        C:\Windows\system32\Eblgon32.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7792
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        175⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7840 -s 412
        176⤵
        Program crash
        
        PID:7632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7840 -s 412
        176⤵
        Program crash
        
        PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7840 -ip 7840
1⤵
PID:8024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcgjg32.exe

Filesize
207KB

MD5
36ff80275d345814ab3dd21b47279df2

SHA1
8b502730b5b14c12636d527d9c0950a92edad671

SHA256
0e820b0102921025a2635d9939b4bd864ee9c361414845df41f4596cdfe5c2db

SHA512
ba46eb671918ea7751bcf8b814873092371d1142478c110beebfc255b12d2d6683a3f4a13dc6cea26c34c7ffd68570814b252f8c6ffadd90694591599aad567e

Download Submit
C:\Windows\SysWOW64\Acbmjcgd.exe

Filesize
207KB

MD5
4044f9d42923bd70529ff84a4c317809

SHA1
5fb638c2c6161b8be5a3dfb1cec269d56b955f96

SHA256
5c086f8c07fccd0b4479388f727d30137ad32bd35d85c2a5e6b50e49c6804df1

SHA512
48c4d5f97abff2b6aaa99718ee0392809851f89ab155d56c28b6ae58bacce4d6a55649f238ee6d83cd48b4463b28184f5af17d2a4e0b0fa98a545e6f091a3098

Download Submit
C:\Windows\SysWOW64\Akihcfid.exe

Filesize
207KB

MD5
c6920f691e77edb4bf716bd052eded18

SHA1
2dd3022d3be3420542da80a169697ae335b11bd5

SHA256
ef65b97eccf2a073c1336e3089f61eb828e0475334857ac0c79fd982982df1a3

SHA512
963d17cadc79a440259b71469978ba703267b93d4c2c2c1448e6adc8c3aae12663db8a7bacbac715597d3ba2ada81fbdd90ab69e84e55e8e53fb11f158aa09cc

Download Submit
C:\Windows\SysWOW64\Almanf32.exe

Filesize
207KB

MD5
27c6d5eaca70c6f7025c6a0a5f87aa64

SHA1
89e1f422b571fb3160c3c4be29a43ecbd4b9ecc9

SHA256
2aa9c2c7e81a49c89d36cdb4fb10dbb044964f29d3278609c9e87b4f019b78d4

SHA512
6d0995b1f8551eedad2e48b91071eda621e58ee65953a0a34ce8d151ab00214f702dcb02548057b6c8e9fed4490014f85e587a7db4465a45126567eb5bd21524

Download Submit
C:\Windows\SysWOW64\Bdlfjh32.exe

Filesize
207KB

MD5
f7008d13d8b425934bf9a592947425b3

SHA1
f11de3c17fb62eed95ee36f57ef2e1af52cdbc5e

SHA256
1e15d70da6a19c224c2557955fa20e1195e4412230f24cce0c8ceac6be1eea95

SHA512
f92334133078d19e63e101b158572ffbf763734bfb9bf5cf7e70e755cefe548587d58ebbf7a84cd45c30d850de5d1a4212a23a1a5b5e41aeae258a91e338af27

Download Submit
C:\Windows\SysWOW64\Bdphnmjk.exe

Filesize
192KB

MD5
7214202622fd4085420aa6504a401436

SHA1
1979ee32affe14124550f84ce4d61ba2f5ec922f

SHA256
53888858ad9a3a0fc14ec2fca77bafa7abcdd5f9ff3ead9a7798b53c62f3cf66

SHA512
ffa16a7567002af47d9eab7fb4b23c1371e23339200b90adde865e74da5c94748df9e925ed435b502785f2cba10989484e897ca8971a64511d454dd0cf24704a

Download Submit
C:\Windows\SysWOW64\Bpedeiff.exe

Filesize
207KB

MD5
cc9d26563d9ab84823c6d2edaf871bef

SHA1
5fe6d65c7a96f60cb8a7cb8ecd27ddd82a49c5be

SHA256
88fbde0b3cd30fce6ce243ef759fd9f218f0f08219cc0a74b3eb8030167f692a

SHA512
11cbf7616a95e6f7bb4f37a47137fdb5422fa659564338b4bed720a06c3bb3132f6f8ec7fe9242c99398fb2b78d2a38a59ab2a4c5bb946dadff420ac041a5c27

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
207KB

MD5
173d18b1b997a3bc7fd35efd4c7b26c7

SHA1
aeef442008f22c82957e3bb01888732a71f7a982

SHA256
11b6d14829f992abbb1e560d8a677c4cffca554903f5841938933e34c1fa6dab

SHA512
f6a6c88f76706698692c34642a9fb7fd17b64600a7c7ac837e968ecac7706b80b746e771cb2c6fbe77dbf7d16efa260a78095e11991bae20418a80abc9cfbd94

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
207KB

MD5
e2b53c126f34705f8f2f773e2b45f78d

SHA1
3cd70dac12b8b6ffd7702abd79f3e0da8284a78e

SHA256
63e7d8c34ca7c022871b01d924f830515667b62fae4a5e826ab2f5fcc0814028

SHA512
025dd967edc92f7a5b6ca732ea71dcc62847181da49c123036ca37a027fb81c4b305b6a00c0d7f1cbbd360608964736dcd3b2bf4897eddb42ac960011ca280cd

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
207KB

MD5
1661ef5db98ff6365ef0b0291c403075

SHA1
83d543d2da246124f2854f7ccf56568a6ef108cc

SHA256
ea97d0a758a8b49251ecf506400fe05a303707104b33373f2f1a8c33c9bcbf5b

SHA512
3aea64d5ebc7a58d05df649ff8f7c3e0265e014955a0aa5b971016a0a7117a92d6744b3196753d4d89ae5a404759438520c69d69998603b83cabc02d1ece76cb

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
14KB

MD5
e06c87bba236c5342a607a28f8ae767c

SHA1
6d129ef6fdabba9de6f75177ab25e8b7039f1ca7

SHA256
cc887f89a6ac00d1efddd7ebc9d9cf25b72f17d5fc8578e49222e42b31cf5157

SHA512
f0f597e5b160f6647978962a428a4a878cc70c94df5aba436514ed79bd3e06037e481bbe2af2d19663d148f26f6022f6f76637a311d0a40285cf4c4fff27f7ad

Download Submit
C:\Windows\SysWOW64\Dalofi32.exe

Filesize
207KB

MD5
e695afb8f523ae410c896065c0f9fdae

SHA1
05bbaf4364d93a2a8ab2da014e56c152727440b7

SHA256
8012cd9c4568a8ae9d1ca8d2d5927eaaa8c4b929a10eb5cae75a22a532515898

SHA512
b77baa1ef7fb774cdd899c6ade16e2020da678cf3058c65f832efb290e212b06faed1c7d0be074ab83d787a9461a2b076b6aff2b19f4a181c7c1c4f336192a61

Download Submit
C:\Windows\SysWOW64\Dhpdkm32.exe

Filesize
207KB

MD5
a6c35e3fa25e0b389f364f6b85959034

SHA1
77d3f1b8bc2eb954304f720a306cec032162b863

SHA256
6b986b3cdea84068155ada4d9a34baa52ec63de08860961b5af0a34f780b6413

SHA512
eabd1f481b30953ab5b9c1e47fce443283ae33495393b0a92625a3ba1252bcae3219c946a404e7a68c215d292a606b67682bdd09fb4a5d93b92bb0342e3dc397

Download Submit
C:\Windows\SysWOW64\Eahobg32.exe

Filesize
186KB

MD5
12be631007bcc915282d231c3b8175c3

SHA1
59183bd5a0a1b0de99c7141a2a6f818408b48301

SHA256
f6f63a99df7b48d7836b26afedb70964f5d925c7eecb9ab3c50bc00bd2ce33e8

SHA512
129fbcc9fa33a722cca70ccb2a16b5bd12c4fbbed6455dd708119ea51c55ae3293204f16f100ab782bf9b623f3f1456ea672e55b7e32ea268f03c96b1eeb5eaa

Download Submit
C:\Windows\SysWOW64\Eahobg32.exe

Filesize
207KB

MD5
a316ae240bb7e7d18fcca1ba6f841155

SHA1
710468444151d6b85eb0a29d10af33790871906f

SHA256
f0ab089ff014c0a8ae06fd708bb9306513517913e16aa3b7dcd0354fbf5b8cba

SHA512
a07a5cbaa24d800ae5c1237552d162b717c31f86f79b176928366ed89ae9184b673e09fb8ce5019c67faa2deefd77d00d32b65c975fbb584eb2d1c8a8233a0b1

Download Submit
C:\Windows\SysWOW64\Emkcbcna.dll

Filesize
7KB

MD5
ac23b6db5b209b060585a4baeb700255

SHA1
5da5eb602500f71d9379b582426e3e2573dc6c14

SHA256
6ed0033079678dd7e8b7eab14aed99d2c13417e5ea80d1d4d75fac67085de44c

SHA512
fc501a79d855c320712c28dfd03d9012585f436db666c71df362ef75e4202b843f0622f61d0ab4f8a2ffce9b20a296a342fe4a42f4501beafd49804432c92e74

Download Submit
C:\Windows\SysWOW64\Fnffhgon.exe

Filesize
207KB

MD5
39b21a70cfb039a1c9f12cfe38792369

SHA1
9dcfa210f623cea8c2edfdf66688f0e327793093

SHA256
54c8cf9996bdb803c25f4d55b5b8cb18be8505fb2f050d3d2479bd0bebcf0c93

SHA512
86c07c733dffaf1d2904512891924646cb5cfb93a95d75f9fa3b83f40449b97d539593cb0bf3e34a0d0414a210fa75809065a34f5837e37ef57bb4e2631065b3

Download Submit
C:\Windows\SysWOW64\Gkefmjcj.exe

Filesize
207KB

MD5
22a73fd964567642b46a3eeef58c7a3c

SHA1
711c149f88729dcdd77bccf9edeb68528f1171bc

SHA256
cdc82fbe64db6c6ccc88aa0cb1c7332653cc26e0551bdc739b7d499f3bb0c15c

SHA512
e0876c3bb12903ca3aaf3b6a1dd9ca5d29969725c83333883b5974a38a7c1daaba47e667f6bd1ac57c3b4ba0a944391411ce02762aae51c173a4ba20b2da0286

Download Submit
C:\Windows\SysWOW64\Hcbpme32.exe

Filesize
207KB

MD5
ac15c1e0fb020a297698ec028b381eae

SHA1
4685c9b280e6a24554d67f17555a81a8d9e596a8

SHA256
3ecbac04d5c20abd254b2b5b94146731290c115c88aef4b4b20bee639fc42005

SHA512
22e1476f5f0c8edcf4bcec8345ca316b9b6016a9a94893e6c661ee39eace300af9edcd079a295e7727ad94a2880f0a30eaa14ff879b7e8ff7cd3bf925b420943

Download Submit
C:\Windows\SysWOW64\Icogcjde.exe

Filesize
207KB

MD5
23d316889054f6ee84d1b9dfa30a6566

SHA1
22c810af8923548525dbca5a741e2646e5cdbbc5

SHA256
bccfaf9aa05bb2b6c654cf3c42acf57a76cb1a73c8dbf99d265e387d4c123e01

SHA512
60ef794fc9acb667b05d715a33026f16dde2039c81efe4560033d4b81c7dd7d5a0f788773e197005903f65eb91c8dfc662299f6cf0a474314daa3682059b4365

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
128KB

MD5
7330a2cfeee443a7ab9899192044b172

SHA1
108ac2b06c1aff3a25ec2b4bb63f52777db29641

SHA256
9fb495a699875379c5a95a7c9fc768eaab7cef717de75d8e539df54060b69d7f

SHA512
a68f5bda88d901ee15abd8dcc27ee97909ffe6075d04364a4b9dd17aa21739eed946b4242fcde8cc26bcb399605102ae1f3a5e64fe28906fe84e0e8f5245863b

Download Submit
C:\Windows\SysWOW64\Infhebbh.exe

Filesize
207KB

MD5
ac554655d63421e8d79cff961c94ac9f

SHA1
1d0ca6a7dec6a6ee40f69bcdf923c1d4130c0d73

SHA256
9074a75198bf3228624c2c4a4efc4a88da62d102dca8d3cbb096839f78a04298

SHA512
21a35f18fe90dd9af53c9fc20b6b38e5006f8db0fdb546e8464b74c2ace0d7778582e5de21162f27aa658bb8a3ba50b19d0e094da04a0df578f248fb1fcfa7ca

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
207KB

MD5
d9a8f8a041e68d2ec5a4ec5a9d84afa7

SHA1
65ee8eeb8d4a387eaedb3669a2f01431b4991d46

SHA256
aa17e45986c2b92905cb11b60a44aeafe7a8e89a9cd26cb46eb701d95a375959

SHA512
de318b01a6fbab47126cc43916c9ffa836cc97ddd45a14dc62463c295bdde5033ee25b54510df8c9ff23fc496abe3b16e09f2450c56abd3dd154178b278a6181

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
207KB

MD5
90c8d45f181474aae8f6da48513d11fa

SHA1
b4911d720e53fcb3465fdfbd206a01c81d7ebee6

SHA256
239708b3e2196a4c788e147500214ec1eb1b294ff97b6d692251d836eb968bb0

SHA512
b343160a358ba8214d0cfa7a5d99564f669e4c1a98ba74339c8d11b857a86977830038e6d69c1077366fcc77c0e465c83f4926f3e4b4209e91f4b143b79c5fd0

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
207KB

MD5
bc199ba9109a0a4e997085a03a4335d3

SHA1
51d517b76033f9b826f4716fa37493c7fd63c7db

SHA256
da51c7754c35c076708c1e248661abaf72175080f0d41570a2aa2f4e9dddcde0

SHA512
a09e04b5361dd66f23e641ebab7f1b5bdad2d70706a4c5a37bdf09e454ddef21d9d2119814088c36f849c5173b2b6e5f4dd43065df52e50b28fd0fb5c799d735

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
207KB

MD5
abd28c0429096b3a88b5f38fa08e9fbe

SHA1
99a37dd99ec4b3c90c8d166d5b3a93e1de1823b8

SHA256
1cc14ee806da48bfaedfc0ec9daa602b9f2f99968bd07da164cfe089e6ce3b8b

SHA512
c6a7db679e6b3896aa2eb65a771c3f308a10df49c00ed09c9d3275fad2680745031189758c60bfc345c320ac431c85f7b3db2fd238ee06e42af656594b00a4b8

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
207KB

MD5
cdd67208c421a17bda98fc45956a8d3c

SHA1
e0dad668d5481fbaa1d6777b237535c802003b41

SHA256
bc21a9fb0685e8e362caa947ae9f72797a9d0d49b95d915ebee01c56a419d2c1

SHA512
8789f1734dfbaa66a8df299f22b9fe6c125945d1b58ad8dbb4756678a45472d21098609e4eab73a8621121bbb0c4d0218f7ef324d8021180543c1690dece9045

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
207KB

MD5
5411c9377ec082c69229a9ba18b297c0

SHA1
8f0e0115c7f06e43cd437732119b97b5d29d1532

SHA256
5c28fbfd3fff1abbb76413ad334b4f0cf25c0e796a1d84151ef91c8e19ed7063

SHA512
7442f988dfb1c69016928cdb188e87617da71205ce9ebdd8fe828df0939393c34c5bb8d37f5c3fb0a55b3228c4df01793bb32458ad1f367315984346b6ad6922

Download Submit
C:\Windows\SysWOW64\Lbhool32.exe

Filesize
207KB

MD5
164b0793a326efc44bcc61b9f67df9e2

SHA1
02acd0160371144c7c3da5c65f454918a00a1adb

SHA256
ec4bb46c2af39e01b482fc5fafa478b3912ee352517db71b2abd3bcecd1e462d

SHA512
14e6e57471253320c039c8c87025983945d89b7a370f946ba21ebc1d3e972ef0469fd0ac1559ab6af642f69d53edde92337ff08a34e33708d2f1db66d8e67a0e

Download Submit
C:\Windows\SysWOW64\Lcqgahoe.exe

Filesize
207KB

MD5
218573aa0a94b8dddbb392fed07f3198

SHA1
59cf7c6bd4f05d9ca7665a442a2409e6bfa1375f

SHA256
5148add6d828d8521ece1842694a9a34539cf23b920e9e8d2b100d39ee88cec6

SHA512
97e2af52fbe916261e2a9efeb6537825168aba7524242f0876f9bc173141bc23dba7c4059df6935aabf705a5945ba2a11ead1869b3f9992d7033ab4a473a7c3d

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
207KB

MD5
e25d2af4bdb7561db51d12f79fc17273

SHA1
13c62afa1be7398a0c2cf1bd3d381bab4bf4fc25

SHA256
95b9b99a988c2f7f57d141fcf04c6d3412e78b9288c96045c5575e7adadee201

SHA512
32cae642d0afbb48dac90115d288889dea76a9b53f9876a1f896d19d2608d40a3871dfe419f090cdeede1c661f07afadeb1dfd8393b3a12fe6523df282d288fb

Download Submit
C:\Windows\SysWOW64\Loniiflo.exe

Filesize
207KB

MD5
e9437fb9918568e5c575b6959ee48ce7

SHA1
a4feb5fe5416d1954c285d199089304ad174f1be

SHA256
09884380f8fadc9c01689ff036cb5b9047f7f256783a3d4df941098ad5ec0dc4

SHA512
0025e839bba87e6541ddb38166699def2233cf2f67445d7432f0779e99a46822a6a7ec63d55a7f1d1900244967339b949caed53f6920b591db203d38b5449bb2

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
207KB

MD5
b92ff89e10d340065cf265d9c70adf56

SHA1
979a6252f8b9e0495465e36eb69f456c028463c6

SHA256
ab23f54a99719647aa477387467f4ac24f549c5e73652fbc03935a40dee8cd9d

SHA512
f3eb6506613eadea4e13dcb9fc54c75f15ed72c1bb397f1f77c183cb7f201c2d36e69412486e54a04024eab689eab7a13100cd0ba4067bea3077cf260f638ac8

Download Submit
C:\Windows\SysWOW64\Meadlo32.exe

Filesize
207KB

MD5
08ae718659a54a04d319cb4bf08922ed

SHA1
cacbfd1cb1a25898f4a7f96a56cc387425aa1849

SHA256
7c78fd84c317cedce708c1482fe13129e917956721442627f49d58a550e87d2d

SHA512
11e36fd2cc254a6c5723964425e99c44f7c53e62782655aa5dcae733d3298994004213e357c75e5ba40ce511c02b4a116fa73cd9685eb30c162b0300638680b6

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
207KB

MD5
32b8a99f840f52515033bca2bb596656

SHA1
3a0747987341fba240b3a3f248d45332778c679c

SHA256
6a77e57a198929a50beb1a0cf7a73395d6c1ec207165206e3e68b6b4f067aeda

SHA512
ace8792818bfda89a6b29af89936b16d7a77a1e1b0c77c8c8e8dc9304a6d8ab8488677316366adfbaaf654c06b39d452abaf5ea67abdf7c0f8c7b913e0ba5d86

Download Submit
C:\Windows\SysWOW64\Ofgmib32.exe

Filesize
207KB

MD5
3917d84266a9c75c26f02294b779b1a7

SHA1
761d96d794442d1957b32bad792d0e8f70e6893d

SHA256
2cfdced40864207b822e6bff9d8a722e791cd467b7398959b56852ab0eacc277

SHA512
29b596130ed27eafb4cbf0564b86a3193b61720262133e5bb8d30395ef1581d5baf867718436202a12492d331fd8e4454d334cc3b316cf3383560b0370d3c2c6

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
175KB

MD5
8aa1a6d12da6586c461af4229626886a

SHA1
98105de578c605cc9c260a782ff8a39d8b324e65

SHA256
f61bcf32984ede95e29f785b03ffeb686ffc959268a3ff04730a1d81d752283f

SHA512
55fb141237e91b2e33a77154414c99bf244331f627458ec369ccec7fae065832ce114a692f81da253bf042b733c7ed5c7a4bf9eb0e5239427875a20597d787ab

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
207KB

MD5
dc6f678918adec570789bb75d66257ce

SHA1
6fedf4b1dee04be59b5a70a1b89c747cca2ddbe4

SHA256
e3202ec1e05b72189bcef24ec394af130ee3c4a6223b5239c4f49956ffb9163c

SHA512
ea4f08fad527d1135a5c3a65d9b5d6381f76d5bc14c073283c94d9c76806b5efdec3897467af9b18cb6173f8947b0eff8177af7a0830361de6812c18658fbf87

Download Submit
C:\Windows\SysWOW64\Pfncia32.exe

Filesize
207KB

MD5
d1d0f31974eadc13a53a4b2210dfda85

SHA1
bb0d5d760ef3ffae46254c7cf5cd3e4ea9d3569f

SHA256
416ab306a967b9e8496f56d41006aed83f625a43fdf499f5369a5ed063ed54b0

SHA512
4f930bd4b2fe43085caee1594f0c4f700f372a03fcf6c0a0ac62a052cdcc5c1b135d824580915dc8109bd9893aba7f7279d29a824ed722261e5db7ed3cfd9aff

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
207KB

MD5
18457af44ea28f22eb453da2947201ff

SHA1
5cfc163342ba3ed3027087bfaea3b282cdb209bc

SHA256
b8cd93c73b469377cfe155ebf46c2c5ca6f34d437c68079063469e2a67520189

SHA512
f5a96acafbd4e1f3956a3a83672995fce18653ea2fc2a1b52e31f7a70d1b69ece819f1bf231f7c6c99669a2123008d436347a5e7917a731584550c34b5ff6f18

Download Submit
C:\Windows\SysWOW64\Ppnenlka.exe

Filesize
207KB

MD5
ef3628c5f3fa7f61eeab8bb76a93cde0

SHA1
77b9b446e7df33106a402bd8876b52179f657447

SHA256
35b28f0175fa9a703b21b0ba64d52af2f49c90525167341e4b05ffb6174f4007

SHA512
acc11d94e8f04439a7df11b1ff173588179ecce9db26c6d4ef0842ede46aff4075b322174461d4702288e3276655a30dc58d926ba7eac153d0bd088a368d3377

Download Submit
C:\Windows\SysWOW64\Qamago32.exe

Filesize
207KB

MD5
9dccd7b43562ce924208326dbe7fadce

SHA1
271b5c66617eec291387e762587b288571746546

SHA256
c2c2a6bfd45cbbce1242d72d6145cd42e1768a797d9b842bb5725dfcd2094695

SHA512
e42098c6f23967dd689f62a6e94c020b8ab459d249ee271dd1870203c4596aad34fc69b67c93a1cce4a4ed149672a3c0f0981777c21c72e257dfb11f746e56a6

Download Submit
C:\Windows\SysWOW64\Qiiflaoo.exe

Filesize
207KB

MD5
c96dfec676a3052308bd66fc5b761a34

SHA1
2f75a9e34db0c120b1a861a7002c0e2f4717ae94

SHA256
a3ac21f90616391bb0ae67b222b539297f047f0fe55333f15c8a0b92f0607195

SHA512
26d5b8e9b8394b93fd78aba33d197ddcef8da2c9dd04fac0107a885abd9fb0ba446c4598663fe5569a5902f5aa9bf8532ca87ddbc9c25a866ed2c088243d80eb

Download Submit
memory/220-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/548-97-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/708-290-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1008-120-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1152-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1156-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1420-227-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1784-271-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1788-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2040-72-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-112-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2304-89-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2404-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2456-176-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2520-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2816-169-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3208-184-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3292-278-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3320-137-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3492-161-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3560-292-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3616-192-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3932-300-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3984-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4124-201-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4128-104-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4392-244-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4444-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4532-153-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4560-208-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4576-41-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4800-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4900-222-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4924-17-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4940-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4996-247-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5024-256-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5048-263-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5144-305-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5192-311-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5236-322-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5244-471-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5280-327-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5304-476-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5312-478-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5324-331-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5364-337-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5404-343-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5444-349-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5528-361-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5568-367-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5604-373-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5648-379-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5692-391-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5732-397-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5772-398-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5824-405-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5868-411-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5908-417-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5948-428-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5992-437-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/6044-446-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/6084-452-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/6124-453-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads