4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
Size

385KB
MD5

bd0458c5ff9d0623f52c9df805014aa2
SHA1

7830f3b51797a34d3f2532919db172e84b299fab
SHA256

4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6
SHA512

f9eb00fcdc522d1a61d94f14ed16a5f52e9b1710a67c035f07e588b590239a2ab056fb856aca4245c03519fa87eb6bb2f193e852a5a5ca97f3dc94922b1ed62b
SSDEEP

12288:rsGpGRzNy59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SL:QbNy7oWypy7o3y7Ey7oAy7oZyUy7o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlikkkhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdlmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iefgbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbnaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padnaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedccfqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdehlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmfnd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojemig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbjcljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekonpckp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlikkkhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lchfib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgbqkhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiekog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdndloi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koonge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geldkfpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdlmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khiofk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jebfng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eomffaag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiekog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqjbddpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbnlaldg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eklajcmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Foclgq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgjhpcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlppno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe

Detects executables built or packed with MPress PE compressor 56 IoCs

resource	yara_rule
behavioral2/files/0x001000000002324d-7.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3940-9-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000023266-15.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002326a-23.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4596-25-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002326d-31.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002326f-40.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023271-46.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023273-54.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023275-62.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023277-70.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023279-78.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002327b-87.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5340-81-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002327d-95.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000a00000001ea83-103.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023281-111.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023283-119.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023285-127.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023287-135.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023289-143.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002328b-152.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002328d-159.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002328f-167.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023291-175.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023294-183.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023296-191.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023298-199.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002329a-207.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002329c-215.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002329e-223.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232a0-231.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232a2-239.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232a4-247.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232a6-255.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1752-256-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3404-287-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232b2-288.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3416-293-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2204-299-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/6140-311-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232b9-312.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/6136-317-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3020-323-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1452-329-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232bf-330.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4904-341-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5084-348-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232d3-391.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/5940-438-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/6016-451-0x0000000000400000-0x000000000048B000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232eb-467.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232f7-506.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x00070000000232fb-520.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002331f-633.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002332c-670.dat	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 64 IoCs

pid	Process
3940	Hmdlmg32.exe
3620	Ipeeobbe.exe
4596	Imiehfao.exe
4972	Iedjmioj.exe
1100	Iefgbh32.exe
924	Iplkpa32.exe
4252	Jiglnf32.exe
5392	Jofalmmp.exe
5628	Jebfng32.exe
5340	Jedccfqg.exe
5396	Kgdpni32.exe
4532	Kpoalo32.exe
560	Kfpcoefj.exe
4544	Nmbjcljl.exe
5952	Njmqnobn.exe
5976	Omnjojpo.exe
5828	Ocjoadei.exe
5560	Opqofe32.exe
3860	Ofmdio32.exe
5528	Oabhfg32.exe
4668	Pnkbkk32.exe
5600	Pplobcpp.exe
5256	Qjfmkk32.exe
432	Qjiipk32.exe
2440	Aknbkjfh.exe
6068	Adfgdpmi.exe
2164	Aaldccip.exe
3084	Bmeandma.exe
4816	Bgnffj32.exe
1852	Bhmbqm32.exe
2640	Bkphhgfc.exe
1752	Cggimh32.exe
4248	Ckgohf32.exe
2600	Cdpcal32.exe
2588	Coegoe32.exe
1480	Dnmaea32.exe
3404	Dgeenfog.exe
3416	Ddifgk32.exe
2204	Dgjoif32.exe
2040	Ddnobj32.exe
6140	Dkhgod32.exe
6136	Eklajcmc.exe
3020	Ekonpckp.exe
1452	Eomffaag.exe
4904	Eiekog32.exe
4092	Fgjhpcmo.exe
5084	Fndpmndl.exe
4964	Foclgq32.exe
3984	Fbdehlip.exe
1052	Fbgbnkfm.exe
4832	Gpmomo32.exe
4040	Gejhef32.exe
4572	Geldkfpi.exe
2556	Gbpedjnb.exe
2244	Ghojbq32.exe
5556	Hioflcbj.exe
1524	Hbgkei32.exe
5336	Hlppno32.exe
4608	Hnphoj32.exe
3272	Hhimhobl.exe
5920	Hbnaeh32.exe
5940	Ilfennic.exe
6016	Ipdndloi.exe
3960	Iimcma32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Omnjojpo.exe	Njmqnobn.exe
File opened for modification	C:\Windows\SysWOW64\Qjiipk32.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Coegoe32.exe
File opened for modification	C:\Windows\SysWOW64\Fgjhpcmo.exe	Eiekog32.exe
File opened for modification	C:\Windows\SysWOW64\Kibeoo32.exe	Klndfj32.exe
File opened for modification	C:\Windows\SysWOW64\Lhcali32.exe	Lcfidb32.exe
File opened for modification	C:\Windows\SysWOW64\Oiagde32.exe	Nbnlaldg.exe
File created	C:\Windows\SysWOW64\Ojemig32.exe	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Iimcma32.exe	Ipdndloi.exe
File created	C:\Windows\SysWOW64\Pmkofa32.exe	Pfagighf.exe
File opened for modification	C:\Windows\SysWOW64\Ipeeobbe.exe	Hmdlmg32.exe
File created	C:\Windows\SysWOW64\Panlem32.dll	Hhimhobl.exe
File created	C:\Windows\SysWOW64\Jlgfga32.dll	Koonge32.exe
File opened for modification	C:\Windows\SysWOW64\Kcmfnd32.exe	Khgbqkhj.exe
File created	C:\Windows\SysWOW64\Bfmpaf32.dll	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Omnjojpo.exe	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Ogpmdqpl.dll	Ddifgk32.exe
File opened for modification	C:\Windows\SysWOW64\Hnphoj32.exe	Hlppno32.exe
File created	C:\Windows\SysWOW64\Kgdpni32.exe	Jedccfqg.exe
File created	C:\Windows\SysWOW64\Gaagdbfm.dll	Opqofe32.exe
File created	C:\Windows\SysWOW64\Ichqihli.dll	Adfgdpmi.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Fmamhbhe.dll	Cdpcal32.exe
File opened for modification	C:\Windows\SysWOW64\Foclgq32.exe	Fndpmndl.exe
File created	C:\Windows\SysWOW64\Lindkm32.exe	Lljdai32.exe
File created	C:\Windows\SysWOW64\Lpefcn32.dll	Iplkpa32.exe
File opened for modification	C:\Windows\SysWOW64\Opqofe32.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Cjceejee.dll	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Gejhef32.exe	Gpmomo32.exe
File created	C:\Windows\SysWOW64\Coffgmig.dll	Geldkfpi.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Ojemig32.exe
File opened for modification	C:\Windows\SysWOW64\Pfagighf.exe	Padnaq32.exe
File created	C:\Windows\SysWOW64\Jedccfqg.exe	Jebfng32.exe
File opened for modification	C:\Windows\SysWOW64\Cdpcal32.exe	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Hbgkei32.exe	Hioflcbj.exe
File opened for modification	C:\Windows\SysWOW64\Jemfhacc.exe	Jocnlg32.exe
File opened for modification	C:\Windows\SysWOW64\Dnmaea32.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Mcfbkpab.exe	Mhanngbl.exe
File opened for modification	C:\Windows\SysWOW64\Nbnlaldg.exe	Mqjbddpl.exe
File created	C:\Windows\SysWOW64\Cohddjgl.dll	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Njmqnobn.exe	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Lcccepbd.dll	Qjiipk32.exe
File created	C:\Windows\SysWOW64\Bmeandma.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Mbgeqmjp.exe	Mpeiie32.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Jiglnf32.exe	Iplkpa32.exe
File created	C:\Windows\SysWOW64\Dgeenfog.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Dkhgod32.exe	Ddnobj32.exe
File opened for modification	C:\Windows\SysWOW64\Mqjbddpl.exe	Mcfbkpab.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Qckcba32.dll	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Fbgdmb32.dll	Ddnobj32.exe
File created	C:\Windows\SysWOW64\Mpeiie32.exe	Mpclce32.exe
File opened for modification	C:\Windows\SysWOW64\Pmkofa32.exe	Pfagighf.exe
File opened for modification	C:\Windows\SysWOW64\Jedccfqg.exe	Jebfng32.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbnkfm.exe	Fbdehlip.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqaf32.exe	Iolhkh32.exe
File created	C:\Windows\SysWOW64\Gcilohid.dll	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Fndpmndl.exe	Fgjhpcmo.exe
File created	C:\Windows\SysWOW64\Plgdqf32.dll	Foclgq32.exe
File created	C:\Windows\SysWOW64\Gifffn32.dll	Hnphoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mhanngbl.exe	Mbgeqmjp.exe
File opened for modification	C:\Windows\SysWOW64\Iefgbh32.exe	Iedjmioj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2776	4360	WerFault.exe	209

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilfennic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpbgeaba.dll"	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll"	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjiipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggocdgo.dll"	Hlppno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcfidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcoejf32.dll"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcfbkpab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imiehfao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iplkpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjllddpj.dll"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghojbq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleggmck.dll"	Lljdai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggdhe32.dll"	Hbgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jocnlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimldogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll"	Imiehfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhimhobl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klndfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnbidcgp.dll"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlppno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilfennic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iolhkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpekmi32.dll"	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfpcoefj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgeenfog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imiehfao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfljc32.dll"	Fbdehlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpnakk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llobhg32.dll"	Dgeenfog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekonpckp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eomffaag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Foclgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diadam32.dll"	Lcfidb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lchfib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coegoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahfmjddg.dll"	Kpccmhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilpfgkh.dll"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgjoif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgjhpcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fndpmndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifffn32.dll"	Hnphoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpemq32.dll"	Jpbjfjci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khiofk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3940	5012	4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe	91
PID 5012 wrote to memory of 3940	5012	4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe	91
PID 5012 wrote to memory of 3940	5012	4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe	91
PID 3940 wrote to memory of 3620	3940	Hmdlmg32.exe	92
PID 3940 wrote to memory of 3620	3940	Hmdlmg32.exe	92
PID 3940 wrote to memory of 3620	3940	Hmdlmg32.exe	92
PID 3620 wrote to memory of 4596	3620	Ipeeobbe.exe	93
PID 3620 wrote to memory of 4596	3620	Ipeeobbe.exe	93
PID 3620 wrote to memory of 4596	3620	Ipeeobbe.exe	93
PID 4596 wrote to memory of 4972	4596	Imiehfao.exe	94
PID 4596 wrote to memory of 4972	4596	Imiehfao.exe	94
PID 4596 wrote to memory of 4972	4596	Imiehfao.exe	94
PID 4972 wrote to memory of 1100	4972	Iedjmioj.exe	95
PID 4972 wrote to memory of 1100	4972	Iedjmioj.exe	95
PID 4972 wrote to memory of 1100	4972	Iedjmioj.exe	95
PID 1100 wrote to memory of 924	1100	Iefgbh32.exe	96
PID 1100 wrote to memory of 924	1100	Iefgbh32.exe	96
PID 1100 wrote to memory of 924	1100	Iefgbh32.exe	96
PID 924 wrote to memory of 4252	924	Iplkpa32.exe	97
PID 924 wrote to memory of 4252	924	Iplkpa32.exe	97
PID 924 wrote to memory of 4252	924	Iplkpa32.exe	97
PID 4252 wrote to memory of 5392	4252	Jiglnf32.exe	98
PID 4252 wrote to memory of 5392	4252	Jiglnf32.exe	98
PID 4252 wrote to memory of 5392	4252	Jiglnf32.exe	98
PID 5392 wrote to memory of 5628	5392	Jofalmmp.exe	99
PID 5392 wrote to memory of 5628	5392	Jofalmmp.exe	99
PID 5392 wrote to memory of 5628	5392	Jofalmmp.exe	99
PID 5628 wrote to memory of 5340	5628	Jebfng32.exe	100
PID 5628 wrote to memory of 5340	5628	Jebfng32.exe	100
PID 5628 wrote to memory of 5340	5628	Jebfng32.exe	100
PID 5340 wrote to memory of 5396	5340	Jedccfqg.exe	101
PID 5340 wrote to memory of 5396	5340	Jedccfqg.exe	101
PID 5340 wrote to memory of 5396	5340	Jedccfqg.exe	101
PID 5396 wrote to memory of 4532	5396	Kgdpni32.exe	102
PID 5396 wrote to memory of 4532	5396	Kgdpni32.exe	102
PID 5396 wrote to memory of 4532	5396	Kgdpni32.exe	102
PID 4532 wrote to memory of 560	4532	Kpoalo32.exe	103
PID 4532 wrote to memory of 560	4532	Kpoalo32.exe	103
PID 4532 wrote to memory of 560	4532	Kpoalo32.exe	103
PID 560 wrote to memory of 4544	560	Kfpcoefj.exe	104
PID 560 wrote to memory of 4544	560	Kfpcoefj.exe	104
PID 560 wrote to memory of 4544	560	Kfpcoefj.exe	104
PID 4544 wrote to memory of 5952	4544	Nmbjcljl.exe	105
PID 4544 wrote to memory of 5952	4544	Nmbjcljl.exe	105
PID 4544 wrote to memory of 5952	4544	Nmbjcljl.exe	105
PID 5952 wrote to memory of 5976	5952	Njmqnobn.exe	106
PID 5952 wrote to memory of 5976	5952	Njmqnobn.exe	106
PID 5952 wrote to memory of 5976	5952	Njmqnobn.exe	106
PID 5976 wrote to memory of 5828	5976	Omnjojpo.exe	107
PID 5976 wrote to memory of 5828	5976	Omnjojpo.exe	107
PID 5976 wrote to memory of 5828	5976	Omnjojpo.exe	107
PID 5828 wrote to memory of 5560	5828	Ocjoadei.exe	108
PID 5828 wrote to memory of 5560	5828	Ocjoadei.exe	108
PID 5828 wrote to memory of 5560	5828	Ocjoadei.exe	108
PID 5560 wrote to memory of 3860	5560	Opqofe32.exe	109
PID 5560 wrote to memory of 3860	5560	Opqofe32.exe	109
PID 5560 wrote to memory of 3860	5560	Opqofe32.exe	109
PID 3860 wrote to memory of 5528	3860	Ofmdio32.exe	110
PID 3860 wrote to memory of 5528	3860	Ofmdio32.exe	110
PID 3860 wrote to memory of 5528	3860	Ofmdio32.exe	110
PID 5528 wrote to memory of 4668	5528	Oabhfg32.exe	111
PID 5528 wrote to memory of 4668	5528	Oabhfg32.exe	111
PID 5528 wrote to memory of 4668	5528	Oabhfg32.exe	111
PID 4668 wrote to memory of 5600	4668	Pnkbkk32.exe	112

C:\Users\Admin\AppData\Local\Temp\4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe
"C:\Users\Admin\AppData\Local\Temp\4a94062de7352fd7e907270d32702cbf65377e992240498a377ce8e56cd6f2b6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\Hmdlmg32.exe
  C:\Windows\system32\Hmdlmg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\Ipeeobbe.exe
    C:\Windows\system32\Ipeeobbe.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\SysWOW64\Imiehfao.exe
      C:\Windows\system32\Imiehfao.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5392
        
        C:\Windows\SysWOW64\Jebfng32.exe
        
        C:\Windows\system32\Jebfng32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5628
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5340
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5396
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5952
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5976
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5828
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5560
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5528
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        29⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        33⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Dgeenfog.exe
        
        C:\Windows\system32\Dgeenfog.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Ddifgk32.exe
        
        C:\Windows\system32\Ddifgk32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Ddnobj32.exe
        
        C:\Windows\system32\Ddnobj32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6140
        
        C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6136
        
        C:\Windows\SysWOW64\Ekonpckp.exe
        
        C:\Windows\system32\Ekonpckp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Foclgq32.exe
        
        C:\Windows\system32\Foclgq32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        51⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\SysWOW64\Gpmomo32.exe
        
        C:\Windows\system32\Gpmomo32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4832
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        53⤵
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Geldkfpi.exe
        
        C:\Windows\system32\Geldkfpi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        55⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Hioflcbj.exe
        
        C:\Windows\system32\Hioflcbj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Hbgkei32.exe
        
        C:\Windows\system32\Hbgkei32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Hnphoj32.exe
        
        C:\Windows\system32\Hnphoj32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Hhimhobl.exe
        
        C:\Windows\system32\Hhimhobl.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5920
        
        C:\Windows\SysWOW64\Ilfennic.exe
        
        C:\Windows\system32\Ilfennic.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Ipdndloi.exe
        
        C:\Windows\system32\Ipdndloi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        65⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\Ipgkjlmg.exe
        
        C:\Windows\system32\Ipgkjlmg.exe
        66⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Iolhkh32.exe
        
        C:\Windows\system32\Iolhkh32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ibjqaf32.exe
        
        C:\Windows\system32\Ibjqaf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Jpnakk32.exe
        
        C:\Windows\system32\Jpnakk32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        70⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        72⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        73⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4008
        
        C:\Windows\SysWOW64\Jimldogg.exe
        
        C:\Windows\system32\Jimldogg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        77⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Koonge32.exe
        
        C:\Windows\system32\Koonge32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Khgbqkhj.exe
        
        C:\Windows\system32\Khgbqkhj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Kcmfnd32.exe
        
        C:\Windows\system32\Kcmfnd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3208
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        82⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\Kpccmhdg.exe
        
        C:\Windows\system32\Kpccmhdg.exe
        83⤵
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Kadpdp32.exe
        
        C:\Windows\system32\Kadpdp32.exe
        84⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\Lljdai32.exe
        
        C:\Windows\system32\Lljdai32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Lindkm32.exe
        
        C:\Windows\system32\Lindkm32.exe
        86⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Lcfidb32.exe
        
        C:\Windows\system32\Lcfidb32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        88⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1644
        
        C:\Windows\SysWOW64\Lhgkgijg.exe
        
        C:\Windows\system32\Lhgkgijg.exe
        91⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        93⤵
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Mbgeqmjp.exe
        
        C:\Windows\system32\Mbgeqmjp.exe
        96⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Mcfbkpab.exe
        
        C:\Windows\system32\Mcfbkpab.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Mqjbddpl.exe
        
        C:\Windows\system32\Mqjbddpl.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Nbnlaldg.exe
        
        C:\Windows\system32\Nbnlaldg.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        101⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        102⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4440
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Ojemig32.exe
        
        C:\Windows\system32\Ojemig32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        108⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Pfagighf.exe
        
        C:\Windows\system32\Pfagighf.exe
        110⤵
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        111⤵
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        112⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        115⤵
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        116⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 408
        117⤵
        Program crash
        
        PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4360 -ip 4360
1⤵
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
385KB

MD5
582457ba773728118ac66eae612bdd5c

SHA1
28970cb000784bc8a50b835733dd525dd0a89b8c

SHA256
e583bd70e19aefb23b68619b2c3a122545960f6863c5f512861c7af5c0b4e59e

SHA512
44e88caa58bd339e9e4f72f54585364cf7392b642ef68cd3b7b73dc0a89005ff8688f5754efc5854c53d1eb61ac73d72c8b4d4f962a06ba5d9bc1c2265f128ee

Download Submit
C:\Windows\SysWOW64\Adfgdpmi.exe

Filesize
385KB

MD5
af397656ab8e8f3e7c05e602b954a963

SHA1
c284b7da02448460d4d77bb2b1f890b1e9a1a9b9

SHA256
843d2ac2eb778feda704169efca81f2c2844218105839669c0f34c3b28f04ec8

SHA512
de1f96e60f26b50239f6d18e68b38ce825985c2c097d4816ccf2bb8077aacdb6d231cfcda1ab227743aa6c04d3b7928fb712fe73957ef6603b7c67ae2caceb56

Download Submit
C:\Windows\SysWOW64\Aknbkjfh.exe

Filesize
385KB

MD5
0a8653292cfb9bea7d6d818afd924cb9

SHA1
e21e82f2170e67d781546b19707b5f7fa81e6300

SHA256
181b7a95ab570ecc7ef68ee20f02e41f6a2f5c49958075760750cbeb0050ce1c

SHA512
6ef6406f9c6860d5b1bdc4dd19914c0125a697c3db7ce16ea9a7e974eb71ccd8e7858dfc684e294556fa5baaacc3077981c9a635fe4e808515fe79e10e14a1b9

Download Submit
C:\Windows\SysWOW64\Bgnffj32.exe

Filesize
385KB

MD5
9f5f3e75e30e730d84d90721c76a5651

SHA1
d6d3864ad9a308e7c737b1c8b7ccea5e256d3eec

SHA256
bb0b17c6dc496ac7ce5c328bd6dcc95226d88e14916f319e3b060a6adc93116d

SHA512
e3cae5d8d9e436157910911ba1e8dfa1896eaaf5186e85b6e28c12780f2f72c3ddfd0a8645e62432f091b316f35ad1e5431c732a89f498e6e03bdd64242f90d2

Download Submit
C:\Windows\SysWOW64\Bhmbqm32.exe

Filesize
385KB

MD5
f824abfb5d1fc1e58731b87300a0d77c

SHA1
19308c7d5643c6c03647c40f93da6699e8710da4

SHA256
879dc3f814d796599c67e92fa18ca82989dad16af042ab0d9e2af506205695ae

SHA512
508f64b0a6d8ef755689d61def5a0821adffbd2cf0cf9e6d12047a8d4e9aae4c6ed5ee5e74ac918b0d480bc51f9a4227565a10b9b3722639af6a4b72057fdc9c

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
385KB

MD5
9842c62d9ffe1f9c5bb84b41a4bc2c22

SHA1
176ec0048c3709cb4f531e4aa94f35d65b4be93e

SHA256
d80678016a8b85f62834601c0c2577d4424a9b0c47e0c09854163db6b83c56af

SHA512
1cab6d1dcc21d342b7fa1a43a91e89cf5bd6ae5c3074cb1633d6eb5c017718485f979b3833248beb6f913daf3b63b22ed2cec059105b3dd24501af9593cdb90f

Download Submit
C:\Windows\SysWOW64\Bmeandma.exe

Filesize
385KB

MD5
677dc1d53bca3d02642616cb1149e7ae

SHA1
8479a14efc7b73ae92b5d85c7eac225ea938e38f

SHA256
57e6f1bf6d9b8b730371b5eeb4c25866b3601562d11912ccd772c8a02fd24683

SHA512
75a73ea76d2a84c59b17d62ab8349479375288e9936afe0df2debde7fc4059d17f0f82a86149cac18810ed9562a98c999c2fc62e880b1cc2fbe481394ff334bf

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe

Filesize
385KB

MD5
afbed580bd8ddc35bee22e3207030216

SHA1
6937066bf5600a75bfe1ea71809751934be61273

SHA256
87daba3543c708940be165f59dd6976d036c58a8c35bc245ecd2497f46722351

SHA512
c1fc793476fd45f5d4649647b3dc1ec65d5f88a6842ed68c0ea9996167b692fbe8d0319052d5fd73a3267037b188d6c0ecf6b85f30cf826475428d0a0dd97b5e

Download Submit
C:\Windows\SysWOW64\Ddifgk32.exe

Filesize
385KB

MD5
ce02f36d4cd755c1384c3d7b46d0b08c

SHA1
a3595f34b202ca6d5e9e266d1237ae0f17cacd17

SHA256
2163ee65443187a33c9a63f2e98959543cf593afbfd2711ff35eb7f6d811b65e

SHA512
fb3e2048c5dc14d3a1600c7ef749b0db94516309ec7f81e15535b4ee0e37aa319b276688b33c3b95473dd75170b9671b242391b60309f5eb76fe1dc140978363

Download Submit
C:\Windows\SysWOW64\Eiekog32.exe

Filesize
385KB

MD5
edc5c43a4d9f0b2b6bc592812d8e90a9

SHA1
bb3b6cc7d6b63f2be4ee074cf9d9e869872a6ef1

SHA256
2104916f6ae2b8b4db10a5e45e76dce85b99e8785f996cc1920f0fe410ba9dd8

SHA512
f3c77a625d0c3602b49b3afdb2f0bdb22f25ff23e95fd5e22e1ad8887cac8591b70332e988bb864d7a4b8a0a0337a9d09f8f77927b049c3669e028c3ce217fdc

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe

Filesize
385KB

MD5
2a7d6af3df6ce949d3ea5f345ac12c20

SHA1
ec8580f5ef7a0418c66bd5dbfd6d075763ac3a71

SHA256
975c13592ff47e95ccc6715e1e215321e7a0d84029b63010f53ae6fa3baa89d7

SHA512
e5778ed67e3f0dbc698695d4dbad7399573472f08b9d9f320da5d3364450404a5f3a98f87ef563730eb0b57d4d0342e1e9fc614081ebab3d13727407c976c3e5

Download Submit
C:\Windows\SysWOW64\Ghojbq32.exe

Filesize
385KB

MD5
0945d60184adec7524052a2b78be2430

SHA1
436028ecbd075e95d8ac4440c464e35378f04e15

SHA256
b200ed2fe320ab066f3829d9abc20a6966aba9f5abddfacb24ec879f66e26055

SHA512
e05968418c0d94e1c104a9e417e87fa7cc078a8986cad14210803726e5a70da26ccdc0dc2e5bcbf3a700cd9c047933388641fe1c35f423ce3bb9d0d77a1f5177

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
385KB

MD5
0f511eac7175cd30542366845df2422a

SHA1
926c5cc238ff6f3dca970275978d3be8fa7f8a0a

SHA256
1bf8a4df993ed4d641c869b661f4a8084fde3aa238ab0bb6c41d428f3b0c9140

SHA512
b82676adada5ce196339711ba969108c2065ab20fe89ffb9d1a48f31ed88c39fa9a4181cd43005de25e126d569637d9a6bfb1d9b0be954de48a76b4798a85923

Download Submit
C:\Windows\SysWOW64\Ibjqaf32.exe

Filesize
385KB

MD5
ab391474c5ed53a4ceac13760e6db5be

SHA1
0d29aec31c518970be2e86a60e164a169b8800ff

SHA256
d8972908159e2ae454696bf29be01ae157e163138a203adb8aa65849111581de

SHA512
1943737f0b7a72fffaaa0769a95a673d1f5ee64d1269bea98434d2499106fd53a21539ced06855dd6dbef603211e5e81db9eb0d8d71497d66a1ab72309c6872d

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
385KB

MD5
bf5cbc73d19df327b6ca123b2cf5b93a

SHA1
127563cd73174315ce2707a2e17fb6ed21ec6fab

SHA256
489a7a6e75bf2c9a1d0972def8c3438c0ed0e21e65374c5aff0374c8d7913efd

SHA512
6fd1f747868a506a4c39d7cd91d51a57381b36a3d5cbed5838f09e36aa505a22ce35d4262dd6e515dfc58a52bc2ffba467ff44fdb100f5d1f6104d5d81a124d1

Download Submit
C:\Windows\SysWOW64\Iefgbh32.exe

Filesize
385KB

MD5
9ae729acc97ee169740a4f0a832075d9

SHA1
a5041414c46558377977c800388af2c753f223f8

SHA256
78cab189d9fb21a0ec4c1974ff0b6aebb3c64740236b675c73e9fdd80891b293

SHA512
ba4e30ba92cdcf240bf7881258e143020f4b957a9241cbf627c623759bd57ce0bd1007de9445ceb8a57ced4c183e1c7852da01382f81614a1b75ee4360930db4

Download Submit
C:\Windows\SysWOW64\Imiehfao.exe

Filesize
385KB

MD5
e1fdc9adca8dad6715377f372b157e80

SHA1
c250f726eb507725bc8f21ce8d81760bfaf5ef4e

SHA256
85713ce5205dd3480675143d4295bed6005b6e7aaa56aac1b76e29e1270b92a1

SHA512
7dc29008accd8b97cc53babbfaddc8fd819886cb6403034ab68b7748567b2411e29639ab70d1695d6bd7084ccbf7cbbcf4300368a81aad380897c24b17ad2c12

Download Submit
C:\Windows\SysWOW64\Ipeeobbe.exe

Filesize
385KB

MD5
0616cb057d88fd5e053cf2a147b3f3d5

SHA1
12ce9921491628c1e8136e88460ad8eaa071dadb

SHA256
874d69be432ac6b520a3e13aeb340ca92f272f3d9d4d669904725db32610feae

SHA512
dd59b545da42419328a43de1937338b0cefbb4b74009840f446d5ad2583e735ef09682c07f3c3d102cc2f0b2f8f553785531ccda00a116c1dd9904ff3db142c4

Download Submit
C:\Windows\SysWOW64\Iplkpa32.exe

Filesize
385KB

MD5
64999e9cd6c02c141041b4f17010e511

SHA1
1ce9cb6bb9c6bc75594d667c874ff73dd8dcf380

SHA256
60354747e53554423b7077a2290906d30d70d12ee13e166e0fd8f94ecbd783bd

SHA512
4b507460f20685a6c3e3d1fb4841e85d9cbc1d26a275221116beba00d4cc20e9e6e1039d364fb0c18ba9b352b2fa467cbbd526f4ba1d24b78a37f3a6b015360c

Download Submit
C:\Windows\SysWOW64\Jebfng32.exe

Filesize
385KB

MD5
c735ac7e2afa3040db937c6aa319283b

SHA1
6ac78248599c91e09d4a713265203a6015d92e39

SHA256
277ae26549cc324633483628cefbcb3066a35d67865c55e17d1fbf61c16e53bd

SHA512
86b267bc56c1336c97e9afebae57948b3ff54cd82243e99de2a87a32c8ec459a946fab1f8a6efe1200bf210415ae770fb66f63b81d2022d8b5f01eef4030912b

Download Submit
C:\Windows\SysWOW64\Jedccfqg.exe

Filesize
385KB

MD5
9a7394eaed30ba36c0924987bd4a4cf0

SHA1
73ae9e98d62ae0f66483f5b778dfed588470d027

SHA256
86887e8f1e96a3f0ff49c7000dd0a18a8d3a9c72cd1662b48c58d0b546a0c7bd

SHA512
79095cb70ccc025b908bd62a2725d2a760fc40013d33cb36f56d5779dcfc0e2907e380209fb0964bfd5ed5c4fa80f999a925c932900f0fda2923436f774447d1

Download Submit
C:\Windows\SysWOW64\Jiglnf32.exe

Filesize
385KB

MD5
6d7ad3d9671603c7ad746303716cd96d

SHA1
d7d6d494d6909c9e6712218f82ffc424a7322141

SHA256
9c4bac309e93d79895b487b6da70f241f3259ac29592a5208f01a9eb519cea29

SHA512
09a850aabbb7ca5d5999a3beb1c8099b445169ad57629b57dc7aafa80e69e61bd7d4c89a80b297466fcd8c9198b26d68e2847e77f90dc7f934d76e143ea31aaf

Download Submit
C:\Windows\SysWOW64\Jlikkkhn.exe

Filesize
385KB

MD5
283ba7e3460afca9b5e4b63a2636354e

SHA1
47a54384bcfa61de175d03783caf51a39eb2876e

SHA256
b3418d4e244b6c8107c5e074b25c31205f5eafbb6568a26e1d20da1954b95b90

SHA512
24fb32f4d85db2f121ea33808fbc46c48e16ded59178f6ddcadf3faedc5f4bba0a2ea9dcaf45f4b859d15e761a19d2b61cc1bc4a9de7f628d705d4ca8bce96ab

Download Submit
C:\Windows\SysWOW64\Jofalmmp.exe

Filesize
385KB

MD5
f5d931233e471ed796a5ab705a7a1f0d

SHA1
7055f8e8fbab9c18d9213617f49251ade543379d

SHA256
340eb1f381d13f45228f1be17a94373501e2387ce61f1e4dbb20ec4fe77978f5

SHA512
50ce9aa44c477e5b5f99afbce46ab41ed2d3db680c7136813a580725f9b93bcafee65f3f6b0e2f5a98dd2b8fdeeb392e2b6b56f016401acfb4c4278bb9e0718b

Download Submit
C:\Windows\SysWOW64\Kfpcoefj.exe

Filesize
385KB

MD5
7d08f7445f92f82285809c5d14320562

SHA1
69888084b4915af1a904d38b54f98dd8c7900e22

SHA256
88cad630975c662da1918c71c389e3205384c7bea293da1686607e74e2f19460

SHA512
ec79ca3276b66f49ba51d46bfe114a7f9955fd8fcf56757bfaf159c146e6af40d652cb3a4e0bdd0bd86f427abea40e1388c8900363d860abdb99576a9fefccfe

Download Submit
C:\Windows\SysWOW64\Kgdpni32.exe

Filesize
385KB

MD5
e30f976bdd7d795c6fa778986f07a745

SHA1
eb8bc77da898be85270cb465804d49859ac180d7

SHA256
4dccb591baaba467500862ed4fdb496a07439af947f9038d410c4829affadc0f

SHA512
8ed8cb41accbf6184e482e5da6461044fd3a6772aaebae5587b64a64e13944cad57c769e060da9c91aa6dd5359356e886b5ec655a321807a47bb17cd6752af86

Download Submit
C:\Windows\SysWOW64\Klndfj32.exe

Filesize
385KB

MD5
07bce85e472c1c9f310db312ac8ea7b5

SHA1
addb1b018f691c05e9c4c454b25b5928a78698f6

SHA256
8ee1c01ca22dbe4ac7e826ad844d7cda033782684074b6127d2732b6cbb0ab0e

SHA512
abdefa0c74c235e6dc67303009fd56324f4383d60f8bbda7818a664e5d10356b9e340efecdceedff77e7dcebea5893aa78eb5095be872fc6e2cf67238e9a4b8d

Download Submit
C:\Windows\SysWOW64\Kpoalo32.exe

Filesize
385KB

MD5
09b6ed650a70b279df619c31eefa7f54

SHA1
316a1e61a64fa1f68471e72f28393c7ab3e26f92

SHA256
c0d7ade8b5e77a5bdebbe67a9f15c877e586e85d74ed808dc579da206b65e748

SHA512
e647e0c920297f8d9be7aa840af70d2b140bdecf3dcf59df1d88003d57e26a26d0ed977683a7f3880a45258c21dc555106cebbe0d778b10458ceeee41cb1b1c5

Download Submit
C:\Windows\SysWOW64\Mpclce32.exe

Filesize
385KB

MD5
622f8eddf3eb3f612e0e50312f0e40b2

SHA1
0e6cc170d313d93e606aff2841b8db699678385d

SHA256
b3e2fc87584c05c7de151cd310719db942010fe580b096e8700178a6366f12a2

SHA512
8c19b9de08c5da8eb29d116844a3dad0bc0ba3744dc607e1c99b22b7d6dc2e066299580b13f9d3366858674a55f14e3448dd0863ad1178d3ae2439778a6fc335

Download Submit
C:\Windows\SysWOW64\Nbnlaldg.exe

Filesize
385KB

MD5
7f00054ed1b3261eae1ada1245890a73

SHA1
ede179f6bc86b41fc900fea8901a4b051ca06e06

SHA256
3b6ca242ad8b2703a55cc12f3cfb065158862033d8d29ecd60fdd0a6cd1205ab

SHA512
969161749c3dfb03731a9041b5427f0fd9bae4d7c1ac5031b40a5ce94d0c16ac25bcf6da3f018a41d8349cda6b6386af97ef045becc4ff549efeb36fe5e6988c

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
385KB

MD5
b939ca9fa12439353fd432bd85a9da18

SHA1
c041696674c32a52e2e1fd9914b948ce30411db4

SHA256
6ad11762a79073cfd899ca8407a82f180ec61b29a902659e66703f3f70adc7ce

SHA512
6a4954b516c249f64e834775aa4d72b84b5084d8cfd690ec38c3f80217b690cb2ac644bedab9dd778f71587aaee90576b0026ef5c4d234d32f208fc12bbec0ee

Download Submit
C:\Windows\SysWOW64\Nmbjcljl.exe

Filesize
385KB

MD5
5c9c1ae512550985324a3ef9a7dd7a51

SHA1
8d025f02dbd86d45aea737222f321a7b1f411137

SHA256
424ac8b4d6e88f4ede141f196652d2d660e08641fe218a02f9d428b7e6412bba

SHA512
28d930a8cfc504bfe6cbcf0e72b4695f43afb2862b67136d2a6c24dc9635684b10a2feb9e4830e175176d11e3626f7494ddfadca5eb7517c6897c2bc644e166f

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
385KB

MD5
9bdb39149b612ff76ff5a89734d5415d

SHA1
39a1add2746602d89ee16c7bca6a99875eb152c5

SHA256
ed0490c7ce849c50f3c273712786456b37ff9f26c7912a315b4f888ed4d7746e

SHA512
fd66dd307222875f796441021c5e5315bc48faa8e656212c2f4b67e9413d11f9ad91b5b37f4a504e7552763f27c39da150a68e3aa10cf3f92dbde7c7d47fa658

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
385KB

MD5
48fb08ee27763cf6558ec1b4c622c50c

SHA1
edee13dda9e5f7bfed6994e46b6f4376078869ed

SHA256
2bd6489ebd9f93d8729d7c7264bee902bb1166c97a69b3f80a4efe822b504db0

SHA512
515f856b6985815e9782b956f3781f7561f256e22e90509e10adfd35ed7b7e089e12e07949af433e70c1f64a1ed3637b5928b5e4163f66d7793aea9ec9f012de

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
385KB

MD5
47a7a03cf8534a8cf13ab8ab38942cbf

SHA1
3409a9b5ce2a00ed4854c9032249c3e865d28a77

SHA256
4eb6e8401e8e62e09e9b80a6fb135675d3e21b06cd8cf8544e7b8ad31061cb2f

SHA512
dff0be905d80a2a4fde893bce873899c2e81e902917b5a34a4142a67d8cd76a36112c11cd6d0f4fc4be643084ed2fb85add48b2ac103bc43d87357ed044f3cea

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
385KB

MD5
e6620cb3f5f9657004e5050706b28238

SHA1
5a95df5e1b7d844c8a23c47530e8ea8ac105827b

SHA256
3bc71e5ab19de2c89837f90a72ed6b371e368ac878e345cd1d5e09d4535b8522

SHA512
11770e7668e941138387213fc9e09fed260c58cd7fcb44aaa4d82de0ad9763f455ac4d25f076102e5c83e7dc4903ef0f267690e24b8aaba4ba62b4a23a54d26e

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
385KB

MD5
aa8a6e2b32491b4402b5b275393dea5c

SHA1
9dcb926219ece96e530aa8b540d27f66e9a75032

SHA256
1d93e05349e94cb895d07fe46c1eee25f79898e59fa1bcf318d237392e497110

SHA512
70798a45fb780da16d9c792d16e7f7b75586fed76f6417be36a10a0565896ed4019febd4e00e054cbdffe7e38c50e434d8ee9f164e75a29ff3dd1b7ba3022b7b

Download Submit
C:\Windows\SysWOW64\Pnkbkk32.exe

Filesize
385KB

MD5
24eeeb0c36556278e7544b26aa3d8d90

SHA1
d43d33d7a354b156aea14889ba95eda710812653

SHA256
f1835c122efbdac04f26b5c5db8c1f6494b74f690a8acb69ecf125c7abd49064

SHA512
ddd5cc80b705103705c5c525fcb8d442141622eb9ecca8f475bc442331e3f4ac06d94dacacf2b6f77f807f060a9d7126e457a9e9d0d7140409b726fcf523d8f5

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
385KB

MD5
96a04715bed9e8c49f3d332b25647318

SHA1
7a517bfeff63613009ee1c670762281abd58b895

SHA256
b4678e76274d07f14d50e8617d81ee082a946c60319857994773a5682286f72b

SHA512
57dc85a534392aa264b7831ad26cf466365a104084ca1f91e772ebce41dc3b34480f9cba39426bcd4875a567f1b4fc684549fa48567a8efe203ee0a24e4a4bc6

Download Submit
C:\Windows\SysWOW64\Qjfmkk32.exe

Filesize
385KB

MD5
690f09d8dd95444feb9baac54857ab4c

SHA1
1ffbe85cea6caffbb7191f98de59a69443dd708b

SHA256
2fbf31c16d70d0da0024110c55c50ab2ee27904e3e218afe45d6a0bd471c605a

SHA512
353a6bf288c7d701e4fb46d4d19e0637407f3affaae2732b8cb44dd446533bf65192d997715529de63b8a1988c10c366dd25bd03b493177a3679bdec11be8998

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
385KB

MD5
a568dbf3b472b4b6e81b2e2f30e71558

SHA1
261a752cf519648af51579fab71f28e0d48c4617

SHA256
da94653c0f65ca8969b54430080a08c9fff6fcd96365b37452d301e3afedf88d

SHA512
d4e0ea14f639538760a179517f051654da2f8f6fdbbd896c51bb91c389ec5adccda76b0425e12b7651cf39417e371c9c53467883d0ee055d94769d687c62eec5

Download Submit
memory/432-192-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/560-104-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/924-48-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1052-366-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1452-329-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1480-281-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1524-408-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1752-256-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1852-240-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2040-305-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2164-216-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2204-299-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2244-401-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2440-201-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2556-390-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2588-275-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2600-269-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2640-249-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3020-323-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3084-225-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3272-425-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3404-287-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3416-293-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3620-17-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3860-153-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3940-9-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3984-360-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4040-378-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4092-342-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4248-267-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4252-55-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4532-97-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4544-112-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4572-384-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4596-25-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4668-169-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4816-233-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4832-372-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4904-341-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4964-354-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4972-32-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5012-79-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5012-1-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5012-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5084-348-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5256-185-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5336-414-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5340-81-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5392-63-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5396-88-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5528-160-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5556-406-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5560-145-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5600-176-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5628-72-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5828-136-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5920-431-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5940-438-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5952-120-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/5976-128-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/6016-451-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/6068-208-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/6136-317-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/6140-311-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads