667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0

Analysis

max time kernel
141s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exe
Size

80KB
MD5

094f13de7c15a9f3db15ae688c54cc10
SHA1

3055c8ca6d9284b00cbee7c45ae8b9351fc28106
SHA256

667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0
SHA512

97168aa44be756cc9543996d045f63cbe0aa41462545092a76d7fbeef848789508aaa2ed8361e77f4661ffaede800d190af871fea5f8f0e5bea602ca1b9af10b
SSDEEP

1536:aGfQUClZjvsVtuf5aLo/WAwMB75xA2L+2S5DUHRbPa9b6i+sIk:52ZDKtS54o/XrBfxXS5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Afkipi32.exeGkcdfl32.exePnfdnnbo.exeJkomhhae.exeCefoni32.exeKhhaanop.exeLennpb32.exeLijlii32.exeFidbgm32.exePjlnhi32.exe667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exeLkppchfi.exeMmebpbod.exeJkfcigkm.exeBhgjcmfi.exeGkhbbi32.exeHcgjhega.exeHjlaoioh.exeEimelg32.exeKbedaand.exeNbjpjl32.exeIholohii.exeJaljbmkd.exeAioebj32.exeHcifmdeo.exeQjeaog32.exePfbfjk32.exeDgdgijhp.exeIqfcbahb.exeGmfkjl32.exeKmkpipaf.exeMaeaajpl.exeLhpnlclc.exeGaffbg32.exeJkhpogij.exeDhbqalle.exeEblgon32.exeBelemd32.exeFhiinbdo.exeFkbkoo32.exeBbeobhlp.exePiaiqlak.exeLckglc32.exeJfdafa32.exeKilphk32.exeOmcbkl32.exeKdjhkp32.exeGgdbmoho.exeOgbbqo32.exeIhgnfnjl.exeFdbkja32.exeJokpcmmj.exeEhhpge32.exeCpcila32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkipi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkcdfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdnnbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkomhhae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cefoni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khhaanop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lennpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijlii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidbgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjlnhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkppchfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmebpbod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfcigkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhgjcmfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkhbbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcgjhega.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lennpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjlaoioh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eimelg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbedaand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijlii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbjpjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifmdeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjeaog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbfjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iqfcbahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmfkjl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkpipaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maeaajpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcgjhega.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfcigkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaffbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkhpogij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhbqalle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eblgon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkppchfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belemd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhiinbdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbjpjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkbkoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbeobhlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckglc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdafa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilphk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdjhkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggdbmoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbbqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihgnfnjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjlaoioh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jokpcmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehhpge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifmdeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belemd32.exe

Executes dropped EXE 64 IoCs

Processes:

Fdbkja32.exeGkhbbi32.exeHeepfn32.exeIholohii.exeJaljbmkd.exeJeaiij32.exeKlddlckd.exeLhpnlclc.exeNefdbekh.exeOmcbkl32.exePiaiqlak.exeAioebj32.exeAidomjaf.exeBlknpdho.exeCefoni32.exeCdlhgpag.exeCpcila32.exeDgdgijhp.exeEpaemojk.exeEcanojgl.exeEcdkdj32.exeFdhail32.exeFgncff32.exeGcimfg32.exeGmfkjl32.exeHcgjhega.exeHcifmdeo.exeKmlgcf32.exeKjbdbjbi.exeKdjhkp32.exeKhhaanop.exeLennpb32.exeLkppchfi.exeMaoakaip.exeMmebpbod.exeOnakco32.exePoagma32.exePnfdnnbo.exePfbfjk32.exeQbmpjkqk.exeAfkipi32.exeBelemd32.exeBbeobhlp.exeCblebgfh.exeDhbqalle.exeEpbkhhel.exeEfampahd.exeFidbgm32.exeGebimmco.exeGgdbmoho.exeHcommoin.exeHjlaoioh.exeImcqacfq.exeIqfcbahb.exeJokpcmmj.exeJikjmbmb.exeKmkpipaf.exeLcealh32.exeMaeaajpl.exeOgbbqo32.exeOnqdhh32.exePjlnhi32.exeQjeaog32.exeAgiahlkf.exe

pid	process
2248	Fdbkja32.exe
4348	Gkhbbi32.exe
1468	Heepfn32.exe
4268	Iholohii.exe
3440	Jaljbmkd.exe
3576	Jeaiij32.exe
4572	Klddlckd.exe
1172	Lhpnlclc.exe
1400	Nefdbekh.exe
2516	Omcbkl32.exe
4616	Piaiqlak.exe
1376	Aioebj32.exe
644	Aidomjaf.exe
812	Blknpdho.exe
4416	Cefoni32.exe
4988	Cdlhgpag.exe
3320	Cpcila32.exe
4940	Dgdgijhp.exe
864	Epaemojk.exe
4152	Ecanojgl.exe
3732	Ecdkdj32.exe
4012	Fdhail32.exe
1972	Fgncff32.exe
4600	Gcimfg32.exe
4408	Gmfkjl32.exe
940	Hcgjhega.exe
2136	Hcifmdeo.exe
2672	Kmlgcf32.exe
832	Kjbdbjbi.exe
748	Kdjhkp32.exe
216	Khhaanop.exe
4476	Lennpb32.exe
4496	Lkppchfi.exe
1416	Maoakaip.exe
436	Mmebpbod.exe
836	Onakco32.exe
5080	Poagma32.exe
4360	Pnfdnnbo.exe
672	Pfbfjk32.exe
3396	Qbmpjkqk.exe
4732	Afkipi32.exe
4396	Belemd32.exe
2252	Bbeobhlp.exe
640	Cblebgfh.exe
960	Dhbqalle.exe
2592	Epbkhhel.exe
1548	Efampahd.exe
2908	Fidbgm32.exe
4956	Gebimmco.exe
1340	Ggdbmoho.exe
452	Hcommoin.exe
1424	Hjlaoioh.exe
4468	Imcqacfq.exe
376	Iqfcbahb.exe
1576	Jokpcmmj.exe
3080	Jikjmbmb.exe
2540	Kmkpipaf.exe
3912	Lcealh32.exe
2816	Maeaajpl.exe
1116	Ogbbqo32.exe
1708	Onqdhh32.exe
3532	Pjlnhi32.exe
4352	Qjeaog32.exe
624	Agiahlkf.exe

Drops file in System32 directory 64 IoCs

Processes:

Iholohii.exeCefoni32.exeFgncff32.exePfbfjk32.exeKoiejemn.exe667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exeEcdkdj32.exeKdjhkp32.exeOnakco32.exeKkofofbb.exeOgbbqo32.exeEblgon32.exeEelpqi32.exeCdlhgpag.exeEcanojgl.exeCblebgfh.exeDhbqalle.exeKmkpipaf.exeGikbneio.exeMpenmadn.exeEfampahd.exeGgdbmoho.exeCbknhqbl.exeGkcdfl32.exeKlddlckd.exeCpcila32.exeHcommoin.exeJkhpogij.exeNpgjbabk.exeEpaemojk.exeIhgnfnjl.exeJfdafa32.exeIkmpcicg.exeKmlgcf32.exeKjbdbjbi.exeKhhaanop.exeHkjjfkcm.exeBbeobhlp.exeFidbgm32.exeMaeaajpl.exeGkhbbi32.exeGebimmco.exeOnqdhh32.exeEimelg32.exeFhiinbdo.exeFdbkja32.exeNefdbekh.exeAioebj32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Pakfglam.dll	Iholohii.exe
File opened for modification	C:\Windows\SysWOW64\Cdlhgpag.exe	Cefoni32.exe
File created	C:\Windows\SysWOW64\Gcimfg32.exe	Fgncff32.exe
File created	C:\Windows\SysWOW64\Qbmpjkqk.exe	Pfbfjk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkofofbb.exe	Koiejemn.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exe
File opened for modification	C:\Windows\SysWOW64\Fdhail32.exe	Ecdkdj32.exe
File created	C:\Windows\SysWOW64\Pelkha32.dll	Kdjhkp32.exe
File created	C:\Windows\SysWOW64\Eipbcl32.dll	Onakco32.exe
File opened for modification	C:\Windows\SysWOW64\Lckglc32.exe	Kkofofbb.exe
File opened for modification	C:\Windows\SysWOW64\Onqdhh32.exe	Ogbbqo32.exe
File created	C:\Windows\SysWOW64\Ehhpge32.exe	Eblgon32.exe
File created	C:\Windows\SysWOW64\Eimelg32.exe	Eelpqi32.exe
File created	C:\Windows\SysWOW64\Cpcila32.exe	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Nnomjn32.dll	Ecanojgl.exe
File opened for modification	C:\Windows\SysWOW64\Dhbqalle.exe	Cblebgfh.exe
File created	C:\Windows\SysWOW64\Epbkhhel.exe	Dhbqalle.exe
File created	C:\Windows\SysWOW64\Kofhqmba.dll	Kmkpipaf.exe
File opened for modification	C:\Windows\SysWOW64\Gaffbg32.exe	Gikbneio.exe
File created	C:\Windows\SysWOW64\Npgjbabk.exe	Mpenmadn.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Cdlhgpag.exe
File created	C:\Windows\SysWOW64\Fidbgm32.exe	Efampahd.exe
File opened for modification	C:\Windows\SysWOW64\Hcommoin.exe	Ggdbmoho.exe
File opened for modification	C:\Windows\SysWOW64\Eblgon32.exe	Cbknhqbl.exe
File created	C:\Windows\SysWOW64\Hkjjfkcm.exe	Gkcdfl32.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Dgdgijhp.exe	Cpcila32.exe
File created	C:\Windows\SysWOW64\Hgnlgdfg.dll	Hcommoin.exe
File opened for modification	C:\Windows\SysWOW64\Ehhpge32.exe	Eblgon32.exe
File created	C:\Windows\SysWOW64\Bdnhjgbo.dll	Jkhpogij.exe
File created	C:\Windows\SysWOW64\Nbjpjl32.exe	Npgjbabk.exe
File created	C:\Windows\SysWOW64\Johmahhb.dll	Epaemojk.exe
File created	C:\Windows\SysWOW64\Dhbqalle.exe	Cblebgfh.exe
File opened for modification	C:\Windows\SysWOW64\Fidbgm32.exe	Efampahd.exe
File opened for modification	C:\Windows\SysWOW64\Ikmpcicg.exe	Ihgnfnjl.exe
File created	C:\Windows\SysWOW64\Pfffnphj.dll	Jfdafa32.exe
File opened for modification	C:\Windows\SysWOW64\Jkomhhae.exe	Ikmpcicg.exe
File created	C:\Windows\SysWOW64\Qlhomk32.dll	Kkofofbb.exe
File created	C:\Windows\SysWOW64\Kjbdbjbi.exe	Kmlgcf32.exe
File created	C:\Windows\SysWOW64\Ippephla.dll	Kjbdbjbi.exe
File opened for modification	C:\Windows\SysWOW64\Lennpb32.exe	Khhaanop.exe
File created	C:\Windows\SysWOW64\Gdffjckl.dll	Gikbneio.exe
File opened for modification	C:\Windows\SysWOW64\Ihgnfnjl.exe	Hkjjfkcm.exe
File created	C:\Windows\SysWOW64\Cblebgfh.exe	Bbeobhlp.exe
File created	C:\Windows\SysWOW64\Ffdcne32.dll	Fidbgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbbqo32.exe	Maeaajpl.exe
File created	C:\Windows\SysWOW64\Gaffbg32.exe	Gikbneio.exe
File opened for modification	C:\Windows\SysWOW64\Heepfn32.exe	Gkhbbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ggdbmoho.exe	Gebimmco.exe
File opened for modification	C:\Windows\SysWOW64\Pjlnhi32.exe	Onqdhh32.exe
File opened for modification	C:\Windows\SysWOW64\Fkbkoo32.exe	Eimelg32.exe
File created	C:\Windows\SysWOW64\Akcnekdp.dll	Mpenmadn.exe
File created	C:\Windows\SysWOW64\Cdlhgpag.exe	Cefoni32.exe
File created	C:\Windows\SysWOW64\Emjfif32.dll	Bbeobhlp.exe
File opened for modification	C:\Windows\SysWOW64\Femigg32.exe	Fhiinbdo.exe
File opened for modification	C:\Windows\SysWOW64\Gkhbbi32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Omcbkl32.exe	Nefdbekh.exe
File created	C:\Windows\SysWOW64\Kfhfap32.dll	Aioebj32.exe
File opened for modification	C:\Windows\SysWOW64\Kdjhkp32.exe	Kjbdbjbi.exe
File opened for modification	C:\Windows\SysWOW64\Lcealh32.exe	Kmkpipaf.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exe
File opened for modification	C:\Windows\SysWOW64\Cpcila32.exe	Cdlhgpag.exe
File opened for modification	C:\Windows\SysWOW64\Poagma32.exe	Onakco32.exe
File created	C:\Windows\SysWOW64\Jkomhhae.exe	Ikmpcicg.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5880 5632 WerFault.exe Nleaha32.exe

pid	pid_target	process	target process
5880	5632	WerFault.exe	Nleaha32.exe

Modifies registry class 64 IoCs

Processes:

Omcbkl32.exeFgncff32.exeMaoakaip.exeIhgnfnjl.exeEcanojgl.exeEblgon32.exeFkbkoo32.exeNbjpjl32.exeEpaemojk.exeEcdkdj32.exeLkppchfi.exeOnakco32.exeEfampahd.exeAidomjaf.exeCefoni32.exeFhiinbdo.exeJeaiij32.exePfbfjk32.exeBbeobhlp.exeIqfcbahb.exeLcealh32.exeFiclmf32.exeKkofofbb.exeHcifmdeo.exeOnqdhh32.exeMpbaga32.exeMmebpbod.exeGebimmco.exeMaeaajpl.exeGaffbg32.exeGhbkdald.exeQbmpjkqk.exeHcommoin.exePjlnhi32.exeFdbkja32.exeGkhbbi32.exeQjeaog32.exeIkmpcicg.exeKilphk32.exeDgdgijhp.exeFdhail32.exeImcqacfq.exeJokpcmmj.exeBlknpdho.exeJikjmbmb.exeKdjhkp32.exeEhhpge32.exeGkcdfl32.exeHkjjfkcm.exeJaljbmkd.exeHcgjhega.exeBelemd32.exeEpbkhhel.exeKhhaanop.exeCblebgfh.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knojng32.dll"	Omcbkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgncff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maoakaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihgnfnjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecanojgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnlnaiq.dll"	Eblgon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkbkoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niaekl32.dll"	Nbjpjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epaemojk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecanojgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecdkdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkppchfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onakco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajbfppjh.dll"	Efampahd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladlqj32.dll"	Cefoni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhiinbdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghkogk.dll"	Pfbfjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbeobhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iqfcbahb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcealh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ficlmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkofofbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnomjn32.dll"	Ecanojgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcifmdeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onqdhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpbaga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmebpbod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbkgiif.dll"	Gebimmco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maeaajpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggehilne.dll"	Gaffbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghbkdald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbjpjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnnqk32.dll"	Qbmpjkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcommoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeodp32.dll"	Pjlnhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficlmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedlic32.dll"	Gkhbbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjeaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikmpcicg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilphk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdgijhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afoaho32.dll"	Fdhail32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imcqacfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jokpcmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkbkoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkkbg32.dll"	Blknpdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cefoni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epaemojk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kehmcnda.dll"	Jikjmbmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdjhkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehhpge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkcdfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfoamm32.dll"	Hkjjfkcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcgjhega.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belemd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epbkhhel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khhaanop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnafolo.dll"	Maoakaip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cblebgfh.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exeFdbkja32.exeGkhbbi32.exeHeepfn32.exeIholohii.exeJaljbmkd.exeJeaiij32.exeKlddlckd.exeLhpnlclc.exeNefdbekh.exeOmcbkl32.exePiaiqlak.exeAioebj32.exeAidomjaf.exeBlknpdho.exeCefoni32.exeCdlhgpag.exeCpcila32.exeDgdgijhp.exeEpaemojk.exeEcanojgl.exeEcdkdj32.exe

description	pid	process	target process
PID 5064 wrote to memory of 2248	5064	667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exe	Fdbkja32.exe
PID 5064 wrote to memory of 2248	5064	667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exe	Fdbkja32.exe
PID 5064 wrote to memory of 2248	5064	667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exe	Fdbkja32.exe
PID 2248 wrote to memory of 4348	2248	Fdbkja32.exe	Gkhbbi32.exe
PID 2248 wrote to memory of 4348	2248	Fdbkja32.exe	Gkhbbi32.exe
PID 2248 wrote to memory of 4348	2248	Fdbkja32.exe	Gkhbbi32.exe
PID 4348 wrote to memory of 1468	4348	Gkhbbi32.exe	Heepfn32.exe
PID 4348 wrote to memory of 1468	4348	Gkhbbi32.exe	Heepfn32.exe
PID 4348 wrote to memory of 1468	4348	Gkhbbi32.exe	Heepfn32.exe
PID 1468 wrote to memory of 4268	1468	Heepfn32.exe	Iholohii.exe
PID 1468 wrote to memory of 4268	1468	Heepfn32.exe	Iholohii.exe
PID 1468 wrote to memory of 4268	1468	Heepfn32.exe	Iholohii.exe
PID 4268 wrote to memory of 3440	4268	Iholohii.exe	Jaljbmkd.exe
PID 4268 wrote to memory of 3440	4268	Iholohii.exe	Jaljbmkd.exe
PID 4268 wrote to memory of 3440	4268	Iholohii.exe	Jaljbmkd.exe
PID 3440 wrote to memory of 3576	3440	Jaljbmkd.exe	Jeaiij32.exe
PID 3440 wrote to memory of 3576	3440	Jaljbmkd.exe	Jeaiij32.exe
PID 3440 wrote to memory of 3576	3440	Jaljbmkd.exe	Jeaiij32.exe
PID 3576 wrote to memory of 4572	3576	Jeaiij32.exe	Klddlckd.exe
PID 3576 wrote to memory of 4572	3576	Jeaiij32.exe	Klddlckd.exe
PID 3576 wrote to memory of 4572	3576	Jeaiij32.exe	Klddlckd.exe
PID 4572 wrote to memory of 1172	4572	Klddlckd.exe	Lhpnlclc.exe
PID 4572 wrote to memory of 1172	4572	Klddlckd.exe	Lhpnlclc.exe
PID 4572 wrote to memory of 1172	4572	Klddlckd.exe	Lhpnlclc.exe
PID 1172 wrote to memory of 1400	1172	Lhpnlclc.exe	Nefdbekh.exe
PID 1172 wrote to memory of 1400	1172	Lhpnlclc.exe	Nefdbekh.exe
PID 1172 wrote to memory of 1400	1172	Lhpnlclc.exe	Nefdbekh.exe
PID 1400 wrote to memory of 2516	1400	Nefdbekh.exe	Omcbkl32.exe
PID 1400 wrote to memory of 2516	1400	Nefdbekh.exe	Omcbkl32.exe
PID 1400 wrote to memory of 2516	1400	Nefdbekh.exe	Omcbkl32.exe
PID 2516 wrote to memory of 4616	2516	Omcbkl32.exe	Piaiqlak.exe
PID 2516 wrote to memory of 4616	2516	Omcbkl32.exe	Piaiqlak.exe
PID 2516 wrote to memory of 4616	2516	Omcbkl32.exe	Piaiqlak.exe
PID 4616 wrote to memory of 1376	4616	Piaiqlak.exe	Aioebj32.exe
PID 4616 wrote to memory of 1376	4616	Piaiqlak.exe	Aioebj32.exe
PID 4616 wrote to memory of 1376	4616	Piaiqlak.exe	Aioebj32.exe
PID 1376 wrote to memory of 644	1376	Aioebj32.exe	Aidomjaf.exe
PID 1376 wrote to memory of 644	1376	Aioebj32.exe	Aidomjaf.exe
PID 1376 wrote to memory of 644	1376	Aioebj32.exe	Aidomjaf.exe
PID 644 wrote to memory of 812	644	Aidomjaf.exe	Blknpdho.exe
PID 644 wrote to memory of 812	644	Aidomjaf.exe	Blknpdho.exe
PID 644 wrote to memory of 812	644	Aidomjaf.exe	Blknpdho.exe
PID 812 wrote to memory of 4416	812	Blknpdho.exe	Cefoni32.exe
PID 812 wrote to memory of 4416	812	Blknpdho.exe	Cefoni32.exe
PID 812 wrote to memory of 4416	812	Blknpdho.exe	Cefoni32.exe
PID 4416 wrote to memory of 4988	4416	Cefoni32.exe	Cdlhgpag.exe
PID 4416 wrote to memory of 4988	4416	Cefoni32.exe	Cdlhgpag.exe
PID 4416 wrote to memory of 4988	4416	Cefoni32.exe	Cdlhgpag.exe
PID 4988 wrote to memory of 3320	4988	Cdlhgpag.exe	Cpcila32.exe
PID 4988 wrote to memory of 3320	4988	Cdlhgpag.exe	Cpcila32.exe
PID 4988 wrote to memory of 3320	4988	Cdlhgpag.exe	Cpcila32.exe
PID 3320 wrote to memory of 4940	3320	Cpcila32.exe	Dgdgijhp.exe
PID 3320 wrote to memory of 4940	3320	Cpcila32.exe	Dgdgijhp.exe
PID 3320 wrote to memory of 4940	3320	Cpcila32.exe	Dgdgijhp.exe
PID 4940 wrote to memory of 864	4940	Dgdgijhp.exe	Epaemojk.exe
PID 4940 wrote to memory of 864	4940	Dgdgijhp.exe	Epaemojk.exe
PID 4940 wrote to memory of 864	4940	Dgdgijhp.exe	Epaemojk.exe
PID 864 wrote to memory of 4152	864	Epaemojk.exe	Ecanojgl.exe
PID 864 wrote to memory of 4152	864	Epaemojk.exe	Ecanojgl.exe
PID 864 wrote to memory of 4152	864	Epaemojk.exe	Ecanojgl.exe
PID 4152 wrote to memory of 3732	4152	Ecanojgl.exe	Ecdkdj32.exe
PID 4152 wrote to memory of 3732	4152	Ecanojgl.exe	Ecdkdj32.exe
PID 4152 wrote to memory of 3732	4152	Ecanojgl.exe	Ecdkdj32.exe
PID 3732 wrote to memory of 4012	3732	Ecdkdj32.exe	Fdhail32.exe

C:\Users\Admin\AppData\Local\Temp\667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exe
"C:\Users\Admin\AppData\Local\Temp\667f34e754fe5533c8145fdf9010c9d1b8db691b394f1d3d1a8fe10b67da2da0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\Fdbkja32.exe
C:\Windows\system32\Fdbkja32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\Gkhbbi32.exe
C:\Windows\system32\Gkhbbi32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\Heepfn32.exe
C:\Windows\system32\Heepfn32.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\Iholohii.exe
C:\Windows\system32\Iholohii.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\Jaljbmkd.exe
C:\Windows\system32\Jaljbmkd.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\Jeaiij32.exe
C:\Windows\system32\Jeaiij32.exe
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\Klddlckd.exe
C:\Windows\system32\Klddlckd.exe
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\Lhpnlclc.exe
C:\Windows\system32\Lhpnlclc.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\Nefdbekh.exe
C:\Windows\system32\Nefdbekh.exe
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\Omcbkl32.exe
C:\Windows\system32\Omcbkl32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\Piaiqlak.exe
C:\Windows\system32\Piaiqlak.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\Aioebj32.exe
C:\Windows\system32\Aioebj32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\Aidomjaf.exe
C:\Windows\system32\Aidomjaf.exe
14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\Blknpdho.exe
C:\Windows\system32\Blknpdho.exe
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\Cefoni32.exe
C:\Windows\system32\Cefoni32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\Cdlhgpag.exe
C:\Windows\system32\Cdlhgpag.exe
17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\Cpcila32.exe
C:\Windows\system32\Cpcila32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\Dgdgijhp.exe
C:\Windows\system32\Dgdgijhp.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\Epaemojk.exe
C:\Windows\system32\Epaemojk.exe
20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\Ecanojgl.exe
C:\Windows\system32\Ecanojgl.exe
21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\Ecdkdj32.exe
C:\Windows\system32\Ecdkdj32.exe
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\Fdhail32.exe
C:\Windows\system32\Fdhail32.exe
23⤵
- Executes dropped EXE
- Modifies registry class
PID:4012

C:\Windows\SysWOW64\Fgncff32.exe
C:\Windows\system32\Fgncff32.exe
24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1972

C:\Windows\SysWOW64\Gcimfg32.exe
C:\Windows\system32\Gcimfg32.exe
25⤵
- Executes dropped EXE
PID:4600

C:\Windows\SysWOW64\Gmfkjl32.exe
C:\Windows\system32\Gmfkjl32.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4408

C:\Windows\SysWOW64\Hcgjhega.exe
C:\Windows\system32\Hcgjhega.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:940

C:\Windows\SysWOW64\Hcifmdeo.exe
C:\Windows\system32\Hcifmdeo.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2136

C:\Windows\SysWOW64\Kmlgcf32.exe
C:\Windows\system32\Kmlgcf32.exe
29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2672

C:\Windows\SysWOW64\Kjbdbjbi.exe
C:\Windows\system32\Kjbdbjbi.exe
30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832

C:\Windows\SysWOW64\Kdjhkp32.exe
C:\Windows\system32\Kdjhkp32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:748

C:\Windows\SysWOW64\Khhaanop.exe
C:\Windows\system32\Khhaanop.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:216

C:\Windows\SysWOW64\Lennpb32.exe
C:\Windows\system32\Lennpb32.exe
33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4476

C:\Windows\SysWOW64\Lkppchfi.exe
C:\Windows\system32\Lkppchfi.exe
34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4496

C:\Windows\SysWOW64\Maoakaip.exe
C:\Windows\system32\Maoakaip.exe
35⤵
- Executes dropped EXE
- Modifies registry class
PID:1416

C:\Windows\SysWOW64\Mmebpbod.exe
C:\Windows\system32\Mmebpbod.exe
36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:436

C:\Windows\SysWOW64\Onakco32.exe
C:\Windows\system32\Onakco32.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:836

C:\Windows\SysWOW64\Poagma32.exe
C:\Windows\system32\Poagma32.exe
38⤵
- Executes dropped EXE
PID:5080

C:\Windows\SysWOW64\Pnfdnnbo.exe
C:\Windows\system32\Pnfdnnbo.exe
39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4360

C:\Windows\SysWOW64\Pfbfjk32.exe
C:\Windows\system32\Pfbfjk32.exe
40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:672

C:\Windows\SysWOW64\Qbmpjkqk.exe
C:\Windows\system32\Qbmpjkqk.exe
41⤵
- Executes dropped EXE
- Modifies registry class
PID:3396

C:\Windows\SysWOW64\Afkipi32.exe
C:\Windows\system32\Afkipi32.exe
42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4732

C:\Windows\SysWOW64\Belemd32.exe
C:\Windows\system32\Belemd32.exe
43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4396

C:\Windows\SysWOW64\Bbeobhlp.exe
C:\Windows\system32\Bbeobhlp.exe
44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2252

C:\Windows\SysWOW64\Cblebgfh.exe
C:\Windows\system32\Cblebgfh.exe
45⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:640

C:\Windows\SysWOW64\Dhbqalle.exe
C:\Windows\system32\Dhbqalle.exe
46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:960

C:\Windows\SysWOW64\Epbkhhel.exe
C:\Windows\system32\Epbkhhel.exe
47⤵
- Executes dropped EXE
- Modifies registry class
PID:2592

C:\Windows\SysWOW64\Efampahd.exe
C:\Windows\system32\Efampahd.exe
48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1548

C:\Windows\SysWOW64\Fidbgm32.exe
C:\Windows\system32\Fidbgm32.exe
49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2908

C:\Windows\SysWOW64\Gebimmco.exe
C:\Windows\system32\Gebimmco.exe
50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4956

C:\Windows\SysWOW64\Ggdbmoho.exe
C:\Windows\system32\Ggdbmoho.exe
51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1340

C:\Windows\SysWOW64\Hcommoin.exe
C:\Windows\system32\Hcommoin.exe
52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:452

C:\Windows\SysWOW64\Hjlaoioh.exe
C:\Windows\system32\Hjlaoioh.exe
53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\Imcqacfq.exe
C:\Windows\system32\Imcqacfq.exe
54⤵
- Executes dropped EXE
- Modifies registry class
PID:4468

C:\Windows\SysWOW64\Iqfcbahb.exe
C:\Windows\system32\Iqfcbahb.exe
55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:376

C:\Windows\SysWOW64\Jokpcmmj.exe
C:\Windows\system32\Jokpcmmj.exe
56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1576

C:\Windows\SysWOW64\Jikjmbmb.exe
C:\Windows\system32\Jikjmbmb.exe
57⤵
- Executes dropped EXE
- Modifies registry class
PID:3080

C:\Windows\SysWOW64\Kmkpipaf.exe
C:\Windows\system32\Kmkpipaf.exe
58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2540

C:\Windows\SysWOW64\Lcealh32.exe
C:\Windows\system32\Lcealh32.exe
59⤵
- Executes dropped EXE
- Modifies registry class
PID:3912

C:\Windows\SysWOW64\Maeaajpl.exe
C:\Windows\system32\Maeaajpl.exe
60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2816

C:\Windows\SysWOW64\Ogbbqo32.exe
C:\Windows\system32\Ogbbqo32.exe
61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1116

C:\Windows\SysWOW64\Onqdhh32.exe
C:\Windows\system32\Onqdhh32.exe
62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1708

C:\Windows\SysWOW64\Pjlnhi32.exe
C:\Windows\system32\Pjlnhi32.exe
63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3532

C:\Windows\SysWOW64\Qjeaog32.exe
C:\Windows\system32\Qjeaog32.exe
64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4352

C:\Windows\SysWOW64\Agiahlkf.exe
C:\Windows\system32\Agiahlkf.exe
65⤵
- Executes dropped EXE
PID:624

C:\Windows\SysWOW64\Bhgjcmfi.exe
C:\Windows\system32\Bhgjcmfi.exe
66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3484

C:\Windows\SysWOW64\Bbbkbbkg.exe
C:\Windows\system32\Bbbkbbkg.exe
67⤵
PID:2232

C:\Windows\SysWOW64\Cbknhqbl.exe
C:\Windows\system32\Cbknhqbl.exe
68⤵
- Drops file in System32 directory
PID:4456

C:\Windows\SysWOW64\Eblgon32.exe
C:\Windows\system32\Eblgon32.exe
69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3344

C:\Windows\SysWOW64\Ehhpge32.exe
C:\Windows\system32\Ehhpge32.exe
70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1112

C:\Windows\SysWOW64\Eelpqi32.exe
C:\Windows\system32\Eelpqi32.exe
71⤵
- Drops file in System32 directory
PID:4536

C:\Windows\SysWOW64\Eimelg32.exe
C:\Windows\system32\Eimelg32.exe
72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2632

C:\Windows\SysWOW64\Fkbkoo32.exe
C:\Windows\system32\Fkbkoo32.exe
73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2964

C:\Windows\SysWOW64\Ficlmf32.exe
C:\Windows\system32\Ficlmf32.exe
74⤵
- Modifies registry class
PID:3736

C:\Windows\SysWOW64\Fhiinbdo.exe
C:\Windows\system32\Fhiinbdo.exe
75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3104

C:\Windows\SysWOW64\Femigg32.exe
C:\Windows\system32\Femigg32.exe
76⤵
PID:3916

C:\Windows\SysWOW64\Gikbneio.exe
C:\Windows\system32\Gikbneio.exe
77⤵
- Drops file in System32 directory
PID:1844

C:\Windows\SysWOW64\Gaffbg32.exe
C:\Windows\system32\Gaffbg32.exe
78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4712

C:\Windows\SysWOW64\Ghbkdald.exe
C:\Windows\system32\Ghbkdald.exe
79⤵
- Modifies registry class
PID:1948

C:\Windows\SysWOW64\Gkcdfl32.exe
C:\Windows\system32\Gkcdfl32.exe
80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4912

C:\Windows\SysWOW64\Hkjjfkcm.exe
C:\Windows\system32\Hkjjfkcm.exe
81⤵
- Drops file in System32 directory
- Modifies registry class
PID:3048

C:\Windows\SysWOW64\Ihgnfnjl.exe
C:\Windows\system32\Ihgnfnjl.exe
82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2072

C:\Windows\SysWOW64\Ikmpcicg.exe
C:\Windows\system32\Ikmpcicg.exe
83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1616

C:\Windows\SysWOW64\Jkomhhae.exe
C:\Windows\system32\Jkomhhae.exe
84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028

C:\Windows\SysWOW64\Jfdafa32.exe
C:\Windows\system32\Jfdafa32.exe
85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1620

C:\Windows\SysWOW64\Jkfcigkm.exe
C:\Windows\system32\Jkfcigkm.exe
86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3604

C:\Windows\SysWOW64\Jkhpogij.exe
C:\Windows\system32\Jkhpogij.exe
87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2248

C:\Windows\SysWOW64\Kilphk32.exe
C:\Windows\system32\Kilphk32.exe
88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5136

C:\Windows\SysWOW64\Kbedaand.exe
C:\Windows\system32\Kbedaand.exe
89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5184

C:\Windows\SysWOW64\Kiomnk32.exe
C:\Windows\system32\Kiomnk32.exe
90⤵
PID:5228

C:\Windows\SysWOW64\Koiejemn.exe
C:\Windows\system32\Koiejemn.exe
91⤵
- Drops file in System32 directory
PID:5272

C:\Windows\SysWOW64\Kkofofbb.exe
C:\Windows\system32\Kkofofbb.exe
92⤵
- Drops file in System32 directory
- Modifies registry class
PID:5316

C:\Windows\SysWOW64\Lckglc32.exe
C:\Windows\system32\Lckglc32.exe
93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5360

C:\Windows\SysWOW64\Lijlii32.exe
C:\Windows\system32\Lijlii32.exe
94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5408

C:\Windows\SysWOW64\Mpbaga32.exe
C:\Windows\system32\Mpbaga32.exe
95⤵
- Modifies registry class
PID:5452

C:\Windows\SysWOW64\Mpenmadn.exe
C:\Windows\system32\Mpenmadn.exe
96⤵
- Drops file in System32 directory
PID:5496

C:\Windows\SysWOW64\Npgjbabk.exe
C:\Windows\system32\Npgjbabk.exe
97⤵
- Drops file in System32 directory
PID:5540

C:\Windows\SysWOW64\Nbjpjl32.exe
C:\Windows\system32\Nbjpjl32.exe
98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5584

C:\Windows\SysWOW64\Nleaha32.exe
C:\Windows\system32\Nleaha32.exe
99⤵
PID:5632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 400
100⤵
- Program crash
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5632 -ip 5632
1⤵
PID:5732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agiahlkf.exe

Filesize
80KB

MD5
aeabfdd0e6b0b2296d49b145310eadf7

SHA1
9c0c1c45b25223573c3dcc22bf83b9ca75fd54e8

SHA256
d432b43b76121b43b0f08a6109c1f55a2416be47094c19812202c8e95d334c3b

SHA512
3d8ca453851e352ba1240e5a523d2a073dcd5b95f5de31dcc1d965166cbd3ee050ea984c0e34bc80c748e0b6129de79867f39b7518ec57c454215b457ef736c4

Download Submit
C:\Windows\SysWOW64\Aidomjaf.exe

Filesize
80KB

MD5
277728b85839d5a328eb18060114b646

SHA1
e13d7e38f628160aa97760ffc491fed2b5fddb08

SHA256
0814eaa2dcfc651d78a48ae39c269a8bb6e31c14fba5d705f52d01c560815924

SHA512
e9442817490e984b2a09830206a4b259ddc481988268b4bac57fce156ee612e5d209f2010e014049e3d682926b9978db0912864ae0144b8c5ca93b638d057997

Download Submit
C:\Windows\SysWOW64\Aioebj32.exe

Filesize
80KB

MD5
7a570ad39a35e8c9eea71fc39de0d525

SHA1
88d6e19302b69f7a3cf800bdb64169809f638e34

SHA256
fe9b5b8e75ac3de86ad946d86b57b419a868012eedb01a53c49596623ca7134c

SHA512
2063f06ef9d80c17e02d4395e9802eff6f9f8a037c78e0e913c16a29f6d627e7ab761e770cbb722e3b45c83c5227bd085f3b02d5b7791c8f20543ac1932aec95

Download Submit
C:\Windows\SysWOW64\Bbeobhlp.exe

Filesize
80KB

MD5
f4a7fa54b1a581e2fd77d6b5f7442e93

SHA1
1949b3a5e1fdf0c54911d0a3b695e4710d2b0d9f

SHA256
6fe5fbfad83eb9edd98656426a618d03654058e22cb4f0b444e47456226fa90e

SHA512
3affbe79c5dd62710cb4bedc564058fb054c7812cbdd87621aca06b51823e4702e9edc25670c51d0d5f2f11bce8afd4b0bc9bc422267c5939e01939ced1452ca

Download Submit
C:\Windows\SysWOW64\Blknpdho.exe

Filesize
80KB

MD5
98d6e915e131a552f3eed473f931efec

SHA1
0b933e125fa22479e6b43b6c9acdc8f887956ce2

SHA256
56695bb62287bb9ed4b91361abfb208b1d7009384ab5da158adbeeec0636fa21

SHA512
613875cd2b1b5bb9176720f3325ec2aba774eae0a679031afda074295b24183975e0e7c1f5184b17cbf913f2fffdcc7f9c07fd24c73ec7ab884ad6ae19a66985

Download Submit
C:\Windows\SysWOW64\Cdlhgpag.exe

Filesize
80KB

MD5
226f68d6f1e802a5b3bc9bce2590fe41

SHA1
9f5c961993a9bb73ddbb0de9294aef459d8a9b27

SHA256
0172064f3de8a96c1c38b5412f29da43e9f73ea0f4574d309951aa86af1ca3e6

SHA512
a953976c5b07d7b2c115892d176b13e67ea352560a502f86c865ff97b859dba059c3ff88c5a1ff86fc33b96ff3aa84a2d6394af7485f1b2c9899d822cf9ad5a5

Download Submit
C:\Windows\SysWOW64\Cefoni32.exe

Filesize
80KB

MD5
6dc7abd2b43e408cebe0e203bb40c541

SHA1
0d8f0d5b805cdd64509a7a4838e43b54f33ffad0

SHA256
956ea77f36c29e4506546d5965cd48b0744242e7189e772ce8d8bc0b9c5cbc08

SHA512
9acef9cccf63bacb91ae9becce9fc309f641ab2a7113d2c717eb82e7b867c93d12fe45ee8f5410fabc7fd9a877af9432042a099b557356fe34223caf02438c97

Download Submit
C:\Windows\SysWOW64\Cpcila32.exe

Filesize
80KB

MD5
33996a148d11bd25bf9a07d36919692e

SHA1
4bddd7bd17d6f85e579809d05ff781e1972b8a81

SHA256
7baffc87062f48097f64569a5001122a2a592cce6bed121b8d3b94ade8e9d453

SHA512
f64da1ecd7358e2add3be24ebbce10e8e8bd94f9d0401edcf573db3196ac1dcbee99611a6ee118bbd7313f037455f4f0be50fa97368ac23aa623604d376bda08

Download Submit
C:\Windows\SysWOW64\Dgdgijhp.exe

Filesize
80KB

MD5
8c25d886a944b1b5f5d314813e38cd5d

SHA1
c68805549e07682aea46086c1ca3df7c430fb16a

SHA256
d12543691b63e7688596d062eb9d97103ce690d85fa4b0691f8a97d5f6a4af32

SHA512
3c1df18195205ef75eb9ba610907af46eb753ceaa21942c8eaa76dc4926d78b1ed7f5acb00a46364e31a1464ae0ce8c9fc1cb039d3501dd86b72bee319ccd88d

Download Submit
C:\Windows\SysWOW64\Ecanojgl.exe

Filesize
80KB

MD5
f722c080290edbfea259186eacbe0a85

SHA1
8d297b4277e480ca7e442c402caa6eb7ae999113

SHA256
6ee9e8081e3cbdb5735fe2865dc99c8a2298b760a3e1412962166ef4efaa50d7

SHA512
484e88fbf31b5bab6dd60329407dc42e3b81d2dce1fb05b0b2ed86bdbce00413af33266b7f9c58aaedd63b72787709d8bd44ac76766998d03501932659982529

Download Submit
C:\Windows\SysWOW64\Ecdkdj32.exe

Filesize
80KB

MD5
4eb25087cb1fc8f903e4ff868dfdc46e

SHA1
5c14d254e6111c96d877b0e94fdd0a845a697340

SHA256
c29a574aa7ddd41f350c6ee6816c0b3dd37f691a36348cda9ace035e682742e2

SHA512
cd5ab8fe4a0d725f2f20e35de32941fed48efa2b93fc8b86665b899d7f919a8934236a709cc33dfdca7c0d8b1b08fa6ed6b3e37df5678725d2e3da912a0c4ea4

Download Submit
C:\Windows\SysWOW64\Eimelg32.exe

Filesize
80KB

MD5
858766c09e13e1b75eb6b95963b6cf65

SHA1
c401746c46982643bb179725e3405619c4e24373

SHA256
7ff1f83766b040b3947763a7423360dfd6340d688d5f5ef2e4e1d098d683161c

SHA512
1262c463229d778680a871fe187e0759a12eb1e6e70a349e0ff4085c0aa7a3333f00e0acdfc28c23c19a2b7ff112ae66967eda3918b64ef9cdf2197afb07a06d

Download Submit
C:\Windows\SysWOW64\Epaemojk.exe

Filesize
80KB

MD5
37d8a36649836f19759abda556fcab42

SHA1
d43780490a915e32f38fbb8a14dc26c7fd3ca246

SHA256
fbc5a4866f01aff4a7f37f42634126d25fa8f27d1d75c7dddbc5a1dc2ef351c5

SHA512
60750836d9c3758c9b7164f6958fc215c4d07d8d59b4d5e4d1541b0f77a732f948a76c9fa512f983ca2ccb67c4eff27075210888e52594eec941e57db2f2153e

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
80KB

MD5
0d304c4d077c1a5222d05838fcc5d470

SHA1
4af28d3190a0d9501e0a6cd3d453193a776c764c

SHA256
06bb3d23948194d0fb6d92bf0cd51c96e923b28c24b67d9e5329afec779ae284

SHA512
8dc609f9be8da3432510a35924afac4fd41419379d050306625f3f62f75f52280174298f3a0876dbd63606646ecc37f409bfeeb653cae16acaf4a9672c22e93b

Download Submit
C:\Windows\SysWOW64\Fdhail32.exe

Filesize
80KB

MD5
c524ecd80def1a0304d68832abc4f3dc

SHA1
4dbd299b8e583500736224aeb834714d1a0b9510

SHA256
7792824e5a988db945633bca88fe3d542a0fb44b1836c1922573af0cf4f8f1ce

SHA512
f2207e2df0bca86488ff2892830c491a6058f17263805ddf018d1f381c87b436d65bde974ab22ee238559f5ec22673e29ef1f249093ec568b0623e6620c106af

Download Submit
C:\Windows\SysWOW64\Femigg32.exe

Filesize
80KB

MD5
f8d7cf93ef3ef069c3e0a07952e8bcfd

SHA1
8f50ecf54daf1cd778e5cdf9bf9fc8e020f75265

SHA256
8f11cd50be0be3dea7dcc968790193a7e970cf0e7e734a3a3b6da6e32e7caf2a

SHA512
17444538aeafa4fae56309b290498d0d2749e1cb4ad51ae79ba7534b5e29348ab4897f3e4edc2fa8c2c0351ed2f470d76655af9633ebe21e13a4226940206fd2

Download Submit
C:\Windows\SysWOW64\Fgncff32.exe

Filesize
80KB

MD5
549af8f31284be4a950658845de205b5

SHA1
7d7acd5d7616238c80e09f56364582360f7abd44

SHA256
4ad154de3ce7f374110d2c555876623f0759932085357d7a86ef440dcea45c7f

SHA512
dda4553cfe95af02c165d56fa4a70a159c836e149fa5cce26449c3830fa0eeb158051f65817e0032d2da10e52338ea537b53cca53dd3893476306fadf1b59b81

Download Submit
C:\Windows\SysWOW64\Gcimfg32.exe

Filesize
80KB

MD5
c99fa8cd96ac9130a72cf0b91c693102

SHA1
b5575e5c2f079fd829e901115892bae69cb579f3

SHA256
c7d50a8f4fc472405310c51b193cae8f65217c7059cc5a5b483b025f4e2692ef

SHA512
9dcf435e9f05d2edee0db00971ec9099727348c58987e4b16c579d3396f962ef1da11b2f89a7c735302f61d019c7b2ba3d1d46704cf7916abef5bdec71451a7f

Download Submit
C:\Windows\SysWOW64\Ghbkdald.exe

Filesize
80KB

MD5
3f54eb3dc76a94db9b2d7ab730022653

SHA1
2455ed83db831d0acfe277d3abb4dfca32fdc29f

SHA256
11363e11d29d5e21a69e0b37a6d006d84352019eeff373d39e02f2e09c077656

SHA512
dcf7cb2cc41906092810d67bd7ef6241f853be745545d98d69f1a41b64642e993733934017f264e59d1c4c99c09b6346d77a11498603f8ffde99e2084257ad70

Download Submit
C:\Windows\SysWOW64\Gkcdfl32.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Gkhbbi32.exe

Filesize
80KB

MD5
151ce1da0e37602f434375cd6b4546b6

SHA1
73b6c5310ee26da475a16988903cb38358b11665

SHA256
27308c37e9e2c57efc9577c5087a0c67823a6ad9c2543c48c75dd933fb544c72

SHA512
bf2fc97e77258e0a6c331ad4fe1bd46ebc7e0819f5199bb5d95ed51a3625e8881c13744da5c20217371473a90ba6aa040c2766124a1d28a4c4aa685cd9a0a7f5

Download Submit
C:\Windows\SysWOW64\Gmfkjl32.exe

Filesize
80KB

MD5
9905348d5db3921c2520dfdbae7c9921

SHA1
c87b96ed5a1aeb6524afdd0c4bd8f5a66029617b

SHA256
608f54d65c6ce2588147b0e6488c4f8f0cc059ba8fdc794528ea58d02d2ab54d

SHA512
af4a026dde189a82fdd4d85a2391b045e0f7c14ed54d4e99fe673118fa9621ac3b27eebe39524f689b3b396d12249df2b40b4151cb9cc24e26b9d2526885a7c3

Download Submit
C:\Windows\SysWOW64\Hcgjhega.exe

Filesize
80KB

MD5
0ba1f24915c8318380d8ec44a5142838

SHA1
0c95c704da4f911c4a4943ec53cc035bc155319e

SHA256
d8fa4d78f8e4e4aee8d994026c53c419038fe3add0151403e3e7cdae5d685978

SHA512
b1977f6bf52c952744a7ab23c3193cf8be03bb885a5edc4af06f0d4afdd8f59b563d8e63f6650590a8ca47e811f46d8af1ae05b4256d9792541641bca74e773c

Download Submit
C:\Windows\SysWOW64\Hcifmdeo.exe

Filesize
80KB

MD5
156d3c51229d171349d5d67bfed04c11

SHA1
9038e64a322b6a79ae178c941b415111059aa9eb

SHA256
77b0feaaed113e401d818df227e4d868217b66e9261deda4983943e798d1178f

SHA512
24608b26b3fe490e3636fba5478c8fe49cb8300de8abeee1ac2d4f453f32f1d9c2e495b98f5a7ad459f64f3db467f661ecfedecf7cd2fd42d42c4db7ce85f90b

Download Submit
C:\Windows\SysWOW64\Heepfn32.exe

Filesize
80KB

MD5
be2d89eda90af92e9289ab69dee3107c

SHA1
20a8d05c63d510e5ff9ffd4c4086f9d8716c32a5

SHA256
9940308727fc9b92550997f55b686623075006913b0f30e6939c2a033b038098

SHA512
83fd5bff4177ea451a20c72c2a8e032f851d98a7437b5953b7144186c008c4a05a7c16d54cae4defcdd3a03692733c74914ffed297cd295e8cef9d94e4b66beb

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
80KB

MD5
7aadc7712c1a64451c1549b6af6a903a

SHA1
94e8657240bcbe59c8d1790374ae6b1bcdd03c96

SHA256
df668b977b27b92e37b0e60382cda34e070ce38203caeb4c8152b495fd43ac85

SHA512
fec91bfa0593821965bb1e0c238b0e34729f57eb314804e7a0038377a87ca2fa351394db769a90683a63fcf903941a264f316fd88cc9b7c1d5e89850fd700a3e

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
80KB

MD5
866c7f592e3e091b03466572dd25961d

SHA1
7d024ec84b5dabcc5314d10e7929403e174043cf

SHA256
8f3ec7ff539ec5155574ff65806afe2df51851567a433ca2480fde1d5bf7cdc0

SHA512
789236ba58fc49fdd6bc331bbee35def971bad1918f20cf7fe58087a8856925a59a7f8c432e62ba8559bbe1ad830509ba9957152375a8de7bc5adf33dd1eae7a

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
80KB

MD5
d71e3b41a211b825e62c2898a97b2d80

SHA1
5a3b3be7838bb88818d2c1fa3dd00fda0457cddf

SHA256
96c58792219af62d9d7155769c71970b78624e0dd44385c3799335ca5b44ebfa

SHA512
b5fa3409378be57b98c8628af325908a88646935a432665cfa32d32840a91d0329fde357ccadd8da2eb18de8922cfd015c0ebabe292aef59151b9e825cba5080

Download Submit
C:\Windows\SysWOW64\Jfdafa32.exe

Filesize
80KB

MD5
361e875481df5025ee431fcc905b0758

SHA1
0724ce70f82b84c975de03094006f38d2d016a41

SHA256
eb9e13a87871f11957028127c852190921f2e4f796f149fda3e69da3ec428bac

SHA512
5054b81c233328ebd7e0d2215f58204da8653be572f1d05d097d619dea04045b9c4e043b051d91e39332db603120189cdd95ebc25648a5961f8432df1733125f

Download Submit
C:\Windows\SysWOW64\Jkhpogij.exe

Filesize
80KB

MD5
fa8e9354365931e471ac64ef64df1ce9

SHA1
121612146c64776da93b5dc9dcbffec0fae5efbc

SHA256
eaf85c37a742c64c19dfb03986b0ac2553e51f4ad358803fba9999db158a3b3b

SHA512
d7895abf0c6a1799503f7b72521b88c8621a860a5290386ca230a0254b19e7fc740c16cdf8e9c264646142854634493645aa1caf32fdf55a1adebbaaa05a0e7a

Download Submit
C:\Windows\SysWOW64\Kdjhkp32.exe

Filesize
80KB

MD5
a1115d4f341a1f9c31dc186c3df469c1

SHA1
5f43a7c0ac0252ef0ba76f0affda78427a23f472

SHA256
990cb99b79632b889c6b6c51283baf231c64e162fa725b9ca76b8ec71df4f58d

SHA512
c23d44cb8fe0d2e1eabadb3fd7eb39002787a44e09d1d0199ad35018bb92d1154fb5bce6409e37d14e7cb8af0d889d6a39940d4dded8f4e3c8565d61f53c9e30

Download Submit
C:\Windows\SysWOW64\Khhaanop.exe

Filesize
80KB

MD5
fe85ccb01e7772feb583bc0e60deedb5

SHA1
04cf9b8cce6813321a7ef9b24ec7d6ed39950a07

SHA256
906d9a77d5245684fe6b7af147b508c4cbb72d4fbe264021b268c48855906703

SHA512
6aab5e089dafe32ee50e8e5daad648f23d6621f6185a6180ff5b38b359b765c4b77569ac8e28bd7063bb866800f02c677a6da6ca0dfdf067cabb3ecaf7935311

Download Submit
C:\Windows\SysWOW64\Kiomnk32.exe

Filesize
80KB

MD5
951c265090f2e12837367b023b43d611

SHA1
7cc6e695577d641343bf9021c18855d6ee55647c

SHA256
e4e50f4f34a6a3ffcf83633b732e1945a5683b7ad30abc98554429776404d30f

SHA512
4a5442e5b513ded929bdd21fff6c47644b612488d57aa2e2c7476087a3babdfca304ea855d8223a5e26d65cf109147de578ad84142554c4f22b0131bd0fbcb00

Download Submit
C:\Windows\SysWOW64\Kjbdbjbi.exe

Filesize
64KB

MD5
8703d6e984ff6c251653d75953694c09

SHA1
a58fdbc7765a6eb18dd6f96537b77b640444ae26

SHA256
4b96a6bdf5798eabc4e9f54eeeada6f3ad3d7ae988385c833eb7b64be418c6c9

SHA512
42f86ef17dea81669d7ca98442339248e9a3496fd2766d7e94b846aa6adf9df056427bc8cd36dac5e1089affa30b5f9abd991e752784e52be99878c0072e5d56

Download Submit
C:\Windows\SysWOW64\Kjbdbjbi.exe

Filesize
80KB

MD5
bfb6772a3a6291c7735a2aa6af60598f

SHA1
370f9f02391717822eeb1809a56276a1afa89ae8

SHA256
ff2607d5ef9b3a5fc5821483c1d02cded4ccef496476f6f563fb88b63b424237

SHA512
dc6a471ba300146aa4a4c3bc1de3fec8911505e00d04d0df0876e8e050737432361c66b17128602cc2d104a754681fd02d1f2ba8b5bb8e1e1226374780a91822

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
80KB

MD5
44830e294a02405f33e9963c8eeeb71e

SHA1
09d2000ff2f0e9c5ed8b8f65bf131397a38ccce9

SHA256
f09f79ac422e519b10c0e9e89bd0f3b5eab9f1e08c7763597899870a381ab06b

SHA512
447666150e2db0cc81a043d60564bce7fbd0e2f1482d6b1647e6f416770cc77917e1fef428b43e9c04ba9fd8669ab1e9f06a0bb7acc8e89be77949621dfdc53d

Download Submit
C:\Windows\SysWOW64\Kmkpipaf.exe

Filesize
80KB

MD5
e7c318e1078dc939f0be4f9b6c01769e

SHA1
fe84cb5d36a2c4952563041880c3b1c2ba8244ed

SHA256
90675b6430c60ce7b0e590a29440163946276a36daa56eb2a3c70b14758c3306

SHA512
27bc37521d456648e57fe295f59fc8b9641037ae2c50b094c9fe198e17545b3289b7e4c8111615a9aaceb91a32b4c468fe1f29fa30f60823f53ac04a41d3805e

Download Submit
C:\Windows\SysWOW64\Kmlgcf32.exe

Filesize
80KB

MD5
29436a456423bda337715aecefc544e1

SHA1
b63edbf71d76b2071b0a9d913728ffa18381ba66

SHA256
14f8c0bf10d0da5eacba5bee9e2c4695e1197559ee09d020f78291815c06fea9

SHA512
1e224e2f0b8c14ae5ab0b2d6d17f95f0f36d7e750fd24273660f687cd68e48b696f7a53c459d8f8311d2aefdfb471c7ad6198b282dddb9742b90d1669f445152

Download Submit
C:\Windows\SysWOW64\Lennpb32.exe

Filesize
80KB

MD5
62928f1123c352d29f63434598191bfc

SHA1
65e83a65cae88ce6763b31279bbe16bd36d184fb

SHA256
3970baed6dd49156a10b6e52773c82a036d59e78ce55fbbcdc758626555998f0

SHA512
9b7be5748d347b6795e886cda077e84d2782cb8be10d36bb05c5ebd518432f59bc9977616cd8d754eb193e8df29b3a8387f5f834a7c017cea84639f70b4048fe

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
80KB

MD5
af5d5fbc9e8298b3f276f127e73e55e6

SHA1
bd16ba255770d1c8068d1d86fddbdf18fcdc0985

SHA256
5cc913316c29b1793441878361a0f7e75ea164d40a7308f4adf09a766d333cde

SHA512
ce8c5f95013bae8858f7a6d77a05fcb3b575794f8d25a675f0df174665f54adbcff762123b1838f0e06b489e5e220ebdcb05c02c2dc39cf6d224eb9467bf6b3e

Download Submit
C:\Windows\SysWOW64\Mmebpbod.exe

Filesize
80KB

MD5
74303c46c045b94a077982b3ed637de4

SHA1
afbc6a0a68f9dea9a4ff06c221f2f36ed5c4fbda

SHA256
9fd11e819d67e020840fe09f4cdc21b34821a1b335eec7036fc85ca8f89385e3

SHA512
3378a2beadf257ec10b2c73dda9bb9b613ef04d6977c70e2b31328bc7128eb0016ef4e0404c4c018c31e193c6c2a5d44156beec2f47915c858ae693ab083389a

Download Submit
C:\Windows\SysWOW64\Nefdbekh.exe

Filesize
80KB

MD5
933025d8087cde46c418948a48d4b525

SHA1
8debadf0ff7e95688cc5f0bd8a09e3eeab807d35

SHA256
1e405263f38221d0ff625c7056d8c6aad688f9e43b50e70444b0e450f6315ace

SHA512
1d4b17f6edbd6ab9ca6970644a6962563aada38a8750154d65447663d5ea3447dd5a3a8819318333c54aa127542b8234c93d0d2969bc371f7442ae97b638d9fd

Download Submit
C:\Windows\SysWOW64\Omcbkl32.exe

Filesize
80KB

MD5
75a4859c092b300018e00754668ff4c4

SHA1
5dd928175380972be382a0b3664738559f84279f

SHA256
12c331a3341ca7046dccbcfecef9ec2dd0214b1f794902b103b0cf273f3b66a0

SHA512
21ab6cc488c7f56027181bd7fe939f14d62f8f05a33f2bd33313702021a4f6cb496e5fbc3375121e3c7b551b5b4c768303192a1d5b637d71bcffd97e03277a7f

Download Submit
C:\Windows\SysWOW64\Piaiqlak.exe

Filesize
80KB

MD5
f0ed1768c92a3d4c226b7b7444d5544d

SHA1
567ae687a1ecb56af736609d290e97260f8aa6ad

SHA256
6974d737784702406808a5c2d1dee07ec7a0654fadbbccd0f73ebe6b19e52c0a

SHA512
0367565c17f31a2b02729b36d579be88dabd6b3801593429f75dbd0f68ea401a9c80320defb35b5263bb491b41a0aea929649facd0e3068da5f720fe0bbbdd40

Download Submit
C:\Windows\SysWOW64\Pjlnhi32.exe

Filesize
80KB

MD5
517f89aac9381c2b3d55e4394106f701

SHA1
837979776be1fd7b6b54af99e3e8a7a75282c586

SHA256
aa13389c9f2b5296bc8742a116a1fd1c35882129bb62faddf562e4bd204f68c3

SHA512
4a2555bfb27a68a09cec25bbd809fc5193c0835468ca3556ee67bcc31bc3b2f14abedf96ae96c72a864aac32707c74133cfd55c72df418258bdb6499021de5a9

Download Submit
memory/216-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/376-389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/436-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/624-453-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/644-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/672-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/748-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/812-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/832-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/836-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/864-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/940-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/960-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1028-566-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1112-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1116-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1172-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1340-369-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1400-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1416-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1424-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1576-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1948-534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2136-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2232-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2516-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2632-491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-497-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3080-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3104-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3320-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3396-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-441-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3732-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3736-507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3916-519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4012-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4152-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-574-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-559-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4352-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4408-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4496-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4572-594-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4572-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-528-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4732-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4988-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5080-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download