Analysis Overview
SHA256
907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196
Threat Level: Known bad
The file 907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196 was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:22
Reported
2024-04-07 23:24
Platform
win10v2004-20240226-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Laefdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibjqcd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jdemhe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lknjmkdo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nqfbaq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkkdan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kipabjil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hibljoco.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Haidklda.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcpllo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ibjqcd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Icjmmg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkkdan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpihai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jiphkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lnjjdgee.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iabgaklg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ijkljp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lklnhlfb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkbchk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpolqa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idacmfkj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Liekmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ifmcdblq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lgikfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpihai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ijdeiaio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hbeghene.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcgblncm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Laopdgcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jangmibi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jkfkfohj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jpojcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldohebqh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmpngk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkbkamnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldmlpbbj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ijdeiaio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iannfk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kilhgk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkpnlm32.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Mjcgohig.exe | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mglack32.exe | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bebboiqi.dll | C:\Windows\SysWOW64\Mjjmog32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hehifldd.dll | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcgqhjop.dll | C:\Windows\SysWOW64\Lgikfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgpagm32.exe | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpojcf32.exe | C:\Windows\SysWOW64\Jmpngk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kgmlkp32.exe | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbhnnj32.dll | C:\Windows\SysWOW64\Kkpnlm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgcifj32.dll | C:\Windows\SysWOW64\Mpolqa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ijkljp32.exe | C:\Windows\SysWOW64\Idacmfkj.exe | N/A |
| File created | C:\Windows\SysWOW64\Lppaheqp.dll | C:\Windows\SysWOW64\Jkdnpo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lnepih32.exe | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpaifalo.exe | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mpdelajl.exe | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgengpmj.dll | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdgpjm32.dll | C:\Windows\SysWOW64\Haidklda.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbfpobpb.exe | C:\Windows\SysWOW64\Jdcpcf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbapjafe.exe | C:\Windows\SysWOW64\Kpccnefa.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncldnkae.exe | C:\Windows\SysWOW64\Nqmhbpba.exe | N/A |
| File created | C:\Windows\SysWOW64\Lklnhlfb.exe | C:\Windows\SysWOW64\Lgpagm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibhblqpo.dll | C:\Windows\SysWOW64\Mjqjih32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Majopeii.exe | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| File created | C:\Windows\SysWOW64\Lihoogdd.dll | C:\Windows\SysWOW64\Ifmcdblq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Liekmj32.exe | C:\Windows\SysWOW64\Kkbkamnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Laalifad.exe | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nkjjij32.exe | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmegbjgn.exe | C:\Windows\SysWOW64\Jkfkfohj.exe | N/A |
| File created | C:\Windows\SysWOW64\Imppcc32.dll | C:\Windows\SysWOW64\Kkbkamnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkgmcjld.exe | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iikopmkd.exe | C:\Windows\SysWOW64\Ifmcdblq.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnjjdgee.exe | C:\Windows\SysWOW64\Lklnhlfb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mncmjfmk.exe | C:\Windows\SysWOW64\Mjhqjg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Impepm32.exe | C:\Windows\SysWOW64\Ijaida32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eddbig32.dll | C:\Windows\SysWOW64\Imdnklfp.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkjjij32.exe | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File created | C:\Windows\SysWOW64\Nqfbaq32.exe | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lilanioo.exe | C:\Windows\SysWOW64\Lgneampk.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkfkfohj.exe | C:\Windows\SysWOW64\Jbocea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Phogofep.dll | C:\Windows\SysWOW64\Ibojncfj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdkind32.dll | C:\Windows\SysWOW64\Jbfpobpb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ldmlpbbj.exe | C:\Windows\SysWOW64\Laopdgcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpgkkioa.exe | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| File created | C:\Windows\SysWOW64\Imdnklfp.exe | C:\Windows\SysWOW64\Ijfboafl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jangmibi.exe | C:\Windows\SysWOW64\Jkdnpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fcdjjo32.dll | C:\Windows\SysWOW64\Nqfbaq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mlhblb32.dll | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnngob32.dll | C:\Windows\SysWOW64\Lcgblncm.exe | N/A |
| File created | C:\Windows\SysWOW64\Fnelfilp.dll | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njljefql.exe | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ppmeid32.dll | C:\Windows\SysWOW64\Hbeghene.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkdnpo32.exe | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jdemhe32.exe | C:\Windows\SysWOW64\Jagqlj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lijdhiaa.exe | C:\Windows\SysWOW64\Lcpllo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgneampk.exe | C:\Windows\SysWOW64\Ldohebqh.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkbchk32.exe | C:\Windows\SysWOW64\Mcklgm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kckbqpnj.exe | C:\Windows\SysWOW64\Kpmfddnf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekmihm32.dll | C:\Windows\SysWOW64\Ijfboafl.exe | N/A |
| File created | C:\Windows\SysWOW64\Kpmfddnf.exe | C:\Windows\SysWOW64\Kajfig32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjoceo32.dll | C:\Windows\SysWOW64\Ldmlpbbj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcklgm32.exe | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Egqcbapl.dll | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlmobp32.dll | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmklen32.exe | C:\Windows\SysWOW64\Hbeghene.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mkbchk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll" | C:\Windows\SysWOW64\Mcnhmm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkkdan32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Laopdgcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll" | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll" | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll" | C:\Windows\SysWOW64\Hfcpncdk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll" | C:\Windows\SysWOW64\Lnjjdgee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lnjjdgee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lcgblncm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll" | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ibojncfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll" | C:\Windows\SysWOW64\Lmqgnhmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nafokcol.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jkfkfohj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lknjmkdo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iikopmkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lmqgnhmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lpocjdld.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ldmlpbbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll" | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Imihfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mjhqjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll" | C:\Windows\SysWOW64\Iabgaklg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndghmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibjqcd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ijkljp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Haidklda.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ijkljp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Imihfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll" | C:\Windows\SysWOW64\Lddbqa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lcpllo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll" | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nceonl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Idofhfmm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll" | C:\Windows\SysWOW64\Icjmmg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lklnhlfb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kpccnefa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hbeghene.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll" | C:\Windows\SysWOW64\Jdcpcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mpaifalo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ijfboafl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll" | C:\Windows\SysWOW64\Ijaida32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll" | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jkdnpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll" | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbocea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe
"C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe"
C:\Windows\SysWOW64\Hpgkkioa.exe
C:\Windows\system32\Hpgkkioa.exe
C:\Windows\SysWOW64\Hbeghene.exe
C:\Windows\system32\Hbeghene.exe
C:\Windows\SysWOW64\Hmklen32.exe
C:\Windows\system32\Hmklen32.exe
C:\Windows\SysWOW64\Hpihai32.exe
C:\Windows\system32\Hpihai32.exe
C:\Windows\SysWOW64\Hfcpncdk.exe
C:\Windows\system32\Hfcpncdk.exe
C:\Windows\SysWOW64\Hibljoco.exe
C:\Windows\system32\Hibljoco.exe
C:\Windows\SysWOW64\Haidklda.exe
C:\Windows\system32\Haidklda.exe
C:\Windows\SysWOW64\Ibjqcd32.exe
C:\Windows\system32\Ibjqcd32.exe
C:\Windows\SysWOW64\Ijaida32.exe
C:\Windows\system32\Ijaida32.exe
C:\Windows\SysWOW64\Impepm32.exe
C:\Windows\system32\Impepm32.exe
C:\Windows\SysWOW64\Icjmmg32.exe
C:\Windows\system32\Icjmmg32.exe
C:\Windows\SysWOW64\Ijdeiaio.exe
C:\Windows\system32\Ijdeiaio.exe
C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
C:\Windows\SysWOW64\Ibojncfj.exe
C:\Windows\system32\Ibojncfj.exe
C:\Windows\SysWOW64\Ijfboafl.exe
C:\Windows\system32\Ijfboafl.exe
C:\Windows\SysWOW64\Imdnklfp.exe
C:\Windows\system32\Imdnklfp.exe
C:\Windows\SysWOW64\Idofhfmm.exe
C:\Windows\system32\Idofhfmm.exe
C:\Windows\SysWOW64\Ifmcdblq.exe
C:\Windows\system32\Ifmcdblq.exe
C:\Windows\SysWOW64\Iikopmkd.exe
C:\Windows\system32\Iikopmkd.exe
C:\Windows\SysWOW64\Iabgaklg.exe
C:\Windows\system32\Iabgaklg.exe
C:\Windows\SysWOW64\Idacmfkj.exe
C:\Windows\system32\Idacmfkj.exe
C:\Windows\SysWOW64\Ijkljp32.exe
C:\Windows\system32\Ijkljp32.exe
C:\Windows\SysWOW64\Imihfl32.exe
C:\Windows\system32\Imihfl32.exe
C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
C:\Windows\SysWOW64\Jbfpobpb.exe
C:\Windows\system32\Jbfpobpb.exe
C:\Windows\SysWOW64\Jiphkm32.exe
C:\Windows\system32\Jiphkm32.exe
C:\Windows\SysWOW64\Jagqlj32.exe
C:\Windows\system32\Jagqlj32.exe
C:\Windows\SysWOW64\Jdemhe32.exe
C:\Windows\system32\Jdemhe32.exe
C:\Windows\SysWOW64\Jfdida32.exe
C:\Windows\system32\Jfdida32.exe
C:\Windows\SysWOW64\Jibeql32.exe
C:\Windows\system32\Jibeql32.exe
C:\Windows\SysWOW64\Jbkjjblm.exe
C:\Windows\system32\Jbkjjblm.exe
C:\Windows\SysWOW64\Jjbako32.exe
C:\Windows\system32\Jjbako32.exe
C:\Windows\SysWOW64\Jmpngk32.exe
C:\Windows\system32\Jmpngk32.exe
C:\Windows\SysWOW64\Jpojcf32.exe
C:\Windows\system32\Jpojcf32.exe
C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
C:\Windows\SysWOW64\Jkdnpo32.exe
C:\Windows\system32\Jkdnpo32.exe
C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
C:\Windows\SysWOW64\Kpccnefa.exe
C:\Windows\system32\Kpccnefa.exe
C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
C:\Windows\SysWOW64\Kmgdgjek.exe
C:\Windows\system32\Kmgdgjek.exe
C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
C:\Windows\SysWOW64\Kphmie32.exe
C:\Windows\system32\Kphmie32.exe
C:\Windows\SysWOW64\Kbfiep32.exe
C:\Windows\system32\Kbfiep32.exe
C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
C:\Windows\SysWOW64\Kagichjo.exe
C:\Windows\system32\Kagichjo.exe
C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
C:\Windows\SysWOW64\Kkpnlm32.exe
C:\Windows\system32\Kkpnlm32.exe
C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
C:\Windows\SysWOW64\Kpmfddnf.exe
C:\Windows\system32\Kpmfddnf.exe
C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6068 -ip 6068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 408
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
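The Network table lists reverse-DNS (in-addr.arpa) queries sent to 8.8.8.8 and one direct TCP connection. A PTR name carries the IPv4 octets in reverse order, so 154.239.44.20.in-addr.arpa is a lookup of 20.44.239.154. The following script converts the table into a list of looked-up addresses and direct connections for pivoting. It is an added example for this page, not sandbox output; NETWORK holds rows copied from the table above, and the helper functions are this example's own. Caveat: reverse lookups of addresses the guest OS itself talks to are common in Windows sandbox runs, so compare them against a clean-run baseline before attributing them to the sample.

```python
"""Turn the Network table of this report into pivotable IP indicators.

Added example for this page, not sandbox output. NETWORK holds rows copied
from the table above; ptr_to_ip/parse_network/classify are this example's own.
"""
import ipaddress
import re

# Rows copied from this report's Network table (constructed sample input).
NETWORK = """
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
"""

PTR_RE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name):
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154'. IPv4 PTR names carry
    the octets least-significant first, so the lookup target is the reverse."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:      # octet out of range
        return None


def parse_network(text):
    """Four-column table rows -> dicts with host/port split out."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        # Tolerate a row whose empty Domain cell was dropped so the columns
        # shifted left ("... | tcp | |").
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "dst": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def classify(rows):
    """Return (addresses looked up in reverse DNS, direct connections).
    A reverse lookup usually means the guest (or Windows itself) had just
    talked to that address, so it is a pivot candidate rather than proof of
    sample-owned infrastructure."""
    looked_up, direct = [], []
    for r in rows:
        ip = ptr_to_ip(r["domain"]) if r["domain"] else None
        if r["proto"] == "udp" and r["port"] == 53 and ip:
            looked_up.append(ip)
        elif not r["domain"]:
            direct.append((r["dst"], r["port"], r["proto"]))
    return looked_up, direct


if __name__ == "__main__":
    looked_up, direct = classify(parse_network(NETWORK))
    print("reverse-looked-up:", looked_up)
    print("direct:", direct)
```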
Files
memory/3240-0-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3240-5-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1968-9-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Hpgkkioa.exe
| MD5 | 8cfc6dc851774c4f654328d7664f72f1 |
| SHA1 | a4921ecc45ba7a618d96d8e2d954b165e032a3c2 |
| SHA256 | e2256d84718dc860bf02f0610456977fb488a6862ac4c9ae7de13723f72950a7 |
| SHA512 | 97743bad87b996c21700e59aef93a6dd5bef45a698018ff4d3ec90e5029aab55248346bd77e98f3124d79a7b078a666d762f7b8d77211e40a62405507cf9d1e2 |
C:\Windows\SysWOW64\Hbeghene.exe
| MD5 | 220d8a11f7fce16b92073168cac1092f |
| SHA1 | 500bad6af58d314351bedb4b48af763083ebc453 |
| SHA256 | 45deb2acb501c49f9b9ced4518ea2a3445850da92c99bc651c2b12286a39c99a |
| SHA512 | 16a4a8db1686e8b8c6b651adc81f14a73773930f6af539980912838a07b47737a6c191e564eb1896d8721a30a6b8471c7fa44a7879f4e973b91f75eb19978c5c |
memory/560-17-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Hmklen32.exe
| MD5 | a45b76bf6c000b6986b87fe46ecc5792 |
| SHA1 | de8ba9d36ca176a49e300115923a1ec3d524b6a0 |
| SHA256 | 17cd6b4e27211eeadc828927722f528ce93e66d672b7b7b4179ae730cd8a2cf9 |
| SHA512 | 08d637c089857071bae82a132024979a1d27ec4140fd6982c147116774cdfc46511a0ea25645e9ed72f10a9f4f66c92e9ccf2b3b877cf33bc3977981d23eee84 |
memory/5036-25-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Hpihai32.exe
| MD5 | ad0f3f13e51472cf6cfcdea667e84d6f |
| SHA1 | 387ea787e463b198959cf9f4d6588de87491de5b |
| SHA256 | 61d6fd20767b0a386e89afbdd2b86d9028ce8e748f860ccac7a1cb93475d3c9b |
| SHA512 | 266740d4bdbcd313ce4644fa1e3fa71c7bb1a7b9406009f108f6dc1e2a68897581213fd6528019e2c4c572250f5715c4ad8c7b01f49e1cf8e376ea1c675204a8 |
memory/5084-32-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Hfcpncdk.exe
| MD5 | 2573d6b128be9e23d0f24a5b1f77ae61 |
| SHA1 | d68b8c44215520da53cd9e8d3fe0ee2e94cb4343 |
| SHA256 | 7112bb0939da4b69acb65d5bc73eb687dd054c6e874063c7239289c82a5348be |
| SHA512 | 28dc75096cd4f119898b3d8a92e504a99ea7e8e063b82cb92cd3948391d2393e66fc869097f7b78099ab42df5004839be51c2ca313e2ac2eb64c236a386b1c8d |
memory/2912-41-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Hibljoco.exe
| MD5 | 01b760b4ddb2349cda211427cab41c64 |
| SHA1 | 1c0633d254f079fa2d73c186780a734c61ff6109 |
| SHA256 | 8dbc0f0085c698834f56874e6b3f6f5cbc02144b50f5030f41b4ce1f873296b8 |
| SHA512 | 2ccd34f2078bf10a5c9f8ad8aa7922e2de07698378790652dfd7d339f44b22335c760ca4de0e888593252e8ee2fee5ae77430a920345023a1a02ade09cc6ef2d |
memory/2920-49-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Haidklda.exe
| MD5 | 3d703c5ad386d17be8c5358ce7ac8332 |
| SHA1 | 78a3038ecafe93a6bb53b4b18a4bf9b81043a962 |
| SHA256 | dbca96a01d3b1cd85868f958a752f0a9f9a72873ff0fc286bf37194c0cdab484 |
| SHA512 | 6c25c6e29b59581bde74fec4eb51201cb4a35056f26cf6b3a60d1ef5a8c45b2f6c41b10299a1874121cfa565cc5d51a97df4b14fc0ca4902fa8d13df71df8c2f |
memory/1640-61-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4796-65-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ijaida32.exe
| MD5 | b56268aa0f67e31b7b4f9b43a92613aa |
| SHA1 | c0647989494bda97b74e30ee64df938d29156196 |
| SHA256 | ffd2ab3a3e584787b348e11ae2aba57f30c37da6357198c019b3ab82c855f63c |
| SHA512 | 28640fc55d79f4e10470498c5254c7a2c373c26851ebcf9c637e93c40d3cf70d21c3ea1e914d30806f25a0558d269f6ab9eb698c1352471f2d33d6a4e1e85a3b |
C:\Windows\SysWOW64\Impepm32.exe
| MD5 | 3b2a6e472f12fadfb5703ffa68f6f91a |
| SHA1 | 2e9d56c4d737f23d4bf9109808b3ffd408707298 |
| SHA256 | 0cdf052bef3380893f84fd4c3b2e117d9466a951bc55dd803345f2a051372abe |
| SHA512 | 79067beb208cdf34bdf815abe77e107179142bf89625a9e39fa7971ed2116ad756496225adcaf4b2f554927dc7ba66f2b17277d5c66eb892ad43b0ea55b7656b |
C:\Windows\SysWOW64\Icjmmg32.exe (zero-length capture: the four digests below are those of an empty file, i.e. the sandbox hashed the file before it was written; the second Icjmmg32.exe entry further down carries the written file's hashes)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1396-81-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3896-73-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Icjmmg32.exe
| MD5 | 7b65fe955171baa50c0d3fe7ceb027b2 |
| SHA1 | 7ffdd0f6c7c30ec3fdca76e3bc9c75d87950df80 |
| SHA256 | d842c6563419fd4a273b0d6dfa188bd044f716c433e5178c84670835aa6bf630 |
| SHA512 | 59d5b369647ef06aadb76a599f2361d72d90fd49e5dd55e85b33bfa931609568cad9f6469c4271bfa97939c9da601b4e7a25e3f6c0c7e64e7a2570413b14bab3 |
memory/4160-89-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ijdeiaio.exe
| MD5 | 8f72124baecd9738af8d2a1487ac8afc |
| SHA1 | 83ccb35b78d8ddb1d3cfd70b9d82793fc55a4c55 |
| SHA256 | 10c7f6a52071067ca55fb52b90234b090352b53c591d59a607590b4d6321c713 |
| SHA512 | 8c838c6e0c287ad945a08ea9c85f513f6e133c032b0d85d6e27d70017f1e6dd08498db18b856c1ebcb675e9683392d402eb5cdf0406eaccd35323a5f66de6084 |
memory/3904-105-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Iannfk32.exe
| MD5 | 860ca20b8bbed4910bb74bcab891eb5c |
| SHA1 | 0b5d1d8a7e872feff5da971a225563669f47862c |
| SHA256 | ee187e3e12f0ac739727456069b20549f3151fef181d1596bc442f9bd93c950e |
| SHA512 | 54be83f5eafa06e008721f5c281826ddef7968eaed2e28c0d0719bf5310d0e09b6ad971703cc006526c2c06ed6fda4b18aa94b82c9ca76d478c9030d312c3176 |
C:\Windows\SysWOW64\Ibojncfj.exe
| MD5 | 249702df3f03fe3568b0d5f3812f2cb0 |
| SHA1 | 70a462fe08302992ca4a5a2cb81371ee3c9f5258 |
| SHA256 | 6a7973d92bf7765ae70d52cc8e6c940e571045a7f0f89168a254d1ef99403894 |
| SHA512 | e36f1dfcabeb652d26acc1e9055956766e588acdcc9423e1a78dc36b8d0d6c098c1a7641e4b77b44aa2b3b52820299e8b78f915158f5ae990103d7263c9e480f |
C:\Windows\SysWOW64\Ijfboafl.exe
| MD5 | 0c605cd8e40cd6dfca69da56b1171a6c |
| SHA1 | effd91b3e63b89e9b3ef3b29b90074136fdbdc1f |
| SHA256 | 10f7a8303b83aaf431311fd78112a16712318cf6c65c33c51f55f523931231b1 |
| SHA512 | a09a3237e87169669d1dab808e6855fdebb32649f1a6f28c9c9abea9c19fe6171ffecefca1a4a3b1820f053d884b40e70f2da7e8d2010680ab72c6edcbcf7174 |
memory/528-128-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Imdnklfp.exe
| MD5 | cc1743b8064ba973469c3d611540834d |
| SHA1 | 75b2171a815dcbed24d2efa401b502089f491c57 |
| SHA256 | 53d2fba1e8d4809d47d53d27bed84b7b3124f1f8e31b9af41e0feaceef9acb34 |
| SHA512 | b33116159cd1fb6d245690e7731ab3db9e07334a0c827c9fb6e7e2754bde7bcc4e050427ce685ac224fde3764e724928c85107b619ce4c01ee35cb3a75854d54 |
memory/740-137-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ifmcdblq.exe
| MD5 | 9a577ebf487b61303448b81f3c951c4b |
| SHA1 | 9df139314f6f1e4a9fbd6f84f4651a6bf685a550 |
| SHA256 | f5208fc94b3be22ee5c518a1a8d801b3b355d8dcd88e2cfef33e66ef1d59597d |
| SHA512 | 37c5b13b9893ac8aa4d8a000d4b512c4bac1f083c68cd59b3d8cb0403f1d6965dd027e27c13f15313b4d5955acde58aac43f1a3fada61a068bbee4e57ce2b788 |
C:\Windows\SysWOW64\Iikopmkd.exe
| MD5 | 2b2d8279c3f85606b0444a6db4e0b128 |
| SHA1 | ce984dc83ba296e5e2a7d960125a2d0fd4d07851 |
| SHA256 | 93838517e5f9e353210827a20c136ff1fadc8fe14f1c39ca2835765e2ad94902 |
| SHA512 | 0238d9deda06f5dfdba16a8d8bf4c27c80a7aa0e7dbb06bbb04524bf8d43e21f0b89cf4e536cf6b549462f31e1db3694f0a6adcc2a112c554bab5872a094725c |
memory/2888-157-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ijkljp32.exe
| MD5 | d98fcca24ec2619e16c6a53e741b8274 |
| SHA1 | ca7fe9d821bdbd822f02d69a3f22ec18f71ae5bb |
| SHA256 | 8b0cb6640c62fbe00ec1954677cac0cc41c4ca84779a3da0096c3795225b0051 |
| SHA512 | 406edc3bb93c5943ec138d2d33272df8ae3ed2f05bdf7ce4791abd87dda6f1b9f0b397d4175714923e6518abd589cd6f94761681805735cdab40ad121c88b798 |
C:\Windows\SysWOW64\Imihfl32.exe
| MD5 | c6cd76593ba8ece3f23ff4b7074d6363 |
| SHA1 | 8b9b9c0fe8b222c630971d9db759eeeebab61dff |
| SHA256 | 7ea9a1d0fd0994e9c1091b11ad5f50cbd1c19fd9e15e5c66961b022ed3590221 |
| SHA512 | b1d0264c1e1f1517fcd7cea56e0735e2caf82c8bf14474ac23ffe5ea3b118e2fe82f4c16bbf604c8ca9037dc5a29af72c6473b9e7585ac372ca8170c2741d534 |
memory/3120-184-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Jdcpcf32.exe
| MD5 | 9d6fe9b2763591f09530f6850218b047 |
| SHA1 | f6574fbd80c9d059f09933a4ed583459420c9792 |
| SHA256 | d0410b56fb56bba5c6cc23dbcc1542015650486be633601c88fb0318e7adcd44 |
| SHA512 | c048898f7ab36018b0c1be7cdf8cc805d66fd49e6db722f08f628769a6c64d905595099e233c94dc6cea228d4d9ec3a7a3014f7258d54bf0d969c845167a8e06 |
C:\Windows\SysWOW64\Jbfpobpb.exe
| MD5 | d548d61a4a4193f10601ae56ebf4ad43 |
| SHA1 | e140bc3915b1639009797d78352f38c8727f7756 |
| SHA256 | ca1098c5f5b1d251beb2504c2c3f76dfba155527a9e3148833ee3efef3c700b6 |
| SHA512 | 1a2b770a92e5a733181ca8df300248bc5c5c6f0cf586e79d4aa8600e7a937a4794cf7d79280e3344716fe702df774c231e881df4414d1ed313d9ae30d8ef3688 |
C:\Windows\SysWOW64\Jiphkm32.exe
| MD5 | 5952d7fe99a0c09b500c31765aec1475 |
| SHA1 | c8552463bebcb578d60dbf36ee9001ae45e44843 |
| SHA256 | d83f8cfbfc8c4a7bb32d6f0946bc1d568850853c2ba521c59445dae77feb9262 |
| SHA512 | 1ce913397a0afc05bc8a387ca2a2f43213306098aab813d30596d4da9d760facc234a60bd6b7a1b618ca569797d45a82fe851b4b4a6c026209e62c230dbbd1d6 |
C:\Windows\SysWOW64\Jdemhe32.exe
| MD5 | d28af249d749dd44e6fa14284cd9d2f4 |
| SHA1 | 72447289fc8e10e253b84e95a09dde2c53f3d1c4 |
| SHA256 | 0d2c031687e06b919b87b800c0d8f102b5cab832b1a6158ee80c1c1edd083885 |
| SHA512 | 4e79c3615e3502769c35465a763d4ff6d42a644df37f793d34aa05262f75b0b4b2a92bc1289e65caa15ea0908355c38096eef9159427d7cf3f78a5febb6a7d79 |
memory/4308-233-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Jfdida32.exe
| MD5 | 70161e39103f0e2c959a478db3361cec |
| SHA1 | 549fc57a6f8e9ae2cd9f10c325a80e60dfec8b2b |
| SHA256 | 8909c2b8cbeb550a30d62f71c864fcd8b914afcb5d46b17f07c2bff946caeba6 |
| SHA512 | 25ec2bf45002a83dd3ea2a7b02ce58ba728b2e5524cb3a9a21d66e341fa3d6092579934a89bf3d2dc1f394955c47d6b083b400071a0eb87da15ba193aff1cbe3 |
memory/2352-229-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Jbkjjblm.exe
| MD5 | 14a40b85efaac65d60a16ce28c1963ad |
| SHA1 | adb0ce4ad2a883c3caa244031b8bd193cba69545 |
| SHA256 | b0088a91fd49cca373fbacf2a7421044dd386f43c8cef8cd51e83a12db5d008e |
| SHA512 | 18be0706995940af9aca6ef396425009c567f04a2edfc20398d67c166bed6465979364ee69f7c42ecaff7104521c02f9bb5bcab9e2edf2ce4e58473abe0f0777 |
memory/4440-280-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1472-273-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2456-303-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1836-309-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4912-317-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4596-339-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1852-347-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3228-363-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Kbfiep32.exe
| MD5 | 86badc254f35e3e2015fa4257295e74d |
| SHA1 | 1802cd11cc25d47a0d85d0a5d5ed186b0dd85641 |
| SHA256 | 93779c483b92a53e4eb9bb42fce06e48920b8d4c7b8cda6f4333e3c2225c8a3d |
| SHA512 | 588322191396e3c97d4f58d4feefd58ceda29577744770841ab7a2a0165f3ef4ccfda39372fbcf118296f77c6295d9c74979863d2363433f735011a468ca9b07 |
memory/2988-387-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4012-410-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1580-417-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4028-424-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Lpocjdld.exe
| MD5 | ba90dcaa7e5581463dd1597c0efc8398 |
| SHA1 | f713e0fc282735b1732be903711f19b6560b4fad |
| SHA256 | 56af7f62b833c1390f63587a6667d1c684f154d5e526f4ebc9bd92428e198741 |
| SHA512 | eea0fb4c816301e9d335db4884bf42806bfcc623544015b50fee4c250ee8ca4c5fac9b63bb0d30232f10bf729b1007275c2b1841041ca5f82b09413e22afdf21 |
C:\Windows\SysWOW64\Lgikfn32.exe
| MD5 | 5b5a2513c3a7d59b19d6436eb14c20c8 |
| SHA1 | e61a34bac4d700026e9c2ba1074299b872060758 |
| SHA256 | 895d7f761191f07c24e5cee32ae9b2e2d070bf7ca4cd7d0191a91ace9f5cf892 |
| SHA512 | 425bf7895b0af9bf45db64e874ff6c09dd4a3df01c54b0598f38bbe1af2d18577bf3b7a1f4803586da49b4ec3372dede3e90b044f9d6a15a5d4a07597872844f |
memory/2416-441-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4492-431-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Kpmfddnf.exe
| MD5 | 23b1e44ee21c02af92989b4a74c59794 |
| SHA1 | 1c20ab442ef6a45ceb893b6cb7f9a8a8c83e8fc1 |
| SHA256 | a7cf5c5974df12cd8cbd624f1700ac2b343bdd0caf67f374a267b76a1f612d91 |
| SHA512 | bd09bd72f3de261c57acc0a14c58a87f44af5df35d6289e094e5f3d21bdc65dffec49925cf0188985763a842d877447fba90a48a288e8ad8af640d8dab23d160 |
memory/1764-425-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4480-401-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2120-395-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4332-394-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3644-377-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1916-376-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1100-369-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Kinemkko.exe
| MD5 | e038112360a4df07857a6999a1bdc308 |
| SHA1 | 00d09832a1ce0677e4b9ed8b46419b60574f46a6 |
| SHA256 | 7045af9394cc93a733c36d311983e92052746c34102c52456eca5d428578780a |
| SHA512 | ba3c60e93aa615b8389c61f468e2a93b0664a74ed043576a0ca98ca2430e962945d7f7bee159baf66f3e22b7dbff973294de981c3779c47d814c6975b1bccd52 |
memory/3988-354-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Kdaldd32.exe
| MD5 | a5b56473c2cac001186a5f095a260bbd |
| SHA1 | d8472367c12b6ce2ab3c8e508923342f8b319256 |
| SHA256 | 8147ee7bc7c5d8f92a21d2f022ebff65f15881fbdedef2532e8b1acefbee1690 |
| SHA512 | 8bc9000de4deb6a885170fc36fb006dd0ba8331e17b3ba0f20cc6af4c3b1f713ab4d79cf80c67dbda163096f24c0a83110dfbc02bbcaa7a5bbc2e567361a2f6b |
memory/3840-341-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4892-329-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1012-323-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3448-316-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Kmegbjgn.exe
| MD5 | 23774feb538982480c74eb3add9b7585 |
| SHA1 | 68f5afb431c1a1e3836f6db5d70c78440a6411de |
| SHA256 | 708e413e3c1e2ee4fbb4d7685033c2fce139e88317f88d8b4544b319ab359992 |
| SHA512 | 5853a4ad0600aad87d49a6ecd3dbc2be9d6f041bbdb6b595fa9af484d11f4aabd1ef37e8d8ded9d55c633c166966685ca83efacbca1ab2e25556e1b7e2d358d6 |
memory/2508-297-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3716-287-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2256-286-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4436-263-0x0000000000400000-0x0000000000434000-memory.dmp
memory/884-257-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Jjbako32.exe
| MD5 | 49e6fafd49953480341d6057eddef749 |
| SHA1 | 9ae3c0265704788c8694cc315b43d6bc8c7981d8 |
| SHA256 | 72a93e99ef8fc6b119c4eff46cc1775456c1de489683bce14c25017209f16944 |
| SHA512 | 6762913c2be9799e9aec42e5b06b3fbfca127ee8d4438303e6f5564da30b31fb5d6bc9b86e48b86443b6b052ddd916393461385032f10dcbe40e8b9e9692db2d |
memory/3864-249-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Jbkjjblm.exe
| MD5 | 4011e05fdf9df9f6bbbd7721c36c9184 |
| SHA1 | ccbf31a56c9c7766c169266fdbbf809e1e0a3189 |
| SHA256 | afa1449ab4206d2edb01051b9a97870d6664538008eaaf82e7ef4438db122b16 |
| SHA512 | 2846a06c825d3d7ef519d1ae380c172269e4694dc1876f9265eb3bdb18f2b87831d9698b81c988c2c8d88338f2a982b623a068d51cec34f372905449cbd68d1f |
memory/1804-241-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1548-217-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Jagqlj32.exe
| MD5 | b7237211d3f42ced58703cec8b084f4b |
| SHA1 | 1b2ff0853ce408790ea4d1ff41029fdd910122e4 |
| SHA256 | 4a72c2ab97d147673a056712c5cb3674825ef43a392956e2fa3da8fbcdf024b2 |
| SHA512 | ef99ed7c6952ae9bcd0806e7d4f23b1a606dde689b239768933679705c7195067d0c434cd67e7ef7d25005f46fc412ba328521adfa288b3cc7c3ade5c0ebd5b4 |
memory/3400-209-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2164-201-0x0000000000400000-0x0000000000434000-memory.dmp
memory/536-193-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4812-177-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4504-169-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Idacmfkj.exe
| MD5 | 801edb8e85b98a57af0f5aaa04443b5b |
| SHA1 | 8f0bee5a05f374aef38068a077b8b416cdfece5e |
| SHA256 | 6d72f1c866476e926937bbbc236fca354696f25bb7aeaf778ef0e0851b3b9215 |
| SHA512 | f7a004d26aaefc4ede1bc333fd5541cc467bb92c67b7b9326d993600aeece2b7dd7a2cf7088df9a060e2b8cc3670f686a565e4d86ea4137de3f36494fc7cc06a |
memory/3868-165-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Iabgaklg.exe
| MD5 | 547fde7e579767e1fd4b2eb4391c733e |
| SHA1 | 7f8a3c91dfccd5bd71fb250b818a0a122a0dd93d |
| SHA256 | baa1101c45cc7205c6be42ec0c57c11ae08617494c220b90c90912cf35e453f8 |
| SHA512 | 7b3380fc607fb0b640ba07945c23f3a7f075c67bf520bc3567471ff3a6bb738a9d0fdc747bd3cc36f75aae9447f99f3f71f737c2794c40ccbe16e396578ba80b |
memory/4896-145-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Idofhfmm.exe
| MD5 | 04c70c04ca6dbb0cbdf1c5f27d0154b3 |
| SHA1 | 776d582c39f0d92bfff7136cd620e0122f9dd4e9 |
| SHA256 | 0beb32ed55b6c5bcc2f9354bfcf9c9d7a91de88c763f80fc810dbddc4b573390 |
| SHA512 | 4a8ff65994db4116d13c76eefb21cb5cf7553f6581c99023999c1dcc67adc63524710f97fd2e655f4ca8832da951eb088beb9433f8a542c282512df6c3e8fdec |
memory/844-121-0x0000000000400000-0x0000000000434000-memory.dmp
memory/632-113-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Lddbqa32.exe
| MD5 | 591d9f038ad067bb505cdd4e2ef8b03e |
| SHA1 | a75cfa269fe4386e32cccd89b951df3d79555ba2 |
| SHA256 | 79e1d392d735eda2d72fb50930cc159cf34bd37ed339e872ec48e7ed0452bb29 |
| SHA512 | 7e536e6e16d45da6b9a25c4ee23fe20e677f18657f31caaf78161b658a241792f5dd08a926d64801421a1f79253f9f4d807744fc86b7942e8273fae3d42a1d8b |
memory/4232-97-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Ibjqcd32.exe
| MD5 | 637d1eb97ed55e43bba6beb6ba0abd6d |
| SHA1 | fa52eb96f38c4f89de134354521ddcb2bd530218 |
| SHA256 | 35268d59003f317ca5d9e90ebcd2857ab318d8da97303cdbf9e6b26040bc13d9 |
| SHA512 | 70d354d6ca64fe12558bf6bd97f48e375df354e267369f0e8edba3d6d2df12d1a3a1a5db36cf796330b1a3ffee77f0e6ca02a4e5e6584600a95ae14702351a4d |
C:\Windows\SysWOW64\Mpkbebbf.exe
| MD5 | d2e196230575976fe91a8298029c71f2 |
| SHA1 | e28f1eb212781446a317d3d8483215df4047b429 |
| SHA256 | 1fff86b5b3501e1a1682952fae0a325759c681cd7b83c122a5cd4cea2e219a6f |
| SHA512 | 5c9886f4313d56a39fc1d013057b692c2c525c003369537344fc5075837e3da9f4d8d105fb84a93ec186c1da6651c3583af77e34078b6d9fbbab07d439fdc5b3 |
C:\Windows\SysWOW64\Mpmokb32.exe
| MD5 | 27e85a83b477499996c5075c929a066a |
| SHA1 | aad5c22ff50888b565353646e39d0ea8d69ac2b3 |
| SHA256 | 7491fb3d315584e39ac7695d7b51ac54dc3102e0f6991f397b32e63771552b23 |
| SHA512 | 8206d312326cd79d45919d48fb21c385af15d1a2292de2bee77f75006cc2449105f940d4a56696e825df5edb084930a0b95d8378044eef4c2d1bfc8b9e1b2527 |
C:\Windows\SysWOW64\Mpolqa32.exe
| MD5 | 629b5458451001ed3b537a82ab344424 |
| SHA1 | f6a591cd3efd4ff197c99a35d1e9a70126ffa590 |
| SHA256 | 2dfe34c5db0486dc712e4cf0b59f0192b1b2528505f5aa55198726be7887c38d |
| SHA512 | 3ff127fc61e97bbcf7aa96cb4004eaa8efd41bc03febf8d1159d572dabd01a1191b85c9f5a5b5a26a48350eafe1cbb3b0815546dd40de74b6ae4810a408f2a2e |
C:\Windows\SysWOW64\Mpaifalo.exe
| MD5 | 77666e5ac1142445cd4ad204c79bf6e6 |
| SHA1 | 9e63526f85733ec4f7d0e66e669b3376d050189c |
| SHA256 | 965ddefb2c332225f9c954f6c35fed53a826ecd21720f2d61e421fedb1eb1f43 |
| SHA512 | 64150d951e2ad23b00bb612e0e5ded85613ee62dfac6c33be66a3d87aa4ef87a133e00119d98dce8215053fcf643e05adf4f2ffe4f4a9156c454a325efff2ef0 |
C:\Windows\SysWOW64\Mjjmog32.exe
| MD5 | 445279c0bf9d92f2694361299eeab20f |
| SHA1 | 01de3095c39944f9b69169ecb84c58a23f10ce55 |
| SHA256 | a86ab6dc8c535e547228b85e58a808e4c1c6d557697010fac24c610025d521b0 |
| SHA512 | b576ff0d08f9aabeb539fb89c07174a958493a93ab7c8e8e6fda2ba6f353d6c11a31fc00d0998bfc4114b7b7e5e3d500cff49ce508bf92ed3b19569caf058d71 |
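The Files section mixes two kinds of line: memory dumps named memory/<pid>-<event index>-0x<start>-0x<end>-memory.dmp, and dropped files followed by an MD5/SHA1/SHA256/SHA512 table. Two details are worth checking before the hashes go into a blocklist: one Icjmmg32.exe entry carries the digests of a zero-length file (d41d8cd9... / da39a3ee... / e3b0c442... / cf83e135...), which would match every empty file on a host, and every dump covers the same span 0x400000 to 0x434000, consistent with one image being copied under many names. The following script parses the section, skips empty-file captures, and performs both checks. It is an added example for this page, not sandbox output; FILES holds lines copied from the section above, and the record layout and checks are this example's own (the empty-file digests are computed with hashlib rather than hard-coded).

```python
"""Turn the 'Files' section of this report into IOC records and sanity-check
them.

Added example for this page, not sandbox output. FILES holds lines copied
from the section above; the record layout, the empty-file check and the
image-size check are this example's own.
"""
import hashlib
import re

# Lines copied from this report's Files section (constructed sample input).
FILES = r"""
memory/3240-0-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Hpgkkioa.exe
| MD5 | 8cfc6dc851774c4f654328d7664f72f1 |
| SHA1 | a4921ecc45ba7a618d96d8e2d954b165e032a3c2 |
| SHA256 | e2256d84718dc860bf02f0610456977fb488a6862ac4c9ae7de13723f72950a7 |
| SHA512 | 97743bad87b996c21700e59aef93a6dd5bef45a698018ff4d3ec90e5029aab55248346bd77e98f3124d79a7b078a666d762f7b8d77211e40a62405507cf9d1e2 |
C:\Windows\SysWOW64\Icjmmg32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1396-81-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Icjmmg32.exe
| MD5 | 7b65fe955171baa50c0d3fe7ceb027b2 |
| SHA1 | 7ffdd0f6c7c30ec3fdca76e3bc9c75d87950df80 |
| SHA256 | d842c6563419fd4a273b0d6dfa188bd044f716c433e5178c84670835aa6bf630 |
| SHA512 | 59d5b369647ef06aadb76a599f2361d72d90fd49e5dd55e85b33bfa931609568cad9f6469c4271bfa97939c9da601b4e7a25e3f6c0c7e64e7a2570413b14bab3 |
memory/4160-89-0x0000000000400000-0x0000000000434000-memory.dmp
"""

# memory/<pid>-<event index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
                     r"-0x(?P<end>[0-9a-f]+)-memory\.dmp$", re.I)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)
ALGS = ("MD5", "SHA1", "SHA256", "SHA512")
# Digests of a zero-length input, computed rather than hard-coded.
EMPTY_DIGESTS = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in ALGS}


def parse_files(text):
    """Return (dropped files, memory dumps). Hash rows attach to the
    preceding path line; a dump line closes the current file record."""
    dropped, dumps, current = [], [], None
    for line in text.strip().splitlines():
        line = line.strip()
        m = DUMP_RE.match(line)
        if m:
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": int(m["start"], 16), "end": int(m["end"], 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1).upper()] = m.group(2).lower()
            continue
        if line:
            current = {"path": line, "hashes": {}}
            dropped.append(current)
    return dropped, dumps


def is_empty_file(record):
    """True when every digest listed equals the digest of zero bytes, i.e. the
    sandbox hashed the file before anything was written to it."""
    h = record["hashes"]
    return bool(h) and all(h[a] == EMPTY_DIGESTS[a] for a in h)


def ioc_hashes(dropped, alg="SHA256"):
    """Distinct digests worth blocking; zero-length captures are skipped
    because they would match every empty file on a host."""
    return sorted({r["hashes"][alg] for r in dropped
                   if alg in r["hashes"] and not is_empty_file(r)})


def uniform_image_size(dumps):
    """Size of the dumped region if every process dump covers the same span
    (one image copied under many names), otherwise None."""
    sizes = {d["end"] - d["start"] for d in dumps}
    return sizes.pop() if len(sizes) == 1 else None


def spawn_order(dumps):
    """PIDs in the order the sandbox first dumped them (the event index)."""
    return [d["pid"] for d in sorted(dumps, key=lambda d: d["seq"])]


if __name__ == "__main__":
    files, dumps = parse_files(FILES)
    for r in files:
        flag = "  <- empty capture" if is_empty_file(r) else ""
        print(r["path"], r["hashes"].get("SHA256"), flag)
    print("blockable SHA256:", ioc_hashes(files))
    print("image size:", hex(uniform_image_size(dumps) or 0), "order:", spawn_order(dumps))
```

Run against the full section, the same code yields one SHA256 per dropped executable (minus the empty capture) and confirms that all dumps share the 0x34000-byte region.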
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:22
Reported
2024-04-07 23:24
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ceegmj32.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Afkdakjb.exe | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmmlmd32.dll | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aoogfhfp.dll | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmccjbaf.exe | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oodajl32.dll | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qbbhgi32.exe | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpfaocal.exe | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| File created | C:\Windows\SysWOW64\Dqcngnae.dll | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnhbfpnj.dll | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| File created | C:\Windows\SysWOW64\Pokieo32.exe | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| File created | C:\Windows\SysWOW64\Qbbhgi32.exe | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmccjbaf.exe | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bajomhbl.exe | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bejdiffp.exe | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpfaocal.exe | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjldghjm.exe | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| File created | C:\Windows\SysWOW64\Anlfbi32.exe | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Afkdakjb.exe | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ecjdib32.dll | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmmfff32.dll | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjldghjm.exe | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pokieo32.exe | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcnmkd32.dll | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Anlfbi32.exe | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Odmoin32.dll | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acpdko32.exe | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Acpdko32.exe | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bejdiffp.exe | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmomkh32.dll | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bajomhbl.exe | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fhbhji32.dll | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll" | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll" | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll" | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmomkh32.dll" | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pjldghjm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll" | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll" | C:\Windows\SysWOW64\Qbbhgi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhbfpnj.dll" | C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll" | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Anlfbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bajomhbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe
"C:\Users\Admin\AppData\Local\Temp\907dd6fa9a521211d55df07e6acce1dc64dedbbed440e35dfb2e305b67e1e196.exe"
C:\Windows\SysWOW64\Pjldghjm.exe
C:\Windows\system32\Pjldghjm.exe
C:\Windows\SysWOW64\Pokieo32.exe
C:\Windows\system32\Pokieo32.exe
C:\Windows\SysWOW64\Pmccjbaf.exe
C:\Windows\system32\Pmccjbaf.exe
C:\Windows\SysWOW64\Qbbhgi32.exe
C:\Windows\system32\Qbbhgi32.exe
C:\Windows\SysWOW64\Anlfbi32.exe
C:\Windows\system32\Anlfbi32.exe
C:\Windows\SysWOW64\Afkdakjb.exe
C:\Windows\system32\Afkdakjb.exe
C:\Windows\SysWOW64\Acpdko32.exe
C:\Windows\system32\Acpdko32.exe
C:\Windows\SysWOW64\Bajomhbl.exe
C:\Windows\system32\Bajomhbl.exe
C:\Windows\SysWOW64\Bejdiffp.exe
C:\Windows\system32\Bejdiffp.exe
C:\Windows\SysWOW64\Cpfaocal.exe
C:\Windows\system32\Cpfaocal.exe
C:\Windows\SysWOW64\Ceegmj32.exe
C:\Windows\system32\Ceegmj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 140
Network
Files
memory/2208-0-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Pjldghjm.exe
| MD5 | 15b9cb7a3b46c80a2c593a1421cdf0e1 |
| SHA1 | 1c86bae559d2f1ed3be0b962925fb3c29e61ba6f |
| SHA256 | 1ca126b84f0826bc517be76abea4adbb2e11e2038831cbb5fe69a7c7aaee303f |
| SHA512 | 72552e714e7aa38beb09c5583a15e1ca670d8f089f2de0a14a60fd393d3b169f20341c763514c983da89ad21a8503e7512a503c99429c503e91bbd87b48d8f4e |
memory/2208-6-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2208-13-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2600-19-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Pokieo32.exe
| MD5 | 352435c3c5ba2ef4a9d726ff8f86e631 |
| SHA1 | e1262a23d34bf98f725e2021482dba5f7b8df217 |
| SHA256 | 284352735787c37aa5b0d64ebba5af667528f2cce249b422f0e079daee9d155d |
| SHA512 | 68e6ef7daaa23594957a7c08c3d6fe76551a09dbc81065427b5a2cb1bb8f910a71a796708382f281c98b11f3789eb9fb3823d30244c25032b52b1f9166d0f7ff |
memory/2600-32-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2600-33-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2572-34-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Pmccjbaf.exe
| MD5 | 93cddfca1cdb99e02a919d7c4c1852df |
| SHA1 | 42736ad6a8fce023f09bde411b74b40c6f7f81a3 |
| SHA256 | 91d7a5f95119e9796024d39e3d38727e0834f8129787db987f90b3e7310d0fe4 |
| SHA512 | 6e3ad04ae740fc5fe91d0b1ad9fd5beeddc1d1824ad312e98515d920e0634487fa328d477dd93cd0de6fbfd97552ee4f8d6fdf06aea3d2d9bae1afbce0cdd51c |
memory/2648-42-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Qbbhgi32.exe
| MD5 | 36bbc888aa3f3ff5d817c7f10608b5c1 |
| SHA1 | 63da3af6aa47e01578e0a1818c7571191dc06da3 |
| SHA256 | 6db7b790cde4697556fe3b7469e39b02fd9c8bcf607c66c5ae4ef6b3810eff01 |
| SHA512 | 6d71ddbf5432385db97a70bb1bc9e964e0757ac35f11a70a9fe7019fc01ad2b4904a575ebcdb74b0fd3c337d8b351f5d01381b1532114b3767a122d5c0a256bd |
memory/2880-55-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\Anlfbi32.exe
| MD5 | c8f60926fb4908d72a2023a16fb8fae3 |
| SHA1 | ee79365d21266e6ff5d18ee7ffa6db5140782057 |
| SHA256 | dc08c4266f7f15f97018f94bb9e6f2bd9d665d48c4127468589449f439186660 |
| SHA512 | 4edcd4917fd7222e882793bfb1cfd1e8ed5e7877e9e28060fbcd35b50a66e61743e7125db1d5844955cf432bed4f15e0c468812970d0036f420e1320f4aaa042 |
memory/2880-63-0x0000000000220000-0x0000000000254000-memory.dmp
\Windows\SysWOW64\Afkdakjb.exe
| MD5 | 43f1dbfe3258b6ce60fb1a0b015e8bcd |
| SHA1 | c61b3432b5b01ff8f46852e2ad99c0885f15856d |
| SHA256 | c60f37e390afcb7b3f4d1b8d7252d56bfc84940db3871c880eba93a7f533b8c6 |
| SHA512 | 3ef354ec93d449abfe6899e7bb9c5a0900b91b4c00e614865ee6b655d8da7b8e7e5064299d26fe5418d9e583dfca0d16fe1e94576eff5f860a7b063e0cad07e7 |
C:\Windows\SysWOW64\Acpdko32.exe
| MD5 | f3976d5c4f460179b57a313ed566617b |
| SHA1 | 67bbdd18995677c10554340c89242a07806aaf12 |
| SHA256 | a6b52d93fbcf3a174e032acb5989724ef82866670d286e749203b3014f5fa82d |
| SHA512 | 6e0c4f8914b2fbbfa8647c58feb675d2c024749bf605ca2e19da5eb1ed94dcb7eb4d0e8df64e14e7bb3cf95af7e30e657b9e70a5ba14ae1592846e2a136882c8 |
memory/2400-93-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2400-99-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2660-100-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2004-101-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Bajomhbl.exe
| MD5 | f2c4beeb67a7aa9febbacac6615778c0 |
| SHA1 | fe5f832f0ae501bd409a80b593bc08c6525f0664 |
| SHA256 | 4b16b8852417a9416ace2f1107fdf89d49a265eef9c1199bfefa6e3e3c1b87b3 |
| SHA512 | 90136a1b92d1b5fecc6dd82a8828176add2ea7ecf2752ad94032a5ac9f57e9d47a031cef31e97a4c271702cce432094fd31e46673fd213f922c9d5628ec4b26b |
memory/1100-110-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Bejdiffp.exe
| MD5 | 7a35d09e13e2550e9730b4ecf91f2142 |
| SHA1 | bee36c6b41240123b9de4806b75f137bf0f98fc8 |
| SHA256 | 76a6805d15c2e288135055f78936b44157ca6112e212ece050256bb1bcaf69df |
| SHA512 | dcd2cf56bf5866991491cfdc0aed518e0a9b055666a1b1940f87100de710d898610c2d7a6188ce5f4419605e2a70ed383a4847e9882de2e7ebae6ab2cf89a231 |
memory/1100-121-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2716-128-0x0000000000400000-0x0000000000434000-memory.dmp
\Windows\SysWOW64\Cpfaocal.exe
| MD5 | f9b6dcaf6485c05f8a012365a9f03042 |
| SHA1 | 86b933b2dbdda0b5194bf655c65310be90ad6c9d |
| SHA256 | 00cdc5e8777103b5ca3d6cca00ab4a514dca87fe1d56ae1d767c6cf92e734cb3 |
| SHA512 | 6372b794feae45083125c593ddaee254b1e5d2871eb362a542728ea10fe6a3a831d70c614c58893bfb38ce6ada9929b1e87dbc41e221d897acbbdb38fbca4b71 |
memory/996-142-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2716-135-0x0000000000220000-0x0000000000254000-memory.dmp
\Windows\SysWOW64\Ceegmj32.exe
| MD5 | d11956fae14bf97afbe3b59ec91c4436 |
| SHA1 | ae35699fb1ae11013e0cdf23817c134669e670bb |
| SHA256 | 770c799dd6e76c4b58cbe689a8179cb3521d88bdd0ba6ab620a1adf554aef61c |
| SHA512 | b16a0d4bb1e79f478df0d0f242d7433f4cc9fd700160e946676b28d413c4623e2a63f05eb86ad12deaf857a17b7c9922bccc7d7f088cd29f4265989e50ccabad |
memory/2000-150-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2208-155-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2648-156-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2880-157-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2400-158-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1100-159-0x0000000000400000-0x0000000000434000-memory.dmp