e5877002bc9f60a7bc5520e69408f02d9f64ec4ef8abf98e87d3985aaf4ec437

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5877002bc9f60a7bc5520e69408f02d9f64ec4ef8abf98e87d3985aaf4ec437.exe
Size

89KB
MD5

42895f3c035d25be58d21a5acc933a0d
SHA1

8bd078a1d91e70684112ccd0a9be79fd3f3ef131
SHA256

e5877002bc9f60a7bc5520e69408f02d9f64ec4ef8abf98e87d3985aaf4ec437
SHA512

73a60ca7f32373ab3f3b7c576dc1e7e73172c6a8062eb240ba611c25cab055fa342a63007cb800c89c3b8d24709a660a8b9407892f3b1abb6a25224076ebe0fe
SSDEEP

1536:MGh7qiLTlIVMl5MwKjQlNA73NDXA8jVGrl6PgfRQUR+KRFR3RzR1URJrCiuiNj51:DWoxpDMxS6R9Gr4PgfeUjb5ZXUf2iuO7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dbocfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Joqafgni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klggli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlppno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckboblp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlgepanl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahokfag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jemfhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kofkbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lckboblp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nblolm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eblimcdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnajppda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jocnlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Joqafgni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgplado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eiokinbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpbflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fnnjmbpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnajppda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkhgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eblimcdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnfbcbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fngcmcfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oonlfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mofmobmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnangaoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpanan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opbean32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbjddh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgdpni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe

Executes dropped EXE 64 IoCs

pid	Process
1280	Ddgplado.exe
4856	Dnbakghm.exe
3456	Dfnbgc32.exe
3976	Eiokinbk.exe
1292	Efblbbqd.exe
2912	Eblimcdf.exe
1676	Ebnfbcbc.exe
4108	Fpbflg32.exe
4552	Fngcmcfe.exe
1132	Fnipbc32.exe
1300	Fnnjmbpm.exe
2940	Gldglf32.exe
1432	Geohklaa.exe
3896	Holfoqcm.exe
4480	Hmpcbhji.exe
2916	Hbohpn32.exe
524	Iepaaico.exe
4608	Iedjmioj.exe
4620	Imnocf32.exe
4528	Jcmdaljn.exe
4408	Jlgepanl.exe
4912	Kgdpni32.exe
4992	Kpanan32.exe
5036	Kofkbk32.exe
1212	Kngkqbgl.exe
4296	Lnangaoa.exe
4024	Mnegbp32.exe
1156	Mfqlfb32.exe
4940	Mjodla32.exe
4692	Mjaabq32.exe
1072	Mfhbga32.exe
4968	Nnafno32.exe
3852	Njjdho32.exe
3972	Nmkmjjaa.exe
2724	Ojomcopk.exe
1820	Onocomdo.exe
4428	Omdppiif.exe
4180	Ppgegd32.exe
4876	Phajna32.exe
4420	Pffgom32.exe
3700	Panhbfep.exe
972	Qpcecb32.exe
2468	Ahmjjoig.exe
4432	Aknbkjfh.exe
1860	Amnlme32.exe
4308	Amqhbe32.exe
3284	Aaoaic32.exe
1096	Bkibgh32.exe
944	Bogkmgba.exe
1412	Bknlbhhe.exe
1568	Bkphhgfc.exe
3360	Cammjakm.exe
2344	Caojpaij.exe
2252	Cnfkdb32.exe
1680	Cgnomg32.exe
808	Chnlgjlb.exe
1712	Dkndie32.exe
3112	Ddgibkpc.exe
3012	Dakikoom.exe
4252	Dnajppda.exe
3156	Dbocfo32.exe
2028	Dkhgod32.exe
5052	Eqgmmk32.exe
776	Ehpadhll.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jlgepanl.exe	Jcmdaljn.exe
File created	C:\Windows\SysWOW64\Chnlgjlb.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Qedegh32.dll	Onocomdo.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Phajna32.exe
File created	C:\Windows\SysWOW64\Bkibgh32.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Ihbponja.exe	Ilkoim32.exe
File opened for modification	C:\Windows\SysWOW64\Eiokinbk.exe	Dfnbgc32.exe
File created	C:\Windows\SysWOW64\Cmcgolla.dll	Fnnjmbpm.exe
File opened for modification	C:\Windows\SysWOW64\Kngkqbgl.exe	Kofkbk32.exe
File opened for modification	C:\Windows\SysWOW64\Omdppiif.exe	Onocomdo.exe
File opened for modification	C:\Windows\SysWOW64\Panhbfep.exe	Pffgom32.exe
File created	C:\Windows\SysWOW64\Fqbliicp.exe	Fgjhpcmo.exe
File created	C:\Windows\SysWOW64\Eiokinbk.exe	Dfnbgc32.exe
File created	C:\Windows\SysWOW64\Lhnjoi32.dll	Fngcmcfe.exe
File created	C:\Windows\SysWOW64\Ekoglqie.dll	Kgdpni32.exe
File created	C:\Windows\SysWOW64\Bgicnp32.dll	Dakikoom.exe
File created	C:\Windows\SysWOW64\Jocnlg32.exe	Jekjcaef.exe
File opened for modification	C:\Windows\SysWOW64\Obgohklm.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Eblimcdf.exe	Efblbbqd.exe
File opened for modification	C:\Windows\SysWOW64\Fnnjmbpm.exe	Fnipbc32.exe
File opened for modification	C:\Windows\SysWOW64\Jocnlg32.exe	Jekjcaef.exe
File created	C:\Windows\SysWOW64\Kcoccc32.exe	Joekag32.exe
File created	C:\Windows\SysWOW64\Dckahb32.dll	Jlgepanl.exe
File opened for modification	C:\Windows\SysWOW64\Gngeik32.exe	Ggkqgaol.exe
File created	C:\Windows\SysWOW64\Ganldgib.exe	Fgcjfbed.exe
File created	C:\Windows\SysWOW64\Ifolcq32.dll	Lnangaoa.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Ofkhal32.dll	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Cinclj32.dll	Ddgibkpc.exe
File opened for modification	C:\Windows\SysWOW64\Iijfhbhl.exe	Hbnaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Jlbejloe.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Aaeidf32.dll	Klggli32.exe
File opened for modification	C:\Windows\SysWOW64\Mpeiie32.exe	Mofmobmo.exe
File opened for modification	C:\Windows\SysWOW64\Mfhbga32.exe	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Bgemej32.dll	Nnafno32.exe
File created	C:\Windows\SysWOW64\Oajgdm32.dll	Pbekii32.exe
File created	C:\Windows\SysWOW64\Pbjddh32.exe	Pmkofa32.exe
File created	C:\Windows\SysWOW64\Njljch32.exe	Nfihbk32.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Jlbejloe.exe	Ipkdek32.exe
File created	C:\Windows\SysWOW64\Kgdpni32.exe	Jlgepanl.exe
File opened for modification	C:\Windows\SysWOW64\Mjodla32.exe	Mfqlfb32.exe
File opened for modification	C:\Windows\SysWOW64\Fngcmcfe.exe	Fpbflg32.exe
File created	C:\Windows\SysWOW64\Cnfkdb32.exe	Caojpaij.exe
File created	C:\Windows\SysWOW64\Heegad32.exe	Hahokfag.exe
File created	C:\Windows\SysWOW64\Fiboaq32.dll	Ddgplado.exe
File created	C:\Windows\SysWOW64\Ebnfbcbc.exe	Eblimcdf.exe
File created	C:\Windows\SysWOW64\Cimjkpjn.dll	Hbnaeh32.exe
File created	C:\Windows\SysWOW64\Nmqmbmdf.dll	Ebnfbcbc.exe
File created	C:\Windows\SysWOW64\Hemikcpm.dll	Kofkbk32.exe
File created	C:\Windows\SysWOW64\Likage32.dll	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Ojnkocdc.dll	Mnegbp32.exe
File created	C:\Windows\SysWOW64\Ppgegd32.exe	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Phajna32.exe
File created	C:\Windows\SysWOW64\Npakijcp.dll	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Opbean32.exe	Oifppdpd.exe
File created	C:\Windows\SysWOW64\Cocopa32.dll	Eblimcdf.exe
File created	C:\Windows\SysWOW64\Mfhbga32.exe	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Gnobcjlg.dll	Fgcjfbed.exe
File created	C:\Windows\SysWOW64\Ghojbq32.exe	Gngeik32.exe
File opened for modification	C:\Windows\SysWOW64\Oonlfo32.exe	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Fnipbc32.exe	Fngcmcfe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5452	6092	WerFault.exe	210

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlbejloe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Edionhpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddgplado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofljo32.dll"	Nblolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqolaipg.dll"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll"	Geohklaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkibgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jekjcaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eblimcdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll"	Ojomcopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqgmmk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichelm32.dll"	Joekag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll"	Iepaaico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imnocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amnlme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnafno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjaonjaj.dll"	Eomffaag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fgjhpcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahkpm32.dll"	Ipkdek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebnfbcbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefjbddd.dll"	Jcmdaljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemikcpm.dll"	Kofkbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlbejloe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcclncbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdflknog.dll"	Mapppn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnajppda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbocfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehpadhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajgdm32.dll"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddgplado.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kngkqbgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fgjhpcmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgpamjnb.dll"	Ggkqgaol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglafhih.dll"	Ihbponja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lomjicei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlgepanl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpojkp32.dll"	Bknlbhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Likage32.dll"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll"	Opbean32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnobcjlg.dll"	Fgcjfbed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acankf32.dll"	Dnajppda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipkdek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkdjo32.dll"	Mfhbga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpaoan32.dll"	Fkmjaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picoja32.dll"	Iijfhbhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilkoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmjja32.dll"	Jekjcaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpapnfhg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1280	228	e5877002bc9f60a7bc5520e69408f02d9f64ec4ef8abf98e87d3985aaf4ec437.exe	90
PID 228 wrote to memory of 1280	228	e5877002bc9f60a7bc5520e69408f02d9f64ec4ef8abf98e87d3985aaf4ec437.exe	90
PID 228 wrote to memory of 1280	228	e5877002bc9f60a7bc5520e69408f02d9f64ec4ef8abf98e87d3985aaf4ec437.exe	90
PID 1280 wrote to memory of 4856	1280	Ddgplado.exe	91
PID 1280 wrote to memory of 4856	1280	Ddgplado.exe	91
PID 1280 wrote to memory of 4856	1280	Ddgplado.exe	91
PID 4856 wrote to memory of 3456	4856	Dnbakghm.exe	92
PID 4856 wrote to memory of 3456	4856	Dnbakghm.exe	92
PID 4856 wrote to memory of 3456	4856	Dnbakghm.exe	92
PID 3456 wrote to memory of 3976	3456	Dfnbgc32.exe	93
PID 3456 wrote to memory of 3976	3456	Dfnbgc32.exe	93
PID 3456 wrote to memory of 3976	3456	Dfnbgc32.exe	93
PID 3976 wrote to memory of 1292	3976	Eiokinbk.exe	94
PID 3976 wrote to memory of 1292	3976	Eiokinbk.exe	94
PID 3976 wrote to memory of 1292	3976	Eiokinbk.exe	94
PID 1292 wrote to memory of 2912	1292	Efblbbqd.exe	95
PID 1292 wrote to memory of 2912	1292	Efblbbqd.exe	95
PID 1292 wrote to memory of 2912	1292	Efblbbqd.exe	95
PID 2912 wrote to memory of 1676	2912	Eblimcdf.exe	96
PID 2912 wrote to memory of 1676	2912	Eblimcdf.exe	96
PID 2912 wrote to memory of 1676	2912	Eblimcdf.exe	96
PID 1676 wrote to memory of 4108	1676	Ebnfbcbc.exe	97
PID 1676 wrote to memory of 4108	1676	Ebnfbcbc.exe	97
PID 1676 wrote to memory of 4108	1676	Ebnfbcbc.exe	97
PID 4108 wrote to memory of 4552	4108	Fpbflg32.exe	98
PID 4108 wrote to memory of 4552	4108	Fpbflg32.exe	98
PID 4108 wrote to memory of 4552	4108	Fpbflg32.exe	98
PID 4552 wrote to memory of 1132	4552	Fngcmcfe.exe	99
PID 4552 wrote to memory of 1132	4552	Fngcmcfe.exe	99
PID 4552 wrote to memory of 1132	4552	Fngcmcfe.exe	99
PID 1132 wrote to memory of 1300	1132	Fnipbc32.exe	100
PID 1132 wrote to memory of 1300	1132	Fnipbc32.exe	100
PID 1132 wrote to memory of 1300	1132	Fnipbc32.exe	100
PID 1300 wrote to memory of 2940	1300	Fnnjmbpm.exe	101
PID 1300 wrote to memory of 2940	1300	Fnnjmbpm.exe	101
PID 1300 wrote to memory of 2940	1300	Fnnjmbpm.exe	101
PID 2940 wrote to memory of 1432	2940	Gldglf32.exe	102
PID 2940 wrote to memory of 1432	2940	Gldglf32.exe	102
PID 2940 wrote to memory of 1432	2940	Gldglf32.exe	102
PID 1432 wrote to memory of 3896	1432	Geohklaa.exe	103
PID 1432 wrote to memory of 3896	1432	Geohklaa.exe	103
PID 1432 wrote to memory of 3896	1432	Geohklaa.exe	103
PID 3896 wrote to memory of 4480	3896	Holfoqcm.exe	104
PID 3896 wrote to memory of 4480	3896	Holfoqcm.exe	104
PID 3896 wrote to memory of 4480	3896	Holfoqcm.exe	104
PID 4480 wrote to memory of 2916	4480	Hmpcbhji.exe	105
PID 4480 wrote to memory of 2916	4480	Hmpcbhji.exe	105
PID 4480 wrote to memory of 2916	4480	Hmpcbhji.exe	105
PID 2916 wrote to memory of 524	2916	Hbohpn32.exe	106
PID 2916 wrote to memory of 524	2916	Hbohpn32.exe	106
PID 2916 wrote to memory of 524	2916	Hbohpn32.exe	106
PID 524 wrote to memory of 4608	524	Iepaaico.exe	107
PID 524 wrote to memory of 4608	524	Iepaaico.exe	107
PID 524 wrote to memory of 4608	524	Iepaaico.exe	107
PID 4608 wrote to memory of 4620	4608	Iedjmioj.exe	108
PID 4608 wrote to memory of 4620	4608	Iedjmioj.exe	108
PID 4608 wrote to memory of 4620	4608	Iedjmioj.exe	108
PID 4620 wrote to memory of 4528	4620	Imnocf32.exe	109
PID 4620 wrote to memory of 4528	4620	Imnocf32.exe	109
PID 4620 wrote to memory of 4528	4620	Imnocf32.exe	109
PID 4528 wrote to memory of 4408	4528	Jcmdaljn.exe	110
PID 4528 wrote to memory of 4408	4528	Jcmdaljn.exe	110
PID 4528 wrote to memory of 4408	4528	Jcmdaljn.exe	110
PID 4408 wrote to memory of 4912	4408	Jlgepanl.exe	111

C:\Users\Admin\AppData\Local\Temp\e5877002bc9f60a7bc5520e69408f02d9f64ec4ef8abf98e87d3985aaf4ec437.exe
"C:\Users\Admin\AppData\Local\Temp\e5877002bc9f60a7bc5520e69408f02d9f64ec4ef8abf98e87d3985aaf4ec437.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SysWOW64\Ddgplado.exe
  C:\Windows\system32\Ddgplado.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\Dnbakghm.exe
    C:\Windows\system32\Dnbakghm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\Dfnbgc32.exe
      C:\Windows\system32\Dfnbgc32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Windows\SysWOW64\Eiokinbk.exe
        
        C:\Windows\system32\Eiokinbk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3976
      - C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Eblimcdf.exe
        
        C:\Windows\system32\Eblimcdf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Ebnfbcbc.exe
        
        C:\Windows\system32\Ebnfbcbc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Fpbflg32.exe
        
        C:\Windows\system32\Fpbflg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Fngcmcfe.exe
        
        C:\Windows\system32\Fngcmcfe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Fnipbc32.exe
        
        C:\Windows\system32\Fnipbc32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Gldglf32.exe
        
        C:\Windows\system32\Gldglf32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Iepaaico.exe
        
        C:\Windows\system32\Iepaaico.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Jlgepanl.exe
        
        C:\Windows\system32\Jlgepanl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Kgdpni32.exe
        
        C:\Windows\system32\Kgdpni32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Kpanan32.exe
        
        C:\Windows\system32\Kpanan32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Kofkbk32.exe
        
        C:\Windows\system32\Kofkbk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Kngkqbgl.exe
        
        C:\Windows\system32\Kngkqbgl.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\Mfqlfb32.exe
        
        C:\Windows\system32\Mfqlfb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        34⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        39⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        43⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        47⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        52⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        55⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        57⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Dakikoom.exe
        
        C:\Windows\system32\Dakikoom.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Dnajppda.exe
        
        C:\Windows\system32\Dnajppda.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Dbocfo32.exe
        
        C:\Windows\system32\Dbocfo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Eqgmmk32.exe
        
        C:\Windows\system32\Eqgmmk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Ehpadhll.exe
        
        C:\Windows\system32\Ehpadhll.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Eqlfhjig.exe
        
        C:\Windows\system32\Eqlfhjig.exe
        66⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Eomffaag.exe
        
        C:\Windows\system32\Eomffaag.exe
        67⤵
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Edionhpn.exe
        
        C:\Windows\system32\Edionhpn.exe
        68⤵
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Fgjhpcmo.exe
        
        C:\Windows\system32\Fgjhpcmo.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Fqbliicp.exe
        
        C:\Windows\system32\Fqbliicp.exe
        70⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Fgcjfbed.exe
        
        C:\Windows\system32\Fgcjfbed.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Ganldgib.exe
        
        C:\Windows\system32\Ganldgib.exe
        73⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Ggkqgaol.exe
        
        C:\Windows\system32\Ggkqgaol.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Gngeik32.exe
        
        C:\Windows\system32\Gngeik32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ghojbq32.exe
        
        C:\Windows\system32\Ghojbq32.exe
        76⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\Heegad32.exe
        
        C:\Windows\system32\Heegad32.exe
        78⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Hlppno32.exe
        
        C:\Windows\system32\Hlppno32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        80⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Hbnaeh32.exe
        
        C:\Windows\system32\Hbnaeh32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Iijfhbhl.exe
        
        C:\Windows\system32\Iijfhbhl.exe
        82⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ilkoim32.exe
        
        C:\Windows\system32\Ilkoim32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Ihbponja.exe
        
        C:\Windows\system32\Ihbponja.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Iialhaad.exe
        
        C:\Windows\system32\Iialhaad.exe
        85⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Ipkdek32.exe
        
        C:\Windows\system32\Ipkdek32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Jlbejloe.exe
        
        C:\Windows\system32\Jlbejloe.exe
        87⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Joqafgni.exe
        
        C:\Windows\system32\Joqafgni.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Jekjcaef.exe
        
        C:\Windows\system32\Jekjcaef.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Jocnlg32.exe
        
        C:\Windows\system32\Jocnlg32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Jemfhacc.exe
        
        C:\Windows\system32\Jemfhacc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Joekag32.exe
        
        C:\Windows\system32\Joekag32.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Kcoccc32.exe
        
        C:\Windows\system32\Kcoccc32.exe
        93⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Klggli32.exe
        
        C:\Windows\system32\Klggli32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        95⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        96⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Lomjicei.exe
        
        C:\Windows\system32\Lomjicei.exe
        97⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Lckboblp.exe
        
        C:\Windows\system32\Lckboblp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4288
        
        C:\Windows\SysWOW64\Mapppn32.exe
        
        C:\Windows\system32\Mapppn32.exe
        99⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Mpapnfhg.exe
        
        C:\Windows\system32\Mpapnfhg.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Mofmobmo.exe
        
        C:\Windows\system32\Mofmobmo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Mpeiie32.exe
        
        C:\Windows\system32\Mpeiie32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        103⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Njljch32.exe
        
        C:\Windows\system32\Njljch32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        107⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Oonlfo32.exe
        
        C:\Windows\system32\Oonlfo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Opbean32.exe
        
        C:\Windows\system32\Opbean32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ppdbgncl.exe
        
        C:\Windows\system32\Ppdbgncl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Pmkofa32.exe
        
        C:\Windows\system32\Pmkofa32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Pbjddh32.exe
        
        C:\Windows\system32\Pbjddh32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        117⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 412
        118⤵
        Program crash
        
        PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 6092 -ip 6092
1⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:5368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akcaoeoo.dll

Filesize
7KB

MD5
6938e7b1c4b3ea6cae207c9286ac63ce

SHA1
e6cc69d7a6d1fdb2dd69d6636a1b09c4c3705e05

SHA256
36f8c663b0889b41ef9fd1d7df8ea100c4c58d21c7705688cb8503fa239d93e0

SHA512
7427d3d34edd6865e5fb5b87ff18e60179a196e065858b1b939f26ea420aa05ce9d8c4467ee32373e3c46d9e94c59075fee9f570a26ed7a210b2cd555c2af794

Download Submit
C:\Windows\SysWOW64\Bogkmgba.exe

Filesize
89KB

MD5
22eec4d45c4bf4959206ade8b41202a9

SHA1
482e386c46fb7eca3348913f25addc2ca7bdcb30

SHA256
3b9c35f6c897d890cc3b24e8937bb8eff9f933b778106eab09a8e1ddf42d0463

SHA512
574570dbabfaf8d3da8993730792c127a6cbcac831b3252f247320e5ecac28a27bba634502e607558749550823f800f8d9d56264b4404241f33e790e75d23d44

Download Submit
C:\Windows\SysWOW64\Cammjakm.exe

Filesize
89KB

MD5
b75010c94b3048ad7c996227017bc612

SHA1
5f56984f993ba6625b3950ec4e7ecee9e30653d0

SHA256
02175b8fd3e6a7a5385d5f303724f26cdee08c3818c238695c4c35c10bc13a23

SHA512
677b07982bd13a7bd606bcf71a38c61e7ed5ce894c6af6d37217182baab2b89cdb3a1767153449587420258aa44cc1f332fa7c336e2633563273a18d1ebb5409

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
89KB

MD5
39e079e8aab11929f9f020cae8b94e26

SHA1
c1a3f73cfceed866a953333c72e5c98da2c4b0f6

SHA256
537374f83a58d0e7e7b9d72d225c97e9fdba7b87d58b5c1ee3007167028028da

SHA512
d92bd8e029bf7a10f4fc0c5d6cc8f6989348e5b0d940490b8a76307e0532f0ff8c35cd4e89fd4ecf313b77daaa569c59142b56810f515eecd7f58a65c10cd2aa

Download Submit
C:\Windows\SysWOW64\Ddgplado.exe

Filesize
89KB

MD5
fb2230fdf989a26f4d57c3447ef37c76

SHA1
398ce461a6d1c8c04c74f94ab2ba1551d57c3893

SHA256
8a25e9f90eba91319c4ef41367c83e887776d657ab57c6b970e5fb535c436a53

SHA512
fd1b0a372139e8cdb6502d9b2ead08e6975db913a303c1f04a1d4f4cd19f270e434b384ea9c2958506eea4c4475954697e903a8cab6101621b5230153fed9ec0

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
89KB

MD5
4c1894d0c2315636d25745f99e991b8b

SHA1
aea3c8011491932a24ebd7226ef2ebb77c669354

SHA256
5eff059e75df189ee12f4c60225b06eda144d16c397893b45809f450ec53696d

SHA512
dcc7411016ab3393eeec5570b3fffef6cff521a00b1d095942d48d7c3b57d8804cbd9152869f9512c899b37bc3e0d6b4c0213be9a3fd3841f1df396fe883748c

Download Submit
C:\Windows\SysWOW64\Dnajppda.exe

Filesize
89KB

MD5
d042c7737312a57b01eac53871e04bac

SHA1
4509ef6fd0b3576d3cf635c62465af55209f1e2f

SHA256
372e799baac63dcb71e9516723da34752aef206f370b4c8c67416ddaaf697f18

SHA512
991435fd1e45969948a67b262e7a78079fb8dc4bd7e9ecba044bb85bf06b32029856fde999a61b8c0e658467ff7e1d5d59f164922c70dd49db0f5d9122c34723

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
89KB

MD5
c67628b302405782873ef82934d958c3

SHA1
87ea4682317df7ffd898496ff3ba2247bd5a7340

SHA256
85172035b7336ebcf78c21c50b0df410de7dbe23cd01c76fd5df35dab41d86e2

SHA512
5125f1474b59041c4cc143cdf5f1ff01ff0b7450a75be16496cf595ec887a9f7b8c1e69a5f5390c90834569f1ed15336efadd468ed207a5790d1fb987bce6a3b

Download Submit
C:\Windows\SysWOW64\Eblimcdf.exe

Filesize
89KB

MD5
23e4c69ff72660e34499f106bc6e27c5

SHA1
372c9220772ed33b8163cc3fbc8b5554c777b308

SHA256
ead714f75cef4d46fb8a3600c1a4fc1db20f054edd8f96575051d0bcae528677

SHA512
8f482280cd74e4e213e8e74aa971a618fa344e7b951889144c94f4a31e0b43a3492f90f545a74e9aa41265cb6c9947456f2c5aced29d77bd89b223523fdd3d1f

Download Submit
C:\Windows\SysWOW64\Ebnfbcbc.exe

Filesize
89KB

MD5
18ceb9e501ee4c9c489ae2d3c8c22be7

SHA1
8cd51f4ef7cc0ebcf3b6de6b2d93ab319c2b23fe

SHA256
2d1f9f9fccba33ac04361bb766772e6fd04fde2c7bcbb7968c59789360d0e862

SHA512
3a26488b67755352b45769fdb2ee518818a2f480ce6b2bc44964265c365e840e24dfc68af15fa1d826d93e1344ed08d55cbe62c7e9c6348c0cc16d4ef75c4371

Download Submit
C:\Windows\SysWOW64\Efblbbqd.exe

Filesize
89KB

MD5
cf7c2190eb65dfbcd207e95ea90d5581

SHA1
f66051115be4e4b51268f3908f953a8d1746cdb0

SHA256
7958512f4d979d39ea7f37239a931339d2d42a86ca46e155d2d8b15105fb8207

SHA512
a81b488aaebbed445ebe69b74ba74adf6336fd34442fab454dae34dcbf6ed42100887c47c512423f3ec254a839d08f021d99b08070751cfd72fe1af30f7fb77f

Download Submit
C:\Windows\SysWOW64\Ehpadhll.exe

Filesize
89KB

MD5
d3f5226533cef2464a1b2851f100ceb9

SHA1
4defb92da2ee8958a5ac61c9add5f3982f40aa4d

SHA256
cd18c7556599c2fe62041b4e53a0ecd2069c8925a667a06d1f4c6989d678a289

SHA512
18710ebc2d143a9d398ecb67a66d7ce5328bbe03b64f9941e70ecc30879d6423c116ec4ed059ff65b24ab3fbaf6cbe41280fc6e9234d2048d6edfe6e866dcfa4

Download Submit
C:\Windows\SysWOW64\Eiokinbk.exe

Filesize
89KB

MD5
91e1311881a35095831f0a5a48542861

SHA1
87565f7a5286d6385342ce4253415ae6ff835878

SHA256
7bf2707f064fcfe7b440982ff5b9dbbcea01e6d9354301dfe4a0030a7e5d7a7e

SHA512
e36f65ae6cef573bece6291e274811c65d514b32c7b10a1adcef9829cd27c3f8e62589e465753c35898050cb528c957ee53af019b5fd277e0d986bda25c89761

Download Submit
C:\Windows\SysWOW64\Fgcjfbed.exe

Filesize
89KB

MD5
8343ce2e6c44c3f971428af32f074323

SHA1
33619282a5ab75107a67f8df9769189ac217999a

SHA256
6929b6a96451a719f39bceb6af77e8ec30c24484899edffec9492dc2cd2e50e3

SHA512
64906b853cd3348117172dd6bd2384140299177236ec4752672617801d6f6bc34ac8f530e6a0cb6445fcac7115559842ddd194aa18c2433da645c6d915fb90e9

Download Submit
C:\Windows\SysWOW64\Fngcmcfe.exe

Filesize
89KB

MD5
6d00da7969b569c3bf9d6d1d52d15433

SHA1
7a2262caf8de7e5a845b6ed46fbaf798535a7b89

SHA256
9e859d9d64f3bfe9a4e870fae3dc096a7a02078b41b22d260bbdd6d3f15ed64e

SHA512
f37a622844c1b42cf66ade7fbc3c4774f8e783c9122d8913adc9418b893b3526b5a60b4845edc740ef7e97c8452003d328e3bdf277e774930617e71116a28bdf

Download Submit
C:\Windows\SysWOW64\Fnipbc32.exe

Filesize
89KB

MD5
0a1b90622739e8dd39a78ca372c8db38

SHA1
9244580601261b22a1cb86db93430f91df6d36ce

SHA256
0ea79425cf20cbc6a38e67047929c0b897121e219388f2dd128ba15e74790880

SHA512
e793ca021d1c0609e0190287a464edbde2371389db09bb0c7f761ad160100a004cc4ccad7ca3b03276d5fa89b22289dff305e997610bc187793238a0ba65bb60

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
89KB

MD5
8a327fc9c4d30c1eb68b2df806b72279

SHA1
baa76c38b23d0489faa2a768e21ca2d4c25945b3

SHA256
ed6729a88b2031876f59a3af66c21246a104cb47466e2d0f27c214f7cf2fe0e9

SHA512
c1a4c2efa9fc2b7c911e7ce29ccacc428f34a69a28dbdab9d8e7c6f62659354373496998eaa4f1d1866b77f4ec2ded648e87c736a7e4c8bd1519c815171205f5

Download Submit
C:\Windows\SysWOW64\Fpbflg32.exe

Filesize
89KB

MD5
4b3ae51ce8cd99e7a6badbdf1a87552f

SHA1
a67c5eafa18a0b4110f06a0f6e2a20b98655c6f2

SHA256
d09798d0fdabf2d4ad99d59ecb9e723b330bdc27e43ed4c0277f44b04df04711

SHA512
3d133dc1bacc58400d7ea2484cf4b1140b7d0cda76420456e62acfe2f1d795c063fc8450bf13df3aeaecb1ca9f285d8fbd1ba21d437b33940e6c8dfaf63db0b6

Download Submit
C:\Windows\SysWOW64\Geohklaa.exe

Filesize
89KB

MD5
941cbd25f1912d6d4f791d1f50f4bf46

SHA1
db19f1245e8f8002ded1ab5bbda6dd4b24747635

SHA256
75deec40c5c11b71f0a638e05e7ae779e2a10a4abc2ee77b36c335d127485d42

SHA512
cbcbff71ab9ad316d53df56d748d2eaa0808bd7bd23d0c053d279ce01777d3845ce93e5fa25b938e761409862024dabb1446b26f9e44d9c9142c80b580080f4f

Download Submit
C:\Windows\SysWOW64\Ggkqgaol.exe

Filesize
89KB

MD5
e89f6e4d643b9b1b01095dc8ca3bafaf

SHA1
70f95aef2b25193ed79477a3b28555988971ef8c

SHA256
a2c4c1fb311287c0555e422d2b0509ac231f4f796e13975545e883789f58cb5d

SHA512
f1a177861e644a8b5c2edd48b4f99aa7459f6518d5af36970b02e21c1e59eff0412836865138392bd8f3b951aa9aeca684c4b703b37473014b560096de8ae08e

Download Submit
C:\Windows\SysWOW64\Gldglf32.exe

Filesize
89KB

MD5
21191c13292fb1deb8666a138e5f8f15

SHA1
13b800bc6f955c56c530c2b393a66109b1723b1e

SHA256
024ee56384ae1b117b0af895a28ae0cbaa1184fd5bff34297c8c12681643d237

SHA512
4e5c80a9c522e9a3afc1f894c731c63a89369b97c86d199c035a871ba98c4408772d769786b336dab83ffbd4c2ce59feb0a4297b79be1dfd6cb1d1dc406ce48d

Download Submit
C:\Windows\SysWOW64\Hbnaeh32.exe

Filesize
89KB

MD5
eac94ec0fb1ffd26537ea1ee7e1ba7f9

SHA1
e10209c29975395275abf292e09abf6e711534fc

SHA256
9adcb9da13fc063f2bab83363c1a0c27819d02dadd0ff47860e1eee528d6f394

SHA512
4f3802ceda77763665eaf5a0720a207ba2197a48bca9c9c5ec286e98c523eff5127c5dfe7b50d7e660247a639bd9c145bfcab8cd069910ea95382737e1af0d99

Download Submit
C:\Windows\SysWOW64\Hbohpn32.exe

Filesize
89KB

MD5
8d56f73d501ddd38e0742bbdb5ce817e

SHA1
86109be031c96b3470de2238ce3b0724752a77c5

SHA256
5be93b720f2ae2dd9ad5b891a132f134fd4dc800dbb1c54259d05474a61b5793

SHA512
9367949bf00422c2374c4dc84069e9d74930038fb9883ecfcd880818d5e50ff5988409df026642ef1cfa4efead3008f68ad69173db8a19661cb74addcd291a24

Download Submit
C:\Windows\SysWOW64\Hmpcbhji.exe

Filesize
89KB

MD5
80c9a3351525a05a0ef329e8ba4b9d25

SHA1
5a482993c60eda4611e2ec8f3bf58cb53d19e6ef

SHA256
25aa8a0b1b4f9013b919eaa62e9c1ccefdfc101e9d0362024eb62c187dfd79c0

SHA512
f9a811feda417ad9db31b12516f4f27e5462728aaf15f3fa2a89df6f3a6994d988eb24180cda03aa06a74a84f826bdb472e18b0f3549314278068bb77c606a4b

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe

Filesize
89KB

MD5
560aeea26e3613398fb07ab21f6a0e92

SHA1
92fb529fb6ea6336e49cb52b41d0228d271bb325

SHA256
d1013afd7b2a445d4cd2f6bce6bf934b1bf8bbb7bda2bf5dc89b75fbd0705745

SHA512
00f1011acf4e5617c0153adee7bf3fa1dfd25c9eac2f6bbb201677002627171a6072f65d6be2a1549b8482164afbf86302d1a72dea1e6fe5314d47751edaa5b0

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
89KB

MD5
23eb5338dcd3d2a3bb2ff245b61afe3f

SHA1
5dd0249d77d46bb4ba601e9beb4f23726e4c525b

SHA256
6378681d8117d7dab9da2aa8bef6c65d10ca87701771207745a53eeffdc837e2

SHA512
5b80aedbef60a5df86f894575b720debb00b16f0f3798c4e6ca7bab43ca9b43192bfb9bcad323b093c239eed36084e3a15ae4c209c376bc2aac50e5026ea8bae

Download Submit
C:\Windows\SysWOW64\Iepaaico.exe

Filesize
89KB

MD5
c91b203231a268ca694f99a3aa89f186

SHA1
40407ca1c8021b303497007fae5a374b41546f7e

SHA256
1a3aa2581be0cc54dbe658d89bbf5b20ae2edf6b19282563631a4b9f8421ac7c

SHA512
655c43228f4f2386edbaa205b0378d545deb33e42545d239d24edf1457956957a900c83f11411327e9619292085b847ce0f35e4983a456f04457fcb8728b8aab

Download Submit
C:\Windows\SysWOW64\Imnocf32.exe

Filesize
89KB

MD5
10a2b9d0b82f4b976426cff8bc574316

SHA1
410c626bde1846e1dda58691f976463846308749

SHA256
3e488e70336716f3b1266693e511743c9c84dbfd59ed89605a1a63371f45ceec

SHA512
d7c52a73ab3cab740cd6d244d1c86fb702f9567b3337fe5a7e899dd05c21fd7859dfff2d90b506dda234c83d7eb5939b416cb9ed606a1fec850996ce6e09d9fc

Download Submit
C:\Windows\SysWOW64\Jcmdaljn.exe

Filesize
89KB

MD5
3ebcf73753b2c007f3fc7a849538f996

SHA1
0b96aef2215bf62ad83b66f2f8e244dcea5eae02

SHA256
f53b661262e7cc84ae1527f730aa352af7d5d2b826e40b62fbc768524ae52cba

SHA512
c0af9d8a11e3ded123ecbda442a7899ed2c8917cfffc89a3eb5adf301e6755bc75b165778edd7ce99701669db3e4cf6d491596688a1c716837d2d786a13bba12

Download Submit
C:\Windows\SysWOW64\Jlgepanl.exe

Filesize
89KB

MD5
e613e1050447b1b64e1688e47f1fde0c

SHA1
ab39e24a2cc418aec6542f121fc30a44488765ef

SHA256
48ac6a5bd52147fb2538afbe751985cb0c0bebcc215ae3eb0404a888502e406b

SHA512
43f6c66e5010f353f7850b6b3738de4ea1cb1bdca08124779922fba429b1ca7790e016a7ab903f8678313af31a8d5834d0406e2082f431d420251d3ba53d3118

Download Submit
C:\Windows\SysWOW64\Kgdpni32.exe

Filesize
89KB

MD5
f2dc1d7f8f42ceabbe1da7ba114befae

SHA1
67149760be9fb4ea555efc3c3c33ed8e031dda97

SHA256
1f9b7eaaa9d96c442522cff130bcd0a467d3ed2ebe9c4e1c8c76b2f4394a0b28

SHA512
d8c32afaf001afeb34d9c651a30c7c4f21395af578870d09d6dd09599d17903bb9ca242c583b3a3c808630bdfe8c00541f8e5455851cd067802c45602d9bf1b6

Download Submit
C:\Windows\SysWOW64\Kngkqbgl.exe

Filesize
89KB

MD5
547515b73d36a917b3ef7258c90369c4

SHA1
bf6548ec8cfc901a82743205ee3200e66013c7a1

SHA256
06026aeaedb99e210da286e4aab2dab20031641761b8c176faf2806436c4e145

SHA512
f95d12a70c3100babd6ad322309dfdd7135a533f182de5529bcb108e853383f741a60478991b9f92d4450dc4149bd8938f7021d180726f97863bad753138eeb6

Download Submit
C:\Windows\SysWOW64\Kofkbk32.exe

Filesize
89KB

MD5
0ab36276371285ba652d13efcb6975f4

SHA1
87d3b4606e0a0a757e42cf358236a12fd3259099

SHA256
a159ca24bbbe0fb9c4a85bd069593db7d34c88e015a06698b02789b10f35a100

SHA512
2fad9897f2d4c472eed17b0f43c4a81c9f4d377f0151c3edea44ce014e59124a839894ee353e6e2c16db9a28713e79a7e1a11a011d16a5ce69a22ccdad61600b

Download Submit
C:\Windows\SysWOW64\Kpanan32.exe

Filesize
89KB

MD5
9289029e0455d6923397246435b53f0a

SHA1
a4e03867fad2c46da96e6ead1eb3f41138b2561c

SHA256
d6d79d00785639fa6fbd9b380cbc690f0ac74f89007ce0f014f47e8febadb463

SHA512
3ef32894a0a0cd1036466339f1349e84cdea2db6220aedbaf197863a639fbc19cb8711dc5a7be8b07755bdf905dafb7c39e5facbd35e96cd9b48cb56060d17e1

Download Submit
C:\Windows\SysWOW64\Lcclncbh.exe

Filesize
89KB

MD5
4a8f413672dde5faf59093081c958b8b

SHA1
c8511b2b4f7b4b689ea0de1aae827f5a213128eb

SHA256
c1f14fbb3b15a0c484a4e52d4da2415c2c70680f394b6508235848e1587d6b6f

SHA512
b5ca799af1f432177b57c9a81aa19809d5c25fd65e9cacb697b7199955d25e32f21fc1d9e9a5298f2885e1775e0e7661dc5d071c1c74e559e2b6988e31cda7b8

Download Submit
C:\Windows\SysWOW64\Lnangaoa.exe

Filesize
89KB

MD5
8f6453c0c4818c5504944a123a17fb79

SHA1
c57b4a8f365882b39ddc8d6386002e5fc99e7dff

SHA256
a92a8dfed283668612568c1ab20ad176bacb8f1dd2e628a42499b89e38e42569

SHA512
d90dec7e55749f83f1b62792624711c646b328e9ff3111cdd191a3a84878c4e0baa37cc9e8bb7f9c1bc8799f0f8e3d55dcfa9895c44d56776be6eb947110a186

Download Submit
C:\Windows\SysWOW64\Lomjicei.exe

Filesize
89KB

MD5
0aa487543578fa64a8e3c565210e417a

SHA1
96b16853aaf481d2a524e5bc51461c7f28e39dfa

SHA256
f70cb7ba259b2797f24cd17cdee59a19da0dc19f9ae57497ce46a5fb126400a3

SHA512
de012922900828dfdeaee96aa4023289b97cb0733ea7e0095e8623f73fc6e46d445799c09108c49ad7481b2e4077d454e4e46020857374fc00fa4afa61173abb

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
89KB

MD5
43f539e5c8f7e377ea8220e77b13a291

SHA1
94a89836a856966b558c327921dd2b82614a020b

SHA256
97be3be568b55a0771272835325bd75ea4c436c61aee4dfa7b22aaa6926abe7b

SHA512
aa090fdc0bfc04ad34184c6f40a1f7af116f22479ece76c1a31f58cc4331ccae5bb9752f688a85e8f4ff068fe9d43221ebcbc10f185827ec259bbe89020a5cba

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
89KB

MD5
6b4810a1afec5b6ea15b1ab1436dae01

SHA1
b9f3ab1a8d88662929f408667474f78d22f32be5

SHA256
302d06680d88090e49829402f00632670de94590bb649fac0cbf785344cb4ffc

SHA512
58d3ff0a3ce77b3ace87595927e614c74025c0d18b88891a17d7e9cea9898dd35dbaed26dc15d2b5e1289b1bc4c15d5dfac83f726d1fe5a28a9d7be8bc4bb0dd

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
89KB

MD5
fca495b36db895242b0a3f2045a80739

SHA1
3d7c4cc17ac1a27d9975b01446469e519b6f2e3c

SHA256
ffa6045d268a64759ff85b0953ee85da91d0132426d486f68d3082e620649ef0

SHA512
da7cd2a8b0e95e24243e7c4d9d19d0e276b75b27492ca3e31627bda283b057dcd478c6e504dc5801a69308efb43c38ddc2c35c14b5cbe8d9d844835e71fcab22

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
89KB

MD5
2d3efe73789ce0b595077726b9182782

SHA1
bb89a8e94569e4ee79a049ffb4bff6e24ca43349

SHA256
93b8e45b50664f051e2378e175e87ec2b2e2fd0e7544b120ba8271cbe6743d89

SHA512
676e7c91b9d7c758f71866b47e098332090e72b70d979df1b23d62b8e4a688878f4a58be0b7b85c9e6b504e02a3169c56e2f81a13ccc3463e472d2d1c35f33f7

Download Submit
C:\Windows\SysWOW64\Mnegbp32.exe

Filesize
89KB

MD5
1af0d1743e3998ed81074b029067fbf1

SHA1
2f79fec134ef29b3d0bf58247cf2250677c45317

SHA256
4eec2375886a806907b0f61b2f6f5ffe71b152521e9e6d1b4c1787b4d081b9e5

SHA512
ee37216b53e01a3f737bb08bd9025cff85a8b1212c9ce31c396b9e21faaec0a68e08002685a3fd335df6612ade5134dabd9cab11dd863a8ce076f63220265aa1

Download Submit
C:\Windows\SysWOW64\Mpeiie32.exe

Filesize
89KB

MD5
932c996090666bddbcf4c711d4b54a41

SHA1
84c3b611f8e4e063910d9cb90333687245abeb73

SHA256
97057245a909f9d1d1f94d60ff82e0d1e2954f480f6cf748a114ac0f0363d7a1

SHA512
820f4fa62793bbaac97cbfbe53a9666ad856b3596e20a7958275dc83055bb22140fee0234f1b14836c14fc80605e70e75ee86d9810883ee0b793c80d99c7eb27

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
89KB

MD5
421d848c40a9aa632e2a4c58af7b32e6

SHA1
daa26c33c393bd7652b03e3ba81420441cdb7963

SHA256
ce073465b5400edd3b3cdb68b414182d31b500d568e0ec41a598db5fcdf859fa

SHA512
246e99ef6a5ec3b51e6880f1e9172a1c55e8de56557be3d065e76d88426240020b58171b9a526bc7eb77db6df3a6313be9f3e9f7dafff905de471e9243da02bd

Download Submit
C:\Windows\SysWOW64\Onocomdo.exe

Filesize
89KB

MD5
4a61b9f810051738c2c650a6aa05b9ef

SHA1
a7fecfb88ab720ae095c6b177ba2d00f07ed462b

SHA256
dc1f82b77d25d37d8dd70933a793c8f60635c04fc88c5dacc25f1be7043f8b63

SHA512
a10e5d2967c8f6773b144a615b5b66dc1d51c3df5874217975ce2e8f22686a2cfeff24cb2ea8db999ed6385b94bb4d5aad48a691f6e4c64c8d3172a71fe7dbc5

Download Submit
C:\Windows\SysWOW64\Oonlfo32.exe

Filesize
89KB

MD5
78c0e534c44492271ed81a34a8ff9f78

SHA1
6e866ce5b699247c9fa306c4cd61d04d9db7235e

SHA256
cb16cbafc42649e09a1d309bee02a2c04ee334d81c47136a48cd440f774c8d23

SHA512
9648c970a68218f611d38358824d5015083de5f790b83936e6b8327919dcdf8207449c30a1b50291705aeee35feb319f0ef4868c02d4ef8199c9c31fb4f1f3df

Download Submit
C:\Windows\SysWOW64\Opbean32.exe

Filesize
89KB

MD5
58f44c55dc2fe00ae07900c53a732f6c

SHA1
4dbc5600e49716e64b6813125a99a98ee2411f0e

SHA256
615435af9b12dce5c09e8e8b5a4c04ec6c04d57599afba7c8630e7b2ae842ea1

SHA512
58681d646c9165b808388763b23e0501e6fc6c2b2bfffbb221352d095c24f17b4f6a4bd39dfbdc595ae93d8721fc16ee14fbfe17001766768c0fbe1fd8c52ece

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
89KB

MD5
68d29d3e69b12a1d726e3bd214344a4f

SHA1
37f990cf8d122d9d2ceacb86c2ce19f991bc8265

SHA256
ce60909b65ff02c1cf42c4f40c05635452ae2d7cfc1bc8f1c18771472b0766fe

SHA512
8f232d3cbd26020fd614c7bc98e22980780839d821735b1a12ed87d89735b8aa9d7086be47288a200637c14acb1d4831787f38d830f5dba422e613d40f8d2a75

Download Submit
memory/228-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/228-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/524-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/524-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/944-398-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1096-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1132-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1156-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1156-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1212-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1212-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1280-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1280-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1432-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1676-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1676-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1820-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1860-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2724-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2916-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-384-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3360-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3852-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3896-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3896-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3972-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3976-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4108-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4108-64-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4180-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4180-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4408-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4408-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4432-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4552-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4552-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4608-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4620-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4620-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4876-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4912-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4968-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads