054bab8ace84b09a59d08ca835781489f84c087408b30f5bba0e00bee3cf8ba0

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054bab8ace84b09a59d08ca835781489f84c087408b30f5bba0e00bee3cf8ba0.exe
Size

80KB
MD5

13c0946814a7d22d201bad5e29a1b389
SHA1

93ebdd742cc6393dc3bdb82ad2fb602df78945ae
SHA256

054bab8ace84b09a59d08ca835781489f84c087408b30f5bba0e00bee3cf8ba0
SHA512

322935e98ccd1e57c064ec32915ae3ef00e1e57fd704355a2261ac9b537052cc50687b1e89bcc84ec93c0657ac74f8be1a77fb29f9ab8ef9d5a5fa645a5ccf82
SSDEEP

1536:sE7ZqiH/y/teIMIRqQzkJ3ELWw2LpJ9VqDlzVxyh+CbxMa:sEE8IMDQIaWhpJ9IDlRxyhTb7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoclopne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeiodek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggkqgaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjeiodek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqoloc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glhimp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjaleemj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gikdkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impliekg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgmjmjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glbjggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdpni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filapfbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gikdkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjlalkmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbccge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfnamjhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iibccgep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gejhef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nblolm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkdpbpih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnbicff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcapicdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimqajgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnlkfal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidben32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcapicdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llnnmhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmodajm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqaiecjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piapkbeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppcmeem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggnadib.exe

Executes dropped EXE 64 IoCs

pid	Process
4160	Flkdfh32.exe
1264	Glbjggof.exe
892	Gppcmeem.exe
1404	Gpbpbecj.exe
908	Gikdkj32.exe
1692	Gimqajgh.exe
4980	Hedafk32.exe
2916	Holfoqcm.exe
1116	Hplbickp.exe
620	Hpnoncim.exe
3424	Hoclopne.exe
2696	Hmdlmg32.exe
2384	Imgicgca.exe
1792	Ipgbdbqb.exe
2044	Ilnbicff.exe
4084	Iibccgep.exe
2672	Impliekg.exe
3568	Jcoaglhk.exe
2456	Jgmjmjnb.exe
2148	Jgpfbjlo.exe
376	Jgbchj32.exe
4308	Kgdpni32.exe
220	Kjeiodek.exe
1444	Kcmmhj32.exe
1160	Kcbfcigf.exe
4296	Lcdciiec.exe
4468	Lfgipd32.exe
3180	Lnangaoa.exe
1592	Mgloefco.exe
3288	Mgnlkfal.exe
1112	Mjodla32.exe
4140	Mgbefe32.exe
2168	Nnojho32.exe
4504	Nggnadib.exe
1712	Nqpcjj32.exe
4608	Ncqlkemc.exe
1972	Nagiji32.exe
3204	Ojdgnn32.exe
4632	Oclkgccf.exe
1144	Ogjdmbil.exe
3916	Omgmeigd.exe
4212	Pnfiplog.exe
5040	Pjmjdm32.exe
3120	Pdjgha32.exe
4248	Qfkqjmdg.exe
2972	Qmgelf32.exe
1400	Amjbbfgo.exe
4584	Aoioli32.exe
3272	Ahaceo32.exe
3620	Akblfj32.exe
4692	Amcehdod.exe
1484	Bpfkpp32.exe
4352	Bphgeo32.exe
1976	Bhblllfo.exe
1652	Bajqda32.exe
224	Cammjakm.exe
2512	Chiblk32.exe
3880	Cnfkdb32.exe
1520	Cpfcfmlp.exe
4728	Dgcihgaj.exe
1148	Dahmfpap.exe
4332	Dkcndeen.exe
3400	Doagjc32.exe
3064	Eqdpgk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Odaodc32.dll	Ggkqgaol.exe
File opened for modification	C:\Windows\SysWOW64\Obqanjdb.exe	Oiagde32.exe
File created	C:\Windows\SysWOW64\Dahcld32.dll	Ilnbicff.exe
File created	C:\Windows\SysWOW64\Oiagde32.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Amjbbfgo.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Cpfcfmlp.exe
File opened for modification	C:\Windows\SysWOW64\Nqoloc32.exe	Nqmojd32.exe
File opened for modification	C:\Windows\SysWOW64\Glbjggof.exe	Flkdfh32.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Nnojho32.exe
File created	C:\Windows\SysWOW64\Binlfp32.dll	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Oclkgccf.exe	Ojdgnn32.exe
File opened for modification	C:\Windows\SysWOW64\Kemooo32.exe	Kidben32.exe
File created	C:\Windows\SysWOW64\Ahaceo32.exe	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Ebdlangb.exe	Eqdpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Enpfan32.exe	Edeeci32.exe
File created	C:\Windows\SysWOW64\Halhfe32.exe	Heegad32.exe
File created	C:\Windows\SysWOW64\Gkdpbpih.exe	Gejhef32.exe
File created	C:\Windows\SysWOW64\Glbjggof.exe	Flkdfh32.exe
File opened for modification	C:\Windows\SysWOW64\Hmdlmg32.exe	Hoclopne.exe
File created	C:\Windows\SysWOW64\Qgnnai32.dll	Mgnlkfal.exe
File opened for modification	C:\Windows\SysWOW64\Qmgelf32.exe	Qfkqjmdg.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Cpfcfmlp.exe
File opened for modification	C:\Windows\SysWOW64\Gkdpbpih.exe	Gejhef32.exe
File created	C:\Windows\SysWOW64\Aglmllpq.dll	Iafkld32.exe
File opened for modification	C:\Windows\SysWOW64\Jgpfbjlo.exe	Jgmjmjnb.exe
File opened for modification	C:\Windows\SysWOW64\Ojdgnn32.exe	Nagiji32.exe
File created	C:\Windows\SysWOW64\Gbfnjgdn.dll	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Ibgdlg32.exe	Ibegfglj.exe
File created	C:\Windows\SysWOW64\Gbnblldi.dll	Glhimp32.exe
File created	C:\Windows\SysWOW64\Kcjjhdjb.exe	Kibeoo32.exe
File created	C:\Windows\SysWOW64\Lplfcf32.exe	Llnnmhfe.exe
File created	C:\Windows\SysWOW64\Njljch32.exe	Nfnamjhk.exe
File created	C:\Windows\SysWOW64\Hpnoncim.exe	Hplbickp.exe
File created	C:\Windows\SysWOW64\Hhaljido.dll	Jgpfbjlo.exe
File created	C:\Windows\SysWOW64\Mgbefe32.exe	Mjodla32.exe
File created	C:\Windows\SysWOW64\Hiebgmkm.dll	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Hcmhel32.dll	Ibgdlg32.exe
File created	C:\Windows\SysWOW64\Llnnmhfe.exe	Lpgmhg32.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Piapkbeg.exe
File created	C:\Windows\SysWOW64\Gmhgag32.dll	Hoclopne.exe
File created	C:\Windows\SysWOW64\Ldjcfk32.dll	Kjeiodek.exe
File created	C:\Windows\SysWOW64\Gddedlaq.dll	Kcbfcigf.exe
File created	C:\Windows\SysWOW64\Ndjaei32.dll	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Cammjakm.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Eqdpgk32.exe	Doagjc32.exe
File created	C:\Windows\SysWOW64\Jgbchj32.exe	Jgpfbjlo.exe
File created	C:\Windows\SysWOW64\Peaggfjj.dll	Lnangaoa.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Pdjgha32.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Enpfan32.exe	Edeeci32.exe
File created	C:\Windows\SysWOW64\Ibqnkh32.exe	Halhfe32.exe
File created	C:\Windows\SysWOW64\Eeeaodnk.dll	Lpgmhg32.exe
File created	C:\Windows\SysWOW64\Hlhmjl32.dll	Pbekii32.exe
File created	C:\Windows\SysWOW64\Ncqlkemc.exe	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Biepfnpi.dll	Ibegfglj.exe
File opened for modification	C:\Windows\SysWOW64\Kidben32.exe	Kcjjhdjb.exe
File created	C:\Windows\SysWOW64\Mgccelpk.dll	Mjlalkmd.exe
File opened for modification	C:\Windows\SysWOW64\Iibccgep.exe	Ilnbicff.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5320	5952	WerFault.exe	206

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnokmj32.dll"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll"	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibqnkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjidgkog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jifecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdoljdi.dll"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpnoncim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impliekg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckahb32.dll"	Jgbchj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhqamj.dll"	Nqoloc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcoaglhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glhimp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amjbbfgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enpfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpaqbf32.dll"	Heegad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglmllpq.dll"	Iafkld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flkdfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gikdkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilnbicff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmlag32.dll"	Ihdldn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llnnmhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafep32.dll"	Mhjhmhhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbccge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjhmhhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfnamjhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpbpbecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iibccgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peaggfjj.dll"	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gokbgpeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgqin32.dll"	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajbghaq.dll"	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fegbnohh.dll"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnmog32.dll"	Glbjggof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Holfoqcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjmj32.dll"	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjdipap.dll"	Lcdciiec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlmchoan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibgdlg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbepme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggnadib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljgmjm32.dll"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iafkld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmojd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll"	Jgmjmjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgmjmjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gejhef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Halhfe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4160	1496	054bab8ace84b09a59d08ca835781489f84c087408b30f5bba0e00bee3cf8ba0.exe	89
PID 1496 wrote to memory of 4160	1496	054bab8ace84b09a59d08ca835781489f84c087408b30f5bba0e00bee3cf8ba0.exe	89
PID 1496 wrote to memory of 4160	1496	054bab8ace84b09a59d08ca835781489f84c087408b30f5bba0e00bee3cf8ba0.exe	89
PID 4160 wrote to memory of 1264	4160	Flkdfh32.exe	90
PID 4160 wrote to memory of 1264	4160	Flkdfh32.exe	90
PID 4160 wrote to memory of 1264	4160	Flkdfh32.exe	90
PID 1264 wrote to memory of 892	1264	Glbjggof.exe	91
PID 1264 wrote to memory of 892	1264	Glbjggof.exe	91
PID 1264 wrote to memory of 892	1264	Glbjggof.exe	91
PID 892 wrote to memory of 1404	892	Gppcmeem.exe	92
PID 892 wrote to memory of 1404	892	Gppcmeem.exe	92
PID 892 wrote to memory of 1404	892	Gppcmeem.exe	92
PID 1404 wrote to memory of 908	1404	Gpbpbecj.exe	93
PID 1404 wrote to memory of 908	1404	Gpbpbecj.exe	93
PID 1404 wrote to memory of 908	1404	Gpbpbecj.exe	93
PID 908 wrote to memory of 1692	908	Gikdkj32.exe	94
PID 908 wrote to memory of 1692	908	Gikdkj32.exe	94
PID 908 wrote to memory of 1692	908	Gikdkj32.exe	94
PID 1692 wrote to memory of 4980	1692	Gimqajgh.exe	95
PID 1692 wrote to memory of 4980	1692	Gimqajgh.exe	95
PID 1692 wrote to memory of 4980	1692	Gimqajgh.exe	95
PID 4980 wrote to memory of 2916	4980	Hedafk32.exe	96
PID 4980 wrote to memory of 2916	4980	Hedafk32.exe	96
PID 4980 wrote to memory of 2916	4980	Hedafk32.exe	96
PID 2916 wrote to memory of 1116	2916	Holfoqcm.exe	97
PID 2916 wrote to memory of 1116	2916	Holfoqcm.exe	97
PID 2916 wrote to memory of 1116	2916	Holfoqcm.exe	97
PID 1116 wrote to memory of 620	1116	Hplbickp.exe	98
PID 1116 wrote to memory of 620	1116	Hplbickp.exe	98
PID 1116 wrote to memory of 620	1116	Hplbickp.exe	98
PID 620 wrote to memory of 3424	620	Hpnoncim.exe	99
PID 620 wrote to memory of 3424	620	Hpnoncim.exe	99
PID 620 wrote to memory of 3424	620	Hpnoncim.exe	99
PID 3424 wrote to memory of 2696	3424	Hoclopne.exe	100
PID 3424 wrote to memory of 2696	3424	Hoclopne.exe	100
PID 3424 wrote to memory of 2696	3424	Hoclopne.exe	100
PID 2696 wrote to memory of 2384	2696	Hmdlmg32.exe	101
PID 2696 wrote to memory of 2384	2696	Hmdlmg32.exe	101
PID 2696 wrote to memory of 2384	2696	Hmdlmg32.exe	101
PID 2384 wrote to memory of 1792	2384	Imgicgca.exe	102
PID 2384 wrote to memory of 1792	2384	Imgicgca.exe	102
PID 2384 wrote to memory of 1792	2384	Imgicgca.exe	102
PID 1792 wrote to memory of 2044	1792	Ipgbdbqb.exe	103
PID 1792 wrote to memory of 2044	1792	Ipgbdbqb.exe	103
PID 1792 wrote to memory of 2044	1792	Ipgbdbqb.exe	103
PID 2044 wrote to memory of 4084	2044	Ilnbicff.exe	104
PID 2044 wrote to memory of 4084	2044	Ilnbicff.exe	104
PID 2044 wrote to memory of 4084	2044	Ilnbicff.exe	104
PID 4084 wrote to memory of 2672	4084	Iibccgep.exe	105
PID 4084 wrote to memory of 2672	4084	Iibccgep.exe	105
PID 4084 wrote to memory of 2672	4084	Iibccgep.exe	105
PID 2672 wrote to memory of 3568	2672	Impliekg.exe	106
PID 2672 wrote to memory of 3568	2672	Impliekg.exe	106
PID 2672 wrote to memory of 3568	2672	Impliekg.exe	106
PID 3568 wrote to memory of 2456	3568	Jcoaglhk.exe	107
PID 3568 wrote to memory of 2456	3568	Jcoaglhk.exe	107
PID 3568 wrote to memory of 2456	3568	Jcoaglhk.exe	107
PID 2456 wrote to memory of 2148	2456	Jgmjmjnb.exe	108
PID 2456 wrote to memory of 2148	2456	Jgmjmjnb.exe	108
PID 2456 wrote to memory of 2148	2456	Jgmjmjnb.exe	108
PID 2148 wrote to memory of 376	2148	Jgpfbjlo.exe	109
PID 2148 wrote to memory of 376	2148	Jgpfbjlo.exe	109
PID 2148 wrote to memory of 376	2148	Jgpfbjlo.exe	109
PID 376 wrote to memory of 4308	376	Jgbchj32.exe	110

C:\Users\Admin\AppData\Local\Temp\054bab8ace84b09a59d08ca835781489f84c087408b30f5bba0e00bee3cf8ba0.exe
"C:\Users\Admin\AppData\Local\Temp\054bab8ace84b09a59d08ca835781489f84c087408b30f5bba0e00bee3cf8ba0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\Flkdfh32.exe
  C:\Windows\system32\Flkdfh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\Glbjggof.exe
    C:\Windows\system32\Glbjggof.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\Gppcmeem.exe
      C:\Windows\system32\Gppcmeem.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Windows\SysWOW64\Gpbpbecj.exe
        
        C:\Windows\system32\Gpbpbecj.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Gimqajgh.exe
        
        C:\Windows\system32\Gimqajgh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Hplbickp.exe
        
        C:\Windows\system32\Hplbickp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Hpnoncim.exe
        
        C:\Windows\system32\Hpnoncim.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Imgicgca.exe
        
        C:\Windows\system32\Imgicgca.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ipgbdbqb.exe
        
        C:\Windows\system32\Ipgbdbqb.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Impliekg.exe
        
        C:\Windows\system32\Impliekg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:220
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        25⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Lfgipd32.exe
        
        C:\Windows\system32\Lfgipd32.exe
        28⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        30⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2168
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        37⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        47⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        51⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        53⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        56⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        58⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Dkcndeen.exe
        
        C:\Windows\system32\Dkcndeen.exe
        63⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Doagjc32.exe
        
        C:\Windows\system32\Doagjc32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Eqdpgk32.exe
        
        C:\Windows\system32\Eqdpgk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Ebdlangb.exe
        
        C:\Windows\system32\Ebdlangb.exe
        66⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        67⤵
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        68⤵
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Fgmdec32.exe
        
        C:\Windows\system32\Fgmdec32.exe
        69⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3704
        
        C:\Windows\SysWOW64\Gokbgpeg.exe
        
        C:\Windows\system32\Gokbgpeg.exe
        71⤵
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        72⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\Gejhef32.exe
        
        C:\Windows\system32\Gejhef32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4404
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:720
        
        C:\Windows\SysWOW64\Glhimp32.exe
        
        C:\Windows\system32\Glhimp32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Hlmchoan.exe
        
        C:\Windows\system32\Hlmchoan.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Ibqnkh32.exe
        
        C:\Windows\system32\Ibqnkh32.exe
        80⤵
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Iafkld32.exe
        
        C:\Windows\system32\Iafkld32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Ibegfglj.exe
        
        C:\Windows\system32\Ibegfglj.exe
        82⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Ibgdlg32.exe
        
        C:\Windows\system32\Ibgdlg32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        84⤵
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Jifecp32.exe
        
        C:\Windows\system32\Jifecp32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Jpbjfjci.exe
        
        C:\Windows\system32\Jpbjfjci.exe
        86⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jbccge32.exe
        
        C:\Windows\system32\Jbccge32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Jbepme32.exe
        
        C:\Windows\system32\Jbepme32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Kibeoo32.exe
        
        C:\Windows\system32\Kibeoo32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Kcjjhdjb.exe
        
        C:\Windows\system32\Kcjjhdjb.exe
        90⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Kidben32.exe
        
        C:\Windows\system32\Kidben32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Kemooo32.exe
        
        C:\Windows\system32\Kemooo32.exe
        92⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Kcapicdj.exe
        
        C:\Windows\system32\Kcapicdj.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5532
        
        C:\Windows\SysWOW64\Lpepbgbd.exe
        
        C:\Windows\system32\Lpepbgbd.exe
        94⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Lpgmhg32.exe
        
        C:\Windows\system32\Lpgmhg32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Llnnmhfe.exe
        
        C:\Windows\system32\Llnnmhfe.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Lplfcf32.exe
        
        C:\Windows\system32\Lplfcf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Lcmodajm.exe
        
        C:\Windows\system32\Lcmodajm.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Mhjhmhhd.exe
        
        C:\Windows\system32\Mhjhmhhd.exe
        99⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Mjidgkog.exe
        
        C:\Windows\system32\Mjidgkog.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Mjlalkmd.exe
        
        C:\Windows\system32\Mjlalkmd.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Mqhfoebo.exe
        
        C:\Windows\system32\Mqhfoebo.exe
        102⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        103⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Nqmojd32.exe
        
        C:\Windows\system32\Nqmojd32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Nqoloc32.exe
        
        C:\Windows\system32\Nqoloc32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Nfnamjhk.exe
        
        C:\Windows\system32\Nfnamjhk.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Piapkbeg.exe
        
        C:\Windows\system32\Piapkbeg.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        116⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 400
        117⤵
        Program crash
        
        PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5952 -ip 5952
1⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:5888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amcehdod.exe

Filesize
80KB

MD5
b6f22debdcb483c2894a2b2389572413

SHA1
fe7a7a025253eb1afefb8783265ac3e7d44680d7

SHA256
9c6f6b6b7b7b80c237bcaa809901e49924bdd6b0a13d61e63ce0030c8ba31bdf

SHA512
a311f1ef24c28fa74495275bdbffc7bab74623c34ddbcf6dff59220b603c1a3b032658d6255474dfcc862c1b473e9c2deddd174dfdad2dc8c2afda8497b7d2b9

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
80KB

MD5
ba5109a75b798d4a1155ed360eeb0680

SHA1
002ddd75202b7f17a6b86ae1cd99d5fc69fa616d

SHA256
77915d2e792b60faaee0ada9133c1578a573426f0e9d50f070ed881f5fec844e

SHA512
b5f532abe6b5127ce8d2f7667f74d5daccd4192fa94a52abfb5d9ba60202a377445fe60c61afd9ae466527a71f96e0978826b25c4b38de9948c614d423f76586

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
80KB

MD5
db46b9afcc9028deb367c60eebd95fd2

SHA1
b9fd1c4c95ee80922f93806c18ac75b81d36e23d

SHA256
bdf13b5e394af60b8b38494bd83a5f674607e49cdd5cc4a6e715527460401532

SHA512
2bb74e6dcb5c3a1bcabffa21fd3eb94de44e441add44f7dca5792da58a2b2a9952ca0177621ded52d091729642171907a7817a7d63bb8182ced9b7aa203f7f87

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
80KB

MD5
14ba9734976d5f317c8bcd6e1bd2b480

SHA1
25552cde3cfb64a09bb4c88939b82b134e4d9b01

SHA256
27eda2d193246e375e8d9a474576d151b98b4301660aa79cc65c1dac808b9270

SHA512
63b8081cbc2501a9199f4f23c2c1227ee55efb6dda01c1f5d0104e9aa62a0b0c2f93e61599c97affc463896393b7ecb7c656b9793f687c16d1d9f7568cbd9253

Download Submit
C:\Windows\SysWOW64\Dkcndeen.exe

Filesize
80KB

MD5
2f7d9727a68529b934731ca22c1b2919

SHA1
483dea31bce6fe4eac8fefec33c6f56c4578fb2a

SHA256
c0df8b3594103fdfb807a89a92b38f1d262af11aea8c3be44acd67553704024c

SHA512
a0406a3140d70cf3389126b2c311c175cb85ce2d7b3e01515bbe7fbd3424726abb9853338dfa0a27ff78d5058f578a3f6ac3f178656050359063045517377fe7

Download Submit
C:\Windows\SysWOW64\Edeeci32.exe

Filesize
80KB

MD5
8bc8d74f6f7d02fc044309cf0419ec41

SHA1
c9c0493e907058e9bba2d13337d17aceebbb57db

SHA256
2757f73306e965a7538c9f03c8c45135779503ee34a9d0a9bce0cf2ae535f925

SHA512
a81c4303297cc6f12abb5469acb7de1ee7fdb7f0be5e4d39f9717b874659a098e403fc16cc30afc3ef439cfcf87a9cb1b48197031bcaeb16140ba6bdfef80a9e

Download Submit
C:\Windows\SysWOW64\Flkdfh32.exe

Filesize
80KB

MD5
f2fd09806b0a0905643be4fe1d27fe2e

SHA1
3311bd4462583c90ebd659e7e9c00cd32f42c481

SHA256
941820869d7ff0e73f8208f8dd3916aed43d866ad0eef9a0657dcef7d1292721

SHA512
5c14a70d85d65aa081957f4fbd14ae2f99e6d1d89e2b3eae3cf37ed49866e7f2963c3a343c278ccaa9966bab195d20ae194380f5b9ffc7503741d5f938c0d0cc

Download Submit
C:\Windows\SysWOW64\Ggkqgaol.exe

Filesize
80KB

MD5
b8f00adda4c3cfe0bd81d3e7638e058b

SHA1
b004eb27080cce03eb37f2c3c3f64c439742fcac

SHA256
b94f984fed85c11218137fa7087c3c1290d8c3c26c450743686f9a7206fc6b4b

SHA512
46e3d097df5217b66e9d30eb368d4822516afe8d4b843594d0fa422bfe11de03ed762a764429be2ba4a7f1eca0e38d4e871aeee278901be0dd839df9e66117a2

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
80KB

MD5
95455aa9bbe8e5a3d97e22a81bbb9a1c

SHA1
da00a783c9b57cd5349cac763896f9920e4cabdc

SHA256
7958afb5292d4505cb7a947aaa14fd0a79657213798542569002e5fa702d3d4f

SHA512
b7ae422a46f7f69ee144574cb85abf8e6be5bd61898d9895da8c49248cffc74578c6d880c4a92f0a9620328d5c72714e4164baab871fde3d5c156265f862e43c

Download Submit
C:\Windows\SysWOW64\Gimqajgh.exe

Filesize
80KB

MD5
e600751b019c442478ffcda104cec363

SHA1
98005451f9a5af944120acb8e07068c787026e00

SHA256
41c5c65b0967cad81415c9b91bdc080a632562250722a6e39b2f3a453f614440

SHA512
e35bb0455d9747bf24e5a2750641e4e3a25741ea8c775257fdbd3c82976aee11dec1a5e5e470c54e58b0ef1a90716d9e8e4fc1a552628364a9c826a848fc94c1

Download Submit
C:\Windows\SysWOW64\Glbjggof.exe

Filesize
80KB

MD5
cb6f49e7be00a69899ae05eba2f0687b

SHA1
8ae08cf52eb91c55d2fc602cb74b1c08b8920c31

SHA256
9a496dc63d8ae27bd179459ba48b38ca23100f89d44e09a02063494f6da20f17

SHA512
222c78434a2a5ca7d2c35dfbfdc6007dc6baefc085646d1c135adb27470d124acf22cf67639aa38a4955cff47273dcfd7ba6cadd737f4aa2c7dc6de1c14ceae5

Download Submit
C:\Windows\SysWOW64\Gpbpbecj.exe

Filesize
80KB

MD5
c598ec7cd6ae6e2a1f2ff7ca119d27be

SHA1
f5bc788468d0af409e86eebaa71d7a66ffe2095c

SHA256
5c1c9186f6f828e8954853754b8becba99a8c53709a7453025df3217913cbb22

SHA512
33c7b3fe3ee1a638ddf8967c33fcf2228ce8d89c6e0ffba7a7a4f48f357a02108678102efac6adee71018aa611f2c12bea8c534e33ee43cbad774dcdd1bfbdce

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
80KB

MD5
5677dd1357fed6454f60eb687f51e034

SHA1
4cace47925b70991e3e77bf3fbf67d7dc034c6cc

SHA256
d74968f474d925ef13a0d1945bd78d5a946ff563b8411c22af272842517c1cdb

SHA512
730488a4169ba3cd7a4ce9f9ceb4894724b09a5f60c7f9716b160f06560660306fc8e75dd77c430010b063ba79727bec69a1e7f7153569897bcc48d167c55e18

Download Submit
C:\Windows\SysWOW64\Halhfe32.exe

Filesize
80KB

MD5
5e8ee8ce77038402b02c0a17097c8e4c

SHA1
7b4aa2a466dc4bdbb9d741e8b00c832752f5c301

SHA256
2dc1cb9c186680836f7818a363bf5b00f89586dab19d4b1d6eada2eacf076f4f

SHA512
ad0b7d4afc4498e8f4c03b817ef3e9db4caaa3d7ad75589d2244d86a0de4517613c5e48f1b24045123dde555e5e16919e93ad608cd96a4f75875e24d2ee90d71

Download Submit
C:\Windows\SysWOW64\Hedafk32.exe

Filesize
80KB

MD5
b3cf46a72dc66d36ea8b7eb880f53509

SHA1
fc318bac714e32eec181e76450f76796bddb71b8

SHA256
55fddc4da1d11c4fb481fe6edc8153a5f79675d0bdc86b66c655b548fb49b879

SHA512
5a9f7e3bd44a43669c8a1585034568bc6c8ea49cc98e21b41f69728e63e3b13595f94eea6cf37701e78ae6832185b92f47b4f2b6e6436fbab0fd3ec716d74968

Download Submit
C:\Windows\SysWOW64\Hmdlmg32.exe

Filesize
80KB

MD5
37f7ea9c8fbcd7b4ba8428df0ae17262

SHA1
29030d189c99b926dcbc527a8459d754b2870659

SHA256
042a836b70a77e929667d2bd4c011143d6d6dd63ff355fadd0fbf99e623c2ee6

SHA512
7f8f012da549c8d68517f8e0da46d4af080b5947564ed08b016a03bdaac6185e09da70989e3e1bd0234a8d70a774cd51c39b529a8a57bada954a1908994d59b3

Download Submit
C:\Windows\SysWOW64\Hoclopne.exe

Filesize
80KB

MD5
93ff6005cd3f5518bfe466844d967d3c

SHA1
d4de6bb20e7f88230df1fed532c267c24d21b730

SHA256
6ade03e7ebb39f723166ee381ab9e8b185357fafcdcdd94acf8b19963fec350c

SHA512
3437783d00e473c4312787f1e9adc2893e02265dc434c3e0a1b11f2e81dc058c95539c035eeac0955f26fd87f6b0edc3d35fcf0f69f2dbf55a9338fb70c38e1f

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe

Filesize
80KB

MD5
f0f76bb0b710103342a91fd30e362571

SHA1
2633964bfae61e80f2dab0a9a3a6230031a4bc73

SHA256
3a6deb3968a8f675cec69e63f7eba9903b28a7a616863023cc9193fc74b94ad6

SHA512
143d134885c8bf3c8e5aee6c2214c24209f4d4ff57df585c9ab2194d9d00fd9c7a41c4e5b3de65b189657e311b53eea662f886e37a513a37abbb1d8cf36e29a8

Download Submit
C:\Windows\SysWOW64\Hplbickp.exe

Filesize
80KB

MD5
2c5dc9c9698b92cd072f3c7fb90c2d91

SHA1
0ebe9ed9f03a9d53a777b026ce3dbe9df9c24a44

SHA256
6faee7d89426e7fbf56651e2c5bced01fc3323ed97b54cd836a62450d36948e6

SHA512
945724e381a415204f83b3485567641b91d4032299e26fb43cc8542d13f2bf4c33358e328e065d77d667b36c581eea8853dbe6dfdbfcfabaa455f500e030dc05

Download Submit
C:\Windows\SysWOW64\Hpnoncim.exe

Filesize
80KB

MD5
0affeaecd020631f77d9fb55aa78ca29

SHA1
67b357bca056ab5356c40faa4b8c26f769e16c30

SHA256
f383b809b60292859fa29ea046145bb342bc9a8b7e8217990ec70d7174653c83

SHA512
6a787743cd14c6aa67cda687c3a9e350ed408ef59a6b9ff5896d0abcdaef2abcfdad6e532ced4ae6b4f27e620974419377052f0fb0493c68386f8bd288e51589

Download Submit
C:\Windows\SysWOW64\Iafkld32.exe

Filesize
80KB

MD5
a0389689b5691f5a641f326dfcd77dc3

SHA1
fb951ed3061a98eb4f818486d7670d54219cfa61

SHA256
97e418bd768cb0c19a618d5efc3113c2774019f8109b4e7ccf120245ab1f35e9

SHA512
085932a5f8e3bce9e8721ddc64d6096e7d92a46454c4ad60229ab3d204aa7b509e6846a97f55d7041fb62cd2c0424f5ec8dfab681a8ac581b10dfaed0b95c4cd

Download Submit
C:\Windows\SysWOW64\Iibccgep.exe

Filesize
80KB

MD5
60fe146d33a623b1e171bd19cfe511c7

SHA1
b792f6c0679ca5664c32d31fbd0190e7e6312353

SHA256
00ce5e90a6091006702b5ecf2cb2e15247bcfcd4476d93f156e382afdb283f78

SHA512
0e35fc6f832e7d62302396a0abdf75d82b61c8fef44414c74c8662b7462c86089700bb72595bd0b3e391d47db8f2127b3939471bcd1e1deb08f95ff351831f20

Download Submit
C:\Windows\SysWOW64\Ilnbicff.exe

Filesize
80KB

MD5
fef4a5f3a05e74f9a14fdbc2213b68a6

SHA1
45632eaeaa3d33f75cb2bf122f929bd7fcd8ead7

SHA256
294a5602ab204f4ea399a03f92eafb9508865b87507a8c8283ae03307c6cd824

SHA512
d05c9ffff026fb742079a97d720df4a2f1b874ddf82a00b51ba932bd7d42e2bcb3f57345dad9291a8b0baab37181686d83d095e68c184b0feb66e2af8693048a

Download Submit
C:\Windows\SysWOW64\Imgicgca.exe

Filesize
80KB

MD5
e90c7c920b084fbf8d7dd93638b00bc6

SHA1
30b4dc7985640698bdbf0f22cb6d994bba0d4163

SHA256
d399405670cca48501100aadd24ee179a9f9383dbc0dd087cca1688bce063335

SHA512
4c06bdd6833983a671a2eddc6e3c0e483b6ef149c4ccce566f61c244014afecc67c9b21a88e8a99213f9653f2140497098333f22904ea5b0137b409f3fe07832

Download Submit
C:\Windows\SysWOW64\Impliekg.exe

Filesize
80KB

MD5
9c1e6f8aa9723cc57faacabab6821f42

SHA1
643979b74abf4e68432d8dcedfff9a21c032dac4

SHA256
b1e938192f2cd7e8f787e1ba53d04095540415b1189271a764417aec596bdc64

SHA512
22545f78e80b71997e022de6270b53076ed8e8d3ee6c36f3850834b26e636899771727ed7ad31ddbd30e6bc8c578c2671bf42c79dc40b947c91c07309b1a3c49

Download Submit
C:\Windows\SysWOW64\Ipgbdbqb.exe

Filesize
80KB

MD5
71e45ced0a2f89599e939d4d6042c6da

SHA1
ec7ddf9817c419eedfee816a3cb334557d9dcf92

SHA256
c0aefed93c86533e330639f47aa2f3c0585c488b497bcc3b2ab03c94ce7e87c6

SHA512
fbfcc71c2136e252badea1e2ef3ca8cf8222999b4881c6aae963574800e2d999c53529e9228a3a0162f5a4baec8b59d772347e99b4dee879698fdbcee8b3ef4d

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
80KB

MD5
466255335f2fbb6dc8551189eb82ff67

SHA1
2137c64aafe018276d86ede7c4cee63ca9c0dfdb

SHA256
060789e83f6a306606baef086d6ba959cbd983d3578064e45ae99deb276d2258

SHA512
971f86f6146cf1b550e14a36d615359521fa43fad850d4588a08fdf076ebfa172c5289ed55e6498a0ec3fb43b82266b474c6e0127cdc48ef2dbf86237e17efb4

Download Submit
C:\Windows\SysWOW64\Jgbchj32.exe

Filesize
80KB

MD5
1ebb26baf6d99c8296889fddcd5092ac

SHA1
2a0a54c0418ca650fe927668068a19cd413a8c88

SHA256
d866a3c12cdd6e8df76db380ace6b6561ec4e35c1a8a9d84c22849c27303eec1

SHA512
b024a196ba5c3aad23b7aca42850163334ce6ef8a7768244a3e00564053af68e4eab6b1f5bff87542af32af1ac577444cc26bfd1f936f869d547ec0b0c9f3e95

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe

Filesize
80KB

MD5
6416d2552f4c27f798d19bf7585f86e4

SHA1
3ffa6c8d6a5d96fc0fdcdac936cbb04c62b489cb

SHA256
f0436e99f079bbf21f08031d1d18b10ea3b52ad460b26036ca435fc66875c16d

SHA512
1560a8ea7961c449dd89d10b94515a6346e0c7328d07c8cb1f1fa814fcbd10ffde416e8b32f5262e951a31ab18396b544aa1e9e4466109b8cc76a367481d7101

Download Submit
C:\Windows\SysWOW64\Jgpfbjlo.exe

Filesize
80KB

MD5
c4827f90560d2bbe14229b3c5cb53276

SHA1
4bb855b17f14876d49b24bd7375942ce630be905

SHA256
6d23c854586bd9ce702c582a12fa1a6c91b9ba94e01820b358a0ecb3e946376b

SHA512
e80bd3d1936c36f42cb9813567ce6a4ec36ea1e3fc4531664586c24a273a2224800aed7aad0bb38f84c31314411dc19cfe8bfa63122605c40cb632247da6a681

Download Submit
C:\Windows\SysWOW64\Jifecp32.exe

Filesize
80KB

MD5
b905bfea7a5511b2e11a6449cdc4c3d6

SHA1
5a65a27d44edfd4ed6c4d9bc527a9b2704722d74

SHA256
1a0f6f7e627fa41d92bf745908767ad2d43e7e8e9dffc4e52c94de1e9eb3fd41

SHA512
bd45cf76c3042437d4e5a285aba02135d9c42340d777c559f10ae096257946a001c135279a65024caead8c9fc6772744069bdc52270cddac8b3234e781ebf917

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
80KB

MD5
c3a86d7c5f25cd96b9f0074aff5cf1d9

SHA1
1389e8219dc2dd91d7fe215d68ba4f473a93fb4e

SHA256
2cce76a603e078357d067c7f89fc2871702cac481bc24220222cdc3b96f0c356

SHA512
2ca848ec17f3e494a81823b4a196794b9f324871e7d37252e1f8c72ef172ae3ac2bc59637aa8e63daea598ec49040233ec64720c611f1519fd1646b1a264f19c

Download Submit
C:\Windows\SysWOW64\Kcmmhj32.exe

Filesize
80KB

MD5
b906b7884983b2750375e5a26953a393

SHA1
7e046f6f6f850ef6065627fe02fc7aaac3339ae7

SHA256
53dd2d8d9ccb91f1b85afa3877e63414c4089e74cb9f0e2e29c276f989da00e8

SHA512
8a14225951590f151d2964c647c241eb9526785ae94706f74fea8c081d7f9535dee318e9ebe0df7f79c56b3bbc67a49f2ab79f5d7db7524b01e2c40ef83a1571

Download Submit
C:\Windows\SysWOW64\Kemooo32.exe

Filesize
80KB

MD5
2dc1f6b59816e56b9de7da2a199538b2

SHA1
46a1daa7749397d51a1a556e8412ee127b644439

SHA256
291511fd158fce1d22b41a40a3f16b58e8c0d052cbf223ccf83c8b12201dc63e

SHA512
2c64458cb4fc4ab26df6745784af3a673864bf19b3989d5933b084d41c84e859c3d3af927c792f65758cc143e35ccb2c64872a99c6ae6bb23e8ac53d71d2e934

Download Submit
C:\Windows\SysWOW64\Kgdpni32.exe

Filesize
80KB

MD5
648bf3055a719e010cbc769d2c27d4ac

SHA1
f8e8eaa5c5f7eea71fe859e213ae23aa8ad15526

SHA256
d375f2ee9fb5df342b957ed536b1331322b5186793fbdb5c6ad7a397ab600498

SHA512
5d8df164b4a6792345eb52b8620149365b3a53362f12e736c6e580563dcb8b3502460a4ebc558412cdf84bb4584c0dccdcaac26e8d5793ae7ddc28ea526607c3

Download Submit
C:\Windows\SysWOW64\Kjeiodek.exe

Filesize
80KB

MD5
d7d381737f5ff1531eaeb33f09216aa7

SHA1
077a5fb255d3480f9e2d4aa23c0146d2e2aad24c

SHA256
fd99063a41407679bd118dc28e0621c3b236c773bc85e64cb1a787d1a822c998

SHA512
9aaa7e3bf2b737c8017150aa6cf0fc6c29f293524c217df75f87c7a589ff2da1f05c0ef0d31eb007c4be82fd49db293c9b2d484646113d6ff9271c5f159f953a

Download Submit
C:\Windows\SysWOW64\Lcdciiec.exe

Filesize
80KB

MD5
8f09b254e5debb5fbf2b909ab6d5a555

SHA1
a185b9f0a45cff1665a43361d6d335cc4f955fc6

SHA256
8b1f875bcad5189fc410d7eae1d1ee731471c8db937c5a33ea8d0936a4fc4b21

SHA512
15b722ff3078ba335580679beb53cfcead8644e49b28693b2dc21cc5b7fcd7be1e7cd224a48d1fcf8e40f10ac8c4574c79bcda504eae5d7cc2034272603886ca

Download Submit
C:\Windows\SysWOW64\Lfgipd32.exe

Filesize
80KB

MD5
784e2c4cfdda82d54778b8a0289caa52

SHA1
d6bcf5d0251a266d4afcf56474b773065e32c8b8

SHA256
2bf9fd67abebeb3322955e69a2028d1cf2f6f9c437de002c253c5f967cae0a69

SHA512
c31fe453c59da08f06dee226b11042811433f5c6ef0ba04bd1e5915b87dae4a438f582ea971e6debeb7f2d2fe8d9f6d9747f18b8a551acddc2e8b943bc288e2e

Download Submit
C:\Windows\SysWOW64\Llnnmhfe.exe

Filesize
80KB

MD5
2dda95a44f107cd150f0e837e43979d7

SHA1
dc251588b3ebd5d486dbc607ddf7baf434ba2b67

SHA256
106c1fbce10aef3395634e74f9dcc4eec23991add4016788a21fd6f8c92d4782

SHA512
7afc0ace015464b39b60d3a51a3124de3b2b787724fac1ef833819f195f14e25d8edf1ed63a6b16e714ac76ab459528b8b5aeedc854f0d3b04c4e2db843b3587

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
80KB

MD5
96c82badb551c01235abcc83a123cba6

SHA1
e70082c378c0b4c2966448d4e13fed3155cb9f2e

SHA256
0bd937bce2b62df52f14b5bf555f065d0cb31894056597d7e73b56dd89b91a14

SHA512
588359dbad1d7235ac5ad1d8647a1b4b36e41010995d8c5ce2b01a7806972c7e61dfaabdfc9ceb4a32c2a3d0c2c16d5cc190d778faabf560284754014a2f5aeb

Download Submit
C:\Windows\SysWOW64\Lpepbgbd.exe

Filesize
80KB

MD5
383a6b10a414495a25ca9d268e98dc9f

SHA1
8ebee8aac0490a17538b07b85812fdbde501ca4c

SHA256
e19d46e48e167d985ac548e7a02bda9670807d702964cef83bbfa65328d33847

SHA512
3cdd929cc04a0c298316193ca296c6f63068f5b432c27adfe72c145ffdce2adf686920a99b230a452d1c3c812ae0831565a17d6b9b1b8392fee873266d80f45d

Download Submit
C:\Windows\SysWOW64\Mgbefe32.exe

Filesize
80KB

MD5
6026a19c8a25661542e931d146bdab4b

SHA1
a5f8eb4b11807daa3175a63d53035c12e79b4e77

SHA256
6418d8c6deeda9666f44c907edc3113b88e6e176bbcc8bdef2d548990c468728

SHA512
05608d29865551b8d9838985e03b50f064d4c45d0561c5a70e6c60da4d4ef548575c21a0925195c617e56d00628d78c7158ec12bad30e35f13ec6b7db15bad50

Download Submit
C:\Windows\SysWOW64\Mgloefco.exe

Filesize
80KB

MD5
684be1841ab1848c4e46c00f6315b57f

SHA1
0c85663943b141b7dede5c17349e90b91b04e154

SHA256
7d9d8c62669cd582817397300b89bceeab655142d6106ee76927496103128779

SHA512
5fe8308283eb6f63bd410229d59540866f40cb228a565b17401abbc52f14a3ff890394799d38db996f6de9a5c5108030130a3e9edd112f2ef8702a8f66744ecf

Download Submit
C:\Windows\SysWOW64\Mgnlkfal.exe

Filesize
80KB

MD5
53c0044893bcba2f6ed48c9d191c6bab

SHA1
e245e856647717bb882e1a775cedc7c5bb6504e6

SHA256
e132218dd140f5b6ca0dc931d37747e773ca88792b15dab22cefc30a15a8baa6

SHA512
eba429177c29985f1c81d7732a6608c09626aae981d5b119ae15f304f873195be435e78bbd0ef16df54d80639c32fbeb7aaef76d8cd8c31e7563d625a6354cea

Download Submit
C:\Windows\SysWOW64\Mjidgkog.exe

Filesize
80KB

MD5
b5d54413e858e485c0c8ec0fe7bad13e

SHA1
2de7e8897024a6cba23e2e73ff19192fb88d9e9f

SHA256
20b2c26b67e564300f3fb65e02df7e4a7459fe841ed697e4884d8b8e509b9f7a

SHA512
44288c9f3a0b37789516901dd668a0ee46021a7e61c3996dd17f17b3d7397ff20e1dc8a9352da4d7a1950e1bd6b7396b51c2c9e32b4584831828ac134c106607

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
80KB

MD5
91043f8f516db7a1963dff2db3fdd1ce

SHA1
01f05de867d0277f0a5605297c8857f1fe3d6ab8

SHA256
d219c21d21c4f180e5d4b995a3d75022b8b410624fb38dd1cf7aa69cae193281

SHA512
b1f32cdb8335c9505a6c2065edf68eeb53534aaf5dd11ecbbbe7a6f6d75cb6eb34104b34902d3f39cd0a2e620e4803dd6887a3cf5284e81c76bcd51ed60f3be8

Download Submit
C:\Windows\SysWOW64\Nfnamjhk.exe

Filesize
80KB

MD5
b5bba82b399664fb850d3cf8432842ea

SHA1
27a913fc850655eb13eb911170db1f55a0d332a1

SHA256
99143c246bd4684281e89fb09ae8e1e44f82ad1ae91e47fd03d49f6e1140ebef

SHA512
dc3ff57fae59e12162c1d3d8f2dad3621c73c5c7552198abb677006e9763a5246022e3facfe74389b14e61053f9c2bc5385c9c434bf821f85130603e1fb0333e

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
80KB

MD5
1d27f67211e396d6975186efc08bc903

SHA1
b084f7892d12e55910fcbb5d84323bc6233a0a57

SHA256
f12e635f1072435d3deef976f27944c590e66091c68efadf8e52dd1f3f1e9f59

SHA512
b72a045ab897212b00282eb7c30da7c8966f57d05b689fca261096d02e33dfe25385e636479004fb99c7096d6d60e90e6048b0e44d8fa3f8f5b60aab80a68bdb

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
80KB

MD5
88da04db0d01c60e50c752b17fdc4a84

SHA1
60e801a31d0f071c177abcddff2181e691ac18a2

SHA256
4694748fa3e7c48b8b3c128150c04c30d5ff612667f1f1105dfc7d1006db5225

SHA512
8d3a62fe978a24834ad9a2ace0321a3e03ae04464d4287ebeb401735881c0fda80da12cb6f7dde864a4ab3bc96834219dc4216a00f9f7a7dd54a15b31b7c37fb

Download Submit
C:\Windows\SysWOW64\Pdjgha32.exe

Filesize
80KB

MD5
bc6b984b56722b43675a83fd6c0c59a5

SHA1
96183182040df4ff8e48b281733b17e53c5b0f20

SHA256
858285dfde3888293ed5868cf7102cb29b5a6373426236f29b53c708205cb662

SHA512
f21a783ea2b972615631afd8b35f4fde9510cd36c068918281088c6e030fa773326ac02b3b856346b8be7f67421feff6bf93155822b37dadec246a6e73138a08

Download Submit
C:\Windows\SysWOW64\Pjaleemj.exe

Filesize
80KB

MD5
724850c39c545f02635da991dadb6756

SHA1
0edc2d2306645819826444970812f67c47a88ad9

SHA256
bed370e8e56ef15798a18ebda1ad0672b250e612f3470d154ee577d72f3f39cf

SHA512
c14f571dbd5029170b30313c4eb2d58d7110608b3930a5ccb37e385d793c522c9671dea57e92ee410b2fc2ab957004ec1d0ddda19f43469bead02b825f9e8ea9

Download Submit
memory/220-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/376-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/620-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/720-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1112-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1116-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1148-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1160-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1236-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1264-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1268-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1712-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-564-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2148-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2168-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2384-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2456-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2916-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3120-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3204-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3272-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3424-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3568-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3608-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3700-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3880-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4084-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4140-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4692-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4712-522-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4880-528-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5168-574-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5216-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5260-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads