Analysis Overview
SHA256
1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba
Threat Level: Known bad
The file 1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:09
Reported
2024-04-07 19:12
Platform
win7-20240221-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngibaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nhohda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajecmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndemjoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngibaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pngphgbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pngphgbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajecmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndemjoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nhohda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oeeecekc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oeeecekc.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Aoogfhfp.dll | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oalfhf32.exe | C:\Windows\SysWOW64\Oeeecekc.exe | N/A |
| File created | C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| File created | C:\Windows\SysWOW64\Mabanhgg.dll | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmjbhh32.exe | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckpfcfnm.dll | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bilmcf32.exe | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbgnak32.exe | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifbgfk32.dll | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qodlkm32.exe | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Behgcf32.exe | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndemjoae.exe | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngibaj32.exe | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohaeia32.exe | C:\Windows\SysWOW64\Nhohda32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaofqdkb.dll | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oalfhf32.exe | C:\Windows\SysWOW64\Oeeecekc.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgahjhop.dll | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Baadng32.exe | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcpnnfqg.dll | C:\Windows\SysWOW64\Ndemjoae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nhohda32.exe | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| File created | C:\Windows\SysWOW64\Oeeecekc.exe | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljhcccai.dll | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmfkdm32.dll | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhnook32.dll | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljacemio.dll | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlcnda32.exe | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nlcnda32.exe | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogjgkqaa.dll | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oancnfoe.exe | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Paenhpdh.dll | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfnmfn32.exe | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nhohda32.exe | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afgkfl32.exe | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmjbhh32.exe | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nacehmno.dll | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fekagf32.dll | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Biojif32.exe | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nenobfak.exe | C:\Windows\SysWOW64\Ngibaj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ohaeia32.exe | C:\Windows\SysWOW64\Nhohda32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oeeecekc.exe | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aliolp32.dll | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pcibkm32.exe | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdmddc32.exe | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdmddc32.exe | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Meppiblm.exe | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| File created | C:\Windows\SysWOW64\Noomnjpj.dll | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| File created | C:\Windows\SysWOW64\Nckjkl32.exe | C:\Windows\SysWOW64\Ndemjoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmbckb32.dll | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmmlmd32.dll | C:\Windows\SysWOW64\Ajecmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lhajpc32.dll | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcibkm32.exe | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afkdakjb.exe | C:\Windows\SysWOW64\Ajecmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ehieciqq.dll | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Behgcf32.exe | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndemjoae.exe | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| File created | C:\Windows\SysWOW64\Oancnfoe.exe | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qodlkm32.exe | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjnolikh.dll | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bqjfjb32.dll | C:\Windows\SysWOW64\Oeeecekc.exe | N/A |
| File created | C:\Windows\SysWOW64\Cophek32.dll | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajecmj32.exe | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Meppiblm.exe | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ngibaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaofqdkb.dll" | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll" | C:\Windows\SysWOW64\Oalfhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll" | C:\Windows\SysWOW64\Nhohda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pngphgbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acfaeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oeeecekc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nhohda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjfjb32.dll" | C:\Windows\SysWOW64\Oeeecekc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll" | C:\Windows\SysWOW64\Oancnfoe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afkdakjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll" | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndemjoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcgdenbm.dll" | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngibaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ohaeia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll" | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll" | C:\Windows\SysWOW64\Pokieo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Behgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll" | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Biojif32.exe | N/A |
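The two signature tables above describe one persistence mechanism split across many rows: each dropped EXE writes the next EXE and a DLL into SysWOW64, sets the ShellServiceObjectDelayLoad (SSODL) value "Web Event Logger" to a CLSID, and points that CLSID's InProcServer32 default value at its own DLL, so explorer.exe loads whichever DLL was registered last when the shell starts. The following Python is an added example, not part of the sandbox report or its tooling: it parses a constructed subset of the report rows (copied verbatim) and rebuilds the drop chain and the SSODL-to-CLSID-to-DLL resolution a triage analyst would otherwise trace by hand. The function and constant names are the example's own.

```python
"""Rebuild the persistence model from sandbox signature rows.

Added example (not part of the sandbox report): parses the pipe-delimited
rows exactly as they appear in the report, then (1) walks the "File created"
rows to recover the order in which each dropped EXE wrote the next one, and
(2) resolves the ShellServiceObjectDelayLoad (SSODL) value through its CLSID
to the InProcServer32 DLL that explorer.exe would load at shell start.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the report's rows, copied verbatim.
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe")
SAMPLE_ROWS = r'''
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Meppiblm.exe | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| File created | C:\Windows\SysWOW64\Lhajpc32.dll | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndemjoae.exe | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndemjoae.exe | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| File created | C:\Windows\SysWOW64\Nckjkl32.exe | C:\Windows\SysWOW64\Ndemjoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlcnda32.exe | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngibaj32.exe | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" | C:\Windows\SysWOW64\Meppiblm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" | C:\Windows\SysWOW64\Nckjkl32.exe | N/A |
'''

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Default value of InProcServer32: the report renders REG_SZ data with escaped backslashes.
INPROC_RE = re.compile(r'InProcServer32\\ = "(.+)"$')
SSODL_RE = re.compile(r'ShellServiceObjectDelayLoad\\(.+?) = "(\{[0-9A-Fa-f-]{36}\})"$')


def parse_rows(table_text):
    """Turn '| Description | Indicator | Process | Target |' lines into dicts."""
    rows = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        rows.append(dict(zip(("description", "indicator", "process", "target"), cells)))
    return rows


def drop_edges(rows):
    """Map each writing process to the EXEs it created (DLLs and rewrites ignored)."""
    edges = defaultdict(list)
    for r in rows:
        if r["description"] == "File created" and r["indicator"].lower().endswith(".exe"):
            edges[r["process"]].append(r["indicator"])
    return edges


def drop_chain(rows, root):
    """Follow 'File created' edges from the root sample; returns basenames in drop order.

    Stops when a process wrote no further EXE or when a path repeats (cycle guard).
    """
    edges = drop_edges(rows)
    chain, seen, cur = [root], {root}, root
    while edges.get(cur):
        nxt = edges[cur][0]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return [ntpath.basename(p) for p in chain]


def ssodl_entries(rows):
    """SSODL value name -> CLSID, from every 'Set value' row under that key."""
    out = {}
    for r in rows:
        m = SSODL_RE.search(r["indicator"])
        if m:
            out[m.group(1)] = m.group(2)
    return out


def inproc_servers(rows):
    """CLSID -> [(dll path, writing process)], in report order.

    Several processes re-point the same CLSID; the last writer wins on the host.
    """
    out = defaultdict(list)
    for r in rows:
        m = INPROC_RE.search(r["indicator"])
        cm = CLSID_RE.search(r["indicator"])
        if not (m and cm):
            continue
        dll = m.group(1).replace("\\\\", "\\")  # undo the report's escaping
        out[cm.group(0)].append((dll, ntpath.basename(r["process"])))
    return out


def persistence_summary(rows):
    """Resolve each SSODL value through its CLSID to the DLL(s) the shell would load."""
    servers = inproc_servers(rows)
    return {
        name: {"clsid": clsid, "dlls": [dll for dll, _ in servers.get(clsid, [])]}
        for name, clsid in ssodl_entries(rows).items()
    }


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print(" -> ".join(drop_chain(rows, SAMPLE_PATH)))
    for name, info in persistence_summary(rows).items():
        print(f'SSODL "{name}" = {info["clsid"]} loads {info["dlls"]}')
```

On a full report the same walk over all "Drops file in System32 directory" rows yields the complete chain shown in the process list, and `persistence_summary` shows that a single SSODL value is repeatedly re-pointed at a fresh DLL, so the indicator to hunt for on a host is any SSODL CLSID whose InProcServer32 resolves outside the signed Windows shell binaries, not one particular DLL name.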
Suspicious use of WriteProcessMemory
Processes
Each dropped executable launches the next one in the list. The command lines reference C:\Windows\system32\, which WOW64 file-system redirection maps to C:\Windows\SysWOW64\ for these 32-bit processes, so the image path and the command-line path differ. The final WerFault.exe entry is the crash handler invoked for PID 2600 (Ceegmj32.exe, see "Program crash" above).
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | "C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe" |
| C:\Windows\SysWOW64\Meppiblm.exe | C:\Windows\system32\Meppiblm.exe |
| C:\Windows\SysWOW64\Ndemjoae.exe | C:\Windows\system32\Ndemjoae.exe |
| C:\Windows\SysWOW64\Nckjkl32.exe | C:\Windows\system32\Nckjkl32.exe |
| C:\Windows\SysWOW64\Nlcnda32.exe | C:\Windows\system32\Nlcnda32.exe |
| C:\Windows\SysWOW64\Ngibaj32.exe | C:\Windows\system32\Ngibaj32.exe |
| C:\Windows\SysWOW64\Nenobfak.exe | C:\Windows\system32\Nenobfak.exe |
| C:\Windows\SysWOW64\Nhohda32.exe | C:\Windows\system32\Nhohda32.exe |
| C:\Windows\SysWOW64\Ohaeia32.exe | C:\Windows\system32\Ohaeia32.exe |
| C:\Windows\SysWOW64\Oeeecekc.exe | C:\Windows\system32\Oeeecekc.exe |
| C:\Windows\SysWOW64\Oalfhf32.exe | C:\Windows\system32\Oalfhf32.exe |
| C:\Windows\SysWOW64\Oancnfoe.exe | C:\Windows\system32\Oancnfoe.exe |
| C:\Windows\SysWOW64\Pngphgbf.exe | C:\Windows\system32\Pngphgbf.exe |
| C:\Windows\SysWOW64\Pokieo32.exe | C:\Windows\system32\Pokieo32.exe |
| C:\Windows\SysWOW64\Pcibkm32.exe | C:\Windows\system32\Pcibkm32.exe |
| C:\Windows\SysWOW64\Qodlkm32.exe | C:\Windows\system32\Qodlkm32.exe |
| C:\Windows\SysWOW64\Acfaeq32.exe | C:\Windows\system32\Acfaeq32.exe |
| C:\Windows\SysWOW64\Afgkfl32.exe | C:\Windows\system32\Afgkfl32.exe |
| C:\Windows\SysWOW64\Ajecmj32.exe | C:\Windows\system32\Ajecmj32.exe |
| C:\Windows\SysWOW64\Afkdakjb.exe | C:\Windows\system32\Afkdakjb.exe |
| C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\system32\Abbeflpf.exe |
| C:\Windows\SysWOW64\Bilmcf32.exe | C:\Windows\system32\Bilmcf32.exe |
| C:\Windows\SysWOW64\Biojif32.exe | C:\Windows\system32\Biojif32.exe |
| C:\Windows\SysWOW64\Bbgnak32.exe | C:\Windows\system32\Bbgnak32.exe |
| C:\Windows\SysWOW64\Behgcf32.exe | C:\Windows\system32\Behgcf32.exe |
| C:\Windows\SysWOW64\Bdmddc32.exe | C:\Windows\system32\Bdmddc32.exe |
| C:\Windows\SysWOW64\Baadng32.exe | C:\Windows\system32\Baadng32.exe |
| C:\Windows\SysWOW64\Cfnmfn32.exe | C:\Windows\system32\Cfnmfn32.exe |
| C:\Windows\SysWOW64\Cmjbhh32.exe | C:\Windows\system32\Cmjbhh32.exe |
| C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\system32\Ceegmj32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 140 |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:09
Reported
2024-04-07 19:12
Platform
win10v2004-20240226-en
Max time kernel
14s
Max time network
12s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmbdbd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfolbmje.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Heocnk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jmhale32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ibqpimpl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hmabdibj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iefioj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfjcgn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmfhig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qgcbgo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmhale32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njefqo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjmehkqk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njefqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hfqlnm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Imoneg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Imdgqfbd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jmbdbd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oqfdnhfk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbiaapdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hfqlnm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kboljk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jlpkba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nngokoej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pflplnlg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chmndlge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkaejf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdnidn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcioiood.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jlnnmb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Odkjng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmpgldhg.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Jmhale32.exe | C:\Windows\SysWOW64\Icplcpgo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pfhfan32.exe | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkjpmk32.dll | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Eifnachf.dll | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkmjgool.dll | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| File created | C:\Windows\SysWOW64\Npibja32.dll | C:\Windows\SysWOW64\Ibqpimpl.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdnidn32.exe | C:\Windows\SysWOW64\Kboljk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdeflhhf.dll | C:\Windows\SysWOW64\Ndhmhh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oqfdnhfk.exe | C:\Windows\SysWOW64\Ognpebpj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cnicfe32.exe | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckmllpik.dll | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmefhako.exe | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbmhofmq.dll | C:\Windows\SysWOW64\Pqpgdfnp.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbpbca32.dll | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oqfdnhfk.exe | C:\Windows\SysWOW64\Ognpebpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Afhohlbj.exe | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| File created | C:\Windows\SysWOW64\Glbandkm.dll | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Caebma32.exe | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nphhmj32.exe | C:\Windows\SysWOW64\Nebdoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njqmepik.exe | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocpgod32.exe | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pflplnlg.exe | C:\Windows\SysWOW64\Pqpgdfnp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmfhig32.exe | C:\Windows\SysWOW64\Pflplnlg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajhddjfn.exe | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| File created | C:\Windows\SysWOW64\Agjbpg32.dll | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbdhjm32.dll | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofcmfodb.exe | C:\Windows\SysWOW64\Oqfdnhfk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocpgod32.exe | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ofeilobp.exe | C:\Windows\SysWOW64\Olmeci32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmfiloih.dll | C:\Windows\SysWOW64\Afoeiklb.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhkjej32.exe | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceckcp32.exe | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Beapme32.dll | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkkcge32.exe | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmpgldhg.exe | C:\Windows\SysWOW64\Jlpkba32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qqijje32.exe | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmjapi32.dll | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnpppgdj.exe | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| File created | C:\Windows\SysWOW64\Cogflbdn.dll | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkoqfnpl.dll | C:\Windows\SysWOW64\Jcioiood.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ofcmfodb.exe | C:\Windows\SysWOW64\Oqfdnhfk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgcbgo32.exe | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aeiofcji.exe | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amfoeb32.dll | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ognpebpj.exe | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pfolbmje.exe | C:\Windows\SysWOW64\Pmfhig32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibaabn32.dll | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmgjgcgo.exe | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kpihae32.dll | C:\Windows\SysWOW64\Gbiaapdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkenegog.dll | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmgjgcgo.exe | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Naeheh32.dll | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| File created | C:\Windows\SysWOW64\Iefioj32.exe | C:\Windows\SysWOW64\Hfqlnm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pqdqof32.exe | C:\Windows\SysWOW64\Pfolbmje.exe | N/A |
| File created | C:\Windows\SysWOW64\Laqpgflj.dll | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Feibedlp.dll | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghekjiam.dll | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngdmod32.exe | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndhmhh32.exe | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqmjog32.exe | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfjcgn32.exe | C:\Windows\SysWOW64\Pqmjog32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmefhako.exe | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Daekdooc.exe | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Imdgqfbd.exe | C:\Windows\SysWOW64\Imakkfdg.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll" | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmfhig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll" | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaheeaan.dll" | C:\Windows\SysWOW64\Jmhale32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pflplnlg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll" | C:\Windows\SysWOW64\Jcioiood.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qgcbgo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll" | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjegoo32.dll" | C:\Windows\SysWOW64\Helfik32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll" | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll" | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pflplnlg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hfnphn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibqpimpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll" | C:\Windows\SysWOW64\Pfjcgn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bhhdil32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnpbjmi.dll" | C:\Windows\SysWOW64\Hfqlnm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll" | C:\Windows\SysWOW64\Pmfhig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gkaejf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jlpkba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ofcmfodb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Heocnk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll" | C:\Windows\SysWOW64\Pqpgdfnp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pqdqof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjfaeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll" | C:\Windows\SysWOW64\Ndhmhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll" | C:\Windows\SysWOW64\Icplcpgo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Odkjng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll" | C:\Windows\SysWOW64\Imakkfdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" | C:\Windows\SysWOW64\Chmndlge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdnidn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jcioiood.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll" | C:\Windows\SysWOW64\Kdqejn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pfjcgn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll" | C:\Windows\SysWOW64\Pflplnlg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe
"C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe"
C:\Windows\SysWOW64\Gbiaapdf.exe
C:\Windows\system32\Gbiaapdf.exe
C:\Windows\SysWOW64\Gkaejf32.exe
C:\Windows\system32\Gkaejf32.exe
C:\Windows\SysWOW64\Gblngpbd.exe
C:\Windows\system32\Gblngpbd.exe
C:\Windows\SysWOW64\Hmabdibj.exe
C:\Windows\system32\Hmabdibj.exe
C:\Windows\SysWOW64\Helfik32.exe
C:\Windows\system32\Helfik32.exe
C:\Windows\SysWOW64\Heocnk32.exe
C:\Windows\system32\Heocnk32.exe
C:\Windows\SysWOW64\Hfnphn32.exe
C:\Windows\system32\Hfnphn32.exe
C:\Windows\SysWOW64\Hfqlnm32.exe
C:\Windows\system32\Hfqlnm32.exe
C:\Windows\SysWOW64\Iefioj32.exe
C:\Windows\system32\Iefioj32.exe
C:\Windows\SysWOW64\Ipknlb32.exe
C:\Windows\system32\Ipknlb32.exe
C:\Windows\SysWOW64\Imoneg32.exe
C:\Windows\system32\Imoneg32.exe
C:\Windows\SysWOW64\Imakkfdg.exe
C:\Windows\system32\Imakkfdg.exe
C:\Windows\SysWOW64\Imdgqfbd.exe
C:\Windows\system32\Imdgqfbd.exe
C:\Windows\SysWOW64\Ibqpimpl.exe
C:\Windows\system32\Ibqpimpl.exe
C:\Windows\SysWOW64\Icplcpgo.exe
C:\Windows\system32\Icplcpgo.exe
C:\Windows\SysWOW64\Jmhale32.exe
C:\Windows\system32\Jmhale32.exe
C:\Windows\SysWOW64\Jlnnmb32.exe
C:\Windows\system32\Jlnnmb32.exe
C:\Windows\SysWOW64\Jlpkba32.exe
C:\Windows\system32\Jlpkba32.exe
C:\Windows\SysWOW64\Jmpgldhg.exe
C:\Windows\system32\Jmpgldhg.exe
C:\Windows\SysWOW64\Jcioiood.exe
C:\Windows\system32\Jcioiood.exe
C:\Windows\SysWOW64\Jmbdbd32.exe
C:\Windows\system32\Jmbdbd32.exe
C:\Windows\SysWOW64\Kboljk32.exe
C:\Windows\system32\Kboljk32.exe
C:\Windows\SysWOW64\Kdnidn32.exe
C:\Windows\system32\Kdnidn32.exe
C:\Windows\SysWOW64\Kepelfam.exe
C:\Windows\system32\Kepelfam.exe
C:\Windows\SysWOW64\Kdqejn32.exe
C:\Windows\system32\Kdqejn32.exe
C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe
C:\Windows\SysWOW64\Nngokoej.exe
C:\Windows\system32\Nngokoej.exe
C:\Windows\SysWOW64\Nebdoa32.exe
C:\Windows\system32\Nebdoa32.exe
C:\Windows\SysWOW64\Nphhmj32.exe
C:\Windows\system32\Nphhmj32.exe
C:\Windows\SysWOW64\Njqmepik.exe
C:\Windows\system32\Njqmepik.exe
C:\Windows\SysWOW64\Ngdmod32.exe
C:\Windows\system32\Ngdmod32.exe
C:\Windows\SysWOW64\Ndhmhh32.exe
C:\Windows\system32\Ndhmhh32.exe
C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
C:\Windows\SysWOW64\Odkjng32.exe
C:\Windows\system32\Odkjng32.exe
C:\Windows\SysWOW64\Oflgep32.exe
C:\Windows\system32\Oflgep32.exe
C:\Windows\SysWOW64\Ocpgod32.exe
C:\Windows\system32\Ocpgod32.exe
C:\Windows\SysWOW64\Olhlhjpd.exe
C:\Windows\system32\Olhlhjpd.exe
C:\Windows\SysWOW64\Ognpebpj.exe
C:\Windows\system32\Ognpebpj.exe
C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\system32\Oqfdnhfk.exe
C:\Windows\SysWOW64\Ofcmfodb.exe
C:\Windows\system32\Ofcmfodb.exe
C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe
C:\Windows\SysWOW64\Ofeilobp.exe
C:\Windows\system32\Ofeilobp.exe
C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe
C:\Windows\SysWOW64\Pfhfan32.exe
C:\Windows\system32\Pfhfan32.exe
C:\Windows\SysWOW64\Pqmjog32.exe
C:\Windows\system32\Pqmjog32.exe
C:\Windows\SysWOW64\Pfjcgn32.exe
C:\Windows\system32\Pfjcgn32.exe
C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe
C:\Windows\SysWOW64\Pflplnlg.exe
C:\Windows\system32\Pflplnlg.exe
C:\Windows\SysWOW64\Pmfhig32.exe
C:\Windows\system32\Pmfhig32.exe
C:\Windows\SysWOW64\Pfolbmje.exe
C:\Windows\system32\Pfolbmje.exe
C:\Windows\SysWOW64\Pqdqof32.exe
C:\Windows\system32\Pqdqof32.exe
C:\Windows\SysWOW64\Pcbmka32.exe
C:\Windows\system32\Pcbmka32.exe
C:\Windows\SysWOW64\Pjmehkqk.exe
C:\Windows\system32\Pjmehkqk.exe
C:\Windows\SysWOW64\Qqfmde32.exe
C:\Windows\system32\Qqfmde32.exe
C:\Windows\SysWOW64\Qjoankoi.exe
C:\Windows\system32\Qjoankoi.exe
C:\Windows\SysWOW64\Qqijje32.exe
C:\Windows\system32\Qqijje32.exe
C:\Windows\SysWOW64\Qgcbgo32.exe
C:\Windows\system32\Qgcbgo32.exe
C:\Windows\SysWOW64\Aqkgpedc.exe
C:\Windows\system32\Aqkgpedc.exe
C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe
C:\Windows\SysWOW64\Ambgef32.exe
C:\Windows\system32\Ambgef32.exe
C:\Windows\SysWOW64\Aeiofcji.exe
C:\Windows\system32\Aeiofcji.exe
C:\Windows\SysWOW64\Ajfhnjhq.exe
C:\Windows\system32\Ajfhnjhq.exe
C:\Windows\SysWOW64\Ajhddjfn.exe
C:\Windows\system32\Ajhddjfn.exe
C:\Windows\SysWOW64\Afoeiklb.exe
C:\Windows\system32\Afoeiklb.exe
C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe
C:\Windows\SysWOW64\Bganhm32.exe
C:\Windows\system32\Bganhm32.exe
C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\system32\Bfdodjhm.exe
C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
C:\Windows\SysWOW64\Bgehcmmm.exe
C:\Windows\system32\Bgehcmmm.exe
C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
C:\Windows\SysWOW64\Bjfaeh32.exe
C:\Windows\system32\Bjfaeh32.exe
C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe
C:\Windows\SysWOW64\Chmndlge.exe
C:\Windows\system32\Chmndlge.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe
C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe
C:\Windows\SysWOW64\Cnicfe32.exe
C:\Windows\system32\Cnicfe32.exe
C:\Windows\SysWOW64\Ceckcp32.exe
C:\Windows\system32\Ceckcp32.exe
C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
C:\Windows\SysWOW64\Cmnpgb32.exe
C:\Windows\system32\Cmnpgb32.exe
C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe
C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Dfknkg32.exe
C:\Windows\system32\Dfknkg32.exe
C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe
C:\Windows\SysWOW64\Deokon32.exe
C:\Windows\system32\Deokon32.exe
C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5920 -ip 5920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 216
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
Files
memory/1532-218-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Nebdoa32.exe
| MD5 | 3245f0edf1d286e916edbcc60a4a2aa0 |
| SHA1 | 99c85c427c36cb7731d65f570880f3ba0f9abd13 |
| SHA256 | 2b009845f276b0bcddb0e8208440e2bad7ae81718bcfe1f05e5e73ec7ce4f4d6 |
| SHA512 | ea83c22c261f8b9f3ef5a12244b452bb3b6980dd5e2b2bc31f3f20f94c5f5783c230d96ff1f1ad938e1c7be1740661a742c6df5534149afbb6f3f731d6919a1f |
memory/5072-227-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Nphhmj32.exe
| MD5 | c1059109824b056f984dd689d8ac5f0a |
| SHA1 | bee605f7406d1090d5127fd9c998e4862a140eaf |
| SHA256 | a078a727e55394b4ffc25e7209ee6bb8ac82f01e83c8ae1a1f4684b8e16295e7 |
| SHA512 | cf77925fc149f3474885483c41ae9f023b7ca12101ecdc7cf56f3ab75708ad08caef043f769b617f75ead982a2b457775baffa877d5d40bcb7ebadd3bcf08f2a |
C:\Windows\SysWOW64\Njqmepik.exe
| MD5 | 11f754a53d65518d878ca8ac029df577 |
| SHA1 | fc41ee5e95895b0a03742410330e0a9171fc52da |
| SHA256 | 629dcbade7b60b574a501b425aee8858229053fadb223eff0322fb5bd386ea9c |
| SHA512 | 5d116d85299bd5003b3981b87ffdd9a43e8dd94cae0fb593493cea27864854564ed70c1773335d411de34c1ed7cf8ac2e00c1c282b3424f9867e54d25480d913 |
memory/1160-235-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4280-243-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Ngdmod32.exe
| MD5 | 0f40cf4e304fa2d22a748bca0f7323c5 |
| SHA1 | 8b1561c4070ab6895d366efd58a8d382cdc5fe65 |
| SHA256 | 2ce5e3165537a023c6e46d4609911b98334ab5454a0ef45f8b264be8cd0a2752 |
| SHA512 | 6dfad07bdc2aa7140d67785c3a5793cdb7e7a7d8cd165be6628d67fa329ca4c079caca7f8a97c18567bf94c79fd6a45cb55339e45bfa683cbdb9d9dda1fbc6f1 |
memory/220-250-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Ndhmhh32.exe
| MD5 | eb78a6c0cdfe263619516560024d203c |
| SHA1 | 48baf07d08d457c112772a74ce69a16cdd3188c4 |
| SHA256 | 643b58a1c93901d46a832931e763c8919f17aa01e24e9be23e4a77cea76d9726 |
| SHA512 | f68f57033641cc4314f87e848b9430367af29db61948c5cc95906991b9966b531a49db43167bcfc50f2723ad99d755bdd2eda7e1c0352b7b656dc3ba486c88f4 |
memory/3616-259-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4060-265-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1100-272-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5020-278-0x0000000000400000-0x0000000000438000-memory.dmp
memory/436-284-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2876-290-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4752-296-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1740-302-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3732-308-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3076-314-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4388-320-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2664-326-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4840-336-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1124-338-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Pfjcgn32.exe
| MD5 | c816980a6fa91f56ea1ec2f9b7b4f825 |
| SHA1 | d46d992a3d8f824353b3112ab9896d538940511a |
| SHA256 | 862d613133fa76ec211d4ce6b370dec56856c0ad94019790fbb289b4aa096e25 |
| SHA512 | 839982ac4e9fe5c1e7b94681ad509bc5be159997aed5a59a3795c75f53dbc400b825cc0468a1f5aae384755454e6fe493d4438fef87d36141602900ba72189dd |
memory/2136-344-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1968-350-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-356-0x0000000000400000-0x0000000000438000-memory.dmp
memory/452-362-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3420-368-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3236-378-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1412-380-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4456-390-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4272-392-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-403-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4556-404-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3256-410-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5108-416-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1696-422-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3776-432-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3140-434-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\Afoeiklb.exe
| MD5 | e3591efb96c747679fbf34ad23b34ffb |
| SHA1 | b29e3b5877388929d2899ff9c9c741ffe42122c5 |
| SHA256 | 5c029df4409bf250a07804c93040a99b0e4626f77732c3ee47eb65f74d62dc93 |
| SHA512 | 165a38b96cbaaf343fe6b5a995d13d24502f8decb0c52283a0971a327be1cfc8bb85cd8b73e2d53c28c57c10cd61096ee987ead3d2d5dc6ae1189f7e58f578b6 |
C:\Windows\SysWOW64\Bgehcmmm.exe
| MD5 | 6fcf26c6318d8b63dd2c81c78a8a65fd |
| SHA1 | a630474325f3b13d976bb2d66f6792360db45672 |
| SHA256 | 0a93242c1b4cb05bd08eb874b80a8e1d6e6e21e8d35828a32febcf973959d27a |
| SHA512 | dc67444ecea5a3aa8971cf53dc48aa3512879f81f4dc193145c8485ec353b2f3cb5620a3d7f80b5dac06ee980ed56b7118e54753cc6657ebfa1c98d4c4012188 |