9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689.exe
Size

377KB
MD5

c36526b1cbc570b13df6e2d6ceb9c2c3
SHA1

b36411de7a8e9d246fa7cb72018d9d665e0aba50
SHA256

9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689
SHA512

d825ceda5a7a3df6def7b1db16cc44dc7060e9d2ab943e27dd99f09e470c83d9b45e874510c862aefebbc89451e250ae8c0b6705461c029097012e5c9a537980
SSDEEP

6144:K0bBhLcEP/Np5OBGSgnohijgAUv5fKx/SgnohignC5V:vpO+dMTv5i1dayV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfembo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hofdacke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeqmoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkfoeega.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipknlb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icplcpgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghopckpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmjdjgjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehimanbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcfqfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbdgfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnidn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmncnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gohhpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcdmga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdqgmmjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbbkaako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmlpoqpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iifokh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpebpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchhggno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gohhpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcpclbfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe

UPX dump on OEP (original entry point) 58 IoCs

resource	yara_rule
behavioral2/memory/4592-6-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x000700000002321c-15.dat	UPX
behavioral2/memory/228-21-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x000700000002321e-23.dat	UPX
behavioral2/files/0x0007000000023220-32.dat	UPX
behavioral2/files/0x0007000000023222-39.dat	UPX
behavioral2/files/0x0007000000023224-45.dat	UPX
behavioral2/files/0x0007000000023226-53.dat	UPX
behavioral2/files/0x0007000000023228-61.dat	UPX
behavioral2/files/0x000700000002322a-69.dat	UPX
behavioral2/files/0x000700000002322c-75.dat	UPX
behavioral2/files/0x000700000002322e-83.dat	UPX
behavioral2/files/0x0007000000023230-89.dat	UPX
behavioral2/files/0x0007000000023232-97.dat	UPX
behavioral2/files/0x0007000000023234-103.dat	UPX
behavioral2/memory/1640-108-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x0008000000023215-119.dat	UPX
behavioral2/files/0x0007000000023243-161.dat	UPX
behavioral2/files/0x0007000000023247-175.dat	UPX
behavioral2/files/0x0007000000023249-182.dat	UPX
behavioral2/files/0x000700000002324d-195.dat	UPX
behavioral2/files/0x000700000002324f-202.dat	UPX
behavioral2/files/0x0007000000023255-224.dat	UPX
behavioral2/files/0x0007000000023257-231.dat	UPX
behavioral2/files/0x0007000000023253-217.dat	UPX
behavioral2/files/0x0007000000023251-210.dat	UPX
behavioral2/files/0x000700000002324b-189.dat	UPX
behavioral2/files/0x0007000000023245-168.dat	UPX
behavioral2/files/0x0007000000023241-154.dat	UPX
behavioral2/files/0x000700000002323f-147.dat	UPX
behavioral2/files/0x000700000002323d-140.dat	UPX
behavioral2/files/0x000700000002323b-133.dat	UPX
behavioral2/files/0x0007000000023239-126.dat	UPX
behavioral2/files/0x0007000000023236-112.dat	UPX
behavioral2/memory/4956-59-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/1968-51-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x000700000002321a-8.dat	UPX
behavioral2/memory/4564-330-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4228-336-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/3052-355-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/1424-375-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/564-389-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/3976-410-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4380-424-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4596-431-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/5020-453-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/1768-465-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/1648-481-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/3200-489-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/3184-500-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/1572-506-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/2464-516-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/4100-518-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/1544-541-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/2228-559-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/files/0x00070000000232c5-560.dat	UPX
behavioral2/memory/1856-569-0x0000000000400000-0x000000000048A000-memory.dmp	UPX
behavioral2/memory/1512-577-0x0000000000400000-0x000000000048A000-memory.dmp	UPX

Executes dropped EXE 64 IoCs

pid	Process
3988	Eamhodmf.exe
228	Ehgqln32.exe
4232	Eoaihhlp.exe
3976	Ehimanbq.exe
1968	Ecoangbg.exe
4956	Eemnjbaj.exe
5056	Elgfgl32.exe
656	Eepjpb32.exe
1640	Fljcmlfd.exe
1360	Fcckif32.exe
3212	Fhqcam32.exe
2468	Fkopnh32.exe
4564	Fcfhof32.exe
4228	Fdgdgnbm.exe
3316	Fchddejl.exe
4448	Fdialn32.exe
2760	Flqimk32.exe
952	Fkffog32.exe
3052	Fbpnkama.exe
3972	Fhjfhl32.exe
1176	Gkhbdg32.exe
3440	Gbbkaako.exe
4732	Gdqgmmjb.exe
3456	Glhonj32.exe
2396	Gofkje32.exe
1424	Gbdgfa32.exe
4892	Ghopckpi.exe
1532	Gohhpe32.exe
2812	Gdeqhl32.exe
3112	Gmlhii32.exe
564	Gcfqfc32.exe
2252	Gfembo32.exe
4464	Gcimkc32.exe
1508	Gfgjgo32.exe
4536	Hiefcj32.exe
4528	Hkdbpe32.exe
2524	Hckjacjg.exe
3656	Hihbijhn.exe
2016	Hkfoeega.exe
4756	Hcmgfbhd.exe
2836	Hbpgbo32.exe
1168	Hijooifk.exe
808	Hkikkeeo.exe
3944	Hcpclbfa.exe
4000	Hfnphn32.exe
4556	Himldi32.exe
4080	Hofdacke.exe
4660	Hbeqmoji.exe
1516	Hioiji32.exe
4968	Hmjdjgjo.exe
4980	Hcdmga32.exe
3416	Iiaephpc.exe
4896	Ipknlb32.exe
780	Iehfdi32.exe
4380	Iifokh32.exe
2032	Ibnccmbo.exe
4428	Icnpmp32.exe
4596	Icplcpgo.exe
3132	Jimekgff.exe
2456	Jcbihpel.exe
5060	Jioaqfcc.exe
3892	Jcgbco32.exe
1160	Jehokgge.exe
3088	Jcioiood.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hijooifk.exe	Hbpgbo32.exe
File created	C:\Windows\SysWOW64\Eghpcp32.dll	Mmpijp32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Hcdmga32.exe	Hmjdjgjo.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Mckemg32.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Hfnphn32.exe	Hcpclbfa.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Ooajidfn.dll	Icplcpgo.exe
File opened for modification	C:\Windows\SysWOW64\Kmncnb32.exe	Klngdpdd.exe
File opened for modification	C:\Windows\SysWOW64\Melnob32.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Elgfgl32.exe	Eemnjbaj.exe
File opened for modification	C:\Windows\SysWOW64\Jcioiood.exe	Jehokgge.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Phaedfje.dll	Jimekgff.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ehgqln32.exe	Eamhodmf.exe
File created	C:\Windows\SysWOW64\Aomaga32.dll	Lepncd32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Hihbijhn.exe	Hckjacjg.exe
File opened for modification	C:\Windows\SysWOW64\Ehimanbq.exe	Eoaihhlp.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mibpda32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Gfembo32.exe	Gcfqfc32.exe
File opened for modification	C:\Windows\SysWOW64\Himldi32.exe	Hfnphn32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Odkjng32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Fcckif32.exe	Fljcmlfd.exe
File created	C:\Windows\SysWOW64\Geplnioe.dll	Fdgdgnbm.exe
File created	C:\Windows\SysWOW64\Hafgeo32.dll	Gcfqfc32.exe
File opened for modification	C:\Windows\SysWOW64\Gcimkc32.exe	Gfembo32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Hcdmga32.exe	Hmjdjgjo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6908	6728	WerFault.exe	271

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iifokh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjccol.dll"	Eemnjbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedoeq32.dll"	Hiefcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciglpe32.dll"	Hkfoeega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipknlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijlbqboa.dll"	Hihbijhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbpgbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hofdacke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcckif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgoikdb.dll"	Ibnccmbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jehokgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjhcgd32.dll"	Gdeqhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhqcam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hijooifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaiann32.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naqcfnjk.dll"	Fcfhof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdckfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbpgbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfgkj32.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epbahkcp.dll"	Fkopnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhjfhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoogcin.dll"	Hcpclbfa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 3988	4592	9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689.exe	87
PID 4592 wrote to memory of 3988	4592	9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689.exe	87
PID 4592 wrote to memory of 3988	4592	9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689.exe	87
PID 3988 wrote to memory of 228	3988	Eamhodmf.exe	88
PID 3988 wrote to memory of 228	3988	Eamhodmf.exe	88
PID 3988 wrote to memory of 228	3988	Eamhodmf.exe	88
PID 228 wrote to memory of 4232	228	Ehgqln32.exe	89
PID 228 wrote to memory of 4232	228	Ehgqln32.exe	89
PID 228 wrote to memory of 4232	228	Ehgqln32.exe	89
PID 4232 wrote to memory of 3976	4232	Eoaihhlp.exe	90
PID 4232 wrote to memory of 3976	4232	Eoaihhlp.exe	90
PID 4232 wrote to memory of 3976	4232	Eoaihhlp.exe	90
PID 3976 wrote to memory of 1968	3976	Ehimanbq.exe	91
PID 3976 wrote to memory of 1968	3976	Ehimanbq.exe	91
PID 3976 wrote to memory of 1968	3976	Ehimanbq.exe	91
PID 1968 wrote to memory of 4956	1968	Ecoangbg.exe	92
PID 1968 wrote to memory of 4956	1968	Ecoangbg.exe	92
PID 1968 wrote to memory of 4956	1968	Ecoangbg.exe	92
PID 4956 wrote to memory of 5056	4956	Eemnjbaj.exe	93
PID 4956 wrote to memory of 5056	4956	Eemnjbaj.exe	93
PID 4956 wrote to memory of 5056	4956	Eemnjbaj.exe	93
PID 5056 wrote to memory of 656	5056	Elgfgl32.exe	94
PID 5056 wrote to memory of 656	5056	Elgfgl32.exe	94
PID 5056 wrote to memory of 656	5056	Elgfgl32.exe	94
PID 656 wrote to memory of 1640	656	Eepjpb32.exe	95
PID 656 wrote to memory of 1640	656	Eepjpb32.exe	95
PID 656 wrote to memory of 1640	656	Eepjpb32.exe	95
PID 1640 wrote to memory of 1360	1640	Fljcmlfd.exe	96
PID 1640 wrote to memory of 1360	1640	Fljcmlfd.exe	96
PID 1640 wrote to memory of 1360	1640	Fljcmlfd.exe	96
PID 1360 wrote to memory of 3212	1360	Fcckif32.exe	97
PID 1360 wrote to memory of 3212	1360	Fcckif32.exe	97
PID 1360 wrote to memory of 3212	1360	Fcckif32.exe	97
PID 3212 wrote to memory of 2468	3212	Fhqcam32.exe	98
PID 3212 wrote to memory of 2468	3212	Fhqcam32.exe	98
PID 3212 wrote to memory of 2468	3212	Fhqcam32.exe	98
PID 2468 wrote to memory of 4564	2468	Fkopnh32.exe	99
PID 2468 wrote to memory of 4564	2468	Fkopnh32.exe	99
PID 2468 wrote to memory of 4564	2468	Fkopnh32.exe	99
PID 4564 wrote to memory of 4228	4564	Fcfhof32.exe	100
PID 4564 wrote to memory of 4228	4564	Fcfhof32.exe	100
PID 4564 wrote to memory of 4228	4564	Fcfhof32.exe	100
PID 4228 wrote to memory of 3316	4228	Fdgdgnbm.exe	101
PID 4228 wrote to memory of 3316	4228	Fdgdgnbm.exe	101
PID 4228 wrote to memory of 3316	4228	Fdgdgnbm.exe	101
PID 3316 wrote to memory of 4448	3316	Fchddejl.exe	102
PID 3316 wrote to memory of 4448	3316	Fchddejl.exe	102
PID 3316 wrote to memory of 4448	3316	Fchddejl.exe	102
PID 4448 wrote to memory of 2760	4448	Fdialn32.exe	103
PID 4448 wrote to memory of 2760	4448	Fdialn32.exe	103
PID 4448 wrote to memory of 2760	4448	Fdialn32.exe	103
PID 2760 wrote to memory of 952	2760	Flqimk32.exe	104
PID 2760 wrote to memory of 952	2760	Flqimk32.exe	104
PID 2760 wrote to memory of 952	2760	Flqimk32.exe	104
PID 952 wrote to memory of 3052	952	Fkffog32.exe	105
PID 952 wrote to memory of 3052	952	Fkffog32.exe	105
PID 952 wrote to memory of 3052	952	Fkffog32.exe	105
PID 3052 wrote to memory of 3972	3052	Fbpnkama.exe	106
PID 3052 wrote to memory of 3972	3052	Fbpnkama.exe	106
PID 3052 wrote to memory of 3972	3052	Fbpnkama.exe	106
PID 3972 wrote to memory of 1176	3972	Fhjfhl32.exe	107
PID 3972 wrote to memory of 1176	3972	Fhjfhl32.exe	107
PID 3972 wrote to memory of 1176	3972	Fhjfhl32.exe	107
PID 1176 wrote to memory of 3440	1176	Gkhbdg32.exe	108

C:\Users\Admin\AppData\Local\Temp\9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689.exe
"C:\Users\Admin\AppData\Local\Temp\9c3886718987ac0ba7021579f320f2ea1920c7b43317d2d677ad8e5381b18689.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\SysWOW64\Eamhodmf.exe
  C:\Windows\system32\Eamhodmf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\Ehgqln32.exe
    C:\Windows\system32\Ehgqln32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\Eoaihhlp.exe
      C:\Windows\system32\Eoaihhlp.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\SysWOW64\Ehimanbq.exe
        
        C:\Windows\system32\Ehimanbq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
      - C:\Windows\SysWOW64\Ecoangbg.exe
        
        C:\Windows\system32\Ecoangbg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Eemnjbaj.exe
        
        C:\Windows\system32\Eemnjbaj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Elgfgl32.exe
        
        C:\Windows\system32\Elgfgl32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Eepjpb32.exe
        
        C:\Windows\system32\Eepjpb32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Fljcmlfd.exe
        
        C:\Windows\system32\Fljcmlfd.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Fcckif32.exe
        
        C:\Windows\system32\Fcckif32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Fhqcam32.exe
        
        C:\Windows\system32\Fhqcam32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Fkopnh32.exe
        
        C:\Windows\system32\Fkopnh32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Fcfhof32.exe
        
        C:\Windows\system32\Fcfhof32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Fchddejl.exe
        
        C:\Windows\system32\Fchddejl.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Fdialn32.exe
        
        C:\Windows\system32\Fdialn32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Flqimk32.exe
        
        C:\Windows\system32\Flqimk32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Fbpnkama.exe
        
        C:\Windows\system32\Fbpnkama.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Fhjfhl32.exe
        
        C:\Windows\system32\Fhjfhl32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Gkhbdg32.exe
        
        C:\Windows\system32\Gkhbdg32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Gbbkaako.exe
        
        C:\Windows\system32\Gbbkaako.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Glhonj32.exe
        
        C:\Windows\system32\Glhonj32.exe
        25⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Gofkje32.exe
        
        C:\Windows\system32\Gofkje32.exe
        26⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Gbdgfa32.exe
        
        C:\Windows\system32\Gbdgfa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Ghopckpi.exe
        
        C:\Windows\system32\Ghopckpi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Gohhpe32.exe
        
        C:\Windows\system32\Gohhpe32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Gmlhii32.exe
        
        C:\Windows\system32\Gmlhii32.exe
        31⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Gcfqfc32.exe
        
        C:\Windows\system32\Gcfqfc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\Gfembo32.exe
        
        C:\Windows\system32\Gfembo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        34⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Gfgjgo32.exe
        
        C:\Windows\system32\Gfgjgo32.exe
        35⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Hiefcj32.exe
        
        C:\Windows\system32\Hiefcj32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Hkdbpe32.exe
        
        C:\Windows\system32\Hkdbpe32.exe
        37⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Hihbijhn.exe
        
        C:\Windows\system32\Hihbijhn.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Hkfoeega.exe
        
        C:\Windows\system32\Hkfoeega.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\Hbpgbo32.exe
        
        C:\Windows\system32\Hbpgbo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        44⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Hcpclbfa.exe
        
        C:\Windows\system32\Hcpclbfa.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        47⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Hbeqmoji.exe
        
        C:\Windows\system32\Hbeqmoji.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        50⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Hmjdjgjo.exe
        
        C:\Windows\system32\Hmjdjgjo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Hcdmga32.exe
        
        C:\Windows\system32\Hcdmga32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        53⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Ipknlb32.exe
        
        C:\Windows\system32\Ipknlb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Iehfdi32.exe
        
        C:\Windows\system32\Iehfdi32.exe
        55⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\Iifokh32.exe
        
        C:\Windows\system32\Iifokh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Icplcpgo.exe
        
        C:\Windows\system32\Icplcpgo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        61⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        63⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Jehokgge.exe
        
        C:\Windows\system32\Jehokgge.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        66⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:972
        
        C:\Windows\SysWOW64\Klngdpdd.exe
        
        C:\Windows\system32\Klngdpdd.exe
        68⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Kmncnb32.exe
        
        C:\Windows\system32\Kmncnb32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2176
        
        C:\Windows\SysWOW64\Lbjlfi32.exe
        
        C:\Windows\system32\Lbjlfi32.exe
        70⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        71⤵
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Lpcfkm32.exe
        
        C:\Windows\system32\Lpcfkm32.exe
        72⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\Lpebpm32.exe
        
        C:\Windows\system32\Lpebpm32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1648
        
        C:\Windows\SysWOW64\Lmiciaaj.exe
        
        C:\Windows\system32\Lmiciaaj.exe
        75⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        76⤵
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Mmlpoqpg.exe
        
        C:\Windows\system32\Mmlpoqpg.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4224
        
        C:\Windows\SysWOW64\Mchhggno.exe
        
        C:\Windows\system32\Mchhggno.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3184
        
        C:\Windows\SysWOW64\Mibpda32.exe
        
        C:\Windows\system32\Mibpda32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        82⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        83⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        84⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        85⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        86⤵
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        88⤵
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        89⤵
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4636
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        91⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        92⤵
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        95⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        96⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        97⤵
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        99⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        100⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        103⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        107⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        109⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        111⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        112⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        115⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        116⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        120⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        122⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        123⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        124⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        126⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        127⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        129⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        130⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        134⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        136⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        137⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        138⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        140⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        141⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        142⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        143⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        145⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        148⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        149⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6204
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        154⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6384
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        158⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        159⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6652
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        163⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        164⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        165⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        166⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        167⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7072
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        172⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7160
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        174⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        175⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        176⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        177⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        179⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        180⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        181⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 396
        182⤵
        Program crash
        
        PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6728 -ip 6728
1⤵
PID:6868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:6180

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:6976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eamhodmf.exe

Filesize
377KB

MD5
bc597cf5c95943ae8ff140dc55050f30

SHA1
633d5929bd8af7259cb44b455fbf0fce0c7f8182

SHA256
67c36612bd7f8991580f3f866da0be1f68a11d93390455ceb6ae5ec16b7117dc

SHA512
71b96405dd0cf09f81a049f28e0017f231f4c2d61d2acf7444f0581d513f6d51c0343e19eded026b56590ef40d05a586cdc675bef5c9477020f85e548678f7c6

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
377KB

MD5
4c24b903bf1c953ea1e045c7dd73e20b

SHA1
38a6f45ae2826d07052b1d844aac2e40ab53b10f

SHA256
737f3eb0d19b7fe6a2c931ea927feb85e85196433ffe578b2abe7ef100004cc3

SHA512
7cc03505188d0538de5f119b743c697df5edc70be459be3b34b1f8e633b74edff018405272b93458c087e2aa519ba81c6e97af38c40f040f5e5cbd04d60ec354

Download Submit
C:\Windows\SysWOW64\Eemnjbaj.exe

Filesize
377KB

MD5
91c348ee009aa1cc9e857ab83c7c1552

SHA1
7188cafab1e6de24d5ab23437abb98c0d9de40ff

SHA256
685177daa122bcb977f0005a568e419e62b62e11093750d7e0346b675dc8e85d

SHA512
bd7ccafebe5be8c62f7ed81a84a11900e321f5bd8aba31cb712e6070a0b2434746fee6f29b13c5750689e87b37d6cd1e33534fc319b4fb56455b38ffafe1517d

Download Submit
C:\Windows\SysWOW64\Eepjpb32.exe

Filesize
377KB

MD5
f7f98507ed23b27e7ace4e02eee94a90

SHA1
e0ee9fbb1816e512322f8c6da45503137428a327

SHA256
fbe12f5c27c05484609652ea16d15f5b3fa7597e59965efc4234902c0ed1fc65

SHA512
3e7dc04dcb8eaf972b6828560d8d062d7ebaa2b6d2c12fe99208db4ee10f98303bfbc0858183565d17fa4ecc9636e6de8efd178c3db78f77e8e7127937a3b2f7

Download Submit
C:\Windows\SysWOW64\Ehgqln32.exe

Filesize
377KB

MD5
de80bdfb47e080cbadfc1d1e95abd194

SHA1
ab5fe5342637de87a629b30ac1efdb449747c2ff

SHA256
1899b0026d70db6ffce9f4fc24e3d609c2ee57e28bfae67dd12b8dbefacae11e

SHA512
966d0bca29ffbb431d7b732f7e88eee143d7916f5d0d6ac08070f9a5cafe71fc364af6e7cd531216b6aeb5a7afe806e1b8c4d60049fb18e345540c70dcb39f8b

Download Submit
C:\Windows\SysWOW64\Ehimanbq.exe

Filesize
377KB

MD5
6e26f70d50618694a7368d4ca0cf9d4f

SHA1
0d684dca2067e361958adeba8ad04eb18ab1cea3

SHA256
5679b61b2a00250e8cd63864d7444a170d114f3c96cbaf6e3b94799bf4e3d5ef

SHA512
695be088e8e96780f66e0e22cae4171d3d874ee9320e72632f315a54dc3140c3d79c6448f717c75dbed98f6c89fd7cc95f7501312f2255584f676e86245fd8cc

Download Submit
C:\Windows\SysWOW64\Elgfgl32.exe

Filesize
377KB

MD5
3cdf45fa56985c4317e778e02dbc36d8

SHA1
34b0f93dee113fadc76e21e37f4df0dc993fe22f

SHA256
cef5d43fcddae2e4e25e806166d1a281acce7277d06761e83c457d754f1499ff

SHA512
5df4fbb2db01387330137da0983d61132b7ada1cb7cfec429cbe1d8247dc780568854827d2bbbef6478258540ede1e6c096f7a416e30a77c2be1ec0bc9bf8f44

Download Submit
C:\Windows\SysWOW64\Eoaihhlp.exe

Filesize
377KB

MD5
96c5e6914e62cf14f1984f1b2cee5b76

SHA1
d2b18f41fffd311faece58ba83b74add86b2d9ea

SHA256
c6318746407229b0521195a866a9ad0b9f44f891950b42d8c89f738acad7eede

SHA512
8b6cf7c411fe6dbc8e2b05cd940470602e3221b6c3c6e19bb2812cb7b36cdfa6ac9861f9fcb90a6510cdc1a1fcda97c82ad6359ce33566ac09aebf42a702db89

Download Submit
C:\Windows\SysWOW64\Fbpnkama.exe

Filesize
377KB

MD5
4ea32376ddb91bf326f262ec59a2f3e8

SHA1
9f4ff9b04a8de5897c6dba995295b2c9994f3dc8

SHA256
5b629a5e08ff317bb7e57c26f854568f21139b5425de1be312ccbd3c57b0addb

SHA512
b0f8d7e13f5138735e8320932224b34b3d96219f7e4b656af60d7e8853296b51c662a701a266e71562bfa46fa2d5e3f91e7a589ccad6f688cd6fde23d63e9d92

Download Submit
C:\Windows\SysWOW64\Fcckif32.exe

Filesize
377KB

MD5
5b773935ffa4ef81e9f6be960b16031a

SHA1
d5177499c1cebe1dc178cc3101c58cd033e0825a

SHA256
f77389804c0955759287f709d3b27868a15ac2c47aa562b0ce194a253ffe0fc2

SHA512
aa426bc216cd2db3d827d48e16f545c8ee4adec03642a5ff3faa3fe3bad94ebaafad2bf20b59a87bec12827bab432465faac45b7aac4904ce4a6c3bc619a4abf

Download Submit
C:\Windows\SysWOW64\Fcfhof32.exe

Filesize
377KB

MD5
a7c156aa792803ca0710703a9617f4ea

SHA1
39a69129285ba617aac5d7a41ec10bf2a4240dc0

SHA256
9178eb86ded9574f8deca5738058d0c1fc97331fbb35a1d0d336606d94d84dd6

SHA512
ac18ffc12f18ec2c70b44cc96f52bc61fe2290f9e4e536b7343a6524347a5167065843fa9d3906657f12dd03bf4577159e98550b52874925c33780cd1a52bdcc

Download Submit
C:\Windows\SysWOW64\Fchddejl.exe

Filesize
377KB

MD5
ff5929167a97509abc9d40b171ca1ad0

SHA1
1471ce39e3cb9c576d0161b7c097da5b33f04eab

SHA256
56d48f9ffff5a637d5cc4ceca1a095c95dbf6a25c6eeba303e4c1523df01d0e6

SHA512
1d5d8268eee90a39d03b3a7bc730f89645868267783f2db6b8bb26b4eea9c4ebba4aec35557b2164abeb2c8647ebd3d0e57c4eff6c8a895e422e014eb9ac24bb

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
377KB

MD5
d244c053b90f4979174e91541e794405

SHA1
85d10fa60c27698154767dd1b8861399edee1e85

SHA256
18ce51b674f1f53188088e320d16078a6c9ee3ab0513e7c4cc823cc977f8c1e8

SHA512
c8573891df4a966fad4889c1c90615f7eadd70c88bff6f51a7411c62ca8e964ce7e1c02ab43ef7297dad2554bb0cc653a7425111f1c704a6c976b95c67282b25

Download Submit
C:\Windows\SysWOW64\Fdialn32.exe

Filesize
377KB

MD5
8e8a18804733cb30d90cf45e6112b242

SHA1
d872b034c41bfa29a4b04d86fee02759ff20473c

SHA256
cb24e069fdb283e19744fcfa79a3266d1434c545d9a02dabb01fa3d98607f908

SHA512
8d68ef6d7cb683e247bd7f46217c9955ffc5cd6383385949e97e173f104b13d0cea5441ef513abe2f568f070128eee13217d5adb51ddd7f7ee5d9d9ea9d467a7

Download Submit
C:\Windows\SysWOW64\Fhjfhl32.exe

Filesize
377KB

MD5
d9295982efbac62232c3701e6fca04ff

SHA1
9e2a85f6fa911add4121d5e3256fbd7d6690cdc1

SHA256
f623be7192a1a35fd892389188a63c596f2676e6640646498988422f4fa96f4a

SHA512
7ba7a917540c878f0620e3a4847babfd7e0334a32726bb74d766e90fffddae04c4de598b2a70dbffa03325b43ad638fdc0ce2063ca26bf8d65f7b5568484dab1

Download Submit
C:\Windows\SysWOW64\Fhqcam32.exe

Filesize
377KB

MD5
de5cc5225256bd5a52e75860be506c2f

SHA1
d5deee621cef9ddffd3932f0023cf92c4d8e4ec3

SHA256
9b9bf4a667204fa04e057a781d55ed0b7309e97243e770d03d48f7f254af9733

SHA512
07ee593dee8a84b7c457e692948b89727b700017a4b16d1abff3c30fd8e4ea1ff7100bb491a2a0a8e3e3a61fa919e3a8a77f461951d8767cd0008c89bc1d4c70

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
377KB

MD5
2a2dba50aa0e3bd3b3c4531ce20b8e5e

SHA1
cc86b64c0b3eb108c71f1a2103799807a06395b7

SHA256
9421de433fca4200bb0e81b0588fa565b739ca71ef6310ed3c43f62907870568

SHA512
6e04a12a4fef0fd04373ba8243c39d85e623eeb40bb3471e4588fbf78f679c24a9f26f7549fc28cd3193c975320fe46b386d9207971cf1f1db3ddae19eb73df1

Download Submit
C:\Windows\SysWOW64\Fkopnh32.exe

Filesize
377KB

MD5
f317a446353e835ee9502bae9f577318

SHA1
8cb9fd091d811a7e1ee9785687dc69e4690ada26

SHA256
b010b73dd546e65ad52eab605ec8553e9dafe9f4b982fd98badc87d32715b16e

SHA512
edcf3668c099edebc3601ec431dddeb39ff22dcfdec1f59218e48155db227e01d6e59cf28589ccbb16ec73207f8cf828918ef5905094e75e81a79e1581d46a90

Download Submit
C:\Windows\SysWOW64\Fljcmlfd.exe

Filesize
377KB

MD5
fd032ccac693ce15b8b951f9d4f46ed1

SHA1
bc1f88b85a343627452d1e0a6205a5c4d68fd5d7

SHA256
52a1d204388752321ef63be0d7e6026f58a78aa2260982d98583931bbf6be281

SHA512
c00038efa0088f729dab1596d3ce6bd6b8a7bac345884f505801f6ae2d6eebb4dffca92d1821a0c0044c8887401ef46fb3fcae58e46f08beb388bace1652016f

Download Submit
C:\Windows\SysWOW64\Flqimk32.exe

Filesize
377KB

MD5
b8bca0b421fa65093c3345064967f9a8

SHA1
74350235e8eec101a8dbbed49926dd8b4a29820c

SHA256
40b00b79d6f900a8ade488e908b26277a2905bc89ce3d476deee705186d4fa64

SHA512
11924ad1d76d8ee97f1a736f6e8d37a2de4e6293785d320ed56b82075af2654834720d4682d6540fb0831657275d6aa72de21b95b8eea17932fa9ebd022942e4

Download Submit
C:\Windows\SysWOW64\Gbbkaako.exe

Filesize
377KB

MD5
910807e3859ba95b6c7796912b2c4a69

SHA1
d7aed386329b7d1548adce6b8676a4c22e740de5

SHA256
b29fd07b0545fd9aa7647e89dedb3fcb48769dc1003400993421c8b7cf5046fe

SHA512
2288a0fff9451d681a9e636346a3cf0cc5927c163e559b32e02133e2847999124c62c92412a37eb71dd2919ad8138495723df489f95b672adf0f590134a9a6cc

Download Submit
C:\Windows\SysWOW64\Gbdgfa32.exe

Filesize
377KB

MD5
5e0d66e238c4d69f934ed86f4ffb0e29

SHA1
a4a0591ce8632bd640e49952b67a42eae0cf2c8c

SHA256
36da6c51f67b5728f5b6afcfbe2e38937ce3f1281e9892a9659609111a481f04

SHA512
de67d1d9c4f7e73c2745705331befb1c988c2ce94d92e5a105e0179d9020c77fbd397bf561c2234ffaacd3f25d9bd441893ecc15b41be1f2e0b7f12b45aa568f

Download Submit
C:\Windows\SysWOW64\Gcfqfc32.exe

Filesize
377KB

MD5
8a677317f72f243965b67958fd6048aa

SHA1
7e662a62b70f9d17f5f79c6919f8fa515d495d4b

SHA256
1a3f00fede1ad0010a899447e1eb0e407e53bb1207ac369d7b4d58319f36af82

SHA512
4e682f654f8985635f87e3cba37d4f957b8a309277d2c59611ee838390ff0e1f18cbe6d8811197221ba0d5896ccc47bf72de40d92172057e690ab4b5fc929729

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
377KB

MD5
0ad51cb379ecd3e116c034b0b2e6c008

SHA1
6f538d0bd1c8c367b8264dd4336b872da09be894

SHA256
6eab431ae6731a8b376780e91b3d1f6bdcce166691b5f27366c60bf784520ba1

SHA512
dc61abda5803feab21856a4e60b3320772b30962fdad474d97945635daa86b24b915e3342c87987e51a979f13e083a71c90efef620603cbb5f76f495bfd99315

Download Submit
C:\Windows\SysWOW64\Gdqgmmjb.exe

Filesize
377KB

MD5
6f1018439816e6cd996253050d410e4b

SHA1
76546052f1e82486ce8567140481ceb50cd90582

SHA256
9313fb2241be84b3032d7116b6c421dc8e4db495233ccfa6e5e49458a3510397

SHA512
9d70808e262e2aff1b4afbe3ba1f93a38987d01c0c3b4d961039ffc54da31e4cf3685780676db2326240fee9d7147695633323b7e56fe89dfff93d0768020b60

Download Submit
C:\Windows\SysWOW64\Gfembo32.exe

Filesize
377KB

MD5
11505acc7e676ab86a7d9a053a558824

SHA1
39d13dee470570f2be4fbcb4a54bd2ebb4d87bdb

SHA256
1c42e697dc932120d5ec82c60483e4df0f79e987306af72404d92debd4b271af

SHA512
6d8b3335c0eb3bdc57a8675e7802a6482c4e0453fb536ed55cc3fd100d4763d06dbfb3998a016ae647c3509ba38d5a0a5c8d8c804e69b2621da82e161b00898f

Download Submit
C:\Windows\SysWOW64\Ghopckpi.exe

Filesize
377KB

MD5
5f4f8cadcb0e0fb84ebea25e96ef8017

SHA1
99b68d74e740e9ef588714406dbeeec43e06f9b3

SHA256
57f01d15949716088bd46a3e5147e8092aa63cf9e290aaee45dd96eb395eb1f7

SHA512
5d6c32a901f93110014531e413465ed9ee97ec7760c316347c3f2a223ce099d5762e43061e551f466cc96accd492688afd92190988092eebb8496c2509095154

Download Submit
C:\Windows\SysWOW64\Gkhbdg32.exe

Filesize
377KB

MD5
e60ded7af2973857aaf85bfbb89f788e

SHA1
4e56dabee4725783f2f8ad9070bea72f406e844b

SHA256
9515166fe5a483ffd1d3677e3563055bd6931d05f877fc93505c32a70a94c67a

SHA512
151f2759854b0d97a789ed5e538443d01e1ef4435c0727cb7fa1963f8512334bcd9da483f15cce230d1eb8e8ccb32114b51f924f2e59a83200574936b5ee22cc

Download Submit
C:\Windows\SysWOW64\Glhonj32.exe

Filesize
377KB

MD5
60d2afecf8a14efadca0f2ad6b2ea566

SHA1
ff829ef9c5b5555faa7c35739af18b979765d658

SHA256
f0eae3799cef731650557312bcbbc782bf16f67c445935ebfc2a17f85718acbf

SHA512
0380a9249033808da33e80bd7bb11b4a8bcb3cf3268c1ea6ccbe69634788c44a23f2bb12a393890e8cdc9b7f4edc0f528429a9b236cfa675ebd4d52d67e114f5

Download Submit
C:\Windows\SysWOW64\Gmlhii32.exe

Filesize
377KB

MD5
6d51f2b44fac4bba7935d9360f1511bb

SHA1
1ded7c6ab469c711ba21aabf40a251cb33478ade

SHA256
5614de2a6a1fa312f26d6eaab1807ab2b93a8dac4ce64fc41fc4adececc00fbc

SHA512
8094a310843e720edbcbfdc23361bca108f3d18c5f5a82798d9e6233024f672aa5ab52bb0ef49b5713c153ddbb6f1724fc298d426e8237661dde1e26e98d66bd

Download Submit
C:\Windows\SysWOW64\Gofkje32.exe

Filesize
377KB

MD5
78cd9edfcfe06c0e8bff43a5bb7c2709

SHA1
9f733247f2f27ed79f23af5824ae262b04a17724

SHA256
7f544e1a6a58343a15b03398ff98cd5aa64617f6f57c6d23f4534ee653dc33a4

SHA512
6986ea2a1d64daa3f6029417c18e5132b494c15ddfee5943bdee452fcf8021f7a0594db7884b2a93830615f1aaeda025ee6afb771024da8ee506302149c3f36a

Download Submit
C:\Windows\SysWOW64\Gohhpe32.exe

Filesize
377KB

MD5
1f8b29eb1cc43570a4960c1499ead0a2

SHA1
f1b6202c30c544ab745119e2ca339458372a6f8b

SHA256
b0b63f57751d2c7e7ca21a23cf05640d40d8a279507282ec11199ac35532f4b3

SHA512
b0e0a9fb39dcc0981906dc22b492f5e3c203752c69c0257a23a8d7b5f0d5624d056417c6041dc9a2fc0951696dae71a7bcc2dbcc035afc2c8a4591940def2af9

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
377KB

MD5
0f9d2416e50c8bf2a405e89577153481

SHA1
9facc7cfaec7ac9cb7aec3ae45c55a0d87bde246

SHA256
00b9eed582f7cb674363b0b6832f197ef17d91f123366aa10b285e3a6cb11f5b

SHA512
57a24e8ea3707332ac907f13402762a825eaf1265554e3c20534769356418cb3414293e74d5c66cdd5cea67e2ff65592c797825a4d12f42bfc2322be014d7c5d

Download Submit
memory/228-21-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/564-389-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/656-417-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/952-354-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/972-435-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1176-360-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1360-322-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1424-375-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1508-395-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1512-577-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1516-404-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1532-381-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1544-541-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1572-506-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1640-108-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1648-481-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1672-483-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1768-465-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1848-535-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1856-569-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1968-51-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2176-452-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2228-559-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2252-393-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2396-370-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2464-516-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2468-329-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2608-471-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2760-348-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3052-355-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3068-551-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3084-529-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3088-434-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3112-383-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3184-500-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3200-489-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3212-323-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3440-361-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3456-367-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3680-441-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3892-433-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3976-410-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3988-9-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4100-518-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4228-336-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4232-29-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4380-424-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4448-337-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4536-397-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4564-330-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4592-6-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4592-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4592-459-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4596-431-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4636-571-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4660-398-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4732-363-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4820-553-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4896-419-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4956-59-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4980-418-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5020-453-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5056-411-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5060-432-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads