Analysis Overview
SHA256
a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19
Threat Level: Known bad
The file a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19 was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:54
Reported
2024-04-06 23:56
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abphal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abphal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Baadng32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Abphal32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ceegmj32.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Qbbhgi32.exe | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bbikgk32.exe | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aoogfhfp.dll | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agdjkogm.exe | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaloddnn.exe | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| File created | C:\Windows\SysWOW64\Cddjebgb.exe | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhdmagqq.dll | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| File created | C:\Windows\SysWOW64\Pndpajgd.exe | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| File created | C:\Windows\SysWOW64\Aobcmana.dll | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| File created | C:\Windows\SysWOW64\Baadng32.exe | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmclhi32.exe | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmclhi32.exe | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcnmkd32.dll | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpggbq32.dll | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bphbeplm.exe | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgahjhop.dll | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eoqbnm32.dll | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pndpajgd.exe | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| File created | C:\Windows\SysWOW64\Qbbhgi32.exe | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljhcccai.dll | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Beejng32.exe | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljacemio.dll | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qhiphb32.dll | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| File created | C:\Windows\SysWOW64\Kganqf32.dll | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bilmcf32.exe | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bilmcf32.exe | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bphbeplm.exe | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Napoohch.dll | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aigchgkh.exe | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhpeoj32.dll | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Beejng32.exe | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| File created | C:\Windows\SysWOW64\Opacnnhp.dll | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qkhpkoen.exe | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qkhpkoen.exe | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaloddnn.exe | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebjnie32.dll | C:\Windows\SysWOW64\Abphal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjnmlk32.exe | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qjnmlk32.exe | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Abacpl32.dll | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aigchgkh.exe | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Abphal32.exe | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amelne32.exe | C:\Windows\SysWOW64\Abphal32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abphal32.exe | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Baadng32.exe | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agdjkogm.exe | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldhfglad.dll | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbikgk32.exe | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cddjebgb.exe | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfobiqka.dll | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| File created | C:\Windows\SysWOW64\Amelne32.exe | C:\Windows\SysWOW64\Abphal32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll" | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll" | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Abphal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll" | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll" | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll" | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Abphal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aigchgkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bbikgk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll" | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll" | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qjnmlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" | C:\Windows\SysWOW64\Bmclhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll" | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pndpajgd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" | C:\Windows\SysWOW64\Abphal32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe
"C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe"
C:\Windows\SysWOW64\Pndpajgd.exe
C:\Windows\system32\Pndpajgd.exe
C:\Windows\SysWOW64\Qkhpkoen.exe
C:\Windows\system32\Qkhpkoen.exe
C:\Windows\SysWOW64\Qbbhgi32.exe
C:\Windows\system32\Qbbhgi32.exe
C:\Windows\SysWOW64\Qjnmlk32.exe
C:\Windows\system32\Qjnmlk32.exe
C:\Windows\SysWOW64\Acfaeq32.exe
C:\Windows\system32\Acfaeq32.exe
C:\Windows\SysWOW64\Agdjkogm.exe
C:\Windows\system32\Agdjkogm.exe
C:\Windows\SysWOW64\Aaloddnn.exe
C:\Windows\system32\Aaloddnn.exe
C:\Windows\SysWOW64\Aigchgkh.exe
C:\Windows\system32\Aigchgkh.exe
C:\Windows\SysWOW64\Abphal32.exe
C:\Windows\system32\Abphal32.exe
C:\Windows\SysWOW64\Amelne32.exe
C:\Windows\system32\Amelne32.exe
C:\Windows\SysWOW64\Bilmcf32.exe
C:\Windows\system32\Bilmcf32.exe
C:\Windows\SysWOW64\Bphbeplm.exe
C:\Windows\system32\Bphbeplm.exe
C:\Windows\SysWOW64\Beejng32.exe
C:\Windows\system32\Beejng32.exe
C:\Windows\SysWOW64\Bbikgk32.exe
C:\Windows\system32\Bbikgk32.exe
C:\Windows\SysWOW64\Bmclhi32.exe
C:\Windows\system32\Bmclhi32.exe
C:\Windows\SysWOW64\Baadng32.exe
C:\Windows\system32\Baadng32.exe
C:\Windows\SysWOW64\Cddjebgb.exe
C:\Windows\system32\Cddjebgb.exe
C:\Windows\SysWOW64\Ceegmj32.exe
C:\Windows\system32\Ceegmj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 140
Network
Files
memory/2208-0-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2208-11-0x0000000000220000-0x0000000000260000-memory.dmp
C:\Windows\SysWOW64\Pndpajgd.exe
| MD5 | 27c4451b2175a2c8c42cf7a4209b8496 |
| SHA1 | 577bca5ba224bc700b14d82f0af637f8562ca7d1 |
| SHA256 | 74eed16312c976c70180e13d1a70d17521199d8e6373aae2039622a157a49f0f |
| SHA512 | d5bce834495731e22ee174f6cd4c9834df5f59bf5180fee7f8d7b870ef2af83511ad85fe3ecfe2fc982e25a6fec5fda8ea8c24aa6379854d6cafa27ed897e224 |
\Windows\SysWOW64\Qbbhgi32.exe
| MD5 | 6bb6bc6583987860d429eb55cac948f0 |
| SHA1 | b7e5cb6fd73c5a9767b9738adb52eb1e6edd8685 |
| SHA256 | 1995e56f6b156d301ac4fcdf09c334c862af61655cbf81b4f90c23aa971d75aa |
| SHA512 | 4b33d2dc81bd54292b25c31797968cf611642f280c29bba5e97b6cb7479a9ed63fe14aa22326b140b1d07203b7950152ddb1cf3b2a70c036f1ae73d2ba7d2007 |
C:\Windows\SysWOW64\Qkhpkoen.exe
| MD5 | f298f6df05d7dc6a757ce2c3e2fd2282 |
| SHA1 | f87fe30dfd8cbbce532ffafd66d03449f2f65914 |
| SHA256 | 82b2e713da4b8cea61c4bef7ce6fd229e5c6f7e292f3f3ed0e0deebfb8a3bc50 |
| SHA512 | 65616cb2187d782283e9d253481471f2f53f850bbb0f566af3ffcd18e23111e3ecef79f979b9f1949f32c608ba773a4ea8ba05be6e235ebd1270a83377f4d7d1 |
memory/2720-26-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2208-24-0x0000000000220000-0x0000000000260000-memory.dmp
C:\Windows\SysWOW64\Qjnmlk32.exe
| MD5 | 3bdf71aeaab14c67225fce7ca97f3587 |
| SHA1 | e2a441f818667f0b62552f96c58bbd34e806fab8 |
| SHA256 | 6b8f2dc5d03d26f87cdafc83afad4a0863bc074c16f0410273f01e4f31540efd |
| SHA512 | 672b9fbbe22e91558f8fc4e77e5f9831c40d48818e5a08ab45af8bf931e3d9b97a7ed1b25f3a89963180eecb959ffe7d6b037771626e0714e01e66cfcb9a78f4 |
memory/2968-38-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2596-63-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Acfaeq32.exe
| MD5 | 8f7b8f3afc2fe48c7eb1f78282fd2e94 |
| SHA1 | 4a76a49acd404890a839a0e6a7636542ac9a0f8b |
| SHA256 | 82440845516d7e6b98ff606a3c67b54bf9a164f220d9eda161a1b56c464004c8 |
| SHA512 | dafba18b69861af1ccd6b23009f5a698a570d6c58fa82a53305b973dd8dfc470d880c2126d37598ec379100e06961318205be5b1ef1c697b3a0fbf47f1a36420 |
memory/2556-89-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Aaloddnn.exe
| MD5 | 733d68f2cd8f00ce3e45ed653fd6c15d |
| SHA1 | 89ef04839dc4ac96012d92a2ec14c2c732685e74 |
| SHA256 | 01fc7c4e5348f047446c81538aaf8feafe5813be61483f32afb368c321c99534 |
| SHA512 | ccc32ea7efdba003cc76473256c72409198e780d5735a91a535d8c82facc1db3115abf89b322f053f326ca879ff054a1d6e3262d744be941a894d52a202b3e62 |
C:\Windows\SysWOW64\Agdjkogm.exe
| MD5 | c7fc6766e6f2ca14d1d5aafa82771fd8 |
| SHA1 | 9c5d880b54327d225af4427e591229098dc752ef |
| SHA256 | e13c8d5f1441960a6df7ea7d10bfee3ceb89c0516a3ac54766f81fed89e803c5 |
| SHA512 | 96a61219926f485e17090ca889f852f481158dfa6c92712306c094ded7325a94862b5e886cff7da604c550763d210d689a44f8e364f6e5b65bb7831a4403784c |
memory/2596-76-0x0000000000220000-0x0000000000260000-memory.dmp
memory/2740-102-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Aigchgkh.exe
| MD5 | db4dbdf688d99c478ef49ca6198cad19 |
| SHA1 | 266e4d6e2b19a8f262735e12f23bc7720eec82b6 |
| SHA256 | 4d1724a15d4fd01614763a84917c1013c864dc37409823e63ba5e8390b893b6c |
| SHA512 | eac99a2ec0d9af501688b6104a76e0332bfec46a2cd9f492a411a326662573a34442d9f7628d8725b29ecb055828545b22dafa3ee4be9f9c90aabd19256e21bf |
C:\Windows\SysWOW64\Amelne32.exe
| MD5 | 00bc17eac0b19ddf4674d8a35c00d9fa |
| SHA1 | 20ee23187920ae9f414ba881238fd1df16611383 |
| SHA256 | 26fe399733d92e0e37aed7e18022642e7bd1ca2d2e7c9ebd9bb26909cdfc1126 |
| SHA512 | f2fec6f9368eb671f4cc5cb6ada2ce9df57dfd954cfbf4704747efba2ddc334148cb411824674bf7e45f4fed038ebaa4486c86ec461770e1fdf44d31af0dcc4d |
C:\Windows\SysWOW64\Abphal32.exe
| MD5 | d65a3601ea5d1e0f58748ebed24bd1b8 |
| SHA1 | db987c17d08a91daf7645fba03fa888931522fe0 |
| SHA256 | cdeff46140fa456a475fe24505a096fb16f295b81180398e8731f5e9d2a74dad |
| SHA512 | 8f5e2479ea191f5e7bfa1fff7e2afbcaa2e4331db5c0743f299dec5b16f5126b67883b9bbf9586868fc7151f46592ce21656dc3be0f037160605e3b3944b2d59 |
memory/2452-116-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2396-104-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2592-141-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bilmcf32.exe
| MD5 | d4d937a6055657f3b192f404c4aafc80 |
| SHA1 | fe5e79fc75fdbeb7bab97a35345cf965da0d0c7d |
| SHA256 | 69a54f32531834ffbb04ca6a57e03a2e6bf71e55e9a8ac079b149bf79e334b51 |
| SHA512 | 283fd961ff77614d26a31ee7d98270cd29912a9c5bbdd885a604c3453034b9693ff624a12a1d48bf551c62eb5b2768b5d6006c4e4ea7fbbb56b1ed3b927a859d |
C:\Windows\SysWOW64\Bphbeplm.exe
| MD5 | 03a6c703d328e1c0e994dfeaf9b481f8 |
| SHA1 | 7db6e2e0b56900b0d34c04ca82202d031007a1be |
| SHA256 | 78abdab726560bed740b6278534ec49959d8e2ed5c6c6ae1f13f3d8284610dac |
| SHA512 | 6780667428e6fdf961ad1c3e6f9a614048621787091d521ccb2982d0876b034d6bbf09563bbd5bcd260bb84b8701458dde26fc2af88dc1ee46d06af99b2c66a6 |
memory/2308-154-0x0000000000220000-0x0000000000260000-memory.dmp
\Windows\SysWOW64\Bbikgk32.exe
| MD5 | 22c190fa7a091633de17fd76ab9da776 |
| SHA1 | 37bdaa6813aba3e813ce6dd602bc343ab3f47ae3 |
| SHA256 | d5f4e5a9cd46b31258a4607e51882b6f3e71a6fb44d2fcdbe57df0f5171acfdc |
| SHA512 | 1f250e36f28739a4d301afea8a389393d98fd85e7e12d05299b1a55d15060eff78b5a83eb4a2c546d6b55082b771dfff860766771bc3aa474e2a58c0c6d11592 |
memory/1948-168-0x0000000000220000-0x0000000000260000-memory.dmp
C:\Windows\SysWOW64\Beejng32.exe
| MD5 | 482262c6a657d53bd7d49c693d39ef11 |
| SHA1 | 52d0a9db7b47adc17244299343ee98b634bad85e |
| SHA256 | b4b64196e90bed28e23ed1b5b3af6a8de9480b19a48b13ba65a60913dd5e074b |
| SHA512 | 6a27a875a8d7e0aee29e0c173d3170023dab261feebced321fb8b2b77a352c486e692de1fe3e9049437844d7a9319ad5d658ba452d73f12da5a9541013bd6fae |
memory/2308-161-0x0000000000220000-0x0000000000260000-memory.dmp
memory/916-193-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Bmclhi32.exe
| MD5 | cb611641269bbcb21e9e4ab5e741bff5 |
| SHA1 | 1dd6efabb27ff3c5276166e8fcf0c4cb0bd864b7 |
| SHA256 | d656b5e9cf9a6a2c052948d69be3dee18a0685e84ac293415011d764488d828f |
| SHA512 | 6ab9b642a4634d213cd62e918a031f229c0a373235b1484a06fbc723f5b19631342261eedca8b4f395d0664cb1472f9baf376db55dd8551d8e8b32e5711b5789 |
memory/580-196-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1480-197-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2308-198-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1948-199-0x0000000000400000-0x0000000000440000-memory.dmp
memory/788-200-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1696-201-0x0000000000400000-0x0000000000440000-memory.dmp
\Windows\SysWOW64\Baadng32.exe
| MD5 | 930da22f2d86cd45357ea6cbfb13ac3c |
| SHA1 | d376ac15c62bd56a612ef38624eeee513cbe6cb1 |
| SHA256 | 36a7707a94d0ad13e0b7a2bd618cce79c3ca548205b101accb0ff98bc48b59cb |
| SHA512 | 6854a418a80dece20112f328ae2fc0a13873919f18b8d169f7e96b20b364d764cea9f091b29d02aefec7d1991f87d9517486ff26ef4cefdab162b7afa9dcb55f |
C:\Windows\SysWOW64\Cddjebgb.exe
| MD5 | a4137e7a354d2af9c85128991efe0cfc |
| SHA1 | b73279833de78ff499b7674278074fe7a9588b43 |
| SHA256 | 5fad9d3928304bcb60b0c9bdfba191caff745239b4db61e6e6f4a087a1e89511 |
| SHA512 | 187e009c733e6cc022cd4fdf7a34732273a19ba24f6fe34200555b705f91d70876db65976f2e03c514810793ea0b9e0f0b098aeb6fbca6e3982ef2036b4ee0fb |
memory/2284-219-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2052-227-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Ceegmj32.exe
| MD5 | dbb153e63c069eabc462a672c315dca7 |
| SHA1 | 9b93fc8f6598e9825d548f8f1edb56e4662af357 |
| SHA256 | 906692099f467070f18f0fb5c3402cb6935afbbc513184d4797c8c906b6a7c61 |
| SHA512 | f9d2f84e8cef521f21ce763910b5ea9c96aa77d9cca950e59555c5a7c6e9a0c481fe8ac055a8dbf7dacf06df7c461e734746f840a88116b148bfb851c7c0529f |
memory/824-232-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2208-233-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1696-234-0x0000000000400000-0x0000000000440000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:54
Reported
2024-04-06 23:56
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kagichjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjqjih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nacbfdao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgidml32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpcmec32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpolqa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgidml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbdmpqcb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lgpagm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkkdan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kibnhjgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lpcmec32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Majopeii.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jbocea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbdmpqcb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lpocjdld.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkihknfg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nacbfdao.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jbocea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jiikak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcgblncm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkgmcjld.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ofdhdf32.dll | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbcfgejn.dll | C:\Windows\SysWOW64\Mjhqjg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kckbqpnj.exe | C:\Windows\SysWOW64\Kpmfddnf.exe | N/A |
| File created | C:\Windows\SysWOW64\Gefncbmc.dll | C:\Windows\SysWOW64\Lgpagm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Odegmceb.dll | C:\Windows\SysWOW64\Mgghhlhq.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjhqjg32.exe | C:\Windows\SysWOW64\Mgidml32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njogjfoj.exe | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jidbflcj.exe | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Milgab32.dll | C:\Windows\SysWOW64\Kphmie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lijdhiaa.exe | C:\Windows\SysWOW64\Lgkhlnbn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcklgm32.exe | C:\Windows\SysWOW64\Majopeii.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgbefoji.exe | C:\Windows\SysWOW64\Kphmie32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkihknfg.exe | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| File created | C:\Windows\SysWOW64\Baefid32.dll | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcbahlip.exe | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kpmfddnf.exe | C:\Windows\SysWOW64\Kibnhjgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kacphh32.exe | C:\Windows\SysWOW64\Kkihknfg.exe | N/A |
| File created | C:\Windows\SysWOW64\Kphmie32.exe | C:\Windows\SysWOW64\Kkkdan32.exe | N/A |
| File created | C:\Windows\SysWOW64\Laalifad.exe | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfffjqdf.exe | C:\Windows\SysWOW64\Jplmmfmi.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnmopdep.exe | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnolfdcn.exe | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnjdmn32.dll | C:\Windows\SysWOW64\Kibnhjgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jigollag.exe | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgkhlnbn.exe | C:\Windows\SysWOW64\Lpappc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fneiph32.dll | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkgmcjld.exe | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jibeql32.exe | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mahbje32.exe | C:\Windows\SysWOW64\Mjqjih32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mciobn32.exe | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njogjfoj.exe | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jplifcqp.dll | C:\Windows\SysWOW64\Kpmfddnf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lcmofolg.exe | C:\Windows\SysWOW64\Lpocjdld.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkgmcjld.exe | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmqgnhmp.exe | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| File created | C:\Windows\SysWOW64\Mbaohn32.dll | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lgpagm32.exe | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lcgblncm.exe | C:\Windows\SysWOW64\Laefdf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lifenaok.dll | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkkdan32.exe | C:\Windows\SysWOW64\Kbdmpqcb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbgkjl32.dll | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljnnch32.exe | C:\Windows\SysWOW64\Lgpagm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kagichjo.exe | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbdmpqcb.exe | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kibnhjgj.exe | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcklgm32.exe | C:\Windows\SysWOW64\Majopeii.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfcbokki.dll | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ggpfjejo.dll | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Laefdf32.exe | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogndib32.dll | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfhbppbc.exe | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmmcfa32.dll | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| File created | C:\Windows\SysWOW64\Lidmdfdo.dll | C:\Windows\SysWOW64\Lpcmec32.exe | N/A |
| File created | C:\Windows\SysWOW64\Epmjjbbj.dll | C:\Windows\SysWOW64\Majopeii.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngcgcjnc.exe | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfffjqdf.exe | C:\Windows\SysWOW64\Jplmmfmi.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjblgaie.dll | C:\Windows\SysWOW64\Kkihknfg.exe | N/A |
| File created | C:\Windows\SysWOW64\Hefffnbk.dll | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nkjjij32.exe | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdknoa32.dll | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmlgol32.dll | C:\Windows\SysWOW64\Jpaghf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbdmpqcb.exe | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjqjih32.exe | C:\Windows\SysWOW64\Lcgblncm.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpdelajl.exe | C:\Windows\SysWOW64\Mkgmcjld.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lcbiao32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll" | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll" | C:\Windows\SysWOW64\Majopeii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdjfcecp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jiikak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jibeql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lgpagm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Laefdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll" | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" | C:\Windows\SysWOW64\Mgidml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mjhqjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jplmmfmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll" | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll" | C:\Windows\SysWOW64\Kkihknfg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lpocjdld.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" | C:\Windows\SysWOW64\Lgkhlnbn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll" | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kkihknfg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll" | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll" | C:\Windows\SysWOW64\Lgpagm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll" | C:\Windows\SysWOW64\Lcgblncm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kpmfddnf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll" | C:\Windows\SysWOW64\Mjqjih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll" | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll" | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kagichjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nacbfdao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll" | C:\Windows\SysWOW64\Jbocea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll" | C:\Windows\SysWOW64\Kphmie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kibnhjgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll" | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lgpagm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jpaghf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll" | C:\Windows\SysWOW64\Lpocjdld.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe
"C:\Users\Admin\AppData\Local\Temp\a166b803d4235876216af5fb75eeccba11f23a0b9540dc93873458b8f5c7aa19.exe"
C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
C:\Windows\SysWOW64\Jplmmfmi.exe
C:\Windows\system32\Jplmmfmi.exe
C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
C:\Windows\SysWOW64\Jdjfcecp.exe
C:\Windows\system32\Jdjfcecp.exe
C:\Windows\SysWOW64\Jfhbppbc.exe
C:\Windows\system32\Jfhbppbc.exe
C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
C:\Windows\SysWOW64\Jpaghf32.exe
C:\Windows\system32\Jpaghf32.exe
C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
C:\Windows\SysWOW64\Jiikak32.exe
C:\Windows\system32\Jiikak32.exe
C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
C:\Windows\SysWOW64\Kkihknfg.exe
C:\Windows\system32\Kkihknfg.exe
C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3660 -ip 3660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 408
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
memory/968-0-0x0000000000400000-0x0000000000440000-memory.dmp
memory/968-5-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jibeql32.exe
| MD5 | fc11d9c418e89ef94f6664a4010e5d46 |
| SHA1 | 7abc6f8d892b80a4df62acdf959b23964c41d4c8 |
| SHA256 | 095eed3936216d9f111b05d28cfddd61487065af75132a213c6f54b6c36183db |
| SHA512 | d9b25d223958b1a022169e90cba17bc06074c044382fd1c1cad7e84f14261647516021f1fae1b5ffc6716d8e058cd15f1de4bf686b6b5b8daf73df6cf6bcd4ea |
memory/2568-8-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jplmmfmi.exe
| MD5 | e9f1ff206dca9d7d293cf61a0df179da |
| SHA1 | 5c5b2535748bcdb82304f4f484538c84cab9c022 |
| SHA256 | 41e5325f806f1ddb68cb18760557ad3ad4ecac93306f6680b7122f05f5415ec3 |
| SHA512 | ec0f9c88c13059b5b6b27f8d260a825627bbc30e581ad3f6b453cc033cb833dceaf8a40d5f05bc5363bd238336a41a3ae868912db516b0bffa00137772ad3cd2 |
memory/2752-16-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jfffjqdf.exe
| MD5 | be4c56979da805f81ef001162dc704fe |
| SHA1 | b515d8dde4e8be0720c1fd692b1a4fa1b2a292fa |
| SHA256 | caa6265d0adfe30c4500f1e9f873bf9b342afba8282c2a006c10b5351a44ad2b |
| SHA512 | 8c2a11553b825e5f07696253067f4965cef6bb85faa867948972073726fbc5a90afac47762ef630c87476784c0fcc1c7dc87fef04dda380eb38a3753d1386adf |
memory/2284-24-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jdjfcecp.exe
| MD5 | 92079b1774b162e4a1d141ed711b5e57 |
| SHA1 | 096561feffa60a2e70840fda7c0519925d77550c |
| SHA256 | 39928f8201243076acb167207ea55470ac9b7e4745d311f2fe8787607f2186df |
| SHA512 | 5bd99814253fa770a5a41fea63b47fbba4f39b0b6ca0bc2134a41d0a490a42183a6962da0873d5a270740b9163e26aaa1f9a3f1938b37a66ad43f3ad94fb73f2 |
memory/3092-41-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3808-33-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jidbflcj.exe
| MD5 | 7da5613ff5073c0db92b941e5ebe6d68 |
| SHA1 | 02fcf7f34473d73ad43a27de0da3c7f2afd1b369 |
| SHA256 | 562b7119b0c82d425003c463a434fd899484f65cf9a8409baf6a6de6c4d3e2b7 |
| SHA512 | c2a2335b0d3cdb384b74c342dfbea42e56e20942a0416472dadbba2318a18f33de8ef1f9e4e01afb880d544f78479c268928a9b0ae32fb663961314a757d4e11 |
C:\Windows\SysWOW64\Jfhbppbc.exe
| MD5 | ebc1be6076cc1e88b4228553263ab4bd |
| SHA1 | d556dd63e47b34254a6d1a185261758dd0c2c9bb |
| SHA256 | d8f392fdb754377cdb3ca0829a19e1116c7c3937a00b44b29a64ddb1d07312d6 |
| SHA512 | 3b8902bf8981702f6b519bc6081d35e823228c35e16b0283b9b4c57ca5aa255d38b76245a853da392f2138533b0e3935d728d7c59bf6b073aea58fea4ea3edda |
memory/4784-49-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jigollag.exe
| MD5 | 0c67ae76ad63b5ebc30c1787f16ffc1d |
| SHA1 | c1483bd2c2686c4b3897de21732618b198c4c57f |
| SHA256 | d1d075d7ef6f08c777230d7c21b9e13fb4e85887a5877f3501ebffefe49fa097 |
| SHA512 | 30da11e88aefaa2334b114dc236de7c52e1d99535a5a721123ef8c18914f2869d531754583118a06d56131b0168f60ccc590d86875e6eabc9aec7a3469107df2 |
memory/5104-56-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jpaghf32.exe
| MD5 | 667a5347b72295e61079c3ceb0fb9d9a |
| SHA1 | 106fb0acf5ae65c8fd50ddf8ed934e385657ce62 |
| SHA256 | afde4794a230fe68beb6c4bbbb9a217ebb90ed45e89b990f5c0a93b1de07f10c |
| SHA512 | 7f1e902e71641d81b22c7a13b04d7e5850a15e5c4df49d585dbf55c0f2181a4495657c0fee3d2f83721c78cd17526dbf08d59bfb2a33aa863f848bb4db706264 |
memory/3756-65-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4168-77-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jbocea32.exe
| MD5 | ee2b430381da0b1173993108dd5ea8da |
| SHA1 | 660cf30012c5b49b6952f6c5080eb43b949d7567 |
| SHA256 | a0298dc449cabf6be1f33848a3320c7f00738b00d1cb71a3b3770c4e352a82a6 |
| SHA512 | b19f702bff49e583fa0dfe49e702b3a9470bdd24eb9bf60308588b0ea5ba10b4a1823c348d655db23810ad0dd2942d9a049d400ea782c075ca296b18367136e2 |
memory/4524-81-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Jiikak32.exe
| MD5 | c770b1994d9a1fe235a1f2a6fa123dda |
| SHA1 | 673e53d8d5f82c189caf5e572d7b573c4b7e0659 |
| SHA256 | 20898928477ea19cb6956f600e0e736c02d0d1b0d7350030b46431b78f7c21cc |
| SHA512 | 538e242bdb1268ecaa693502a04dac693d1cf4e357558a0009ae90fdc17c1a0a4d1bd7bdac18ce545d59e1320912c5e3b8e438075976223e6bca48f7bebc56a1 |
C:\Windows\SysWOW64\Kmegbjgn.exe
| MD5 | f2cd89b1a73c9a8814ca81a1d06dc67d |
| SHA1 | 6640a4328dbae8e801913959fe3ab365558e0563 |
| SHA256 | be8914a271884fd5744b2c5829ae05d2499e1a73fdf3642efea2ef204a84b58e |
| SHA512 | 189af651fa50cb6c5dccccbad3424296e9a3f3db40993ba89543faa8cbc08154dab930591c797e08bef31d8adcedfc00b40f01314fc0b0c5d23f9cf574461401 |
memory/3212-89-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kbapjafe.exe
| MD5 | b7730940a89a301f689b39b49e34edcc |
| SHA1 | 42919da5a2bc197f3bd17d38585cc7f4063fa3d0 |
| SHA256 | a48713bce042aefdad14ae7785efd27ebf789ea08d98036f2656d5a2c5709cd0 |
| SHA512 | 1ade9a1e8b39add6c52dd3181984d533475c5f1e48e89abefffc3adb4e0d9283a6afe6c573d92b93ce792de40a657d9879697fed5b0a43c96500d836af696c26 |
memory/4996-101-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kkihknfg.exe
| MD5 | e3f47d80d765a9bcb1a5db00f991ebf4 |
| SHA1 | 33b22ffef2ef62d999e2b5b0388f181ee1456538 |
| SHA256 | 2757ec5ee61de8b231d325780a982c12e0728aaafc67dbf4c675c61244517b96 |
| SHA512 | 7f409ecfc502527a1dcddb85e39389a4a21f33c82a49ac5dad71fd32ed53af6c519ca666dc8c3fcc83217c44dfc59ddecf5dc602c0c9d5e27353493ec835772c |
memory/3800-105-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kacphh32.exe
| MD5 | 34721f9c1ec28f5d0532e8de82deab5d |
| SHA1 | 52e43d5aeecdcee94f565ccc5237697d60e5c44a |
| SHA256 | 978b8f973eddd940c09ff6fd136ef8d2cc9eda3de9ed63c15b4efb0abd9653e4 |
| SHA512 | 11562283bc5fa08164fc2b1e3caa9204ad651efb20f24ad5fc18546f363ffbb1df4e536821d24c7c96d29a607dc1d56defa21c952038e5a9380784d2dc7ef1ec |
memory/692-113-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kdaldd32.exe
| MD5 | e99aac626a91965367c0d734446ada91 |
| SHA1 | 475d484545ea5b5fa064bc1fd2a103aba0a25826 |
| SHA256 | ddf8d9370cdfdd5df373b5db59e5cb2b19446ad580b7410438e790c31216c639 |
| SHA512 | 06182d0a14046a7d9cb446366196b93ed3fc0b156519937291e5d857234b3c7d55c1d055c1deddd25d9e65df17ff303878ed649823f41afc723c52e3ea0f46f5 |
memory/1620-121-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kbdmpqcb.exe
| MD5 | e3d2b56281e31b5448d8eb36c6cd54ff |
| SHA1 | 0ef12d5af4e31d95157d26abef0d20cf434a37ae |
| SHA256 | abb80fa577f8a4d500d541e4b28143b9bce5fb7d81404ae4c223daede85866ef |
| SHA512 | 8dacb95e6bb35b1c4b656b6d217a789f9d2056008a7181ff822a09c8cf2e7f8a7fdf81cd75d15704393e65535a2952d80e871c38aa359b957a6c8ebfce23379c |
memory/5092-130-0x0000000000400000-0x0000000000440000-memory.dmp
memory/652-136-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kkkdan32.exe
| MD5 | 556749e4f2a624841d0884d738b75242 |
| SHA1 | 39c09a924b01e19b4d1132c65743fa9fffc71105 |
| SHA256 | e379982894081ed07b369980a31195372fedde58ccf754fe1a72024d5a94976b |
| SHA512 | 307630c95aa9a3b76192c621e9e2e045b2efe4b6238fe5c993a6f6647207dd9a648b2064730d3cbe252c4a7f4c674b35e46a1794ed012734523f9b653eb8da54 |
C:\Windows\SysWOW64\Kphmie32.exe
| MD5 | d9a1617fc158e4b8f0bb1c9f553a02a7 |
| SHA1 | 659a898461a65fd04ea82898d514d2d8d6c737f6 |
| SHA256 | c68cbb0608862924fc954d8af14a26135797bb1f9e35afd3c841feba77f04df0 |
| SHA512 | 56bd9be0e74f89491cde04b864f4ce0a65a0ee47d57db48a024b63b4f36d33a09c77b7617015dbee14ee10b20f35a9de685f765d8e10c1eb6daddd1a21c4993a |
memory/2220-149-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kgbefoji.exe
| MD5 | ea562c19e8fc77555e399bea59559612 |
| SHA1 | 5d9b774171c823c912459b6f4894ca085dd00923 |
| SHA256 | 7f52235f4e9c9feb7d64725325d0f8696f7661745735dde34d6fd19b15e0fa56 |
| SHA512 | a04b00c967387d0aa9c7ba9570a796221ef32fec50180549afedd10df5f8b4a88516ae1ebabc7c952d761b83cba682fe1741e5343489bcf47331d5bb6af155b3 |
C:\Windows\SysWOW64\Kagichjo.exe
| MD5 | 4d5f417b236a456133ea728963065e7e |
| SHA1 | 2542ac753cd89992fd3e7767693b6e317afad1c7 |
| SHA256 | c26cc1d04a2d7fbe6a39e424e3705476311a417aa132c230f9250c09244b2bdc |
| SHA512 | 785d3eecf221a65239e61b7f5e515c12be8b4e476b3efec90f5d3f22d45839a56bb783411e779234e68db4e264180738154f5e85a4f60474736668f2b0115061 |
memory/1708-164-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4976-166-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kpjjod32.exe
| MD5 | f9e49e7ebcaa47f6e084f5216caeeaa1 |
| SHA1 | 23df58e7aca2f921264e580acce4e3526b2df7e9 |
| SHA256 | 513c20d33a64dac17c8f500fc4ca4bdd63d2e51934c953b0609c99013c3c2c7a |
| SHA512 | 79a92d267cf1189cc9ed600c165ca3d0f7e8481c0c8977a00815006b3df9d820a98ed953c26fafed1357caa3fe0a9ee54f7f9e5478a959cf8ce957f6397a5762 |
memory/1936-173-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kibnhjgj.exe
| MD5 | e53923c5f5bccdbb34e73f70eefed90a |
| SHA1 | 3950edc6613160922694ac0c48a1cc1703f3e9b9 |
| SHA256 | dae65396d73420d960a46ff7e73074ad9d304488097b4d736816b7c018c50f7f |
| SHA512 | d586aabb78e6a44884a6721276f10b2055abe499341d3964013b21fc91e2d1ec4ec3dbff0c16f50099b5992837dc4b146e85e029281c978631adba6e3b52ca24 |
C:\Windows\SysWOW64\Kpmfddnf.exe
| MD5 | 414284abe6f565bc5cfa1f8c60478453 |
| SHA1 | 962e28b90a6b4b8a1bc5690104c4d0083aac97d4 |
| SHA256 | ea00887c5264082cd9524ed36f5c11ce883254b68a181072681550751374b619 |
| SHA512 | 8eae505d2d4ec68571ab6159e6b0555401f6e39f3f450d0c4f0e84a1b3a439934040044abf8dc772cd7acd8211c55b7a5e7d73cc86aa6f3b6d53f3c2c62a69ae |
memory/4700-177-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3420-185-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Kckbqpnj.exe
| MD5 | e5ef1acc34fb58dd38427e76cf721d6f |
| SHA1 | 01d29b2873a5e8334e97849ac0aa471270287de7 |
| SHA256 | a4d8b46dae2f41b987f4328c560ef4a4b8e9e3e560617c4dfe50d68127f7c8af |
| SHA512 | eccf4a92a7c3d1f0c12d823917a87c43bc5f0dfee1fb0f1b6d1079b3bd7f8dc08830a5959a584ce03820ecf280d264487ce378f7fa36336968eca1a7db461c35 |
memory/4528-192-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lmqgnhmp.exe
| MD5 | 76687eb2a5cb2a21742e2b5906298892 |
| SHA1 | 0d7df50021fad476fc44171db6c755fb08bc4ce9 |
| SHA256 | 637f24d8bc70a7f54cc19290f115ae54d7fefa9e2f30dd517626f8b6791e098d |
| SHA512 | d4c50e62a8ca9a9cfed9a58b88abfbba65176e2f17586e9ef0df8643292d8aa39cb468ba1b2b2d4cfb107d07534341e044228377cbfe7321fc9e47e058227878 |
memory/3540-201-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lpocjdld.exe
| MD5 | 27a9f9e7608e1dc4ec370239d5d11837 |
| SHA1 | f5000ccf52c1a9681ad23fe2661f7534450086b7 |
| SHA256 | 77dd8f666382c79f05c9b87c7a7829e7c2a03089c3a9cc0120c66274021a97c0 |
| SHA512 | 8be95fae2a02095b25fa6c4630ffddf10ac2a8eb9f4a3bb128f7d2760b6f45ba8615f8331332e6e61f175153a9d7fdc23026e452ba6549b7e2d908eb7f5dee78 |
memory/3416-209-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lcmofolg.exe
| MD5 | 2a12a4abe43424bb3d9e8cc5c8974b58 |
| SHA1 | 585c8ec60bf3b61d96226831b38bf1829405abaf |
| SHA256 | a97ec002b1fc74ed11551f82a4e691489d3f269e81620cfc4faf8a723a37faca |
| SHA512 | 04e65c0af64fa3473b8897b0b6f914ebc35ef4a9c2db652de1255e72a69bf38967816ce4d382c6465227474b511a09fb4f542da294740d53f2d8ea0cacb1fbfc |
memory/2232-216-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lmccchkn.exe
| MD5 | 5f9a85ca589d57ca26258467cfdcbd0e |
| SHA1 | 64ddaa22f744883f156493b72dea147c56668a7c |
| SHA256 | 46a803d03eba3881a82073739e573d434a3eab6498554ee97052d6171d9a6484 |
| SHA512 | 62564981a435d74352906f1e9930d6c6340291e3c09cb17d8994b60a8d00946c276d65b245064706adcdde006ab264d798be5129d1e7ad3c95fd80b0ea3035c8 |
memory/1436-229-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lpappc32.exe
| MD5 | dcc67305691473599b8806520dc5ce6a |
| SHA1 | 7a74a13005018eb58a23b997bd3dd00e6d5a1e14 |
| SHA256 | 6231334a0f6a6aed559fa9ce8e71941d1d3336c384bea8010929c1a529ff08b5 |
| SHA512 | 01a7fc94c5118dbe31f0828397b8e9add6cf5ace79101aa8a54422ace1e46741fc0aa1fd56804ad23e6f4090c1d2904d95bbdcd5a8901712424ae76097cb2664 |
memory/716-233-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lgkhlnbn.exe
| MD5 | 2c038442a610ff7553884d0e4c0f2d74 |
| SHA1 | 1daedbc5b4736fb0a5d1f6e47359eca368da7512 |
| SHA256 | 1f05e49e8947fdc900157614108ae7ec21adaf255fbb48923896e97ee15e5720 |
| SHA512 | becf7c8219fda0310756ea79ff3ecf830e7820753618fcfc1b49d444bfb3fe40418f01045b7c4a6e1ad6a2629aee6b622efa4778c02ec7306d28371337c14623 |
memory/1176-241-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Lijdhiaa.exe
| MD5 | 29a1399c47b2bb8a1c4fdbc570cea086 |
| SHA1 | 44e1a17158ce34ca494228fb4283e6f69203ef14 |
| SHA256 | c77672afbba87acc2cc0d994857cc9f00630edb2f2eb47c472cc38b246a04836 |
| SHA512 | 6efe4d8f0d8d9173e44ab45e26ad69ab38094b9d210047f449427a52643bbe13a10af28d857bb97d5f7109efa67b308772ea344f5da9ada1be5ab5bee1178ed1 |
memory/4400-249-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Laalifad.exe
| MD5 | 0c1f25d9d557418e50da79ec0226a953 |
| SHA1 | feffb4a1165c5c11cda37986a78a16eaa591cab2 |
| SHA256 | 925e220b1bb7ffbc23a2a57ae44abc447fa2a291590bf3125243e9375b1bba33 |
| SHA512 | a967d02e257782e881d4dc9c0ccf4f3b4489f3b47426597abd387807c4f1c5063a88e876e70f0abd8426f0996b4fe1611c005a938fd9bbf6542a0ef939d37c3c |
memory/3044-262-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1200-268-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3164-269-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3128-279-0x0000000000400000-0x0000000000440000-memory.dmp
memory/780-286-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3880-287-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3840-297-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4468-299-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1684-305-0x0000000000400000-0x0000000000440000-memory.dmp
memory/864-311-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4636-321-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4408-323-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4872-329-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1904-335-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2908-352-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2040-357-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3588-351-0x0000000000400000-0x0000000000440000-memory.dmp
memory/396-359-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1108-369-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4024-371-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4980-377-0x0000000000400000-0x0000000000440000-memory.dmp
memory/916-387-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1576-389-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2144-395-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1484-406-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4268-407-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1808-417-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4412-419-0x0000000000400000-0x0000000000440000-memory.dmp
memory/3440-425-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2216-431-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4772-441-0x0000000000400000-0x0000000000440000-memory.dmp