7a724e8d39d17513e7eb360267882e9950cdac8153aa4455a85825753c74f66c

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a724e8d39d17513e7eb360267882e9950cdac8153aa4455a85825753c74f66c.exe
Size

80KB
MD5

6472b12f6a9b46ceadc7eaf207a7c710
SHA1

2339717cb74d7ea0d91574d225734b968f836282
SHA256

7a724e8d39d17513e7eb360267882e9950cdac8153aa4455a85825753c74f66c
SHA512

68f3b3dc83c1dfe8b52822d168f5d1d31f6cb5b857f5f70d64f90381b6c4aec1fa04c8d51e997a6ca9cf8a40b8fc1d63f105e5d64e5cc94a524ddb8f18bfd3af
SSDEEP

1536:Xs6FFAy0FQfk3Np/maJMBV5YMkhohBE8VGh:X9FAyy7abRUAEQGh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpgind32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjjbjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeandma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjblje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibfnqmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Geaepk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgjndno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcmdaljn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmgelf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gncchb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhdkknd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlnjbedi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcnpn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfhgkmpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnegbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okkdic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifcgion.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdnbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeandma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmojkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlnjbedi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifomll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaekqhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjjbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanfen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpkibf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqhdbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omqmop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiahnnph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffqhcq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hedafk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqkqhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiahnnph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iipfmggc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiloco32.exe

Executes dropped EXE 64 IoCs

pid	Process
4940	Nnfgcd32.exe
460	Neclenfo.exe
3768	Oeehkn32.exe
2772	Omqmop32.exe
1408	Oanfen32.exe
3604	Ojgjndno.exe
3376	Ojigdcll.exe
2492	Okkdic32.exe
2088	Poimpapp.exe
2928	Pmoiqneg.exe
2676	Dhclmp32.exe
4904	Dijbno32.exe
3880	Eiloco32.exe
3844	Ebdcld32.exe
316	Ekmhejao.exe
2124	Eiahnnph.exe
3556	Efeihb32.exe
3152	Eejeiocj.exe
3564	Feoodn32.exe
1624	Fmhdkknd.exe
3428	Ffqhcq32.exe
988	Ffceip32.exe
4716	Fpkibf32.exe
5036	Gmojkj32.exe
3972	Gncchb32.exe
2576	Gmdcfidg.exe
5004	Gnepna32.exe
5060	Gikdkj32.exe
3548	Geaepk32.exe
3948	Gpgind32.exe
4168	Hedafk32.exe
3832	Hlnjbedi.exe
4956	Hfcnpn32.exe
1212	Hmmfmhll.exe
1000	Hffken32.exe
4164	Hlbcnd32.exe
3476	Hfhgkmpj.exe
4784	Hifcgion.exe
1780	Hbohpn32.exe
1856	Hmdlmg32.exe
3952	Ifmqfm32.exe
1948	Iliinc32.exe
1232	Ifomll32.exe
4400	Illfdc32.exe
4476	Ibfnqmpf.exe
4344	Iipfmggc.exe
2908	Ipjoja32.exe
3560	Iidphgcn.exe
1224	Jcmdaljn.exe
1112	Jpaekqhh.exe
5108	Jgkmgk32.exe
3004	Jofalmmp.exe
876	Johnamkm.exe
1844	Jinboekc.exe
1256	Jedccfqg.exe
4840	Kpjgaoqm.exe
3504	Kjblje32.exe
1368	Kpmdfonj.exe
4128	Kodnmkap.exe
3488	Kjjbjd32.exe
5048	Lqhdbm32.exe
4908	Lgbloglj.exe
3372	Lqkqhm32.exe
4952	Lmdnbn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgnlkfal.exe	Mnegbp32.exe
File opened for modification	C:\Windows\SysWOW64\Nggnadib.exe	Mfhbga32.exe
File created	C:\Windows\SysWOW64\Ofkgcobj.exe	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Ppolhcnm.exe	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Fpkibf32.exe	Ffceip32.exe
File created	C:\Windows\SysWOW64\Kjblje32.exe	Kpjgaoqm.exe
File created	C:\Windows\SysWOW64\Efeihb32.exe	Eiahnnph.exe
File created	C:\Windows\SysWOW64\Hdbplg32.dll	Fpkibf32.exe
File created	C:\Windows\SysWOW64\Fpejkd32.dll	Gncchb32.exe
File created	C:\Windows\SysWOW64\Jinboekc.exe	Johnamkm.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Bmeandma.exe
File opened for modification	C:\Windows\SysWOW64\Omqmop32.exe	Oeehkn32.exe
File opened for modification	C:\Windows\SysWOW64\Oanfen32.exe	Omqmop32.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Ldldehjm.dll	Hedafk32.exe
File opened for modification	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mmkdcm32.exe
File created	C:\Windows\SysWOW64\Lfebfnqn.dll	Gpgind32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmfmhll.exe	Hfcnpn32.exe
File opened for modification	C:\Windows\SysWOW64\Gmojkj32.exe	Fpkibf32.exe
File opened for modification	C:\Windows\SysWOW64\Gmdcfidg.exe	Gncchb32.exe
File opened for modification	C:\Windows\SysWOW64\Pdenmbkk.exe	Pnifekmd.exe
File opened for modification	C:\Windows\SysWOW64\Aphnnafb.exe	Ahmjjoig.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Chfhllkp.dll	Hlnjbedi.exe
File opened for modification	C:\Windows\SysWOW64\Kpmdfonj.exe	Kjblje32.exe
File created	C:\Windows\SysWOW64\Hlnjbedi.exe	Hedafk32.exe
File opened for modification	C:\Windows\SysWOW64\Ifomll32.exe	Iliinc32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpcdg32.exe	Lncjlq32.exe
File opened for modification	C:\Windows\SysWOW64\Ofkgcobj.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Kmephjke.dll	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Ebjkfjbc.dll	Omqmop32.exe
File created	C:\Windows\SysWOW64\Igpoaebh.dll	Poimpapp.exe
File created	C:\Windows\SysWOW64\Jedccfqg.exe	Jinboekc.exe
File created	C:\Windows\SysWOW64\Qmfqknfm.dll	Lqkqhm32.exe
File created	C:\Windows\SysWOW64\Ifolcq32.dll	Mcpcdg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoiqneg.exe	Poimpapp.exe
File opened for modification	C:\Windows\SysWOW64\Efeihb32.exe	Eiahnnph.exe
File created	C:\Windows\SysWOW64\Iidphgcn.exe	Iibccgep.exe
File created	C:\Windows\SysWOW64\Mnjqmpgg.exe	Mmkdcm32.exe
File created	C:\Windows\SysWOW64\Dddjmo32.dll	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Poimpapp.exe	Okkdic32.exe
File opened for modification	C:\Windows\SysWOW64\Ebdcld32.exe	Eiloco32.exe
File created	C:\Windows\SysWOW64\Ikgbdnie.dll	Ibfnqmpf.exe
File created	C:\Windows\SysWOW64\Fgeaiknl.dll	Kpmdfonj.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Cdmfllhn.exe
File opened for modification	C:\Windows\SysWOW64\Neclenfo.exe	Nnfgcd32.exe
File opened for modification	C:\Windows\SysWOW64\Hbohpn32.exe	Hifcgion.exe
File created	C:\Windows\SysWOW64\Mqkiok32.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Hiebgmkm.dll	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Lgbloglj.exe	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Imnbiq32.dll	Mnegbp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqbpojnp.exe	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Fidhnlin.dll	Pccahbmn.exe
File created	C:\Windows\SysWOW64\Gnepna32.exe	Gmdcfidg.exe
File created	C:\Windows\SysWOW64\Hohahelb.dll	Hfhgkmpj.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Bdmmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Cdmfllhn.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Dgegjnih.dll	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Kioghlbd.dll	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Kghfphob.dll	Iidphgcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5580	5960	WerFault.exe	204

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgjndno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iliinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iipfmggc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiebgmkm.dll"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Poimpapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmhdkknd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnlkfal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hponje32.dll"	Ojigdcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcnpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifomll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbloglj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll"	Okkdic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eiahnnph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmqfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpopokm.dll"	Feoodn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekfjcc32.dll"	Iliinc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Illfdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll"	Iibccgep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidphgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olieecnn.dll"	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglpdp32.dll"	Kpjgaoqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggnadib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpkibf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbohpn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll"	Phcgcqab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmjlphl.dll"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmenh32.dll"	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofpnmakg.dll"	Efeihb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmmfmhll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjblje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minqeaad.dll"	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglbla32.dll"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfookdli.dll"	Nnfgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffqhcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobfelii.dll"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmlme32.dll"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keldkigj.dll"	Oanfen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Geaepk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Johnamkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmdfonj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdpachh.dll"	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekmhejao.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 4940	1312	7a724e8d39d17513e7eb360267882e9950cdac8153aa4455a85825753c74f66c.exe	90
PID 1312 wrote to memory of 4940	1312	7a724e8d39d17513e7eb360267882e9950cdac8153aa4455a85825753c74f66c.exe	90
PID 1312 wrote to memory of 4940	1312	7a724e8d39d17513e7eb360267882e9950cdac8153aa4455a85825753c74f66c.exe	90
PID 4940 wrote to memory of 460	4940	Nnfgcd32.exe	91
PID 4940 wrote to memory of 460	4940	Nnfgcd32.exe	91
PID 4940 wrote to memory of 460	4940	Nnfgcd32.exe	91
PID 460 wrote to memory of 3768	460	Neclenfo.exe	92
PID 460 wrote to memory of 3768	460	Neclenfo.exe	92
PID 460 wrote to memory of 3768	460	Neclenfo.exe	92
PID 3768 wrote to memory of 2772	3768	Oeehkn32.exe	93
PID 3768 wrote to memory of 2772	3768	Oeehkn32.exe	93
PID 3768 wrote to memory of 2772	3768	Oeehkn32.exe	93
PID 2772 wrote to memory of 1408	2772	Omqmop32.exe	94
PID 2772 wrote to memory of 1408	2772	Omqmop32.exe	94
PID 2772 wrote to memory of 1408	2772	Omqmop32.exe	94
PID 1408 wrote to memory of 3604	1408	Oanfen32.exe	95
PID 1408 wrote to memory of 3604	1408	Oanfen32.exe	95
PID 1408 wrote to memory of 3604	1408	Oanfen32.exe	95
PID 3604 wrote to memory of 3376	3604	Ojgjndno.exe	96
PID 3604 wrote to memory of 3376	3604	Ojgjndno.exe	96
PID 3604 wrote to memory of 3376	3604	Ojgjndno.exe	96
PID 3376 wrote to memory of 2492	3376	Ojigdcll.exe	97
PID 3376 wrote to memory of 2492	3376	Ojigdcll.exe	97
PID 3376 wrote to memory of 2492	3376	Ojigdcll.exe	97
PID 2492 wrote to memory of 2088	2492	Okkdic32.exe	98
PID 2492 wrote to memory of 2088	2492	Okkdic32.exe	98
PID 2492 wrote to memory of 2088	2492	Okkdic32.exe	98
PID 2088 wrote to memory of 2928	2088	Poimpapp.exe	99
PID 2088 wrote to memory of 2928	2088	Poimpapp.exe	99
PID 2088 wrote to memory of 2928	2088	Poimpapp.exe	99
PID 2928 wrote to memory of 2676	2928	Pmoiqneg.exe	100
PID 2928 wrote to memory of 2676	2928	Pmoiqneg.exe	100
PID 2928 wrote to memory of 2676	2928	Pmoiqneg.exe	100
PID 2676 wrote to memory of 4904	2676	Dhclmp32.exe	101
PID 2676 wrote to memory of 4904	2676	Dhclmp32.exe	101
PID 2676 wrote to memory of 4904	2676	Dhclmp32.exe	101
PID 4904 wrote to memory of 3880	4904	Dijbno32.exe	102
PID 4904 wrote to memory of 3880	4904	Dijbno32.exe	102
PID 4904 wrote to memory of 3880	4904	Dijbno32.exe	102
PID 3880 wrote to memory of 3844	3880	Eiloco32.exe	103
PID 3880 wrote to memory of 3844	3880	Eiloco32.exe	103
PID 3880 wrote to memory of 3844	3880	Eiloco32.exe	103
PID 3844 wrote to memory of 316	3844	Ebdcld32.exe	104
PID 3844 wrote to memory of 316	3844	Ebdcld32.exe	104
PID 3844 wrote to memory of 316	3844	Ebdcld32.exe	104
PID 316 wrote to memory of 2124	316	Ekmhejao.exe	105
PID 316 wrote to memory of 2124	316	Ekmhejao.exe	105
PID 316 wrote to memory of 2124	316	Ekmhejao.exe	105
PID 2124 wrote to memory of 3556	2124	Eiahnnph.exe	106
PID 2124 wrote to memory of 3556	2124	Eiahnnph.exe	106
PID 2124 wrote to memory of 3556	2124	Eiahnnph.exe	106
PID 3556 wrote to memory of 3152	3556	Efeihb32.exe	107
PID 3556 wrote to memory of 3152	3556	Efeihb32.exe	107
PID 3556 wrote to memory of 3152	3556	Efeihb32.exe	107
PID 3152 wrote to memory of 3564	3152	Eejeiocj.exe	108
PID 3152 wrote to memory of 3564	3152	Eejeiocj.exe	108
PID 3152 wrote to memory of 3564	3152	Eejeiocj.exe	108
PID 3564 wrote to memory of 1624	3564	Feoodn32.exe	109
PID 3564 wrote to memory of 1624	3564	Feoodn32.exe	109
PID 3564 wrote to memory of 1624	3564	Feoodn32.exe	109
PID 1624 wrote to memory of 3428	1624	Fmhdkknd.exe	110
PID 1624 wrote to memory of 3428	1624	Fmhdkknd.exe	110
PID 1624 wrote to memory of 3428	1624	Fmhdkknd.exe	110
PID 3428 wrote to memory of 988	3428	Ffqhcq32.exe	111

C:\Users\Admin\AppData\Local\Temp\7a724e8d39d17513e7eb360267882e9950cdac8153aa4455a85825753c74f66c.exe
"C:\Users\Admin\AppData\Local\Temp\7a724e8d39d17513e7eb360267882e9950cdac8153aa4455a85825753c74f66c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\Nnfgcd32.exe
  C:\Windows\system32\Nnfgcd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\Neclenfo.exe
    C:\Windows\system32\Neclenfo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Windows\SysWOW64\Oeehkn32.exe
      C:\Windows\system32\Oeehkn32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Windows\SysWOW64\Omqmop32.exe
        
        C:\Windows\system32\Omqmop32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\Oanfen32.exe
        
        C:\Windows\system32\Oanfen32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Ojgjndno.exe
        
        C:\Windows\system32\Ojgjndno.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ojigdcll.exe
        
        C:\Windows\system32\Ojigdcll.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Okkdic32.exe
        
        C:\Windows\system32\Okkdic32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Poimpapp.exe
        
        C:\Windows\system32\Poimpapp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Pmoiqneg.exe
        
        C:\Windows\system32\Pmoiqneg.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Dijbno32.exe
        
        C:\Windows\system32\Dijbno32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Eiloco32.exe
        
        C:\Windows\system32\Eiloco32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Ebdcld32.exe
        
        C:\Windows\system32\Ebdcld32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Ekmhejao.exe
        
        C:\Windows\system32\Ekmhejao.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Efeihb32.exe
        
        C:\Windows\system32\Efeihb32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Eejeiocj.exe
        
        C:\Windows\system32\Eejeiocj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Feoodn32.exe
        
        C:\Windows\system32\Feoodn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Fmhdkknd.exe
        
        C:\Windows\system32\Fmhdkknd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Ffqhcq32.exe
        
        C:\Windows\system32\Ffqhcq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Ffceip32.exe
        
        C:\Windows\system32\Ffceip32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\Fpkibf32.exe
        
        C:\Windows\system32\Fpkibf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4716
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\Gmdcfidg.exe
        
        C:\Windows\system32\Gmdcfidg.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        28⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Gikdkj32.exe
        
        C:\Windows\system32\Gikdkj32.exe
        29⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Gpgind32.exe
        
        C:\Windows\system32\Gpgind32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Hedafk32.exe
        
        C:\Windows\system32\Hedafk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\Hfcnpn32.exe
        
        C:\Windows\system32\Hfcnpn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Hmmfmhll.exe
        
        C:\Windows\system32\Hmmfmhll.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Hffken32.exe
        
        C:\Windows\system32\Hffken32.exe
        36⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        37⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Hifcgion.exe
        
        C:\Windows\system32\Hifcgion.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\Hbohpn32.exe
        
        C:\Windows\system32\Hbohpn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Hmdlmg32.exe
        
        C:\Windows\system32\Hmdlmg32.exe
        41⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\Ifmqfm32.exe
        
        C:\Windows\system32\Ifmqfm32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Iliinc32.exe
        
        C:\Windows\system32\Iliinc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Ibfnqmpf.exe
        
        C:\Windows\system32\Ibfnqmpf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ipjoja32.exe
        
        C:\Windows\system32\Ipjoja32.exe
        48⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        49⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Iidphgcn.exe
        
        C:\Windows\system32\Iidphgcn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Jcmdaljn.exe
        
        C:\Windows\system32\Jcmdaljn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        53⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Johnamkm.exe
        
        C:\Windows\system32\Johnamkm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Jedccfqg.exe
        
        C:\Windows\system32\Jedccfqg.exe
        57⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\Kpjgaoqm.exe
        
        C:\Windows\system32\Kpjgaoqm.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Kjblje32.exe
        
        C:\Windows\system32\Kjblje32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Lqkqhm32.exe
        
        C:\Windows\system32\Lqkqhm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Lmdnbn32.exe
        
        C:\Windows\system32\Lmdnbn32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        67⤵
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\Mcpcdg32.exe
        
        C:\Windows\system32\Mcpcdg32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Mgnlkfal.exe
        
        C:\Windows\system32\Mgnlkfal.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        72⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        74⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        75⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        76⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        79⤵
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        80⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        81⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        85⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        87⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        90⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        95⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        98⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        103⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        105⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        108⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        111⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        112⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        114⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 400
        115⤵
        Program crash
        
        PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5960 -ip 5960
1⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adkqoohc.exe

Filesize
80KB

MD5
ad47d8ddf9176eaa10997bba68583328

SHA1
d58cf12d7f517fc420dcf91604723c35e001f28a

SHA256
00a4f7336ea5ee898fcd7d6862699e975e7c67c14eb2f01ba8541b9f794f19e3

SHA512
03ae7d10775d1ec619f6229365292172d0854bdef45ce13764ca42dc5b5a9f5996920c2513d36cf19ca11a45e8772ab8e1c51f26e7b9b7f9491ad1b269394563

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
80KB

MD5
fa0cd9499adb51d098456cf846bcf949

SHA1
4c16d9f40c71d6486b15e8bc2413d2ebdbe90947

SHA256
987a22c2867cd43139b7d780f69d579568a66350c729131888f0a06cc59a3413

SHA512
b0ccb5e59e64accef36c2115a39a9c12ec7e23bb605a171af3cb0011872bfeb9c925ea21ed86e8858770d211fbe65270c0e13157f43262be70352e1f9c799281

Download Submit
C:\Windows\SysWOW64\Bmeandma.exe

Filesize
80KB

MD5
1094365d66e3ed9e2dd0b1c2d6d90ef3

SHA1
a9fa16d7f172f11ff134d881b791ab0eb50133b9

SHA256
7fe30806041adc5cf059ad2373825a982a30fbb0014891c1addae3952cd3a657

SHA512
9f8d65f0f17fbe3faa2d0dd975f68b76d1b8ec4568a9f12e9a5d79a456eee5b88bdfa2f34c3165435a21fdb42938ee2ec98ed082ad4994021c5f85cc5e3e3992

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
80KB

MD5
7efa878395ac276674cca514851d2c93

SHA1
7b4fa1f8ad7b124f68b4a384fcc323dca57ed790

SHA256
7cc4cf5d4c82e0a0da7db3d4c4fd81ce1a8ca7f8050cb0e80fe2ee8bd8b20239

SHA512
876929d3a4a05f47955abd30c5aa0bce59d97b6f75637f7343f11132fe3d34854451c0053edfc7924c3b0b1592d801ce348a2d657d687798664f1cfc10c4bcd9

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
80KB

MD5
9b8bb60b5f348c55056746f77b1d9248

SHA1
af6af77fd08f9eab666274f648fcf0fb6ab981ba

SHA256
84101173849d180f1ed4391b77697446991d87e1cbbcefcfea9ecd00d56b9a6c

SHA512
66104b37a01afcdf910026720b456f3efcd684d599ac365ad1df83c421539293afaa0ac6be4adfc8922f98acd4dc4b0f004ef231ba4c9f7ca55d86a857b0a3d7

Download Submit
C:\Windows\SysWOW64\Dhclmp32.exe

Filesize
80KB

MD5
c0d0bcb7587999a11bb8a3bec148a256

SHA1
5cc4a0b0a37fbc279d2c8df9f0de43c6e764cba7

SHA256
8eae911dabeeec7c1e37e37cab4f0e83675e9c407daf6874c8f92ed976352a0b

SHA512
30d7df426e59107ac5523c4d1ea99595db5fe0ea33659b7f48d2e02e9e2f1abf90840692d6a6f0faacce38487b2c5fb837d9862d4e205b8a5b2ca19306cba8aa

Download Submit
C:\Windows\SysWOW64\Dijbno32.exe

Filesize
80KB

MD5
aa6d4d23f6ae11437f26fda293ca9345

SHA1
c350981349421384159a9ed1eb3e4ad4b60bcca3

SHA256
537df8d4b017d3e35dee343ea95bc6be5470ffd3616a187bc67b19ed7cf605d6

SHA512
45cc951d86bd5ca86c2d5d70f8457d6586fc1d09a7254d5e5e16dcd1cc0338a7527be229eafdd1100665406ff3e22ffea3153f2a3e06d46e320678442a5b598c

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
80KB

MD5
2c02555b9506b25efbdf86885bebc248

SHA1
ac7b7ea51ccf19e8938dd4fc59490890fe72ddc7

SHA256
6a343d7e4fb0d125dff6d4f782ee69501cd0ade2ccbc94b63ef38fa6ee8d8305

SHA512
9d20208baa589d600692020772f2016155f6daf3d6802aeb55fa0ea47cbc222e8cc93a51afe1e5f1e6e6df19f8fa0c80b123e8aa3751abb44ebacfc8d82e897f

Download Submit
C:\Windows\SysWOW64\Ebdcld32.exe

Filesize
80KB

MD5
9c0101df2a20ef00abed4a597aa8ef7c

SHA1
fc87a073341fa60b3b830469540978817d28a215

SHA256
a588af5dc330c4878b89178e654c392f30dac3fe5f092e87e232b6bd4b709866

SHA512
1684343786aab36777d642ee5654f47cb9d41f9be511f585023245a5f6fedbdd5d87dedd92f00f617d4a53d15e7ae0097089c4596ba2c955e12e78ca33a1f04e

Download Submit
C:\Windows\SysWOW64\Eejeiocj.exe

Filesize
80KB

MD5
e8f4e60147f5fec40a484fb649a0b647

SHA1
dd752ecb819582d948a9cc9fc05cea49b042934f

SHA256
f1adae765cea762e961c1b4e731c8c3e83e9020a61e304c8100af0abeae1cb64

SHA512
6de104b45375c58218d0c18fb6ab1852bfd1c8a81197134c7ab59644a61e6e02a6c188d39ee0ba5aed04a76a36714f32877b152d6b5467587115bdff807c834e

Download Submit
C:\Windows\SysWOW64\Efeihb32.exe

Filesize
80KB

MD5
4d2d5b478d2e74082b4fc6a42c00ea3d

SHA1
14b2398a293f89c20b2a415eaddfbdc7cc427ee8

SHA256
c87b780a575653068093b24e22c315b6b4f1650635b9bf013481858d2687ebe8

SHA512
11cd01ecbac394d02345977b8bfb9cae6ba0e9621f751f8572e9ba896c3e7a15fdb0417e49f90436310566ea37f8a96d64b9050e3eb26ff8aa0176daf4bc1c67

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
80KB

MD5
d0c14d2651a2518bc0f86cf31d2a07be

SHA1
fd43888ab317045863b2ede0a26e5e3c192959a6

SHA256
39831e0d8880a02b492938f2dea4e57a423df6780f841138ff5fd72cdece03e3

SHA512
9e63e136e28bfc2f08daf3f1b45337563b28444a82d06df5555e662916cb8ea46b9ba45887370a61329819b22d4ee2e58d006f9c600200e2f89f39c52def3146

Download Submit
C:\Windows\SysWOW64\Eiloco32.exe

Filesize
80KB

MD5
84cbd5164c2e67e7bdf9f12747aae00e

SHA1
8928432ced43be4eea0849d398dbafbe849a87ac

SHA256
b67a4662d672a9ae64afe43db18177c30feea682fba8e422bda04e2276fb766e

SHA512
578058039f7114aba0938109f691627495e07ac98497a794426375291bb736dbc72df329a9e3e3d3d35c283010e0dcbdf07f38ef7047f37fa13cabccf2cd41cd

Download Submit
C:\Windows\SysWOW64\Ekmhejao.exe

Filesize
80KB

MD5
d7c76ea86c4b13350d27c8796d612a80

SHA1
fc42da98f4c774fa8ddd21489bb48ab0826a8d01

SHA256
402ae723b7a8449fc38841146e6026cbae26f9ea355f349de53f8e38b6f2f69e

SHA512
a75bac9d170d937ffa0236a112166d7b39ca416aa401dfba3031adb2e27c7f7bb53ecbcad9b13331c6c4ee4a0e0c68e1ac1d7370decb9e5c29a5edd1a8a253f4

Download Submit
C:\Windows\SysWOW64\Feoodn32.exe

Filesize
80KB

MD5
3f868b10025f384700f7dce061d94f02

SHA1
b9894ad782ae710a434a6f2d04d8de3912f8da56

SHA256
27a0366d50ccf784a7701677cb5e09f635f7d20a232a8de0e645c96842848492

SHA512
0725cbd1ade971bc0e4d62a9fdba8b12dcfc1d5d79357f8de9254d8bc18d9928f51cf685b08e73270c690fc5658bfade170d85cfff4f593a61db49b8ab7cfbc3

Download Submit
C:\Windows\SysWOW64\Ffceip32.exe

Filesize
80KB

MD5
5d007184ebc485936aab6cef5214a58a

SHA1
41382b694ef0ba50f891a3034ee4cd6a21eeaca8

SHA256
fcc876abed462f88377b2e9f842e5aa19eb2540dec99f6cfa46d822f7c69734c

SHA512
391b543dbb0c7452c204f6f90c92357474f08a371a1d365c1013100c0b6760a069331d9eb0c507c0ea6ae1493f51ff8203dd0b414995f9c91cd9d9d7bd90e824

Download Submit
C:\Windows\SysWOW64\Ffqhcq32.exe

Filesize
80KB

MD5
ce9c15d43e06c7d725234b876b4f8755

SHA1
f0246e2022d89a1d48bc86ec61a15694bde5a24b

SHA256
79c95123d1eabf4d0e35d2e932b0c20a43097ba9f3b54117fe8ff6aea5d58e79

SHA512
d27630dbb20a576d5e3f71beea884c09b2e58f10b8bdea5e54978769247989062e956f160178a05af9d9e19fccc38befd5e04ce371d5d8a146127acda8cefc3a

Download Submit
C:\Windows\SysWOW64\Fmhdkknd.exe

Filesize
80KB

MD5
e88c83000ed0044ca3d4001b960e588e

SHA1
cd474573e91028661dc93ef2f55ea2472c0cc9f8

SHA256
ff4cb41d682b304f5eaae1e79f504173159502001569d96f2f8488b10ea8be96

SHA512
551dd829c1cbee85734e562e14ce90e5b66280f3df68833003a90b3782d5c6b4f09ee968221769e1cf01d4d429584383f5c03fc785bdc2e48492559178fcd785

Download Submit
C:\Windows\SysWOW64\Fpkibf32.exe

Filesize
80KB

MD5
16fa40baa4c2cd721ffdc63e48b94dd4

SHA1
0621abd91acead88757c4a54d28d3c80c6256547

SHA256
1f50396a8b0235e1da34f5413f6ef33191691266b493470337eb0de533523bfd

SHA512
45553a077978b8c9650e086dc6f7065329f6f5668afc808e323e9c71429cad2a5a4c1a8bae53e7f30f51dd198cefa0b950aa3d0e466bce62f571a8e7ba082984

Download Submit
C:\Windows\SysWOW64\Geaepk32.exe

Filesize
80KB

MD5
38e8f6bb43ab0207f04336535eb19896

SHA1
84d281e0db3adf68ac0bdaf579a77c680f22687e

SHA256
5afb905109f5112deffdfdce5f3e28b3058f1793bb80f7fe9916fdf739bc7c97

SHA512
91eca9730327dfc6b5dbe642ea7ee3843d7ac6e0d7b9d0db18c1fafe93420a47e265c66ec691cb43e4390d0740e1fc3370a4a0c1c8bb7f3310c3b56ed8c29b29

Download Submit
C:\Windows\SysWOW64\Gikdkj32.exe

Filesize
80KB

MD5
f0179ddcc9c628f507972317fede1550

SHA1
b256299ad2adf9a60fc56b564a98284f51fae785

SHA256
a69d221786607bac963bf1220e7da90d77e01715582c80bc18bd1c129b9df3fb

SHA512
8248706e3d7232753187a7a3aaa99774c3dcbf912b1676c4f0c8e5f0c4ebb5d83e6eca7886a83cc2fd4ddc69a92374a6c193f1c238ba5f22bd676dee774f34f7

Download Submit
C:\Windows\SysWOW64\Gmdcfidg.exe

Filesize
80KB

MD5
2e580cc6895ddd6d3c7fc910e23b7d67

SHA1
517d2c3511c325e43a8d04193ac800dd1c2114a3

SHA256
eafbe492d63bcd3e7680eb6e8855116c3344d23394d3fc174eb2531010c7d502

SHA512
814b1794e6a72c9338e9db57fca9e2eaa9e4f7c953292beff5dd76ede23efc946d4ca1fcd275d7e4b3f5e1cc58a2b86499698ac7044f168a2559ba44ed022f44

Download Submit
C:\Windows\SysWOW64\Gmojkj32.exe

Filesize
80KB

MD5
7fc55670244bb945c4f9bc957e6110b9

SHA1
5fe6e3a0aefcdc18ee4e7ed3deabc59cc473173d

SHA256
799b0ca5ddaec9ca66e2d983dc94e9138261b65094a614fcee5ab4ad9353179a

SHA512
1b4cabde56cfcfec288acd23caaae4cab61f01965c1dc33938d3da89fa832b62cce1f316ef4e169de4b12a1ce267622890c5289222fc95c587d1f048253bb749

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
80KB

MD5
4533bb56b814bd5cffc05b5cba924132

SHA1
3d5f0c1b49afd02ab237dea5dc18c81e76a91fb7

SHA256
8ff3f6cef20dcb22ae96dd6ec27d8905b47f18f2c1ff23345f150890848755b3

SHA512
3716434d66acd54852d1df1331e4dd036231a11331180188463d16163cb251dce18ec7c4e3b52a3a622451ffca53a9745a2654cc9a1602e059a84b8cd74ff65c

Download Submit
C:\Windows\SysWOW64\Gnepna32.exe

Filesize
80KB

MD5
4c92470da4040cf447a8ac50f8a1ab22

SHA1
47ffd383562d150b7349038840ddca7002a463b7

SHA256
468311162e3ac22c91da07e2dbb7900880f1309cd301ccc0e24a40321ab1c01a

SHA512
96d7b682248619f7a2f3986baa5e1d670441cd112751cc06d2f9bc03202a21252a81ca10cbba8c7cb9d4e233dce3bc6027d620bc839d695d0083f371b0fc62ad

Download Submit
C:\Windows\SysWOW64\Gpgind32.exe

Filesize
80KB

MD5
753faeb9946f604f253edaf45219a7d2

SHA1
0eef4769d936a36fce09ca79d78f87cbecf68a28

SHA256
067b4a96aa8e488b01a84e21374ef4b0050a9c87bc2a77c367c9a8a3a0a3de84

SHA512
e7e6d706fc5a49e8db8c02333817eb19799651c2ba8dc5a4c52a535d983fbe45d099cd341877867c10a2e4d34fc7d4c2c218f67a5e9347d7e667432db24a9678

Download Submit
C:\Windows\SysWOW64\Hedafk32.exe

Filesize
80KB

MD5
50421413bc2a40425ec578cfe0891f3c

SHA1
9adf2a8c80c1eb0d6bb5862469b6131ec52714d9

SHA256
9a96e0a0c43feb96fdb392e98dce6258063e5edd120ae9dd1b674d06d8820c18

SHA512
b1ab46cad1683ab92f2ef86f76fca7faf3846a8cd6df3a163570609920a8543cb3a7f86fa61f50bcce41ca35551b9f6cc81551d339f99d2e31f0357fb3c95bb1

Download Submit
C:\Windows\SysWOW64\Hffken32.exe

Filesize
80KB

MD5
6fa1ca450db2907af5cf4baa57b44540

SHA1
907390572cb31149fdfcad0aff810d15947369a9

SHA256
e0af5612064c91cdfd2c54fd52a7a5f019fb25ff083600eef7895bdf7b142377

SHA512
7fa04c5b9188d506bb7dfc910493ee72ad5f0bac2109c6827d206d11660e734993d74def57b7aeb474cb9d677ad522e127a3234ae1f0d72ba7ae1fd2b36c551f

Download Submit
C:\Windows\SysWOW64\Hifcgion.exe

Filesize
80KB

MD5
97a74d0eeb18a7301e7b252e47455503

SHA1
5522ea7b0eafacdd240fb13230eef5d9217afc9c

SHA256
1f4a947bb7d5eaaa856f0fc2fe402f8e2b90c1c4a652fbf07ad1fe2c312d10c1

SHA512
a4517d897883584cd4d8f1342e6aa9ee091ef9e4ab17c79f0e6ecee5a4ea5191944231eb6ccd4bb53c2b0e38c896f30f947c6273d0496b92a030680083b2bc9d

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
80KB

MD5
e8b1c7a0a3ec0c7f861481d904197055

SHA1
1f26242f3964f46331c0fcfad70ab8fcacb24acd

SHA256
2c70630b06b6eb501163f151e4d758c8b04c7af3efbd7fe431a34cd6241fc8e8

SHA512
0ef82fb78b9a1ab2773154fcb252f6b957d36214fafc5145375cc33e370f79490550cc155666b167307d2ad9c4c4070fb4da5d11850f4e3d0a6ed7149c71a044

Download Submit
C:\Windows\SysWOW64\Ifmqfm32.exe

Filesize
80KB

MD5
fe1b88be2abc80ad217d9f79ccbf5fca

SHA1
71c493621c4c1f254a91b4c29cd06716765a562e

SHA256
4be7d65a203e361136d4d993f39e0a0cff6ca1619ba5ab27b97615a1ff3d8b0f

SHA512
05834cf20887b818ab86fd0e5c5b4f08847c226f8a300f97fd840b65848c06827d6a35ca0ce0b1a4e597cf135fc9018a584f0705f20e9766c6728c27574f73c8

Download Submit
C:\Windows\SysWOW64\Ifomll32.exe

Filesize
80KB

MD5
c5b31b60e2abec53442b28bd00efe48b

SHA1
6cc928688e16e761965a0ea5c4236211646ae84f

SHA256
e060bfdd2c0ce24770df17a33ca57e93aa966f57687029c4eb4b3cf1f63d4028

SHA512
1737878b8cb9c0189405e55fe02f8885d799d418281e457e5021841cda86c2eb4f232e09bc452cd1f0dca06eb752634889f61e32b20722192e18fc5c6eef8d00

Download Submit
C:\Windows\SysWOW64\Ipjoja32.exe

Filesize
80KB

MD5
eb5d7cd396720e1e788877087bc01d58

SHA1
6211db8317b06e6e94a5c2f248f97e36f324b938

SHA256
c1b979acd9026a165e1730e62a0e5940af9ae76b45cb247f717d5d6f68982f93

SHA512
077a1156a50d980e8983c37365e732757c83a07ef92dbae1672abe32d9acc10f5ce1b51e5bc0dfb4d92f8a164aabb2f24c58fa2cd10cda641f9e5ac902ef0699

Download Submit
C:\Windows\SysWOW64\Jofalmmp.exe

Filesize
80KB

MD5
46464c5e6ec8569a31e6ea9c5daa7514

SHA1
feeedd4f9a657d3021c36043d76d590e329f65b9

SHA256
957a8f955496f0d9c6c20d16d6fd3fc55619dbbda8a37ce439bc0cd8cf55717e

SHA512
65617ee63050b16bd213e1f65848835160841bdee8ba8784191c78d08c58bdd3f064ec8ab61db8ce5aecf6bd8044e34cf85a564fb0a203b29dfa1dc1af600603

Download Submit
C:\Windows\SysWOW64\Kpjgaoqm.exe

Filesize
80KB

MD5
b4bc2762db6d68a9c41a1e3af501ecad

SHA1
cf6f8b12722822c56b0843d577c9f29604168c3f

SHA256
6561b13c08cb24452a02eb67e4d5a8e5a5d2dd10b04fb52e6166f0abc5daab6b

SHA512
bd1cdb75483c5b6ccfa31bccc3fa0ac95f065a423844a728c839c830fc72e15f479e76eaa2215bbf7e4aedfb722c689d70584f851b401ae376eb8886f856540a

Download Submit
C:\Windows\SysWOW64\Kpmdfonj.exe

Filesize
80KB

MD5
e20028a002bb6148c68dece4892bacd0

SHA1
dad2771e274a64da70aa44ff07ab5b146d30d02c

SHA256
19bd43663c7d339081b13a3daa7be98a41fbd136c8fc6e30f78a799b769c6518

SHA512
a8e220c19dda0626bafa95e984c35c32e9e374750ff1f2d747b3a9e75808d89dd1780895ef98922289e141e4815c8c4bee38e7c9f5309b2c03ad94445b8ecf5e

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
80KB

MD5
39c8ca31c8aa959e8fb6d790fac0e1ed

SHA1
a278f732eb28aa03555619812d45d9d2bb9bd589

SHA256
d4342142c4a8e38f7b4e44222e54474e7344592d5f0fcb65bbdd878776c766ba

SHA512
bf1f772674ede8ef5cd212a1e54b4a5e8cd6ef22d111102916b9fc5485749f1274c562d42f5fcd53b78df455a2fed2b2def2f5d070ac9e20eb3f087c0c0c4436

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
80KB

MD5
8d26a9035f7e95de73f16e589ef1e308

SHA1
3d35a4e887834092081ed341d67d5b95438faead

SHA256
e3af965cd6d3f2ab0876f7ff5ecae6cdc103322ec9604db21d51bc9090b58e0a

SHA512
b3f2084fcfed5224f45d197baf6e3c34a9e9ee687527ecaf136110eca8c91e7a84c70fd7857148599589a12c8c95305acb3cf158c6df5c428b01221240018041

Download Submit
C:\Windows\SysWOW64\Neclenfo.exe

Filesize
80KB

MD5
c11443ef37fdb102ea3ddb8183e1f030

SHA1
ba159731de1f0f0ff3e0c01fbed4fa4bccdc6220

SHA256
756aa44039eacf85f35a81ccc9ebba046b97e7e24bb06a39fca356a2812e79f9

SHA512
31cf4758b6628a90a4490544c0ba6687012f906fec7b93d225cf8d158c9c78e5e03db69b43922cce3e5fcb539ccd83dda848b9d6e1b9ac7862325756623ed06f

Download Submit
C:\Windows\SysWOW64\Nnfgcd32.exe

Filesize
80KB

MD5
2587c8864a636dde136a921a473e876c

SHA1
f06f6738290afa376287eb04e23f4a4b4619e3d4

SHA256
ebbf8483a37e16040bff0c051cc7b3da31fa81a8598745e9a9674c744c55ac91

SHA512
22a63ff4211e05dea296d6be62dd0cbb3c258b21973aa5d263b56b1b480bb102562ae768288cd1894b742b62ab047a1cd914916dff330183e3abbca50ea44bcf

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
80KB

MD5
c13582506f8e3701b5a27dd057978a28

SHA1
b0d0dd0ad522bdff57d5756427cd3e8a2de24b8b

SHA256
62f32a02c37e03997e3af786f084af05e9983e9354e46d837dae94ca89bb3385

SHA512
5010a3ed6686f9d34556c94f32e7d6a1ffc612d050fb8f7c4cf71e607431201fe1325eb692097ecdbffd98322c228a75d3feadcfa616bc8c02e6ad3749a7d39c

Download Submit
C:\Windows\SysWOW64\Oanfen32.exe

Filesize
80KB

MD5
163a8c864ecb6097f77509438be6e7a2

SHA1
b44e8003edb9cfd761ecc7c568063a6d453cf5f4

SHA256
d59d3e3f3c93a7ffc58af0f96a63f17e71b79b72e35dc5224088dab8498135ca

SHA512
a5e013288519276bc51083c6cd3f8b58bab0fd145d7f00291f50290193e849cedd2d6871591299e1552557fc8cce08c568d7a5d01cd83fd3e68fbdd385cd50b1

Download Submit
C:\Windows\SysWOW64\Oeehkn32.exe

Filesize
80KB

MD5
9e6a1729b9d2bbe663f6fb4c82cfff29

SHA1
2af2a1097dbe6f8a50f300996c348b779d326c7e

SHA256
48acfc56365b846a342a19a45cb4bfed4b2493cb8253e567bb81e362d9af9737

SHA512
46eb9e3247cbed2cfc893b6d11ae3083b786ce4aa12173f51e1b16eeca987e5e758c599c4a23c9288ffcfcda1b25c498c41c9e7831fbea48bd37c216d14384e0

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
80KB

MD5
f05e640a09854c48daa8b316f7317499

SHA1
322c8679c8c2a7e69fe967e5d97dbe12155f0546

SHA256
2b4ba9a0ebc8986c74748447bb793aedc18b08073c427abd29310d1c400f552d

SHA512
a6906bb161bc0044d4569c85c3a5f6c3e8936e4786bff14fa770fbe71e59aecb9b08fe3a80dbf981e35a600e240de6085567601247ff9bc84b9a17d699bfa4ef

Download Submit
C:\Windows\SysWOW64\Ojgjndno.exe

Filesize
80KB

MD5
a78c837ade718d6e20ecb1347669bb65

SHA1
b40436518de4995a4a0ce63c27c44af5b8300c74

SHA256
1f8c80c6d843a58973aa742ed0d984e026d8e9500f43202f75948a9f724a24f6

SHA512
530fca96a2c92107d17c17a3234fb2f1a282455e40141d73fc97d43d83619db0fc0089d1bc737b6ce6840da0d7029bdda43ac5467ebe4e08a9bef8087775b8f7

Download Submit
C:\Windows\SysWOW64\Ojigdcll.exe

Filesize
80KB

MD5
d6365040ffdbd2ccda04d52736b5df81

SHA1
9298f19ff41eb15eb94ea5d62349ceb815c86d04

SHA256
fa3a39d86fcfdde76033c081d4326be0ae84325779c723086ffd6589617a197b

SHA512
89de818e92d9ae1ef49b60fce8975145e92e49adc1a6ccca1727e76b4fbff1be55aaca463ae93ac878a328b886043963c03cc678bf7cf18f68c7b5336c4996be

Download Submit
C:\Windows\SysWOW64\Okkdic32.exe

Filesize
80KB

MD5
38a38e6d8c89179cefa5824f4a017875

SHA1
ab96a5bf6f771eeaae238520cc55325acd91eb6b

SHA256
e64d105cc3b09ff9ca1a608644f7034b7f825293c67eed562e6a3cbe62a893c5

SHA512
6deab67f1da8554d40a673228d57bd2e5e73d2d7f3f82b29c0876778b4c5a66fbc2892d982ddcec8c900dc6572128c0e36eb24565d0d99d27d87d381a77b73f4

Download Submit
C:\Windows\SysWOW64\Omqmop32.exe

Filesize
80KB

MD5
41168d5a34f3a69fe136bd651f64139c

SHA1
588b6c1b862e0f812faf61a179e8602e35c9eb44

SHA256
125b3f4c71f61275aec7de68ce1c949c32cd2421fad1dbad655f5cff3f55e85b

SHA512
47316ff53ae885563e30df23c1dfb95b8683694d79a4aa1ca6e6561b4bcf25e46af6e0eb124b58329cf2322cafa0a44818d76af01c21445bd8ac78cc4e9b81b0

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
80KB

MD5
c19c10a8d71c619ca0f5b4810dbf9610

SHA1
1d0edd625d5e250e331ec79993eceac875a52eac

SHA256
82c7578676a453527cd08e52d9ee7eafad5c4bdc1461b9486738f3569614bf58

SHA512
1eb15e9ecafdf06dc84a6a0cc47bef6e066d7f87b5289214a326406256af9f326a35d6181276dd8c2a83a90694833874c8097c9b53dc59316ba67002e6109eeb

Download Submit
C:\Windows\SysWOW64\Pmoiqneg.exe

Filesize
80KB

MD5
56b484194e37968c173288c79827a3e2

SHA1
3b30d408506aa5915684c9feac38660081d5b5ac

SHA256
f74d04a04bf5a9157954c7ef323437ad6793184c5e9fa316611589e5130861e9

SHA512
46f23e9fae0a28cfb4077d1e1e276673a0eef088702786a99f3c8cf8fa8578d38265192e504cf182dcc472143e54767a60c0115261d8880a8d2fdb2a326ce575

Download Submit
C:\Windows\SysWOW64\Poimpapp.exe

Filesize
80KB

MD5
d00f8ed7df26ffdc6716e5127f0591b5

SHA1
e65d84d844809890a039ddb259dfe0719a2aef1b

SHA256
161dae9a4be9347cda58add1e67b84318f0719770f98610864baa40900e28342

SHA512
886c63ac63f073c2a41e1467baa03bf6858bc43b0a062e93a8e0d0d5c4e6d7209519a48707ded6aaedb5bc96bb4abd87e7f21852327539eb5a4bfbc19e5195ca

Download Submit
memory/316-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/460-547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/460-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/732-525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/988-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1000-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1112-365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1212-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1224-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-395-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1624-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1948-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2576-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-561-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3152-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3356-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3428-167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3488-425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3556-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3560-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-575-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3768-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3768-554-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3832-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3880-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3972-200-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4128-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4164-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4280-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4344-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4716-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4840-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4908-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4952-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4960-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5140-534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5184-541-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5228-548-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5272-555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5316-562-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5360-569-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5404-576-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5452-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads