d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe
Size

56KB
MD5

be9af9f5e59a6cdb123ef832350b63a8
SHA1

0151ad1c911dccf51e9eed4abb08924b86306e0d
SHA256

d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9
SHA512

e5780fed8448fd98e0813cf6640dc6bd1373d9c3ea7d8e701366dc53cf6ec92138b0ce70b69c227920b7fc81b13ac63a0270d43897c39587333bde518ab5e858
SSDEEP

768:lcNcEGfnWzTc1iToirsmOk579DByhoOV7DIpo//1H5bXdnh:l8SmI1iTBKABDNOV4mFv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Lgdidgjg.exeOcohmc32.exeOnkidm32.exeBgkiaj32.exeCggimh32.exeCnfkdb32.exeDkndie32.exeAajhndkb.exePmpolgoi.exeCgifbhid.exed1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exeNfjola32.exeNcnofeof.exeOmpfej32.exeBdfpkm32.exeLqojclne.exeQmeigg32.exeAaenbd32.exeAoioli32.exeNjjdho32.exeKlfaapbl.exePhajna32.exeMjaabq32.exeNagiji32.exePjkmomfn.exeAdkqoohc.exeBoenhgdd.exeLncjlq32.exeCdbpgl32.exeBaegibae.exeOghghb32.exeQacameaj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgdidgjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onkidm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgdidgjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cggimh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqojclne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjdho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klfaapbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nagiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghghb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qacameaj.exe

Executes dropped EXE 32 IoCs

Processes:

Klfaapbl.exeLgdidgjg.exeLqojclne.exeLncjlq32.exeMjaabq32.exeNfjola32.exeNcnofeof.exeNjjdho32.exeNagiji32.exeOnkidm32.exeOmpfej32.exeOghghb32.exeOcohmc32.exePjkmomfn.exePhajna32.exePmpolgoi.exeQmeigg32.exeQacameaj.exeAaenbd32.exeAoioli32.exeAajhndkb.exeAdkqoohc.exeBgkiaj32.exeBoenhgdd.exeBaegibae.exeBdfpkm32.exeCggimh32.exeCgifbhid.exeCnfkdb32.exeCdbpgl32.exeDkndie32.exeDkqaoe32.exe

pid	process
3656	Klfaapbl.exe
1592	Lgdidgjg.exe
1236	Lqojclne.exe
3064	Lncjlq32.exe
1568	Mjaabq32.exe
4120	Nfjola32.exe
2128	Ncnofeof.exe
2168	Njjdho32.exe
2200	Nagiji32.exe
964	Onkidm32.exe
2288	Ompfej32.exe
2556	Oghghb32.exe
2152	Ocohmc32.exe
1620	Pjkmomfn.exe
4444	Phajna32.exe
4016	Pmpolgoi.exe
3892	Qmeigg32.exe
3960	Qacameaj.exe
5048	Aaenbd32.exe
4548	Aoioli32.exe
4728	Aajhndkb.exe
1888	Adkqoohc.exe
3592	Bgkiaj32.exe
4472	Boenhgdd.exe
4392	Baegibae.exe
4160	Bdfpkm32.exe
2140	Cggimh32.exe
3280	Cgifbhid.exe
2060	Cnfkdb32.exe
1080	Cdbpgl32.exe
4504	Dkndie32.exe
3756	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

Processes:

Nfjola32.exeNagiji32.exeOnkidm32.exeOmpfej32.exeOcohmc32.exePjkmomfn.exePhajna32.exeQmeigg32.exeLncjlq32.exeNjjdho32.exeQacameaj.exeAdkqoohc.exeBoenhgdd.exeBdfpkm32.exeCggimh32.exePmpolgoi.exeAaenbd32.exeAajhndkb.exeBgkiaj32.exeLgdidgjg.exeMjaabq32.exeKlfaapbl.exeNcnofeof.exeCgifbhid.exeLqojclne.exeOghghb32.exeDkndie32.exed1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exeCnfkdb32.exeCdbpgl32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ncnofeof.exe	Nfjola32.exe
File created	C:\Windows\SysWOW64\Onkidm32.exe	Nagiji32.exe
File opened for modification	C:\Windows\SysWOW64\Ompfej32.exe	Onkidm32.exe
File opened for modification	C:\Windows\SysWOW64\Oghghb32.exe	Ompfej32.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Phajna32.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Lngqkhda.dll	Phajna32.exe
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Mjaabq32.exe	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Nagiji32.exe	Njjdho32.exe
File created	C:\Windows\SysWOW64\Hodbhp32.dll	Nagiji32.exe
File created	C:\Windows\SysWOW64\Dbfpagon.dll	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Boenhgdd.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Mpolbbim.dll	Nfjola32.exe
File created	C:\Windows\SysWOW64\Qbkofn32.dll	Pmpolgoi.exe
File opened for modification	C:\Windows\SysWOW64\Aoioli32.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Lielhgaa.dll	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Epopbo32.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Lqojclne.exe	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Nfjola32.exe	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Pjkmomfn.exe	Ocohmc32.exe
File created	C:\Windows\SysWOW64\Boenhgdd.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Lgdidgjg.exe	Klfaapbl.exe
File opened for modification	C:\Windows\SysWOW64\Lqojclne.exe	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Fnihkq32.dll	Lncjlq32.exe
File created	C:\Windows\SysWOW64\Bgemej32.dll	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Ojenek32.dll	Ompfej32.exe
File opened for modification	C:\Windows\SysWOW64\Pjkmomfn.exe	Ocohmc32.exe
File opened for modification	C:\Windows\SysWOW64\Pmpolgoi.exe	Phajna32.exe
File created	C:\Windows\SysWOW64\Qmeigg32.exe	Pmpolgoi.exe
File opened for modification	C:\Windows\SysWOW64\Qmeigg32.exe	Pmpolgoi.exe
File opened for modification	C:\Windows\SysWOW64\Cnfkdb32.exe	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Ehmjob32.dll	Lqojclne.exe
File opened for modification	C:\Windows\SysWOW64\Mjaabq32.exe	Lncjlq32.exe
File opened for modification	C:\Windows\SysWOW64\Nagiji32.exe	Njjdho32.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Phajna32.exe	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Kjamidgd.dll	Aaenbd32.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Baegibae.exe	Boenhgdd.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Njjdho32.exe	Ncnofeof.exe
File created	C:\Windows\SysWOW64\Lbpflbpa.dll	Onkidm32.exe
File created	C:\Windows\SysWOW64\Mioaanec.dll	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Klfaapbl.exe	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe
File opened for modification	C:\Windows\SysWOW64\Nfjola32.exe	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Aaenbd32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Adkqoohc.exe	Aajhndkb.exe
File created	C:\Windows\SysWOW64\Dolqpa32.dll	Lgdidgjg.exe
File created	C:\Windows\SysWOW64\Ompfej32.exe	Onkidm32.exe
File created	C:\Windows\SysWOW64\Oghghb32.exe	Ompfej32.exe
File created	C:\Windows\SysWOW64\Qkicbhla.dll	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdbpgl32.exe	Cnfkdb32.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Pmpolgoi.exe	Phajna32.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Aoioli32.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Bgkiaj32.exe	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Lgdidgjg.exe	Klfaapbl.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4948 3756 WerFault.exe Dkqaoe32.exe

pid	pid_target	process	target process
4948	3756	WerFault.exe	Dkqaoe32.exe

Modifies registry class 64 IoCs

Processes:

Nfjola32.exeNcnofeof.exePmpolgoi.exeAoioli32.exeKlfaapbl.exeMjaabq32.exeNjjdho32.exeOghghb32.exeLqojclne.exeQacameaj.exed1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exeOcohmc32.exeAaenbd32.exeOnkidm32.exePjkmomfn.exeLgdidgjg.exePhajna32.exeDkndie32.exeLncjlq32.exeBaegibae.exeAajhndkb.exeCdbpgl32.exeQmeigg32.exeBdfpkm32.exeCnfkdb32.exeBoenhgdd.exeNagiji32.exeBgkiaj32.exeCggimh32.exeCgifbhid.exeAdkqoohc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmpolgoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfiji32.dll"	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll"	Aoioli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqojclne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eanmnefk.dll"	Klfaapbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjamidgd.dll"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Pjkmomfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgdidgjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Onkidm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbhhlfgd.dll"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolqpa32.dll"	Lgdidgjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjaabq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnfkdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hodbhp32.dll"	Nagiji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll"	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajhndkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phajna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njjdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cggimh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlgcp32.dll"	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgemej32.dll"	Ncnofeof.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exeKlfaapbl.exeLgdidgjg.exeLqojclne.exeLncjlq32.exeMjaabq32.exeNfjola32.exeNcnofeof.exeNjjdho32.exeNagiji32.exeOnkidm32.exeOmpfej32.exeOghghb32.exeOcohmc32.exePjkmomfn.exePhajna32.exePmpolgoi.exeQmeigg32.exeQacameaj.exeAaenbd32.exeAoioli32.exeAajhndkb.exe

description	pid	process	target process
PID 1188 wrote to memory of 3656	1188	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe	Klfaapbl.exe
PID 1188 wrote to memory of 3656	1188	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe	Klfaapbl.exe
PID 1188 wrote to memory of 3656	1188	d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe	Klfaapbl.exe
PID 3656 wrote to memory of 1592	3656	Klfaapbl.exe	Lgdidgjg.exe
PID 3656 wrote to memory of 1592	3656	Klfaapbl.exe	Lgdidgjg.exe
PID 3656 wrote to memory of 1592	3656	Klfaapbl.exe	Lgdidgjg.exe
PID 1592 wrote to memory of 1236	1592	Lgdidgjg.exe	Lqojclne.exe
PID 1592 wrote to memory of 1236	1592	Lgdidgjg.exe	Lqojclne.exe
PID 1592 wrote to memory of 1236	1592	Lgdidgjg.exe	Lqojclne.exe
PID 1236 wrote to memory of 3064	1236	Lqojclne.exe	Lncjlq32.exe
PID 1236 wrote to memory of 3064	1236	Lqojclne.exe	Lncjlq32.exe
PID 1236 wrote to memory of 3064	1236	Lqojclne.exe	Lncjlq32.exe
PID 3064 wrote to memory of 1568	3064	Lncjlq32.exe	Mjaabq32.exe
PID 3064 wrote to memory of 1568	3064	Lncjlq32.exe	Mjaabq32.exe
PID 3064 wrote to memory of 1568	3064	Lncjlq32.exe	Mjaabq32.exe
PID 1568 wrote to memory of 4120	1568	Mjaabq32.exe	Nfjola32.exe
PID 1568 wrote to memory of 4120	1568	Mjaabq32.exe	Nfjola32.exe
PID 1568 wrote to memory of 4120	1568	Mjaabq32.exe	Nfjola32.exe
PID 4120 wrote to memory of 2128	4120	Nfjola32.exe	Ncnofeof.exe
PID 4120 wrote to memory of 2128	4120	Nfjola32.exe	Ncnofeof.exe
PID 4120 wrote to memory of 2128	4120	Nfjola32.exe	Ncnofeof.exe
PID 2128 wrote to memory of 2168	2128	Ncnofeof.exe	Njjdho32.exe
PID 2128 wrote to memory of 2168	2128	Ncnofeof.exe	Njjdho32.exe
PID 2128 wrote to memory of 2168	2128	Ncnofeof.exe	Njjdho32.exe
PID 2168 wrote to memory of 2200	2168	Njjdho32.exe	Nagiji32.exe
PID 2168 wrote to memory of 2200	2168	Njjdho32.exe	Nagiji32.exe
PID 2168 wrote to memory of 2200	2168	Njjdho32.exe	Nagiji32.exe
PID 2200 wrote to memory of 964	2200	Nagiji32.exe	Onkidm32.exe
PID 2200 wrote to memory of 964	2200	Nagiji32.exe	Onkidm32.exe
PID 2200 wrote to memory of 964	2200	Nagiji32.exe	Onkidm32.exe
PID 964 wrote to memory of 2288	964	Onkidm32.exe	Ompfej32.exe
PID 964 wrote to memory of 2288	964	Onkidm32.exe	Ompfej32.exe
PID 964 wrote to memory of 2288	964	Onkidm32.exe	Ompfej32.exe
PID 2288 wrote to memory of 2556	2288	Ompfej32.exe	Oghghb32.exe
PID 2288 wrote to memory of 2556	2288	Ompfej32.exe	Oghghb32.exe
PID 2288 wrote to memory of 2556	2288	Ompfej32.exe	Oghghb32.exe
PID 2556 wrote to memory of 2152	2556	Oghghb32.exe	Ocohmc32.exe
PID 2556 wrote to memory of 2152	2556	Oghghb32.exe	Ocohmc32.exe
PID 2556 wrote to memory of 2152	2556	Oghghb32.exe	Ocohmc32.exe
PID 2152 wrote to memory of 1620	2152	Ocohmc32.exe	Pjkmomfn.exe
PID 2152 wrote to memory of 1620	2152	Ocohmc32.exe	Pjkmomfn.exe
PID 2152 wrote to memory of 1620	2152	Ocohmc32.exe	Pjkmomfn.exe
PID 1620 wrote to memory of 4444	1620	Pjkmomfn.exe	Phajna32.exe
PID 1620 wrote to memory of 4444	1620	Pjkmomfn.exe	Phajna32.exe
PID 1620 wrote to memory of 4444	1620	Pjkmomfn.exe	Phajna32.exe
PID 4444 wrote to memory of 4016	4444	Phajna32.exe	Pmpolgoi.exe
PID 4444 wrote to memory of 4016	4444	Phajna32.exe	Pmpolgoi.exe
PID 4444 wrote to memory of 4016	4444	Phajna32.exe	Pmpolgoi.exe
PID 4016 wrote to memory of 3892	4016	Pmpolgoi.exe	Qmeigg32.exe
PID 4016 wrote to memory of 3892	4016	Pmpolgoi.exe	Qmeigg32.exe
PID 4016 wrote to memory of 3892	4016	Pmpolgoi.exe	Qmeigg32.exe
PID 3892 wrote to memory of 3960	3892	Qmeigg32.exe	Qacameaj.exe
PID 3892 wrote to memory of 3960	3892	Qmeigg32.exe	Qacameaj.exe
PID 3892 wrote to memory of 3960	3892	Qmeigg32.exe	Qacameaj.exe
PID 3960 wrote to memory of 5048	3960	Qacameaj.exe	Aaenbd32.exe
PID 3960 wrote to memory of 5048	3960	Qacameaj.exe	Aaenbd32.exe
PID 3960 wrote to memory of 5048	3960	Qacameaj.exe	Aaenbd32.exe
PID 5048 wrote to memory of 4548	5048	Aaenbd32.exe	Aoioli32.exe
PID 5048 wrote to memory of 4548	5048	Aaenbd32.exe	Aoioli32.exe
PID 5048 wrote to memory of 4548	5048	Aaenbd32.exe	Aoioli32.exe
PID 4548 wrote to memory of 4728	4548	Aoioli32.exe	Aajhndkb.exe
PID 4548 wrote to memory of 4728	4548	Aoioli32.exe	Aajhndkb.exe
PID 4548 wrote to memory of 4728	4548	Aoioli32.exe	Aajhndkb.exe
PID 4728 wrote to memory of 1888	4728	Aajhndkb.exe	Adkqoohc.exe

C:\Users\Admin\AppData\Local\Temp\d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe
"C:\Users\Admin\AppData\Local\Temp\d1fc01c7cbc34af74f06cb50bba666d2f953836503f923af800b9232a82fb8b9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\Klfaapbl.exe
C:\Windows\system32\Klfaapbl.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\Lgdidgjg.exe
C:\Windows\system32\Lgdidgjg.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\Lqojclne.exe
C:\Windows\system32\Lqojclne.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\Lncjlq32.exe
C:\Windows\system32\Lncjlq32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\Mjaabq32.exe
C:\Windows\system32\Mjaabq32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\Nfjola32.exe
C:\Windows\system32\Nfjola32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\Ncnofeof.exe
C:\Windows\system32\Ncnofeof.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\Njjdho32.exe
C:\Windows\system32\Njjdho32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\Nagiji32.exe
C:\Windows\system32\Nagiji32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\Onkidm32.exe
C:\Windows\system32\Onkidm32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\Ompfej32.exe
C:\Windows\system32\Ompfej32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\Oghghb32.exe
C:\Windows\system32\Oghghb32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\Ocohmc32.exe
C:\Windows\system32\Ocohmc32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\SysWOW64\Pjkmomfn.exe
C:\Windows\system32\Pjkmomfn.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\Phajna32.exe
C:\Windows\system32\Phajna32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\Pmpolgoi.exe
C:\Windows\system32\Pmpolgoi.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\Qmeigg32.exe
C:\Windows\system32\Qmeigg32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\Qacameaj.exe
C:\Windows\system32\Qacameaj.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\Aaenbd32.exe
C:\Windows\system32\Aaenbd32.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\Aoioli32.exe
C:\Windows\system32\Aoioli32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\Aajhndkb.exe
C:\Windows\system32\Aajhndkb.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\Adkqoohc.exe
C:\Windows\system32\Adkqoohc.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1888

C:\Windows\SysWOW64\Bgkiaj32.exe
C:\Windows\system32\Bgkiaj32.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3592

C:\Windows\SysWOW64\Boenhgdd.exe
C:\Windows\system32\Boenhgdd.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4472

C:\Windows\SysWOW64\Baegibae.exe
C:\Windows\system32\Baegibae.exe
26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4392

C:\Windows\SysWOW64\Bdfpkm32.exe
C:\Windows\system32\Bdfpkm32.exe
27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4160

C:\Windows\SysWOW64\Cggimh32.exe
C:\Windows\system32\Cggimh32.exe
28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2140

C:\Windows\SysWOW64\Cgifbhid.exe
C:\Windows\system32\Cgifbhid.exe
29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3280

C:\Windows\SysWOW64\Cnfkdb32.exe
C:\Windows\system32\Cnfkdb32.exe
30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2060

C:\Windows\SysWOW64\Cdbpgl32.exe
C:\Windows\system32\Cdbpgl32.exe
31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1080

C:\Windows\SysWOW64\Dkndie32.exe
C:\Windows\system32\Dkndie32.exe
32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4504

C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
33⤵
- Executes dropped EXE
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 224
34⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3756 -ip 3756
1⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaenbd32.exe
Filesize
56KB

MD5
c909e46d7633275ea77d9cda67a4a287

SHA1
3ee5037cdaf0a2968fd542a45c3679af3c0f1afe

SHA256
9b06a5542f7c8fb617ee4d25176f6917ceca2ff92bb1961e8440f8b93ee16458

SHA512
092227e8eaeb6f13b2d22508784b43528a459c43d68d3eac512e845ad62065e2b91567bfec253ab898ba206acdf92809548d1d83f25ab6cb704d7b3d26dfbc7c

Download Submit
C:\Windows\SysWOW64\Aajhndkb.exe
Filesize
56KB

MD5
aa4b47454c00defbcb6b5600d673a3d3

SHA1
a8a7235da02a2e8c752c471c0c096bcc9cf09ae3

SHA256
f97c90180c6659d3f1f5704a53cb9d37fa44e6317600f6bbee8d5c69f2610142

SHA512
676952da6c1d44bc57418a386d260be26b5e3ecfa38b517ce85c46f8b452d8f732cd5ae9c33742d3bf360538e78773d844de7c8d7625893967163018776ba8e9

Download Submit
C:\Windows\SysWOW64\Adkqoohc.exe
Filesize
56KB

MD5
fb8818302a22ec9e07169dc8f4b1fc62

SHA1
b69f0f7ed352314c8db4cd0b12743462dd7d7c89

SHA256
2e7dd6044267287840ebdf4e6d23440355919bc92036cabf0d6073df5889832f

SHA512
1513665a83f26eafec1be4815eed5ec88e207c9925e6411b0fff51028ca9b9bbf8dd92a2c541b82da556e51a8a2193d58cbca2d04fa212a564026ca4c0fd9461

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe
Filesize
56KB

MD5
bd77849c9097b351fa6e0b6730ae4165

SHA1
eae5195b4d956ff396a531ffa04f22a04a539dd8

SHA256
0f91a7fc21feffcf0e1a689fd4ac36cf80b07b1a5892eca644612b06ae9f4f18

SHA512
2ee0fb0b4b9aa3a98c8783df6ded4d77720a772401be0a8a0dbc8cbe81eacc3e456b2106254c4aea24f5daac35d449cf1103585c541717485993bb8b3cc99a33

Download Submit
C:\Windows\SysWOW64\Baegibae.exe
Filesize
56KB

MD5
7421c686815c19411b6c93dff1db2546

SHA1
c00a8d1d52c1ad6c665118c790b2f4c7b7d2076b

SHA256
3522457309b9c57194e1802ba1b9a6ae5e7e102b5f84779c1217798d9e944cc7

SHA512
80357be68863b06ac48be4bba19643b3de7a31e0bfb5b7ade0bd0a9aea6f2b86a81387f7d47f7f78183d8c1ef05b3e0cb7853321f93942206123b3922171dcaa

Download Submit
C:\Windows\SysWOW64\Bdfpkm32.exe
Filesize
56KB

MD5
f5b86ec1bbea555efec3fc653566895b

SHA1
8af55d4f105dceffd03d57af7193c3d8ea4eadf8

SHA256
6d2dd086040dae0b7bdcc02fcb34e111179a024e32a661f9fc54dcb3ceff210b

SHA512
37693ba31980010419794bfac7f4f19f3b75b4b59d897c780927420b808ea3bbd0162a064351adeaab3b7a49808a1c49e3404c24fa2f931f5ff07524ce6786fa

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe
Filesize
56KB

MD5
16230712d0b9f4660528759dccae463d

SHA1
b633a7aa79e7ea435d966af7bf1381d5d3431047

SHA256
8019a804dea284ebafe99b292f526aa8f42b492c4a300ba6bb5e165ad42c2e1b

SHA512
a186459048e28dca589ff1e65768de855e6b3872ba011a83045cecff3cff083f8d66351afe93a70ec02e220a04e8c2d1982da605fccc8a790d81c09f8f28e45b

Download Submit
C:\Windows\SysWOW64\Boenhgdd.exe
Filesize
56KB

MD5
206fab54c85febbf727bfcc293b2efe2

SHA1
d86f76797640ee1445ca62d04a832fba267c0564

SHA256
b248dea05b1ae514aed7d70f9cb41293e765f568e31a6b2343d7cb9a461716a1

SHA512
a2617f97be6283b94102ea3c858f8f33afc58c13420ff6cde606398d4f2ddd24bb8107ad044a669c676ea48d184398c98f8b7d7a57889cf7a7dfb27f33f2c108

Download Submit
C:\Windows\SysWOW64\Cdbpgl32.exe
Filesize
56KB

MD5
16424008c8f2849ca80dcd37541d7f72

SHA1
daef729a537a649e5df656ad3d7ee404ed46e228

SHA256
1872728cff1ba6462b3d5cc67466e89809a6892b2c8167a72f90c8e273fc1522

SHA512
6485cb1c62826ad38ded532e9027957f095a93d9fecbffa9de2acef2063c4726a823c33ee00246b6eb4bd523faf38fa75a2e84d2382c265a954ef6065b044acc

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe
Filesize
56KB

MD5
ceed668b99c44e69375e8c2bd8faa442

SHA1
96c27cb711a0ac6b24667af9819e46f1d6f7aa66

SHA256
2aa4ca070f9af7e1fe2e4dbc17cec2efe9e2f88d2c0088b3a039f4b271cd84fa

SHA512
8e8c2d7c52ef7caa039f0277b785e39298f68a2d385e3ffc5e4b148601bd589e9f2d8c51c5d1fc5b5453733c8539b7dc84f259cc9b9d0f4605fe3ed9af00fbc4

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe
Filesize
56KB

MD5
7997b7583248c9049f98e094b28585ae

SHA1
23de231ba831e5107800d9cc13544cfc9f39f105

SHA256
a2e3bfc245ee6d8d6a1741767ecfe6016686ef7776bb7837da505997805495ae

SHA512
06f2fa482441ba55e789730ab75db4c79bc57652a74bd897e00c0d7024d6b92eb1913ab109545b031bfd12452487a7d9ec79e17ca9322d2e2f0dbdfbba1041b9

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe
Filesize
56KB

MD5
a5d158744963f1a7f70845227ca0e688

SHA1
55a548072c17a9a3bc24a83482e0f1074bae970c

SHA256
96ab953c50199e8998fc6d7d7fa25c5907dd44d42d6692f07c30ba6d5f2b8156

SHA512
b1c24e740c69602486b737c90b756bdde8186dfabd002841bd0c00f097e5c4f518d13a0594f93a4947d404075abfde2d4a03af90ee57788569784f9f9ae59a59

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe
Filesize
56KB

MD5
310cf980c295d57f61262c2e66b8a4c4

SHA1
36d67875213013b0c301d1134635a67469c931eb

SHA256
3756db067652a552f20dc509ec9af2254372937bb5270704876f779ea586a6ec

SHA512
4d05bd22fa0672b804dad5277e0967c64996082a56e23d32f7cecfe8fc120586928921cced32a49c2300c9d720565a7497649ffa55dffa2dc011a7e73bb63415

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe
Filesize
56KB

MD5
7b6549129747c1113ab75baae1e1712d

SHA1
0927adb8b5b4cd2842a16c1fad1313806abf64b3

SHA256
b02c533565cf5cdce5f7878b838a019ee9be1f14e0d403d5fbf86d5a9c7a234a

SHA512
744ccaf69e18024c34f2d8dc135b19179c125693ac0db089719d11924b242319ed431041aed6fa6486bedc6032bd4799e49b3903a94a05f4d7b1ff005d6ae98b

Download Submit
C:\Windows\SysWOW64\Klfaapbl.exe
Filesize
56KB

MD5
25c28fe835c502d73848601cdf065763

SHA1
a87a12e092ae389a78924d92cdd76eb47eaab8df

SHA256
f45bca5c1c85e16579b25d121130b6ac2201da3170c8221f2e8e8cbb257d2f78

SHA512
2b748354cac0c059c5daa87574f67d9a1cfe794acdd5f25eb9a3c6a3ae6c18b676947451384dd3fcf131f1615d1fff45f1e37be4cbe15a2fd5a4c8b4fd782b04

Download Submit
C:\Windows\SysWOW64\Lgdidgjg.exe
Filesize
56KB

MD5
079666f489adf77ba71d2b3432e32034

SHA1
d4a447239dcaf83693364bb327ca237dad393501

SHA256
fc52521ab9f39571e9c2aa067fe610b14706ab9944ce217c68cecf7105f21cbc

SHA512
0f89a57093099adc5072f4d9649780cd3126a2c8ecda671bdc0064c103f9033b118ea85ff484a3805b04b5284f5bccbd82a8a5fec9883f23bb8823f629c51fc8

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe
Filesize
56KB

MD5
738a2e613461963b74792713aad288d7

SHA1
1df5cce37bc7aea1e17dd8d806d4625fdbc28016

SHA256
546e191bb210585201a1974d7f1766a048a8669bbdb97148268a1fef974a2b58

SHA512
6d16fbdecbed4746a6106e37e06c9f83694971f18a0796116e242ca4ffa2bd0bba0ce482a66c7ebf1637382c736ccb2ed89c89250ea166e6d01e6789aacd4a15

Download Submit
C:\Windows\SysWOW64\Lqojclne.exe
Filesize
56KB

MD5
c57c88640304b062521419301901d2b4

SHA1
77d0926a73c04a20ed8cd9413d7f636e9b734344

SHA256
52da97536d21f8ecabfe4186ec57fac1e0d2a8c3f34e7561f758f795bf924731

SHA512
3ef81ddd986e08ebcc97601ee9d617608811ec8c6ff70ed5c5643c5bcba4ffe5cb8262db625e788fe9a514b3b459bebc1c3914d2d6e0f61ce55133e24b6c5ec6

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe
Filesize
56KB

MD5
e2832c93e0eb63d0a0173a9a4046388a

SHA1
42e5226b8561a289a26a64ccf4f52889efabd167

SHA256
5f7a875d8433ef18dabcc4ff61399855a4dbb38120a2bd00ad6f476c59afeff8

SHA512
27f0e66bacf9f3b721a15d3c59a080d9d473538f688988b12a5627cf4b3d4ed7dd5b035b3d8c0a75f111d641ccace66cea34c486e74187bb08ede8ad0a9ff6cc

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe
Filesize
56KB

MD5
d371cb128ef8cd3b0ee78eddb2383057

SHA1
b7c3e3c039aefb30f0c2df5f8aab9f29e39c124c

SHA256
2cea394d619e9f39076037337b2ece9b7c2ee2552b8edb221b86795af9933e38

SHA512
3e01584ff7e91bc8d087363940babba3855a3ae7635b11b9470d04cd8d1d31baafb597af164030cc6a685270541ee3986f0cba35826beb1155921348be19c506

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe
Filesize
56KB

MD5
874d459c4415928b5b9c648dff4994b4

SHA1
a080fa5162361ad06c157c1cf1cf22d15cefb55d

SHA256
f3bcc378eaff2ca77cbf1ca7afd140250b442aa000253c7c609eb82a7c705614

SHA512
58757cfc4601cb67718a681e5fbd939aadca2c7839653bda97dbb38a4d86a3ce0f22e3f169315f06bca51388efc4c8cbbae74161cbe4942364f26b4f156cdd6c

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe
Filesize
56KB

MD5
8ad234b2c4a328bd3564cd174beeaff4

SHA1
c3ee860833225fb92ddd059b136a30bf37fc757b

SHA256
a6bcb40d840f2b3f431be423ef02c856272dc7e14bb5852318c5f5aa9902dab7

SHA512
1267e3a18a5f6ee9ff2f3bc840a2285296f5cb691d35c7e28f47e593999a3e588c7dec6ac1652ae0c740a041ddc679de18966c93914a39b7b1e0c53c411528a9

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe
Filesize
56KB

MD5
71801a865626930c5877a5b0efeebc60

SHA1
6d741d95fe3366981b63af9808eb82aa2a129ef8

SHA256
d059e153b0e0a22bf88d5efe42c6d99930067643bcd8286726e35df65106eee8

SHA512
3cae882646cf03eb933ed2c688a480d06f943040b4a26878dbb5a046e304a325e535fa807e16683f69bae9d00938b9cb9942f8825b1c88b77ce818e2592bb909

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe
Filesize
56KB

MD5
999d85f1d83532049ebe5f6f3ca50e59

SHA1
b18dedd6027deb345def8c12be9dbfbc9ca0dfe1

SHA256
0df3036a721e123127d1211a61af6674337c45fbbea9bb860a75e1277c98c851

SHA512
c1607c80d07b05518d6b54ff31dfa9aeb9fc714431e70f3a0282d7dcc5e682bfa47a7f0bc5a55562ea106077f1b733a9e080e5c8c5848a2e91d2e963603d5fbf

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe
Filesize
56KB

MD5
3de7f60937c777640de79634fd5f3212

SHA1
d535de58933d314c31fa15e5dda7599bd3f3d0d2

SHA256
8ce7d530e4eb31015a37ac813ab1a548b1b366d1c6e5f6420483de86477b81e9

SHA512
0fae61236e96b304ef939f91b9215f9fce16737048692a52060f1d3354d6ea1fccc2c486f79ef5e5f2a4a0920904db88c514a52177aaa26d90836a64367cd150

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe
Filesize
56KB

MD5
3e1e339c454b32e44eea68c9f0615fce

SHA1
59b28eeb1dd63bf475ad31937f884b5653e49ba3

SHA256
9e72adb7d9cad8d425b34339bb8da892644a85faa2a9d4f638a8a7622c32df9a

SHA512
2b0ab3c7f03716b278d15fd45c148af415832e3b22bd0f81605b3a6b974d67174762ce0fcdfbf04a34065256b1ea4d032d11cf7371c2be63ba6f55437e63e042

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe
Filesize
56KB

MD5
67039797771d1c4177fa8fdccdcf3a16

SHA1
592f59044aec6ceb8c6cc1088b0f3e917dacc844

SHA256
3eda3c1410d35a9bb1315afef5aacc601dd009276a54c3bdc10c03903c35d6fb

SHA512
998cdd10793bb00adebf6b345d48d154ecd4e4af1fbe20fa22fb5e348ae35afe9dd62ea03572f51859c3c9afac65ab95f601787ac223873410d9d1726fd4bd41

Download Submit
C:\Windows\SysWOW64\Phajna32.exe
Filesize
56KB

MD5
6b2defb5dfbdd758230c4d76f9ff668b

SHA1
ad2dcc6c5e7394c400dc0ab638cee5aec69c3841

SHA256
7649a96f39892103ad696407e07850f1a356e67e678f0492b9961d54c9fb094f

SHA512
cd45c2fff97fd5733804a0730b251db86218668d0e98d02b669bcdfbdd44fec93db8f8f62086500915e78f3998a9a29a0e63e3b0dfc8201a53e289368ad009bc

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe
Filesize
56KB

MD5
cbde71edc9db7031cc7beebdb86bb7d7

SHA1
b1c30558fedd32cf64ce91893c1001ec3ac8b389

SHA256
69a43fe675f8c6c16ff16175791f3005bba3367274ea1a9a7a0c675bdb28159c

SHA512
4cda93229c3601c69989931e18d8bed951b5078e497ae2f57b70ae4931cf07dc5a966bb5a188b7a639c5b1a05f39f15bc544db3db1434ab74215924cb62b7a9c

Download Submit
C:\Windows\SysWOW64\Pmpolgoi.exe
Filesize
56KB

MD5
b589b0f1f8022040e71424e22dc19456

SHA1
e6112dc6622f0e77b6a76ae61bdaf4126dcbe68f

SHA256
3ee9a992d7b85de8591e3a6cb2fde9fd3be7cd012ee62ab2ec6604bfcc3fa74c

SHA512
976cfc50fb8c66661666209b06c0dc7a1918a974508416d501c082d2569ed099d6e0c6416debe3f472348bb16f72d5656750ccb1f28871768a25b3a95209b91f

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe
Filesize
56KB

MD5
1d9f16863bc46b5c8f22e8815447b082

SHA1
3eb729a505a460bb171e106d4bad0271c6bf39f2

SHA256
4eeade83aedff185a48409c30a8afff21db7a5f7de6ee80781ea4705824c8814

SHA512
e144410d9845c715332f9ff982ad649421dd3ac3901653d60cee99fba12709adaa1023f6128c341f141b1f84ce3fdf8ac36c841232d385df60ddcfa69f1fb6e3

Download Submit
C:\Windows\SysWOW64\Qmeigg32.exe
Filesize
56KB

MD5
0868f9fb71359342831a8a662015ba22

SHA1
cdf759223c3e5d8c596de3e898df8ccae5eda23e

SHA256
c578b9be92f2c71e056794b242a686b980f953050f1fdad5dee7848c3ae146ea

SHA512
5859cc50bd9d76b893990877b67440288e727303a1fa7b4d408b0c7bd930c9d9296e03931e465a5bdbd103079c960aaba465b8d6386297acaa9d7935f3089e9e

Download Submit
memory/964-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/964-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1188-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3280-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3656-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3892-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3892-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4120-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4392-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download