Analysis Overview
SHA256
6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c
Threat Level: Known bad
The file 6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c was found to be: Known bad.
Malicious Activity Summary
Gozi
Adds autorun key to be loaded by Explorer.exe on startup
Detects executables built or packed with MPress PE compressor
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 20:33
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 20:33
Reported
2024-03-15 20:36
Platform
win7-20240221-en
Max time kernel
143s
Max time network
121s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
Gozi
(family signature; the report records no indicator rows for it, so the attribution rests on the sandbox's rule alone and should be checked against the dropped binaries before it is reused)
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
17 matches, none with a description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
17 matches, none with a description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cacacg32.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Pnimnfpc.exe | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdoajb32.exe | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pgpeal32.exe | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnabbkhk.dll | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdlpjk32.dll | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qqeicede.exe | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldeamlkj.dll | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ilfila32.dll | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Imjcfnhk.dll | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjbcfn32.exe | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Blaopqpo.exe | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pkdgpo32.exe | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cacacg32.exe | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pqjfoa32.exe | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qqeicede.exe | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnimnfpc.exe | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aipheffp.dll | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cacacg32.exe | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipgljgoi.dll | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmmani32.dll | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmmlmd32.dll | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhgkeald.dll | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfikmh32.exe | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqjfoa32.exe | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afkdakjb.exe | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjbcfn32.exe | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfgheegc.dll | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Blaopqpo.exe | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ackkppma.exe | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgpeal32.exe | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gneolbel.dll | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pkfceo32.exe | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Okfgfl32.exe | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pfikmh32.exe | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Afkdakjb.exe | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| File created | C:\Windows\SysWOW64\Okfgfl32.exe | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajbggjfq.exe | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cenaioaq.dll | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Idlgcclp.dll | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkdgpo32.exe | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmqalo32.dll | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajbggjfq.exe | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| File created | C:\Windows\SysWOW64\Hqlhpf32.dll | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aohjlnjk.dll | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ackkppma.exe | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdoajb32.exe | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkfceo32.exe | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
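The table above holds one "File created" row per dropped stage, but in no particular order, so the drop sequence is not visible at a glance. The following is an added example, not part of the sandbox report: it treats every "File created" row whose target is an EXE as a parent-to-child edge, finds the one process that was never itself created (the submitted sample), walks the chain, and pairs each stage with the DLL it wrote. The embedded rows are copied from the table above (a subset covering the sample and its first five stages); the function names are this example's own.

```python
import re

# "Drops file in System32 directory" rows copied from this report, in the report's own
# (unordered) sequence. Subset: the original sample and the first five dropped stages;
# the full table parses the same way.
DROP_ROWS = r"""
| File opened for modification | C:\Windows\SysWOW64\Pnimnfpc.exe | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldeamlkj.dll | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ilfila32.dll | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnimnfpc.exe | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipgljgoi.dll | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqjfoa32.exe | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgpeal32.exe | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gneolbel.dll | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Okfgfl32.exe | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| File created | C:\Windows\SysWOW64\Okfgfl32.exe | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkdgpo32.exe | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmqalo32.dll | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aohjlnjk.dll | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
"""

ROW_RE = re.compile(r'^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|')


def parse_rows(text):
    """(operation, file, process) for each data row of a report table."""
    return [m.groups() for m in map(ROW_RE.match, text.splitlines())
            if m and m.group(1) != 'Description']


def basename(path):
    return path.rsplit('\\', 1)[-1]


def build_drop_chain(rows):
    """Order the stages: each process should create exactly one next-stage EXE and one DLL.
    Windows paths are case-insensitive, so keys are lower-cased and the original spelling is
    kept for output. Only 'File created' rows count; 'File opened for modification' on the
    same path is the later write to that file and would only duplicate the edge."""
    created_by, dll_of, spelling = {}, {}, {}
    for op, path, proc in rows:
        if op != 'File created':
            continue
        p, who = path.lower(), proc.lower()
        spelling.setdefault(p, path)
        spelling.setdefault(who, proc)
        if p.endswith('.exe'):
            if p in created_by:
                raise ValueError(f'{path} created by two processes')
            created_by[p] = who
        elif p.endswith('.dll'):
            dll_of.setdefault(who, []).append(p)
    children = {}
    for child, parent in created_by.items():
        children.setdefault(parent, []).append(child)
    roots = [p for p in children if p not in created_by]   # the submitted sample
    if len(roots) != 1:
        raise ValueError(f'expected one chain root, found {roots}')
    chain, cur, seen = [], roots[0], set()
    while cur is not None:
        if cur in seen:
            raise ValueError('drop graph has a cycle')
        seen.add(cur)
        chain.append((spelling[cur], [spelling[d] for d in dll_of.get(cur, [])]))
        nxt = children.get(cur, [])
        if len(nxt) > 1:
            raise ValueError(f'{spelling[cur]} created several EXEs: {nxt}')
        cur = nxt[0] if nxt else None
    return chain


def stage_names(chain):
    return [basename(exe) for exe, _ in chain]


if __name__ == '__main__':
    for i, (exe, dlls) in enumerate(build_drop_chain(parse_rows(DROP_ROWS))):
        print(f'stage {i}: {basename(exe)}  drops DLL(s): {[basename(d) for d in dlls]}')
```

Fed the full table, the walk runs from the sample through all 17 dropped executables and ends at Cacacg32.exe, which created no EXE of its own (the Program crash signature shows it faulting). The strict one-child rule is deliberate: a branch or a second root would mean the chain model is wrong for the sample and the output should not be trusted.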
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Cacacg32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll" | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll" | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll" | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgljgoi.dll" | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll" | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll" | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll" | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pfikmh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ackkppma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll" | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll" | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll" | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll" | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajbggjfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Blaopqpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
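The SSODL rows under "Adds autorun key" and the CLSID rows above are two halves of one persistence mechanism: at logon Explorer reads ShellServiceObjectDelayLoad, instantiates each listed CLSID, and loads whatever DLL that CLSID's InProcServer32 default value names. As an added example (not part of the report, written to serve both tables), the Python below joins the halves: it parses rows in the report's table format, maps each SSODL value to its CLSID, and collects every DLL path that was registered as that CLSID's server. The embedded rows are a subset copied from the two tables; the function names are this example's own.

```python
import re

# Rows copied from the "Adds autorun key" and "Modifies registry class" tables of this report
# (a subset; the parser accepts the full tables unchanged). The writing process is kept so
# the output shows which stage registered which DLL.
REPORT_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll" | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgljgoi.dll" | C:\Windows\SysWOW64\Okfgfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll" | C:\Windows\SysWOW64\Pgpeal32.exe | N/A |
"""

ROW_RE = re.compile(r'^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|')
GUID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')


def parse_rows(text):
    """(operation, indicator, process) for each data row of a report table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(1) != 'Description':   # skip the header row
            rows.append(m.groups())
    return rows


def split_set_value(indicator):
    """'\\REG\\...\\Key\\Name = "data"' -> (key, name, data). A trailing '\\' on the path
    denotes the key's (Default) value, which is where InProcServer32 keeps the DLL path."""
    path, _, data = indicator.partition(' = ')
    data = data.strip().strip('"').replace('\\\\', '\\')   # the report escapes backslashes in data
    key, _, name = path.rpartition('\\')
    return key, name, data


def resolve_ssodl(rows):
    """Map every SSODL value to its CLSID and to every DLL ever registered as that CLSID's server."""
    ssodl = {}    # value name -> {'clsid', 'writers'}
    inproc = {}   # clsid -> [(dll, writer)] in report order (which is not chronological)
    for op, indicator, proc in rows:
        if op != 'Set value (str)':
            continue
        key, name, data = split_set_value(indicator)
        if key.endswith('\\ShellServiceObjectDelayLoad'):
            entry = ssodl.setdefault(name, {'clsid': data.upper(), 'writers': set()})
            entry['writers'].add(proc)
        elif key.endswith('\\InProcServer32') and name == '':
            m = GUID_RE.search(key)
            if m:
                inproc.setdefault(m.group(0).upper(), []).append((data, proc))
    result = {}
    for name, entry in ssodl.items():
        servers = inproc.get(entry['clsid'], [])
        result[name] = {
            'clsid': entry['clsid'],
            'ssodl_writers': sorted(entry['writers']),
            'dlls': sorted({dll for dll, _ in servers}),
            'rewrites': len(servers),
        }
    return result


def explorer_load_candidates(resolved):
    """Every DLL Explorer could load at logon through an SSODL entry. With N rewrites of one
    CLSID only the last writer's DLL is live, but the report's row order does not say which,
    so cleanup has to remove all of them plus the SSODL value and the CLSID key."""
    return sorted({dll for entry in resolved.values() for dll in entry['dlls']})


if __name__ == '__main__':
    resolved = resolve_ssodl(parse_rows(REPORT_ROWS))
    for name, entry in resolved.items():
        print(f"SSODL value {name!r} -> {entry['clsid']} rewritten {entry['rewrites']}x")
        for dll in entry['dlls']:
            print('   ', dll)
```

Run over the full tables, the rewrite count for the single CLSID reaches 17: every stage re-pointed the same InProcServer32 default value at its own DLL and re-wrote the same "Web Event Logger" SSODL value. Because the rows are not chronological, the table cannot tell you which DLL will be live at the next logon; hunting and remediation should therefore key on the SSODL value name and the CLSID, and remove every registered DLL, rather than on any one file name. On a live host the same join is made by reading the two keys under HKLM (including the Wow6432Node view) with the standard-library winreg module.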
Suspicious use of WriteProcessMemory
Processes
The command lines name C:\Windows\system32, but every image runs from C:\Windows\SysWOW64: these are 32-bit processes on a 64-bit guest, so WOW64 file-system redirection maps system32 to SysWOW64 for them, and the same redirection is why their registry writes land under Wow6432Node. An investigator on the host has to look in SysWOW64 (or search from a 32-bit context) to find the dropped files. WerFault's -p argument is the PID of the faulting process (Cacacg32.exe, per the Program crash signature).
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | "C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe" |
| C:\Windows\SysWOW64\Okfgfl32.exe | C:\Windows\system32\Okfgfl32.exe |
| C:\Windows\SysWOW64\Pgpeal32.exe | C:\Windows\system32\Pgpeal32.exe |
| C:\Windows\SysWOW64\Pnimnfpc.exe | C:\Windows\system32\Pnimnfpc.exe |
| C:\Windows\SysWOW64\Pqjfoa32.exe | C:\Windows\system32\Pqjfoa32.exe |
| C:\Windows\SysWOW64\Pkdgpo32.exe | C:\Windows\system32\Pkdgpo32.exe |
| C:\Windows\SysWOW64\Pfikmh32.exe | C:\Windows\system32\Pfikmh32.exe |
| C:\Windows\SysWOW64\Pkfceo32.exe | C:\Windows\system32\Pkfceo32.exe |
| C:\Windows\SysWOW64\Qqeicede.exe | C:\Windows\system32\Qqeicede.exe |
| C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\system32\Aaheie32.exe |
| C:\Windows\SysWOW64\Ajbggjfq.exe | C:\Windows\system32\Ajbggjfq.exe |
| C:\Windows\SysWOW64\Ackkppma.exe | C:\Windows\system32\Ackkppma.exe |
| C:\Windows\SysWOW64\Afkdakjb.exe | C:\Windows\system32\Afkdakjb.exe |
| C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\system32\Bfpnmj32.exe |
| C:\Windows\SysWOW64\Bjbcfn32.exe | C:\Windows\system32\Bjbcfn32.exe |
| C:\Windows\SysWOW64\Blaopqpo.exe | C:\Windows\system32\Blaopqpo.exe |
| C:\Windows\SysWOW64\Cdoajb32.exe | C:\Windows\system32\Cdoajb32.exe |
| C:\Windows\SysWOW64\Cacacg32.exe | C:\Windows\system32\Cacacg32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 140 |
Network
No network indicators are listed in this report.
Files
memory/1524-0-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Okfgfl32.exe
| MD5 | 076943d7feef0803dc2c7956c93e6df1 |
| SHA1 | d9c9780558fbe4ff2fc5cb25e286589f296f5fce |
| SHA256 | cfe22fee8b86c49f43332268ef536e663879abdf9c8226b8e31f675a28a54c44 |
| SHA512 | 482e23d6067092c0764924e815210b1368cec78ab879d3282b3423c7561da0ac1609bcb1d2e909827289b02adfa9d85bfde6c4b8dc9ca5756cca5a9361a6579d |
memory/1524-6-0x00000000003A0000-0x00000000003F3000-memory.dmp
\Windows\SysWOW64\Pgpeal32.exe
| MD5 | 1bd90164dcb0da56b68657f5f8f4906c |
| SHA1 | 989f24475fa7dc126cf483490d00c36c9241d2ae |
| SHA256 | 151d0ddfac0e874d11c46c6b0fb239c5e3dbd8bacefd9b545fe312a4896d29ed |
| SHA512 | 09cd9fc1ff30ea02d371e818401f5406d1f8e40062f415f6a793b1e48bd653d2c543129f34692b9084e8755bd39093fb2c8ae16f6922a75e8fb9b44ccde2650b |
\Windows\SysWOW64\Pqjfoa32.exe
| MD5 | 701dfb1d6ddaeff3d28388cb2616ee3d |
| SHA1 | b725180a09798f2fdb85a3e6153ed4fb1a9257e2 |
| SHA256 | f3ebb227c99b926b53a7651978cd52362ed3dfed8ccdbf924b2ac859eda40f97 |
| SHA512 | 77fd2d9e34485d63cdad2be939ee156385e9ae213ec5c6d49b2625a529b7bc101bc0b910b5b87a136e9d8511d1b4434666f3302079f77bef8015a64072d6b7c5 |
C:\Windows\SysWOW64\Pnimnfpc.exe
| MD5 | ba47c238c36c3f385d8b9598a1fc5ff5 |
| SHA1 | 6396c9fc797d2d9e72570767c4717f6f00a46d75 |
| SHA256 | 8417a6defbd1d43a33c690005c483befb5de0b7b3cd575c684101f18b03b8516 |
| SHA512 | 081ed4ec57af699dba5c0a0d284f43d40faa9ba913d1a59b2827ad23ba9428a30ed7164b91838b15e58486571a1bf3da26da4262e054e8a796ef16fc3159568f |
\Windows\SysWOW64\Pfikmh32.exe
| MD5 | ba633d794f78b73e1fdfeeb3e3957ab4 |
| SHA1 | 758c3c8664c8f54101ccd99e2e7ef868295c4df3 |
| SHA256 | 67f2dabe02ada3b8b520cf0cd3567163db7e4448b1ca70c6e41e0d3fe9e29be2 |
| SHA512 | 35f4464d439d63e507214b0136f5cd9b98900aa42bbdb9418e8252eddb1e59894469da51f9631c6cf0a4f7e09f5a9435f35af1705e252a2fbce204d9f6079cb5 |
memory/2888-88-0x00000000002D0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Pkfceo32.exe
| MD5 | 581b80ef8c0cd7b6ad13345b23eb5abb |
| SHA1 | 5215385e863c8b987c0fe436e93ad373c95615ef |
| SHA256 | d4969e3dfee984161b8880038d02e81496fe1f798a9942b30606464124e778c2 |
| SHA512 | 45391930c6c616d3fc11f1e9ced17f12d9b261497ece52270254471224133fb1d941417ed405e4896935512255212101c7dc81c5297ebb45739bd82dbc070f19 |
C:\Windows\SysWOW64\Qqeicede.exe
| MD5 | b42c2e8dcfd27cd2f02b69f043976635 |
| SHA1 | 9c7908ca69d39fd19c1c99fb0518e8c4a7e26460 |
| SHA256 | 1cb957cc6bdd9cfe5e4c1edfdd1ca5fd2c223940270e962994d28051cedd3adb |
| SHA512 | 6d323bf0526e81a29f9baf4f362249b2af2dbb304dd97f9b42962d743572de11002f9916b613de888b73ea6711859e5f7555fad0d04a56be1a9a18f9b4bd8c6e |
memory/1020-110-0x00000000002C0000-0x0000000000313000-memory.dmp
\Windows\SysWOW64\Aaheie32.exe
| MD5 | b54f95ef4ccd2d71189110ad5fd9e915 |
| SHA1 | d218db32509023d41c871425f3e57308e06eb7fa |
| SHA256 | 60e00bc41d3f377f4f3a41c4b60dd31298f351e593fd8dca9b35bc267c4271f5 |
| SHA512 | 6421fb89eb6325b7bff32a8d88b3db847f3735aec338759ff5e94ab208f99ea8e5d39d9cd6e62953618e1afdf0e2f9d6e2955aa9727a65c9a6e93fd79aa3e21f |
C:\Windows\SysWOW64\Ajbggjfq.exe
| MD5 | 42ecef8a8e6f6847e08d010ed27132a1 |
| SHA1 | d9b7294e1377250c8770ae164a22d9efce83f8cc |
| SHA256 | 01f89498ad4649e424519f05be685f84ebffe740c498ab30e7553a348b81d738 |
| SHA512 | 4735ebf050886f06332a8bbc319180c8e48c4b7553c1e3af4d45bb3beb69aaf8d5f799a5a258201c09b97ad9490e5ea4ef7bc42daed79d63d18f6a9e7ec8428f |
C:\Windows\SysWOW64\Ackkppma.exe
| MD5 | 32cae2fa4ed23e54385789679d30d73b |
| SHA1 | 7b32e88c6b99c7f0fa5fd6f73d8e4b243792bbd8 |
| SHA256 | 192690c6d2bd9ab254562fef2fc868b7ae101a48488bd570ff96e0112e3630a9 |
| SHA512 | d9bdbfb58aa8a28d85488cd698e8c292956c9af625e6ac9e8958e7e1a3eef19d401562050379d48f1e9ecaa61675d4cb02226380a9cd64ffa4ffbfc30ca423a5 |
memory/2500-130-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1960-142-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2824-116-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1020-102-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Pkdgpo32.exe
| MD5 | e1c0c3c1cfe0b1ef6d105c8de10fe0d4 |
| SHA1 | 628cb1966e664260c75f87a1d7122ca79f4b7cab |
| SHA256 | 856259de8c05637b5f12c66a0c4c1c8db5852505a8d7e454216598f31be5366a |
| SHA512 | ec27a6e35169428133a33e9ae63b2138f8b764c5e8820d825eb752f249766172708a4384f27387960fadf584a4a8a5585585f1d9ab4e3b24daeed6064179e0fc |
memory/2452-77-0x0000000000220000-0x0000000000273000-memory.dmp
memory/2612-56-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2496-37-0x0000000000220000-0x0000000000273000-memory.dmp
memory/2496-13-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Afkdakjb.exe
| MD5 | 5ee43189f7c352e157c6d3caefec150a |
| SHA1 | f75d78363f43b78299d13775b81552ceb029c212 |
| SHA256 | 42a10dc1314b1c559c5eeef9dded5a7bda2c2420ca77b1001c0c213af59a0419 |
| SHA512 | c93132a5b8f520ba8e798e4f3d7a2a8ca654766a023a7007fc9b7adbff6515d1ad9ef2c1e4a6fd595c6993e2fb672e0535b78d441a799aee2caa52690b8790a0 |
memory/1960-149-0x00000000002E0000-0x0000000000333000-memory.dmp
memory/1120-157-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Bfpnmj32.exe
| MD5 | 6510979eb449e7a07bf6bdb39a5ac755 |
| SHA1 | f922ffcb5830a0c5984f7977bf1f73e1ad40ab82 |
| SHA256 | a83d8260157d6e5dd32eb5059b140cd4f3ba76017c11706f708ef1a3ec74781a |
| SHA512 | bfa1d8ebfb62b72c10074283fa78e90a127b71ff037d83f8ef6234067952c9931cb55df4561add0d0d7f4de3509c4ea8e2e096584ff249883fba31c71e8e7682 |
memory/1120-167-0x0000000001BA0000-0x0000000001BF3000-memory.dmp
\Windows\SysWOW64\Bjbcfn32.exe
| MD5 | 1f8322e9013a935b0052337bbdd2ea63 |
| SHA1 | 350aedc81e249f616a83194b2c33521c0a1cadd1 |
| SHA256 | 4a7a92a7de9e666114a0af7fb4f38b5d31ea8f6f453969c6cd4818ab6cfa6762 |
| SHA512 | f3f9bbef908c6ca009f85ff871ef4a4ae5c3fd8bff9921a09eb4caecf6e0d80e37f30d099aac2a6607aa24addf566a944f32263563f3c78f6ae8287b0675a072 |
memory/1380-177-0x0000000000220000-0x0000000000273000-memory.dmp
memory/1268-188-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Blaopqpo.exe
| MD5 | 65c03bb25f247a3440d9938383357745 |
| SHA1 | 86dbb4bb63c9fce9e58904b4923f8feccfee47fe |
| SHA256 | 637450a4ac06be74b562cf6bce3407bad6ea207894de3302089f7e4c1261673b |
| SHA512 | a475c8458c2d108ca282bcd360a6593ea551c25852eb5cf72893e13fcff62b88908df329ccd050129d98b3b107a4779f3be176efe26442c8c155f8b375e5abd1 |
\Windows\SysWOW64\Cdoajb32.exe
| MD5 | 14ca80a5c6d3a47e6a5cc7f75c8d8125 |
| SHA1 | e55af2d8b9c05e9c0fd9173b7c332af425bcd92a |
| SHA256 | 729b3d8332fd6422689ddcb2a492584db13cc0c77ff5f1104234ff1d02cd2067 |
| SHA512 | f3bdd2ac291f871be8a734f647e3bae5e6a6d09443fbf76decf33d1f074dde635c99356ee3a6243b3bb8490d2909058db3a22e1662b4240ec86e1a9753935304 |
memory/320-203-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1268-196-0x0000000000220000-0x0000000000273000-memory.dmp
memory/1268-191-0x0000000000220000-0x0000000000273000-memory.dmp
memory/320-212-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/320-214-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/2784-213-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2124-223-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cacacg32.exe
| MD5 | 07f31bd55c92bc492747c27f8dffa108 |
| SHA1 | 79eb651b73c608aa62453a97521e3d2d83ef43a9 |
| SHA256 | ada476bbbb0cab66a0912bca7967a414cb587d86e3c6b99e2cf77aa461dc84fe |
| SHA512 | efec4df909f75dde50f58d17b6defc435e4bd2da59b1b90ed77a3cee1f04fc335da22f04742647f3cf2233daf46fbb1c1d2cfb04c51831fd0ca5592722c6cbc7 |
memory/1524-261-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2496-263-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2612-265-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2628-272-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2620-274-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2452-276-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2888-278-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1652-280-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1020-282-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2824-284-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2500-286-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1960-288-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1120-290-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1380-292-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1268-294-0x0000000000400000-0x0000000000453000-memory.dmp
memory/320-296-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2784-298-0x0000000000400000-0x0000000000453000-memory.dmp
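The dropped-file list above is a flattened layout: a path line, four hash rows, and `memory/PID-SEQ-0xSTART-0xEND-memory.dmp` entries interleaved between files, with some paths written without a drive letter. The parser below is an added example written for this page, not output or tooling from the sandbox; it assumes exactly that layout and that drive-less paths live on C:. Besides producing a SHA256 blocklist and checking that each digest has the length its algorithm requires, it computes the size of every dumped region. In this run every dump spans 0x53000 bytes whether it was taken at 0x400000 or at another base, which is consistent with one image being written out under many random eight-letter names.

```python
"""Structure the dropped-file and memory-dump entries of a sandbox report.

Added example for this page; not part of the sandbox output. Assumes the
layout above: a path line, then "| MD5 | hex |" style rows, with
"memory/PID-SEQ-0xSTART-0xEND-memory.dmp" lines interleaved.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report above (three files, four dumps).
SAMPLE_LINES = [
    "memory/1020-110-0x00000000002C0000-0x0000000000313000-memory.dmp",
    r"\Windows\SysWOW64\Aaheie32.exe",
    "| MD5 | b54f95ef4ccd2d71189110ad5fd9e915 |",
    "| SHA1 | d218db32509023d41c871425f3e57308e06eb7fa |",
    "| SHA256 | 60e00bc41d3f377f4f3a41c4b60dd31298f351e593fd8dca9b35bc267c4271f5 |",
    "| SHA512 | 6421fb89eb6325b7bff32a8d88b3db847f3735aec338759ff5e94ab208f99ea8e5d39d9cd6e62953618e1afdf0e2f9d6e2955aa9727a65c9a6e93fd79aa3e21f |",
    r"C:\Windows\SysWOW64\Ajbggjfq.exe",
    "| MD5 | 42ecef8a8e6f6847e08d010ed27132a1 |",
    "| SHA1 | d9b7294e1377250c8770ae164a22d9efce83f8cc |",
    "| SHA256 | 01f89498ad4649e424519f05be685f84ebffe740c498ab30e7553a348b81d738 |",
    "| SHA512 | 4735ebf050886f06332a8bbc319180c8e48c4b7553c1e3af4d45bb3beb69aaf8d5f799a5a258201c09b97ad9490e5ea4ef7bc42daed79d63d18f6a9e7ec8428f |",
    r"C:\Windows\SysWOW64\Ackkppma.exe",
    "| MD5 | 32cae2fa4ed23e54385789679d30d73b |",
    "| SHA1 | 7b32e88c6b99c7f0fa5fd6f73d8e4b243792bbd8 |",
    "| SHA256 | 192690c6d2bd9ab254562fef2fc868b7ae101a48488bd570ff96e0112e3630a9 |",
    "| SHA512 | d9bdbfb58aa8a28d85488cd698e8c292956c9af625e6ac9e8958e7e1a3eef19d401562050379d48f1e9ecaa61675d4cb02226380a9cd64ffa4ffbfc30ca423a5 |",
    "memory/2500-130-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/1020-102-0x0000000000400000-0x0000000000453000-memory.dmp",
    "memory/2452-77-0x0000000000220000-0x0000000000273000-memory.dmp",
]

HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def normalize_path(path):
    """The report mixes '\\Windows\\...' and 'C:\\Windows\\...'; assume the bare form is on C:."""
    return "C:" + path if path.startswith("\\") else path


def parse_artifacts(lines):
    """Return (files, dumps, problems).

    files: {path: {algo: hexdigest}}; hash rows seen before any path (a block
    cut off above) land under the key None instead of on the wrong file.
    dumps: one record per memory/... line with the region size computed.
    problems: digests whose length does not match their algorithm.
    """
    files, dumps, problems, current = {}, [], [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start})
            current = None          # a dump line closes the current file entry
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LEN[algo]:
                problems.append((current, algo, len(digest)))
            files.setdefault(current, {})[algo] = digest
            continue
        if PATH_RE.match(line):
            current = normalize_path(line)
            files.setdefault(current, {})
            continue
        current = None              # headings or other text close the entry
    return files, dumps, problems


def sha256_blocklist(files):
    """Sorted, de-duplicated SHA256 values ready for a blocklist or hunt query."""
    return sorted({h["SHA256"] for p, h in files.items() if p is not None and "SHA256" in h})


def summarize_dumps(dumps):
    """Group dumps by PID and collect the distinct region sizes and base addresses."""
    per_pid = defaultdict(list)
    for d in dumps:
        per_pid[d["pid"]].append(d)
    return {
        "dumps_per_pid": {pid: len(v) for pid, v in per_pid.items()},
        "region_sizes": {d["size"] for d in dumps},
        "bases": sorted({d["start"] for d in dumps}),
    }


def analyze(lines=SAMPLE_LINES):
    files, dumps, problems = parse_artifacts(lines)
    return {"files": files, "blocklist": sha256_blocklist(files),
            "dumps": summarize_dumps(dumps), "problems": problems}


if __name__ == "__main__":
    result = analyze()
    for path in sorted(p for p in result["files"] if p is not None):
        print(path, result["files"][path].get("SHA256"))
    print("SHA256 blocklist:", result["blocklist"])
    print("dumps per PID:", result["dumps"]["dumps_per_pid"])
    print("region sizes:", [hex(s) for s in result["dumps"]["region_sizes"]])
    print("malformed digests:", result["problems"])
```

Feed the whole dropped-file section to `parse_artifacts` to get every hash and dump; a single distinct value in `region_sizes` is the quick signal that all dumped processes hold the same-sized image, and any entry in `problems` means a hash was mangled in extraction and should not be copied into a blocklist.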
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 20:33
Reported
2024-03-15 20:36
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
160s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odedipge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mhmmieil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Djipbbne.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qoelkp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aonoao32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ogekbb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dbckcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dlobmd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgnbdh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjfogbjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aajohjon.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnfkgp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pnifekmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Egaejeej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndnnianm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kjbdbjbi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bllbaa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kakmna32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekqckmfb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hepgkohh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gipbck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhhcne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cejjdlap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlpfhe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ahfmpnql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hepgkohh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnnnfalp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aajohjon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ihmfco32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Phmnfp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkaeih32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kcpjnjii.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dbfoclai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ecanojgl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fpcdof32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Phodcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbnknpqj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lndagg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlepcdoa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Famhmfkl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dbfoclai.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ienlbf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdokmm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iialhaad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Johggfha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qppaclio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gmdoel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kfkamk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhbcfbjk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Apmhiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnokjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bbbkbbkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Doojec32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojnfihmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbhhieao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nconfh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdqcenmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mphamg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dalkek32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bochmn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hemdlj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bpdnjple.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chfegk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpogkhnl.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(55 identical hits in this run; the sandbox recorded no indicator, process or target for any of them)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 identical hits in this run; the sandbox recorded no indicator, process or target for any of them)
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Dbmdml32.dll | C:\Windows\SysWOW64\Pdmdnadc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpceplkl.dll | C:\Windows\SysWOW64\Hifmmb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ipkdek32.exe | C:\Windows\SysWOW64\Iialhaad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pfhmjf32.exe | C:\Windows\SysWOW64\Pakdbp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nconfh32.exe | C:\Windows\SysWOW64\Ndnnianm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ecanojgl.exe | C:\Windows\SysWOW64\Elhfbp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbmimp32.dll | C:\Windows\SysWOW64\Ljceqb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flbfjl32.dll | C:\Windows\SysWOW64\Oakbehfe.exe | N/A |
| File created | C:\Windows\SysWOW64\Qlqidj32.dll | C:\Windows\SysWOW64\Bgfhnpde.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjiloqjb.exe | C:\Windows\SysWOW64\Mmdlflki.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Niihlkdm.exe | C:\Windows\SysWOW64\Ndhgie32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gngeik32.exe | C:\Windows\SysWOW64\Ggmmlamj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipdbmgdb.dll | C:\Windows\SysWOW64\Llqjbhdc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfmolc32.exe | C:\Windows\SysWOW64\Bpcgpihi.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjnmfk32.dll | C:\Windows\SysWOW64\Mdghhb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kqdodo32.exe | C:\Windows\SysWOW64\Jckeokan.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmbopm32.exe | C:\Windows\SysWOW64\Mfhgcbfo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Idfaefkd.exe | C:\Windows\SysWOW64\Hmlpaoaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Qmepam32.exe | C:\Windows\SysWOW64\Pmaffnce.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjffpe32.exe | C:\Windows\SysWOW64\Qppaclio.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpogkhnl.exe | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| File created | C:\Windows\SysWOW64\Pinffi32.dll | C:\Windows\SysWOW64\Ilhkigcd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Doojec32.exe | C:\Windows\SysWOW64\Ddifgk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Obqanjdb.exe | C:\Windows\SysWOW64\Omdieb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbbmmo32.exe | C:\Windows\SysWOW64\Jnnnfalp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ecoaijio.exe | C:\Windows\SysWOW64\Dekapfke.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmeadk32.dll | C:\Windows\SysWOW64\Eljchpnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Eciqfjec.dll | C:\Windows\SysWOW64\Ibqnkh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipkdek32.exe | C:\Windows\SysWOW64\Iialhaad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkefmjcj.exe | C:\Windows\SysWOW64\Gdknpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhjmpfcl.dll | C:\Windows\SysWOW64\Dndnpf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hemdlj32.exe | C:\Windows\SysWOW64\Hlepcdoa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oikjkc32.exe | C:\Windows\SysWOW64\Obqanjdb.exe | N/A |
| File created | C:\Windows\SysWOW64\Dekapfke.exe | C:\Windows\SysWOW64\Dlqpaafg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlpfhe32.exe | C:\Windows\SysWOW64\Hedafk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofkhal32.dll | C:\Windows\SysWOW64\Bpdnjple.exe | N/A |
| File created | C:\Windows\SysWOW64\Eemgkpef.exe | C:\Windows\SysWOW64\Dbckcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gakbde32.dll | C:\Windows\SysWOW64\Geanfelc.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbddobla.exe | C:\Windows\SysWOW64\Pkklbh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mqkiok32.exe | C:\Windows\SysWOW64\Mfqlfb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjbcplpe.exe | C:\Windows\SysWOW64\Pnkbkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bddcenpi.exe | C:\Windows\SysWOW64\Bhmbqm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hclkag32.dll | C:\Windows\SysWOW64\Gnblnlhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ojnfihmo.exe | C:\Windows\SysWOW64\Ocdnln32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fifomlap.exe | C:\Windows\SysWOW64\Ehnpmkbg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nmenca32.exe | C:\Windows\SysWOW64\Mgclpkac.exe | N/A |
| File created | C:\Windows\SysWOW64\Iplkpa32.exe | C:\Windows\SysWOW64\Ibaeen32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eebgqe32.exe | C:\Windows\SysWOW64\Eljchpnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agckiqgg.exe | C:\Windows\SysWOW64\Abgcqjhp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kcpjnjii.exe | C:\Windows\SysWOW64\Klcekpdo.exe | N/A |
| File created | C:\Windows\SysWOW64\Kebkgjkg.dll | C:\Windows\SysWOW64\Nbbeml32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bpcgpihi.exe | C:\Windows\SysWOW64\Bjfogbjb.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgebnc32.exe | C:\Windows\SysWOW64\Hjabdo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lacbpccn.exe | C:\Windows\SysWOW64\Lndfchdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkdqdokk.exe | C:\Windows\SysWOW64\Bfghlhmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ehmfqgao.dll | C:\Windows\SysWOW64\Kifjip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lciibdmj.dll | C:\Windows\SysWOW64\Hemdlj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iojkeh32.exe | C:\Windows\SysWOW64\Ibcjqgnm.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpclaedf.dll | C:\Windows\SysWOW64\Hkmlnimb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlblcn32.exe | C:\Windows\SysWOW64\Geanfelc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iojkeh32.exe | C:\Windows\SysWOW64\Ibcjqgnm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ekimjn32.exe | C:\Windows\SysWOW64\Eaaiahei.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjcfcakn.exe | C:\Windows\SysWOW64\Gloejmld.exe | N/A |
| File created | C:\Windows\SysWOW64\Mffjnc32.exe | C:\Windows\SysWOW64\Ldgnbg32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Eldlhckj.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ifleji32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadhip32.dll" | C:\Windows\SysWOW64\Clchbqoo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll" | C:\Windows\SysWOW64\Lggejg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jidinqpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbneceac.dll" | C:\Windows\SysWOW64\Hqghqpnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fneoma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lndfchdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgblkajh.dll" | C:\Windows\SysWOW64\Agobna32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bpkdjofm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghehjh32.dll" | C:\Windows\SysWOW64\Eiekog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll" | C:\Windows\SysWOW64\Ojnfihmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pakdbp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gkefmjcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hnjaonij.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nnicid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofmfi32.dll" | C:\Windows\SysWOW64\Onkidm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Edeeci32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oqhoeb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hjabdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndkjik32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ckjbhmad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oqmhqapg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdbamc32.dll" | C:\Windows\SysWOW64\Ecanojgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gjcfcakn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkonk32.dll" | C:\Windows\SysWOW64\Anhcpeon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njpdnedf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Egaejeej.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmdmpe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggaoeo32.dll" | C:\Windows\SysWOW64\Mmpbkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acphqk32.dll" | C:\Windows\SysWOW64\Djipbbne.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjofoqdn.dll" | C:\Windows\SysWOW64\Hlepcdoa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mcoljagj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhoped32.dll" | C:\Windows\SysWOW64\Ppdbgncl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjfogbjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hclccd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llbndn32.dll" | C:\Windows\SysWOW64\Cejjdlap.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Chfegk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eiekog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mhldbh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aimogakj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hmhhpkcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ppdbgncl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ahgcjddh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbobjbh.dll" | C:\Windows\SysWOW64\Hbfdjc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll" | C:\Windows\SysWOW64\Jbbmmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jepbodhg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\6610f2ffe8366384ae30fc96db1bf2bdabb049023712fc3dc387503fe52e059c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ljdkll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ilhkigcd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgilmo32.dll" | C:\Windows\SysWOW64\Aeopfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjllm32.dll" | C:\Windows\SysWOW64\Ojajin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Omdieb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cpqlfa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hnokjm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqkcc32.dll" | C:\Windows\SysWOW64\Pbdmdlie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlqidj32.dll" | C:\Windows\SysWOW64\Bgfhnpde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ofmdio32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Objkmkjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qcncodki.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lmjcdd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alfall32.dll" | C:\Windows\SysWOW64\Jmamba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhcgogn.dll" | C:\Windows\SysWOW64\Mhhcne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ikbfgppo.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\Libido32.exe
C:\Windows\system32\Libido32.exe
C:\Windows\SysWOW64\Ldgnbg32.exe
C:\Windows\system32\Ldgnbg32.exe
C:\Windows\SysWOW64\Mffjnc32.exe
C:\Windows\system32\Mffjnc32.exe
C:\Windows\SysWOW64\Mmpbkm32.exe
C:\Windows\system32\Mmpbkm32.exe
C:\Windows\SysWOW64\Mfhgcbfo.exe
C:\Windows\system32\Mfhgcbfo.exe
C:\Windows\SysWOW64\Mmbopm32.exe
C:\Windows\system32\Mmbopm32.exe
C:\Windows\SysWOW64\Mhhcne32.exe
C:\Windows\system32\Mhhcne32.exe
C:\Windows\SysWOW64\Mmdlflki.exe
C:\Windows\system32\Mmdlflki.exe
C:\Windows\SysWOW64\Mjiloqjb.exe
C:\Windows\system32\Mjiloqjb.exe
C:\Windows\SysWOW64\Mhmmieil.exe
C:\Windows\system32\Mhmmieil.exe
C:\Windows\SysWOW64\Mphamg32.exe
C:\Windows\system32\Mphamg32.exe
C:\Windows\SysWOW64\Ndhgie32.exe
C:\Windows\system32\Ndhgie32.exe
C:\Windows\SysWOW64\Niihlkdm.exe
C:\Windows\system32\Niihlkdm.exe
C:\Windows\SysWOW64\Odaiodbp.exe
C:\Windows\system32\Odaiodbp.exe
C:\Windows\SysWOW64\Oknnanhj.exe
C:\Windows\system32\Oknnanhj.exe
C:\Windows\SysWOW64\Pdmikb32.exe
C:\Windows\system32\Pdmikb32.exe
C:\Windows\SysWOW64\Phmnfp32.exe
C:\Windows\system32\Phmnfp32.exe
C:\Windows\SysWOW64\Qnamofdf.exe
C:\Windows\system32\Qnamofdf.exe
C:\Windows\SysWOW64\Anhcpeon.exe
C:\Windows\system32\Anhcpeon.exe
C:\Windows\SysWOW64\Agqhik32.exe
C:\Windows\system32\Agqhik32.exe
C:\Windows\SysWOW64\Bgjjoi32.exe
C:\Windows\system32\Bgjjoi32.exe
C:\Windows\SysWOW64\Biigildg.exe
C:\Windows\system32\Biigildg.exe
C:\Windows\SysWOW64\Bbbkbbkg.exe
C:\Windows\system32\Bbbkbbkg.exe
C:\Windows\SysWOW64\Bilcol32.exe
C:\Windows\system32\Bilcol32.exe
C:\Windows\SysWOW64\Cnhlgc32.exe
C:\Windows\system32\Cnhlgc32.exe
C:\Windows\SysWOW64\Cqghcn32.exe
C:\Windows\system32\Cqghcn32.exe
C:\Windows\SysWOW64\Cjomldfp.exe
C:\Windows\system32\Cjomldfp.exe
C:\Windows\SysWOW64\Cejjdlap.exe
C:\Windows\system32\Cejjdlap.exe
C:\Windows\SysWOW64\Cbnknpqj.exe
C:\Windows\system32\Cbnknpqj.exe
C:\Windows\SysWOW64\Djipbbne.exe
C:\Windows\system32\Djipbbne.exe
C:\Windows\SysWOW64\Dendok32.exe
C:\Windows\system32\Dendok32.exe
C:\Windows\SysWOW64\Dlobmd32.exe
C:\Windows\system32\Dlobmd32.exe
C:\Windows\SysWOW64\Dalkek32.exe
C:\Windows\system32\Dalkek32.exe
C:\Windows\SysWOW64\Enpknplq.exe
C:\Windows\system32\Enpknplq.exe
C:\Windows\SysWOW64\Eejcki32.exe
C:\Windows\system32\Eejcki32.exe
C:\Windows\SysWOW64\Eldlhckj.exe
C:\Windows\system32\Eldlhckj.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7372 -ip 7372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 400
Network
Files