Malware Analysis Report

2025-03-14 22:31

Sample ID: 240407-xt5a4abh2y
Target: 1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba
SHA256: 1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba

Threat Level: Known bad

The file 1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 19:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 19:09

Reported: 2024-04-07 19:12

Platform: win7-20240221-en

Max time kernel: 118s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngibaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdmddc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlcnda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ohaeia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcibkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhohda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajecmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Meppiblm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oalfhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abbeflpf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nckjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nenobfak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qodlkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Biojif32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndemjoae.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oancnfoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcibkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abbeflpf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmjbhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nlcnda32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngibaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nenobfak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oancnfoe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afkdakjb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Biojif32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pokieo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qodlkm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbgnak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdmddc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmjbhh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Meppiblm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nckjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pngphgbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbgnak32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pngphgbf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pokieo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajecmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohaeia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oalfhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Behgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Behgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndemjoae.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhohda32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oeeecekc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oeeecekc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
N/A N/A C:\Windows\SysWOW64\Meppiblm.exe N/A
N/A N/A C:\Windows\SysWOW64\Meppiblm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckjkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcnda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcnda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngibaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngibaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenobfak.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenobfak.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhohda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhohda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohaeia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohaeia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeeecekc.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeeecekc.exe N/A
N/A N/A C:\Windows\SysWOW64\Oalfhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oalfhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oancnfoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Oancnfoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Pngphgbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pngphgbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pokieo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pokieo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcibkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcibkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qodlkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qodlkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfaeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afgkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afgkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajecmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajecmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkdakjb.exe N/A
N/A N/A C:\Windows\SysWOW64\Afkdakjb.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbeflpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbeflpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bilmcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bilmcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Biojif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Biojif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbgnak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbgnak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Behgcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Behgcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdmddc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bdmddc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baadng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baadng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfnmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfnmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmjbhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmjbhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Aoogfhfp.dll C:\Windows\SysWOW64\Cmjbhh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oeeecekc.exe N/A
File created C:\Windows\SysWOW64\Abbeflpf.exe C:\Windows\SysWOW64\Afkdakjb.exe N/A
File created C:\Windows\SysWOW64\Mabanhgg.dll C:\Windows\SysWOW64\Baadng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmjbhh32.exe C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File created C:\Windows\SysWOW64\Ckpfcfnm.dll C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bilmcf32.exe C:\Windows\SysWOW64\Abbeflpf.exe N/A
File created C:\Windows\SysWOW64\Bbgnak32.exe C:\Windows\SysWOW64\Biojif32.exe N/A
File created C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cmjbhh32.exe N/A
File created C:\Windows\SysWOW64\Ifbgfk32.dll C:\Windows\SysWOW64\Oancnfoe.exe N/A
File opened for modification C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\SysWOW64\Pcibkm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Behgcf32.exe C:\Windows\SysWOW64\Bbgnak32.exe N/A
File created C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Meppiblm.exe N/A
File created C:\Windows\SysWOW64\Ngibaj32.exe C:\Windows\SysWOW64\Nlcnda32.exe N/A
File created C:\Windows\SysWOW64\Ohaeia32.exe C:\Windows\SysWOW64\Nhohda32.exe N/A
File created C:\Windows\SysWOW64\Jaofqdkb.dll C:\Windows\SysWOW64\Ohaeia32.exe N/A
File created C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oeeecekc.exe N/A
File created C:\Windows\SysWOW64\Lgahjhop.dll C:\Windows\SysWOW64\Abbeflpf.exe N/A
File opened for modification C:\Windows\SysWOW64\Baadng32.exe C:\Windows\SysWOW64\Bdmddc32.exe N/A
File created C:\Windows\SysWOW64\Kcpnnfqg.dll C:\Windows\SysWOW64\Ndemjoae.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhohda32.exe C:\Windows\SysWOW64\Nenobfak.exe N/A
File created C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Ohaeia32.exe N/A
File created C:\Windows\SysWOW64\Ljhcccai.dll C:\Windows\SysWOW64\Qodlkm32.exe N/A
File created C:\Windows\SysWOW64\Gmfkdm32.dll C:\Windows\SysWOW64\Afkdakjb.exe N/A
File opened for modification C:\Windows\SysWOW64\Abbeflpf.exe C:\Windows\SysWOW64\Afkdakjb.exe N/A
File created C:\Windows\SysWOW64\Dhnook32.dll C:\Windows\SysWOW64\Bbgnak32.exe N/A
File created C:\Windows\SysWOW64\Ljacemio.dll C:\Windows\SysWOW64\Bdmddc32.exe N/A
File created C:\Windows\SysWOW64\Nlcnda32.exe C:\Windows\SysWOW64\Nckjkl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlcnda32.exe C:\Windows\SysWOW64\Nckjkl32.exe N/A
File created C:\Windows\SysWOW64\Ogjgkqaa.dll C:\Windows\SysWOW64\Nckjkl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Oalfhf32.exe N/A
File created C:\Windows\SysWOW64\Paenhpdh.dll C:\Windows\SysWOW64\Pokieo32.exe N/A
File created C:\Windows\SysWOW64\Cfnmfn32.exe C:\Windows\SysWOW64\Baadng32.exe N/A
File created C:\Windows\SysWOW64\Nhohda32.exe C:\Windows\SysWOW64\Nenobfak.exe N/A
File opened for modification C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Acfaeq32.exe N/A
File created C:\Windows\SysWOW64\Cmjbhh32.exe C:\Windows\SysWOW64\Cfnmfn32.exe N/A
File created C:\Windows\SysWOW64\Nacehmno.dll C:\Windows\SysWOW64\Pcibkm32.exe N/A
File created C:\Windows\SysWOW64\Fekagf32.dll C:\Windows\SysWOW64\Afgkfl32.exe N/A
File created C:\Windows\SysWOW64\Biojif32.exe C:\Windows\SysWOW64\Bilmcf32.exe N/A
File created C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\SysWOW64\Ngibaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ohaeia32.exe C:\Windows\SysWOW64\Nhohda32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Ohaeia32.exe N/A
File created C:\Windows\SysWOW64\Aliolp32.dll C:\Windows\SysWOW64\Oalfhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Pokieo32.exe N/A
File created C:\Windows\SysWOW64\Bdmddc32.exe C:\Windows\SysWOW64\Behgcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdmddc32.exe C:\Windows\SysWOW64\Behgcf32.exe N/A
File created C:\Windows\SysWOW64\Meppiblm.exe C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
File created C:\Windows\SysWOW64\Noomnjpj.dll C:\Windows\SysWOW64\Meppiblm.exe N/A
File created C:\Windows\SysWOW64\Nckjkl32.exe C:\Windows\SysWOW64\Ndemjoae.exe N/A
File created C:\Windows\SysWOW64\Jmbckb32.dll C:\Windows\SysWOW64\Nlcnda32.exe N/A
File created C:\Windows\SysWOW64\Lmmlmd32.dll C:\Windows\SysWOW64\Ajecmj32.exe N/A
File created C:\Windows\SysWOW64\Lhajpc32.dll C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
File created C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Pokieo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\SysWOW64\Ajecmj32.exe N/A
File created C:\Windows\SysWOW64\Ehieciqq.dll C:\Windows\SysWOW64\Biojif32.exe N/A
File created C:\Windows\SysWOW64\Behgcf32.exe C:\Windows\SysWOW64\Bbgnak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Meppiblm.exe N/A
File created C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Oalfhf32.exe N/A
File created C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\SysWOW64\Pcibkm32.exe N/A
File created C:\Windows\SysWOW64\Cjnolikh.dll C:\Windows\SysWOW64\Behgcf32.exe N/A
File created C:\Windows\SysWOW64\Bqjfjb32.dll C:\Windows\SysWOW64\Oeeecekc.exe N/A
File created C:\Windows\SysWOW64\Cophek32.dll C:\Windows\SysWOW64\Acfaeq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajecmj32.exe C:\Windows\SysWOW64\Afgkfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Meppiblm.exe C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ceegmj32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pokieo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" C:\Windows\SysWOW64\Cmjbhh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngibaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oalfhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaofqdkb.dll" C:\Windows\SysWOW64\Ohaeia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oalfhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aliolp32.dll" C:\Windows\SysWOW64\Oalfhf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nenobfak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nenobfak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll" C:\Windows\SysWOW64\Nhohda32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oancnfoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oancnfoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll" C:\Windows\SysWOW64\Nckjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlcnda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pngphgbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acfaeq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afkdakjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oeeecekc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pcibkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qodlkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdmddc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nhohda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjfjb32.dll" C:\Windows\SysWOW64\Oeeecekc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Meppiblm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll" C:\Windows\SysWOW64\Bdmddc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll" C:\Windows\SysWOW64\Oancnfoe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pcibkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afkdakjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" C:\Windows\SysWOW64\Qodlkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abbeflpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll" C:\Windows\SysWOW64\Bbgnak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbgnak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Behgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndemjoae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nckjkl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcgdenbm.dll" C:\Windows\SysWOW64\Nenobfak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdmddc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngibaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ohaeia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmjbhh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" C:\Windows\SysWOW64\Meppiblm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Meppiblm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" C:\Windows\SysWOW64\Behgcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pokieo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll" C:\Windows\SysWOW64\Pokieo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Behgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll" C:\Windows\SysWOW64\Nlcnda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" C:\Windows\SysWOW64\Abbeflpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Biojif32.exe N/A
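
The rows above register CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} with an InProcServer32 default value that points at a dropped DLL under SysWOW64; several of the dropped executables each rewrite that value to their own DLL (Ckpfcfnm.dll, Noomnjpj.dll, Cjnolikh.dll, Paenhpdh.dll, Jmbckb32.dll, Lgahjhop.dll). The ShellServiceObjectDelayLoad value "Web Event Logger" that names this CLSID is what makes Explorer instantiate the object, and therefore load the DLL, when the shell starts. One detail matters when hunting for this on 64-bit hosts: the sample is 32-bit, so its writes land in the Wow6432Node view, while the 64-bit explorer.exe reads the native key, so a checker must enumerate both views. The Python script below is an added example and not part of this sandbox report; it resolves every SSODL value in a .reg export to the DLL it would load and flags CLSIDs outside an allowlist. The sample export and the allowlist (WebCheck only) are constructed for the example.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) entries to the DLL Explorer would load.

Input is the text of a .reg export (``reg export HKLM\\SOFTWARE hklm_software.reg``).
The sample export and the allowlist below are constructed for this example.
"""
from __future__ import annotations

import re
import sys

# Constructed sample export: one default Windows entry (WebCheck) for contrast and
# the "Web Event Logger" entry plus CLSID registration recorded in this report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\Windows\\SysWOW64\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\Windows\\SysWow64\\Ckpfcfnm.dll"
"ThreadingModel"="Apartment"
'''

HKLM_SOFTWARE = "hkey_local_machine\\software"
# Native view (read by 64-bit explorer.exe) and the WOW64 view a 32-bit writer lands in.
SSODL_KEYS = {
    "native": HKLM_SOFTWARE + "\\microsoft\\windows\\currentversion\\shellserviceobjectdelayload",
    "Wow6432Node": HKLM_SOFTWARE + "\\wow6432node\\microsoft\\windows\\currentversion\\shellserviceobjectdelayload",
}
# Assumed allowlist for the example: CLSIDs Windows itself registers under SSODL.
KNOWN_GOOD_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}  # WebCheck

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Return {lower-cased key path: {value name: string data}}; '' is the default value."""
    keys: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ only; dword:/hex: are skipped
                keys[current][name] = _unescape(data[1:-1])
    return keys


def _inproc_server(keys: dict[str, dict[str, str]], clsid: str, view: str) -> str | None:
    sub = "\\wow6432node" if view == "Wow6432Node" else ""
    key = f"{HKLM_SOFTWARE}\\classes{sub}\\clsid\\{clsid}\\inprocserver32".lower()
    return keys.get(key, {}).get("")


def audit_ssodl(reg_text: str) -> list[dict]:
    """One finding per SSODL value: view, CLSID, the DLL it resolves to, and why it is suspicious."""
    keys = parse_reg(reg_text)
    findings = []
    for view, ssodl_key in SSODL_KEYS.items():
        for name, clsid in keys.get(ssodl_key, {}).items():
            dll = _inproc_server(keys, clsid, view)
            reasons = []
            if clsid.upper() not in KNOWN_GOOD_CLSIDS:
                reasons.append("CLSID is not a known Windows SSODL object")
            if dll is None:
                reasons.append("CLSID has no InProcServer32 in this view (dangling or mis-registered)")
            findings.append({"view": view, "name": name, "clsid": clsid, "dll": dll,
                             "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # reg.exe writes UTF-16 LE with a BOM; fall back to the constructed sample when no file is given
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit_ssodl(text):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] {f['view']:<11} {f['name']!r} {f['clsid']} -> {f['dll']}  {'; '.join(f['reasons'])}")
```

On a live host, export the hive with `reg export HKLM\SOFTWARE hklm_software.reg` and pass the file as the first argument; the allowlist should be replaced with the SSODL CLSIDs from a known-clean build of the same Windows version, since the set differs between releases.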

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Meppiblm.exe
PID 2156 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Meppiblm.exe
PID 2156 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Meppiblm.exe
PID 2156 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Meppiblm.exe
PID 1852 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Meppiblm.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 1852 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Meppiblm.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 1852 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Meppiblm.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 1852 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Meppiblm.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 2636 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nckjkl32.exe
PID 2636 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nckjkl32.exe
PID 2636 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nckjkl32.exe
PID 2636 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nckjkl32.exe
PID 2596 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Nckjkl32.exe C:\Windows\SysWOW64\Nlcnda32.exe
PID 2596 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Nckjkl32.exe C:\Windows\SysWOW64\Nlcnda32.exe
PID 2596 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Nckjkl32.exe C:\Windows\SysWOW64\Nlcnda32.exe
PID 2596 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Nckjkl32.exe C:\Windows\SysWOW64\Nlcnda32.exe
PID 2604 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Nlcnda32.exe C:\Windows\SysWOW64\Ngibaj32.exe
PID 2604 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Nlcnda32.exe C:\Windows\SysWOW64\Ngibaj32.exe
PID 2604 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Nlcnda32.exe C:\Windows\SysWOW64\Ngibaj32.exe
PID 2604 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Nlcnda32.exe C:\Windows\SysWOW64\Ngibaj32.exe
PID 2392 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Ngibaj32.exe C:\Windows\SysWOW64\Nenobfak.exe
PID 2392 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Ngibaj32.exe C:\Windows\SysWOW64\Nenobfak.exe
PID 2392 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Ngibaj32.exe C:\Windows\SysWOW64\Nenobfak.exe
PID 2392 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Ngibaj32.exe C:\Windows\SysWOW64\Nenobfak.exe
PID 2896 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\SysWOW64\Nhohda32.exe
PID 2896 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\SysWOW64\Nhohda32.exe
PID 2896 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\SysWOW64\Nhohda32.exe
PID 2896 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\SysWOW64\Nhohda32.exe
PID 2152 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Nhohda32.exe C:\Windows\SysWOW64\Ohaeia32.exe
PID 2152 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Nhohda32.exe C:\Windows\SysWOW64\Ohaeia32.exe
PID 2152 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Nhohda32.exe C:\Windows\SysWOW64\Ohaeia32.exe
PID 2152 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Nhohda32.exe C:\Windows\SysWOW64\Ohaeia32.exe
PID 2692 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ohaeia32.exe C:\Windows\SysWOW64\Oeeecekc.exe
PID 2692 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ohaeia32.exe C:\Windows\SysWOW64\Oeeecekc.exe
PID 2692 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ohaeia32.exe C:\Windows\SysWOW64\Oeeecekc.exe
PID 2692 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ohaeia32.exe C:\Windows\SysWOW64\Oeeecekc.exe
PID 580 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 580 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 580 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 580 wrote to memory of 1072 N/A C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\SysWOW64\Oalfhf32.exe
PID 1072 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oancnfoe.exe
PID 1072 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oancnfoe.exe
PID 1072 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oancnfoe.exe
PID 1072 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\SysWOW64\Oancnfoe.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 1624 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 1612 wrote to memory of 608 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pokieo32.exe
PID 1612 wrote to memory of 608 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pokieo32.exe
PID 1612 wrote to memory of 608 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pokieo32.exe
PID 1612 wrote to memory of 608 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pokieo32.exe
PID 608 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 608 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 608 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 608 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 3008 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Qodlkm32.exe
PID 3008 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Qodlkm32.exe
PID 3008 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Qodlkm32.exe
PID 3008 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Qodlkm32.exe
PID 2836 wrote to memory of 1908 N/A C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 2836 wrote to memory of 1908 N/A C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 2836 wrote to memory of 1908 N/A C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\SysWOW64\Acfaeq32.exe
PID 2836 wrote to memory of 1908 N/A C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\SysWOW64\Acfaeq32.exe
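
Every writer in this table is the parent of the process it writes into, each pair is recorded four times, and the rows form one linear chain (2156 to 1852 to 2636 and so on, 17 processes deep in the rows shown; the table stops at Acfaeq32.exe while the process list continues further). Sandboxes record a few such writes for practically every process a parent launches, so this signature by itself is weak evidence of code injection; its value here is that it yields the launch chain of the dropped executables. The Python script below is an added example, not part of the report: it parses rows in this format, counts writes per parent/child pair so uniform low counts are visible at a glance, and rebuilds the chain. The embedded rows are copied from the first links of the table above, with the repeats kept to show the de-duplication.

```python
"""Collapse a sandbox report's 'wrote to memory of' rows into the process launch chain.

Added example; the sample rows are copied from the report's table, keeping the
repeated rows the sandbox emits for one parent/child pair.
"""
from __future__ import annotations

import ntpath
import re

_ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed from the first rows of the table: four writes 2156 -> 1852, then one
# representative row for each of the next three links in the chain.
SAMPLE_ROWS = r"""
PID 2156 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Meppiblm.exe
PID 2156 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Meppiblm.exe
PID 2156 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Meppiblm.exe
PID 2156 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Meppiblm.exe
PID 1852 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Meppiblm.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 2636 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nckjkl32.exe
PID 2596 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Nckjkl32.exe C:\Windows\SysWOW64\Nlcnda32.exe
"""

Edge = tuple[int, int, str, str]  # (writer pid, target pid, writer image, target image)


def parse_rows(text: str) -> list[Edge]:
    """Parse every 'PID A wrote to memory of B N/A <image A> <image B>' row; other lines are ignored."""
    edges: list[Edge] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def write_counts(edges: list[Edge]) -> dict[tuple[int, int], int]:
    """Writes per (writer, target) pair. A small uniform count across every pair is what
    ordinary process creation looks like; a selective injection stands out as an outlier."""
    counts: dict[tuple[int, int], int] = {}
    for src, dst, _, _ in edges:
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts


def build_chains(edges: list[Edge]) -> list[list[tuple[int, str]]]:
    """Follow writer -> target links from each root (a PID nothing wrote into) to the leaves."""
    image: dict[int, str] = {}
    children: dict[int, list[int]] = {}
    for src, dst, src_img, dst_img in edges:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        kids = children.setdefault(src, [])
        if dst not in kids:  # de-duplicate the repeated rows
            kids.append(dst)
    targets = {dst for _, dst, _, _ in edges}
    chains: list[list[tuple[int, str]]] = []
    for root in (pid for pid in image if pid not in targets):
        stack = [[root]]
        while stack:  # depth-first; a strictly linear chain yields exactly one path
            path = stack.pop()
            kids = children.get(path[-1], [])
            if not kids:
                chains.append([(pid, image[pid]) for pid in path])
            for kid in kids:
                if kid not in path:  # tolerate cyclic rows in odd reports
                    stack.append(path + [kid])
    return chains


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    for (src, dst), n in sorted(write_counts(edges).items()):
        print(f"{src} -> {dst}: {n} write(s)")
    for chain in build_chains(edges):
        print(" -> ".join(f"{pid} {ntpath.basename(img)}" for pid, img in chain))
```

Feeding the full table through `parse_rows` reproduces the whole chain; in a report where one parent writes into a process it did not create, or far more often than into its siblings, `write_counts` is the place that shows it.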

Processes

Command lines name C:\Windows\system32, but the processes are 32-bit, so the WOW64 file system redirector resolves those paths to C:\Windows\SysWOW64, which is where the recorded image paths point.

Path Command line
C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe "C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe"
C:\Windows\SysWOW64\Meppiblm.exe C:\Windows\system32\Meppiblm.exe
C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\system32\Ndemjoae.exe
C:\Windows\SysWOW64\Nckjkl32.exe C:\Windows\system32\Nckjkl32.exe
C:\Windows\SysWOW64\Nlcnda32.exe C:\Windows\system32\Nlcnda32.exe
C:\Windows\SysWOW64\Ngibaj32.exe C:\Windows\system32\Ngibaj32.exe
C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\system32\Nenobfak.exe
C:\Windows\SysWOW64\Nhohda32.exe C:\Windows\system32\Nhohda32.exe
C:\Windows\SysWOW64\Ohaeia32.exe C:\Windows\system32\Ohaeia32.exe
C:\Windows\SysWOW64\Oeeecekc.exe C:\Windows\system32\Oeeecekc.exe
C:\Windows\SysWOW64\Oalfhf32.exe C:\Windows\system32\Oalfhf32.exe
C:\Windows\SysWOW64\Oancnfoe.exe C:\Windows\system32\Oancnfoe.exe
C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\system32\Pngphgbf.exe
C:\Windows\SysWOW64\Pokieo32.exe C:\Windows\system32\Pokieo32.exe
C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\system32\Pcibkm32.exe
C:\Windows\SysWOW64\Qodlkm32.exe C:\Windows\system32\Qodlkm32.exe
C:\Windows\SysWOW64\Acfaeq32.exe C:\Windows\system32\Acfaeq32.exe
C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\system32\Afgkfl32.exe
C:\Windows\SysWOW64\Ajecmj32.exe C:\Windows\system32\Ajecmj32.exe
C:\Windows\SysWOW64\Afkdakjb.exe C:\Windows\system32\Afkdakjb.exe
C:\Windows\SysWOW64\Abbeflpf.exe C:\Windows\system32\Abbeflpf.exe
C:\Windows\SysWOW64\Bilmcf32.exe C:\Windows\system32\Bilmcf32.exe
C:\Windows\SysWOW64\Biojif32.exe C:\Windows\system32\Biojif32.exe
C:\Windows\SysWOW64\Bbgnak32.exe C:\Windows\system32\Bbgnak32.exe
C:\Windows\SysWOW64\Behgcf32.exe C:\Windows\system32\Behgcf32.exe
C:\Windows\SysWOW64\Bdmddc32.exe C:\Windows\system32\Bdmddc32.exe
C:\Windows\SysWOW64\Baadng32.exe C:\Windows\system32\Baadng32.exe
C:\Windows\SysWOW64\Cfnmfn32.exe C:\Windows\system32\Cfnmfn32.exe
C:\Windows\SysWOW64\Cmjbhh32.exe C:\Windows\system32\Cmjbhh32.exe
C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\system32\Ceegmj32.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 140

Network

N/A

Files

memory/2156-0-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\Meppiblm.exe

MD5 0b5b56f48567ce7181d0901c26d11f06
SHA1 983782d1e7da4e73f1daf98e6ae8843379dbed59
SHA256 1f6aa8223b135653ad554eecec3c2324e4558f2b247a08e5607fcc4bce531c9e
SHA512 2227500241e3765ffbf99129da8dc36d9c6aaf45fd56f244268188904779a528ad57a8a354a2233a6cd793d0db1c912042cc7e20ad671d5cba89ab30166dc7fc

memory/2156-6-0x00000000003A0000-0x00000000003D8000-memory.dmp

C:\Windows\SysWOW64\Ndemjoae.exe

MD5 084d9c9f365752806757f64e333f7ed9
SHA1 b5f73ed0d4bf057f2b275c25c40fd7c0b28bb850
SHA256 df32c09be8888e90ed41e124940cbee04f875a1030895d9d5e17203827f8afab
SHA512 e91af3c9657ca44283653078fd1b148b58b93f1c10e6e7c0a74f4f28e61688c81c72bab69286fef0ab68627dae39b2d650739addd4716ed710fbaa9e89f496b2

\Windows\SysWOW64\Nckjkl32.exe

MD5 f1cbec61aec615cb3194a54795dee891
SHA1 8e95bc85f68b463168dc7dffd56f968f1f8b6467
SHA256 456e6cd3834c62feb999c42155f58b8c5ce053065b9a2af1227489f580ad6637
SHA512 fafe61b8e33eb5dc16d8bf66bb450a248876342a6638e9718b64ec16154d61a4d5fcb210d9e37d18663d2000cdbafcccb58d2c2c5c7df8e5d60459032e5accfd

C:\Windows\SysWOW64\Nlcnda32.exe

MD5 d14687b8f5d410b97b36b4834caf4f96
SHA1 97929ea0a6411c204cf4908a82d1fcbaa5944c91
SHA256 569a0eea877728d0170a94817b86ace9b220c01a56e9a2ff3de6ced61fa29525
SHA512 711aeb992c015ddf96686063fcacdd0ccb72bdf9b67496a713b0ee10233ca79b1750f4ebdb20a14a38b0fbf4a8d74a92990f7c5942f0551e658caf1a24969eb4

C:\Windows\SysWOW64\Ngibaj32.exe

MD5 ffa89dd22f9340c93b54021802b4b11c
SHA1 5c25e06e49aaa862d2a67c94023e7113086115f4
SHA256 f05d5101825c9d9f42995824e9f7e209d97d190193fa1ee56db9b010e9a1673f
SHA512 7a9f9016ea110e6b69a176cc175f450e8fc8f53815ba8f95699cb8eb94cc543a66bd8fecc1c6d5de7f6c043bdda376b0f89b2b0014743358945029e0fa196f16

memory/2604-69-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\Nenobfak.exe

MD5 89c76a1556e212ff2c4cce61b0eb1780
SHA1 972b8a5646fb06210380b17b1316ab79cca72979
SHA256 e82734ba014904cb4d3efe8a1313f7d689af924384eef9d40c71e324b3737f9b
SHA512 ad750adac872dff57c8e835f5b5c11bdbb23808233619f3ce9054858174bc5e6ab5167aedd02789c0e8f2909c0cf2abea114fb2020a9eb4bc3a37947a442f438

C:\Windows\SysWOW64\Nhohda32.exe

MD5 25a902574a8378e2d9f305788937b12d
SHA1 91df04e96f7e5c8c2efc1e7fd4d348741737f207
SHA256 ff7e1dd6cc946b4b85738fcd823d756ed7d9c1931892b79912bd28e77732db61
SHA512 86ccaf828b8a36db2b4dcdb09ddcb033389f273ed12f4687d481cc91226c05a53910e174efb846cf1b71870ae478616998781bf62bece65f0dc93210fab03c17

\Windows\SysWOW64\Ohaeia32.exe

MD5 0790cd38c28da4ec3f321e22c54f01ff
SHA1 6d1ae7ae96f6d4af14372c9e165c1640746e6c04
SHA256 8406dd661cbf0a3f0f49e14041af1bd0a4cf7aae00873990ba066f2580e84dfa
SHA512 da457b1610bdd17d360d542b8e6b8cb63175fa1dbdbbb01a088958fa0e26a86a4f58b706e5385f24c4144bfac4b71a897cc53c8a4eb701e5fa80297264eacef2

C:\Windows\SysWOW64\Oeeecekc.exe

MD5 007ad6828754fe70d5449876c8bcae1c
SHA1 4dc9b5e23c237d78b30f0d7f0660447ce1446b68
SHA256 b0b0a4f3c42cece4a66acbdb4234f5fb547154fc6963731e920be24a808adafb
SHA512 d2ef705c42a563d6096a03e41f653c6332bcf520f6f7b46c1bfb3979cc9bbc3d7c0c3b8f9c31bd880d56a26ccb1af22b9a87c6e74f138ea469e0f29ebca09aa9

\Windows\SysWOW64\Oalfhf32.exe

MD5 4d2c8d73874694968a6aad0a2f6aca88
SHA1 f7eb330b6f25232e100e943b49026e28c49f801e
SHA256 38f27d0d184aec40ad4d7d717be6e6d10fb69cdd5382077ab2b5da2036729bd2
SHA512 5fbf905f4e902434b3a2752dcaa429c9c4ee02844eb36d287f44c91da47ae3140ee70e2b6a4dc5995e00e9bc991bff59af2e60179d4dfe5c6c1f9b99ea5d40a4

memory/580-129-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2692-137-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1072-138-0x0000000000400000-0x0000000000438000-memory.dmp

memory/580-136-0x0000000000220000-0x0000000000258000-memory.dmp

memory/2152-122-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2896-103-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2392-79-0x0000000000260000-0x0000000000298000-memory.dmp

memory/2392-71-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2596-52-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2636-39-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1852-27-0x0000000000220000-0x0000000000258000-memory.dmp

memory/1852-25-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\Oancnfoe.exe

MD5 ce221250d414c93f6373f8d253f2638a
SHA1 ec9144a907d714cf55cf95383123de180f68af9e
SHA256 d97c98e1a8fb4c603988a39daf3deda48bfb50d03a6bdd1c2800db723e4effa7
SHA512 6f5c0ec668443318cedbc00fb05b58008f84fea338efe3eb2b280020246c711e7a02e8765eba14937adc066652f630f042b082357e716daf598cbdc74b7ec91c

C:\Windows\SysWOW64\Pngphgbf.exe

MD5 231b843172d5ad64f36db1514626fa10
SHA1 9f23186860e23c755fc199fc68629372a5311238
SHA256 47e6b04a214033772360ee876bf4147215fdc2ab90ba230c19e630b6b6dfbc70
SHA512 bf4b55f838250c68bad66dfb4414a6b7cc830dbf86dc285d649b4c4657cc4407bb46b6d6eab67ed5385481cbb4fd4c687ef06a5f32493ef27101a2b8e35c4b2d

memory/1624-152-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1612-159-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\Pokieo32.exe

MD5 90343c58b317179c2a5d85d979903399
SHA1 830810d30f9e687422a50af35f7ff4da28cf4a68
SHA256 dcb46ff0468f8e7cb18781a9d9766e7c6d3bcb6128ac20b2967d956d1c9a68b9
SHA512 53ec19224a57e67f3bcd1979a593050e96a935c0716b0321b951602b8532f473c1233a4a347162efab4734c1e5fe3fadabb52b7f612d201e1cf04146a5f3af12

memory/1612-167-0x00000000003C0000-0x00000000003F8000-memory.dmp

memory/608-173-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\Pcibkm32.exe

MD5 cbe23226f8275c68faa7bef1770aa676
SHA1 e65d035c15b3f09a2513a09f121720b7ac6971ad
SHA256 3cc0346e90f02ab893d00863efe1fb7523e098e3431fab595643c988179dbd4c
SHA512 ca039bbee4a777ab730fb06bfd1ec4e2d131d6d7ee237f975637b7c9efc156b0c71446697907c5846e1b9eb3593fbae491ac4338dbf20b6e4c27d9375138dbbd

memory/3008-193-0x0000000000400000-0x0000000000438000-memory.dmp

memory/608-186-0x00000000002D0000-0x0000000000308000-memory.dmp

memory/608-181-0x00000000002D0000-0x0000000000308000-memory.dmp

\Windows\SysWOW64\Qodlkm32.exe

MD5 5b8ec94806a73183f09ac3697663f9f1
SHA1 fc88af54d0c697d5d2c7abc5625566bc6e9d374f
SHA256 0bfa72ca1451d01c15987c6ca20d0d4328c08726318e52abfbd4b12d8dc45132
SHA512 7d68dc4d6f1286d9896fecb696494467e3bc1d787c075af01511af1fbd9ccb2da4a09977ff672939b3efaceb995474bc403c7ffd4716b9aa1954e1284130f465

memory/2836-202-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3008-195-0x00000000002E0000-0x0000000000318000-memory.dmp

C:\Windows\SysWOW64\Acfaeq32.exe

MD5 f84b84b4f3013a76aff7370c694eec81
SHA1 3fcac2e80b2952d316db8fbe12450362ef374f1e
SHA256 d569f6c42e2b2c67f452a2e605f05417cff25bd939679462ced9b52bbde0791d
SHA512 c7eace994690712746f01317fca81048c3c4ee8b4730d24d5572ca652b311f7c3a61270454f1cb87273b0bcbfb23575d7c5099d7ad7e76a885ae1769c0e3c99a

memory/2836-215-0x00000000005D0000-0x0000000000608000-memory.dmp

memory/1908-221-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Afgkfl32.exe

MD5 a853596218503e235a4d384e899b2ca3
SHA1 14dfea8b12742412de9de2fb58318f2632099fd1
SHA256 39c18a828621706ff0fea8e5c836c00669335d3641a05033d98c3d268802023c
SHA512 34b4cc8ebb076bf7a847fa4434896bcbdae2e16e070ee5b288c84f41568a505a793d686ab62b66e3179e16dc9694b557f693b33b5642a1e999c78d83fa3558ad

memory/1444-232-0x00000000003B0000-0x00000000003E8000-memory.dmp

memory/1444-231-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ajecmj32.exe

MD5 6ccde6b166c3237636dbe213cea573de
SHA1 f74c5f7ef1011e7415e63633f0cafd209a5c4620
SHA256 703e37f46f82e2a99f7f726db37c513ad2cbb776711e49daf7ea6e83fb06cddd
SHA512 b5d03dad5728cc01f90b03cf3eb28dfaa3c27f9e0321f3a764ff555ca781994a2a995529f670ff3034ae5b1928a30ff45b3c368d3355d7039d4e829ceb776538

C:\Windows\SysWOW64\Afkdakjb.exe

MD5 8c0de702fad2a985f567738846bf40f4
SHA1 d7b9070406273a5cf4dfff6866d8fa6c99149f77
SHA256 9edb0fe5cf2417744da57ca7c5dff97d4656d5076290b0869d1ebfc92c2587b5
SHA512 80aa40176220c8390485efa741f72f4abaca8f7cd8a34946bab73ff2ffea99f29e0a39ab877fe19e79ace4c06b657d857fda985f9f52453b68d38f901d35b8bc

memory/1560-244-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Abbeflpf.exe

MD5 c504bf3890133e01d95db8ece1adc095
SHA1 bd0427d7c2fb207979ba5172e77a69b4d3833189
SHA256 dc0e8e5a734e6034afddc4ba3aed1f1938ec870e53c5d7ce0c5938833bc89f8a
SHA512 03ff5e12e7af23e4446628197953eca648a6281d7d4eb5b284e0ee1fac67542f18113c7f3e5d166c5672b28b810153b3f53346903ad91657c2644c32ab26ed9f

memory/280-253-0x0000000000400000-0x0000000000438000-memory.dmp

memory/280-262-0x00000000002D0000-0x0000000000308000-memory.dmp

C:\Windows\SysWOW64\Bilmcf32.exe

MD5 039813a15c72939dfe616d9cecff646e
SHA1 f5e3ddeb85c0f93f6c340348452ca16f510e734f
SHA256 274feedbcf4d8e2a9f80373911502e74cdc17d4d65bfd9c71857335f2b3d01e5
SHA512 acfb9718eb0eac0ba39238a88d877851c09d0c69d7f56f3f48f698ef368204b839cca521ed6741fdf98935aa0352f40b0ba2052645606b54cadbdaf4a40992d0

memory/1764-263-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Biojif32.exe

MD5 37b0323cab9bd1b44d9eefa9ca873ce9
SHA1 ebfd6fe59dbd36359f0497074740d9069072043c
SHA256 ea5799b3fd81080e5ceedf7fb565ae02e607a8f4288f140b13be350846a65433
SHA512 9972a8648e7adf11474b4ee39170533d6bfcf5db8fc6f04d2025a63fc3514d05654bb88c4ed5065bd1c3c80368da2db8d258413aac8e11116eaac0b065b05930

memory/928-277-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1764-278-0x0000000000260000-0x0000000000298000-memory.dmp

memory/280-269-0x00000000002D0000-0x0000000000308000-memory.dmp

memory/1764-279-0x0000000000260000-0x0000000000298000-memory.dmp

C:\Windows\SysWOW64\Bbgnak32.exe

MD5 585491ee66f6ece04edce1bcf76e49bd
SHA1 e7c0f772e051770f00c535d9adf57c3b7c90d21b
SHA256 efda339f8dc7eb89fb165d4b72b803d7c6d90377bb8ec10b60842c62bf0ca881
SHA512 14017777fc2f7a79d84b91df6e04b0181e56624beb53398df7cd567d85f3423b31d77ff59824dbdefb0f7c731cc3a3143027856323d1435a4355fcf8bac99993

memory/928-284-0x0000000000220000-0x0000000000258000-memory.dmp

memory/928-285-0x0000000000220000-0x0000000000258000-memory.dmp

memory/2064-290-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2064-295-0x00000000001B0000-0x00000000001E8000-memory.dmp

memory/2944-301-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2064-300-0x00000000001B0000-0x00000000001E8000-memory.dmp

C:\Windows\SysWOW64\Behgcf32.exe

MD5 c87a60f3ae40a0f567064b1f08a090b0
SHA1 72931cb7118f587616d7551f093aea23ef85518f
SHA256 673aed9b01061d7dc6161a90d2704b2f55f89da1a1242ac4f8c63db89ca7810a
SHA512 b305f5c0cf90f8509d305b7685f2d250847bd5d9362ad77c57f6cd0dae2ee5bebcf606ab9bb1252b18144a708cb0022067d5edffd3be84d4352fb3410e377fca

C:\Windows\SysWOW64\Bdmddc32.exe

MD5 2f753297e57907b4fdb06fee146eab3e
SHA1 1bd75f69bbdce2e0fa313369d0ce32dac2a72c9e
SHA256 803bac45863a33ac83d474f62ce30aa03961be4353bfa7e80963658ee5e30410
SHA512 a222c4bd87851d6f6f165de2d14eae1ae3e5d001799cc945005bc533bc00c0eb3d401bbab4e55e0fbb52fe7c1b546bf7450c722c7b8a6689bfb5ceb3207a9ef3

memory/2944-306-0x00000000002B0000-0x00000000002E8000-memory.dmp

C:\Windows\SysWOW64\Baadng32.exe

MD5 63310cc87458a97859c4b8540056ee7c
SHA1 d4b230971ca8966ec2d702c2074f5f001317748d
SHA256 45aebfaf4f010a598afeda740e8ba9d30ce7717c230d35d94011e7e3624f513b
SHA512 19dff5fb079351e5c7766dee5c5fe352e4eb02900b5fe32cf64b586c300a668f822ba45b2bebdb6fd9275325af3f4f85e47cb37e97677a6c5c5f9112e9b17a20

memory/2944-311-0x00000000002B0000-0x00000000002E8000-memory.dmp

memory/320-319-0x0000000000220000-0x0000000000258000-memory.dmp

memory/320-322-0x0000000000220000-0x0000000000258000-memory.dmp

memory/2860-320-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Cfnmfn32.exe

MD5 e56f0fb64e8609cfe2d220e80b08834c
SHA1 c519f6abc909ec9ec29600698c05f0933140517b
SHA256 80056e577d3a120b1279dd198c05470ef29f7e2d505d7f87846b040fc94d245c
SHA512 a635ef9c9f7d7bb28bda32331628d7ea0df5dcd68744331cdf5408fe5e2c1601be2bd2d9cdad1702aa49c81b2595785e006ac5589bffebc55d541bed45fef7b5

memory/2860-327-0x00000000005D0000-0x0000000000608000-memory.dmp

memory/2860-328-0x00000000005D0000-0x0000000000608000-memory.dmp

memory/1696-333-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Cmjbhh32.exe

MD5 32989f7df27d2d3839f83a8a5627d43d
SHA1 3fdc83e96e5622da19db926e06cede1f49bc86c9
SHA256 d7444632073ea931a4cdfff31e7f5206b43e510117e4fd5a24928315ed6553a3
SHA512 8bff365bb94cab38662ac16f75ad90291f9b55af9f7fdff56a03e9fcbe68a305ef194931ba4f9bb150cc31774539d036d52abca3f3e32d05012e286e4a1f9447

memory/1696-338-0x00000000002A0000-0x00000000002D8000-memory.dmp

memory/1696-343-0x00000000002A0000-0x00000000002D8000-memory.dmp

memory/2624-344-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ceegmj32.exe

MD5 de82b079a1184a60c4faef6e9f7a5891
SHA1 39f74b2771d0da738c25dd8136223e829126188b
SHA256 3a3d49228e54fee30d3f37507258c580ba28b85aac354795e68b8f358bddbbf4
SHA512 0c97e1c7831832b5a1b896e53c708634fabc2cd1455b7227d239313917a0493337d78fbb2cddd8b456d8436dfb0d95250652e90c1a7e9928c049949060a96b93

memory/2624-349-0x00000000001B0000-0x00000000001E8000-memory.dmp

memory/2600-350-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2156-351-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1624-352-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1612-353-0x0000000000400000-0x0000000000438000-memory.dmp

memory/608-354-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2836-355-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1052-356-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1560-357-0x0000000000400000-0x0000000000438000-memory.dmp

memory/280-358-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1764-359-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:09

Reported

2024-04-07 19:12

Platform

win10v2004-20240226-en

Max time kernel

14s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmbdbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfolbmje.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Heocnk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmhale32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ibqpimpl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngmgne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcbmka32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hmabdibj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iefioj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfjcgn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmfhig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qgcbgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmhale32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njefqo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjmehkqk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ambgef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njefqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfqlnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Imoneg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imdgqfbd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmbdbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbiaapdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hfqlnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kboljk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jlpkba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aepefb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nngokoej.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pflplnlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qjoankoi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chmndlge.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkaejf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdnidn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcioiood.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qqijje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfbkeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bapiabak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jlnnmb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcbmka32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Odkjng32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmpgldhg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Gbiaapdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkaejf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gblngpbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmabdibj.exe N/A
N/A N/A C:\Windows\SysWOW64\Helfik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Heocnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfnphn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfqlnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iefioj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipknlb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imoneg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imakkfdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Imdgqfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibqpimpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Icplcpgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmhale32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlnnmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlpkba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmpgldhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcioiood.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmbdbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kboljk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdnidn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kepelfam.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdqejn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngmgne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nngokoej.exe N/A
N/A N/A C:\Windows\SysWOW64\Nebdoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nphhmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njqmepik.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngdmod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndhmhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njefqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odkjng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oflgep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocpgod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olhlhjpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ognpebpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcmfodb.exe N/A
N/A N/A C:\Windows\SysWOW64\Olmeci32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofeilobp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdfjifjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfhfan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqmjog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfjcgn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pflplnlg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmfhig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfolbmje.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqdqof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcbmka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjmehkqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqfmde32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjoankoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqijje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgcbgo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqkgpedc.exe N/A
N/A N/A C:\Windows\SysWOW64\Afhohlbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambgef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeiofcji.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddjfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Afoeiklb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Jmhale32.exe C:\Windows\SysWOW64\Icplcpgo.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfhfan32.exe C:\Windows\SysWOW64\Pdfjifjo.exe N/A
File created C:\Windows\SysWOW64\Bkjpmk32.dll C:\Windows\SysWOW64\Ajhddjfn.exe N/A
File created C:\Windows\SysWOW64\Eifnachf.dll C:\Windows\SysWOW64\Cnicfe32.exe N/A
File created C:\Windows\SysWOW64\Kkmjgool.dll C:\Windows\SysWOW64\Calhnpgn.exe N/A
File created C:\Windows\SysWOW64\Npibja32.dll C:\Windows\SysWOW64\Ibqpimpl.exe N/A
File created C:\Windows\SysWOW64\Kdnidn32.exe C:\Windows\SysWOW64\Kboljk32.exe N/A
File created C:\Windows\SysWOW64\Jdeflhhf.dll C:\Windows\SysWOW64\Ndhmhh32.exe N/A
File created C:\Windows\SysWOW64\Oqfdnhfk.exe C:\Windows\SysWOW64\Ognpebpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Cfbkeh32.exe N/A
File created C:\Windows\SysWOW64\Ckmllpik.dll C:\Windows\SysWOW64\Cfbkeh32.exe N/A
File created C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Dfknkg32.exe N/A
File created C:\Windows\SysWOW64\Gbmhofmq.dll C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
File created C:\Windows\SysWOW64\Jbpbca32.dll C:\Windows\SysWOW64\Dmefhako.exe N/A
File opened for modification C:\Windows\SysWOW64\Oqfdnhfk.exe C:\Windows\SysWOW64\Ognpebpj.exe N/A
File created C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Aqkgpedc.exe N/A
File created C:\Windows\SysWOW64\Glbandkm.dll C:\Windows\SysWOW64\Bganhm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cnffqf32.exe N/A
File created C:\Windows\SysWOW64\Nphhmj32.exe C:\Windows\SysWOW64\Nebdoa32.exe N/A
File created C:\Windows\SysWOW64\Njqmepik.exe C:\Windows\SysWOW64\Nphhmj32.exe N/A
File created C:\Windows\SysWOW64\Ocpgod32.exe C:\Windows\SysWOW64\Oflgep32.exe N/A
File created C:\Windows\SysWOW64\Pflplnlg.exe C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmfhig32.exe C:\Windows\SysWOW64\Pflplnlg.exe N/A
File created C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
File created C:\Windows\SysWOW64\Agjbpg32.dll C:\Windows\SysWOW64\Dfiafg32.exe N/A
File created C:\Windows\SysWOW64\Gbdhjm32.dll C:\Windows\SysWOW64\Nphhmj32.exe N/A
File created C:\Windows\SysWOW64\Ofcmfodb.exe C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocpgod32.exe C:\Windows\SysWOW64\Oflgep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofeilobp.exe C:\Windows\SysWOW64\Olmeci32.exe N/A
File created C:\Windows\SysWOW64\Kmfiloih.dll C:\Windows\SysWOW64\Afoeiklb.exe N/A
File created C:\Windows\SysWOW64\Dhkjej32.exe C:\Windows\SysWOW64\Dmefhako.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Cnicfe32.exe N/A
File created C:\Windows\SysWOW64\Beapme32.dll C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkkcge32.exe C:\Windows\SysWOW64\Deokon32.exe N/A
File created C:\Windows\SysWOW64\Jmpgldhg.exe C:\Windows\SysWOW64\Jlpkba32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qqijje32.exe C:\Windows\SysWOW64\Qjoankoi.exe N/A
File created C:\Windows\SysWOW64\Dmjapi32.dll C:\Windows\SysWOW64\Bgcknmop.exe N/A
File created C:\Windows\SysWOW64\Bnpppgdj.exe C:\Windows\SysWOW64\Bgehcmmm.exe N/A
File created C:\Windows\SysWOW64\Cogflbdn.dll C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Mkoqfnpl.dll C:\Windows\SysWOW64\Jcioiood.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofcmfodb.exe C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgcbgo32.exe C:\Windows\SysWOW64\Qqijje32.exe N/A
File created C:\Windows\SysWOW64\Aeiofcji.exe C:\Windows\SysWOW64\Ambgef32.exe N/A
File created C:\Windows\SysWOW64\Amfoeb32.dll C:\Windows\SysWOW64\Dodbbdbb.exe N/A
File created C:\Windows\SysWOW64\Ognpebpj.exe C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfolbmje.exe C:\Windows\SysWOW64\Pmfhig32.exe N/A
File created C:\Windows\SysWOW64\Ibaabn32.dll C:\Windows\SysWOW64\Afhohlbj.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmgjgcgo.exe C:\Windows\SysWOW64\Cjinkg32.exe N/A
File created C:\Windows\SysWOW64\Kpihae32.dll C:\Windows\SysWOW64\Gbiaapdf.exe N/A
File created C:\Windows\SysWOW64\Nkenegog.dll C:\Windows\SysWOW64\Ngmgne32.exe N/A
File created C:\Windows\SysWOW64\Cmgjgcgo.exe C:\Windows\SysWOW64\Cjinkg32.exe N/A
File created C:\Windows\SysWOW64\Naeheh32.dll C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File created C:\Windows\SysWOW64\Iefioj32.exe C:\Windows\SysWOW64\Hfqlnm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pqdqof32.exe C:\Windows\SysWOW64\Pfolbmje.exe N/A
File created C:\Windows\SysWOW64\Laqpgflj.dll C:\Windows\SysWOW64\Qqijje32.exe N/A
File created C:\Windows\SysWOW64\Feibedlp.dll C:\Windows\SysWOW64\Ambgef32.exe N/A
File created C:\Windows\SysWOW64\Ghekjiam.dll C:\Windows\SysWOW64\Caebma32.exe N/A
File created C:\Windows\SysWOW64\Ngdmod32.exe C:\Windows\SysWOW64\Njqmepik.exe N/A
File created C:\Windows\SysWOW64\Ndhmhh32.exe C:\Windows\SysWOW64\Ngdmod32.exe N/A
File created C:\Windows\SysWOW64\Pqmjog32.exe C:\Windows\SysWOW64\Pfhfan32.exe N/A
File created C:\Windows\SysWOW64\Pfjcgn32.exe C:\Windows\SysWOW64\Pqmjog32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Dfknkg32.exe N/A
File created C:\Windows\SysWOW64\Daekdooc.exe C:\Windows\SysWOW64\Dkkcge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Imdgqfbd.exe C:\Windows\SysWOW64\Imakkfdg.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll" C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Deokon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngmgne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmfhig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll" C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaheeaan.dll" C:\Windows\SysWOW64\Jmhale32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pflplnlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkoqfnpl.dll" C:\Windows\SysWOW64\Jcioiood.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njqmepik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgcbgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll" C:\Windows\SysWOW64\Bapiabak.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjegoo32.dll" C:\Windows\SysWOW64\Helfik32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll" C:\Windows\SysWOW64\Ngmgne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll" C:\Windows\SysWOW64\Pfhfan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pflplnlg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hfnphn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibqpimpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll" C:\Windows\SysWOW64\Pfjcgn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhhdil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecnpbjmi.dll" C:\Windows\SysWOW64\Hfqlnm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njqmepik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll" C:\Windows\SysWOW64\Pmfhig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkaejf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jlpkba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofcmfodb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pfhfan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qqijje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Heocnk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll" C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pqdqof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfbkeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll" C:\Windows\SysWOW64\Ndhmhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifbkgjd.dll" C:\Windows\SysWOW64\Icplcpgo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nphhmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odkjng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ambgef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnchkk32.dll" C:\Windows\SysWOW64\Imakkfdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll" C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" C:\Windows\SysWOW64\Chmndlge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdnidn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jcioiood.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agocgbni.dll" C:\Windows\SysWOW64\Kdqejn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfjcgn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll" C:\Windows\SysWOW64\Pflplnlg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4580 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Gbiaapdf.exe
PID 4580 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Gbiaapdf.exe
PID 4580 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe C:\Windows\SysWOW64\Gbiaapdf.exe
PID 3200 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Gbiaapdf.exe C:\Windows\SysWOW64\Gkaejf32.exe
PID 3200 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Gbiaapdf.exe C:\Windows\SysWOW64\Gkaejf32.exe
PID 3200 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Gbiaapdf.exe C:\Windows\SysWOW64\Gkaejf32.exe
PID 1164 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Gkaejf32.exe C:\Windows\SysWOW64\Gblngpbd.exe
PID 1164 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Gkaejf32.exe C:\Windows\SysWOW64\Gblngpbd.exe
PID 1164 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Gkaejf32.exe C:\Windows\SysWOW64\Gblngpbd.exe
PID 1520 wrote to memory of 2296 N/A C:\Windows\SysWOW64\Gblngpbd.exe C:\Windows\SysWOW64\Hmabdibj.exe
PID 1520 wrote to memory of 2296 N/A C:\Windows\SysWOW64\Gblngpbd.exe C:\Windows\SysWOW64\Hmabdibj.exe
PID 1520 wrote to memory of 2296 N/A C:\Windows\SysWOW64\Gblngpbd.exe C:\Windows\SysWOW64\Hmabdibj.exe
PID 2296 wrote to memory of 3760 N/A C:\Windows\SysWOW64\Hmabdibj.exe C:\Windows\SysWOW64\Helfik32.exe
PID 2296 wrote to memory of 3760 N/A C:\Windows\SysWOW64\Hmabdibj.exe C:\Windows\SysWOW64\Helfik32.exe
PID 2296 wrote to memory of 3760 N/A C:\Windows\SysWOW64\Hmabdibj.exe C:\Windows\SysWOW64\Helfik32.exe
PID 3760 wrote to memory of 5080 N/A C:\Windows\SysWOW64\Helfik32.exe C:\Windows\SysWOW64\Heocnk32.exe
PID 3760 wrote to memory of 5080 N/A C:\Windows\SysWOW64\Helfik32.exe C:\Windows\SysWOW64\Heocnk32.exe
PID 3760 wrote to memory of 5080 N/A C:\Windows\SysWOW64\Helfik32.exe C:\Windows\SysWOW64\Heocnk32.exe
PID 5080 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Heocnk32.exe C:\Windows\SysWOW64\Hfnphn32.exe
PID 5080 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Heocnk32.exe C:\Windows\SysWOW64\Hfnphn32.exe
PID 5080 wrote to memory of 4356 N/A C:\Windows\SysWOW64\Heocnk32.exe C:\Windows\SysWOW64\Hfnphn32.exe
PID 4356 wrote to memory of 4640 N/A C:\Windows\SysWOW64\Hfnphn32.exe C:\Windows\SysWOW64\Hfqlnm32.exe
PID 4356 wrote to memory of 4640 N/A C:\Windows\SysWOW64\Hfnphn32.exe C:\Windows\SysWOW64\Hfqlnm32.exe
PID 4356 wrote to memory of 4640 N/A C:\Windows\SysWOW64\Hfnphn32.exe C:\Windows\SysWOW64\Hfqlnm32.exe
PID 4640 wrote to memory of 3736 N/A C:\Windows\SysWOW64\Hfqlnm32.exe C:\Windows\SysWOW64\Iefioj32.exe
PID 4640 wrote to memory of 3736 N/A C:\Windows\SysWOW64\Hfqlnm32.exe C:\Windows\SysWOW64\Iefioj32.exe
PID 4640 wrote to memory of 3736 N/A C:\Windows\SysWOW64\Hfqlnm32.exe C:\Windows\SysWOW64\Iefioj32.exe
PID 3736 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Iefioj32.exe C:\Windows\SysWOW64\Ipknlb32.exe
PID 3736 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Iefioj32.exe C:\Windows\SysWOW64\Ipknlb32.exe
PID 3736 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Iefioj32.exe C:\Windows\SysWOW64\Ipknlb32.exe
PID 1384 wrote to memory of 4476 N/A C:\Windows\SysWOW64\Ipknlb32.exe C:\Windows\SysWOW64\Imoneg32.exe
PID 1384 wrote to memory of 4476 N/A C:\Windows\SysWOW64\Ipknlb32.exe C:\Windows\SysWOW64\Imoneg32.exe
PID 1384 wrote to memory of 4476 N/A C:\Windows\SysWOW64\Ipknlb32.exe C:\Windows\SysWOW64\Imoneg32.exe
PID 4476 wrote to memory of 3640 N/A C:\Windows\SysWOW64\Imoneg32.exe C:\Windows\SysWOW64\Imakkfdg.exe
PID 4476 wrote to memory of 3640 N/A C:\Windows\SysWOW64\Imoneg32.exe C:\Windows\SysWOW64\Imakkfdg.exe
PID 4476 wrote to memory of 3640 N/A C:\Windows\SysWOW64\Imoneg32.exe C:\Windows\SysWOW64\Imakkfdg.exe
PID 3640 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Imakkfdg.exe C:\Windows\SysWOW64\Imdgqfbd.exe
PID 3640 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Imakkfdg.exe C:\Windows\SysWOW64\Imdgqfbd.exe
PID 3640 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Imakkfdg.exe C:\Windows\SysWOW64\Imdgqfbd.exe
PID 2188 wrote to memory of 1156 N/A C:\Windows\SysWOW64\Imdgqfbd.exe C:\Windows\SysWOW64\Ibqpimpl.exe
PID 2188 wrote to memory of 1156 N/A C:\Windows\SysWOW64\Imdgqfbd.exe C:\Windows\SysWOW64\Ibqpimpl.exe
PID 2188 wrote to memory of 1156 N/A C:\Windows\SysWOW64\Imdgqfbd.exe C:\Windows\SysWOW64\Ibqpimpl.exe
PID 1156 wrote to memory of 3152 N/A C:\Windows\SysWOW64\Ibqpimpl.exe C:\Windows\SysWOW64\Icplcpgo.exe
PID 1156 wrote to memory of 3152 N/A C:\Windows\SysWOW64\Ibqpimpl.exe C:\Windows\SysWOW64\Icplcpgo.exe
PID 1156 wrote to memory of 3152 N/A C:\Windows\SysWOW64\Ibqpimpl.exe C:\Windows\SysWOW64\Icplcpgo.exe
PID 3152 wrote to memory of 4924 N/A C:\Windows\SysWOW64\Icplcpgo.exe C:\Windows\SysWOW64\Jmhale32.exe
PID 3152 wrote to memory of 4924 N/A C:\Windows\SysWOW64\Icplcpgo.exe C:\Windows\SysWOW64\Jmhale32.exe
PID 3152 wrote to memory of 4924 N/A C:\Windows\SysWOW64\Icplcpgo.exe C:\Windows\SysWOW64\Jmhale32.exe
PID 4924 wrote to memory of 4392 N/A C:\Windows\SysWOW64\Jmhale32.exe C:\Windows\SysWOW64\Jlnnmb32.exe
PID 4924 wrote to memory of 4392 N/A C:\Windows\SysWOW64\Jmhale32.exe C:\Windows\SysWOW64\Jlnnmb32.exe
PID 4924 wrote to memory of 4392 N/A C:\Windows\SysWOW64\Jmhale32.exe C:\Windows\SysWOW64\Jlnnmb32.exe
PID 4392 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Jlnnmb32.exe C:\Windows\SysWOW64\Jlpkba32.exe
PID 4392 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Jlnnmb32.exe C:\Windows\SysWOW64\Jlpkba32.exe
PID 4392 wrote to memory of 2204 N/A C:\Windows\SysWOW64\Jlnnmb32.exe C:\Windows\SysWOW64\Jlpkba32.exe
PID 2204 wrote to memory of 3120 N/A C:\Windows\SysWOW64\Jlpkba32.exe C:\Windows\SysWOW64\Jmpgldhg.exe
PID 2204 wrote to memory of 3120 N/A C:\Windows\SysWOW64\Jlpkba32.exe C:\Windows\SysWOW64\Jmpgldhg.exe
PID 2204 wrote to memory of 3120 N/A C:\Windows\SysWOW64\Jlpkba32.exe C:\Windows\SysWOW64\Jmpgldhg.exe
PID 3120 wrote to memory of 3688 N/A C:\Windows\SysWOW64\Jmpgldhg.exe C:\Windows\SysWOW64\Jcioiood.exe
PID 3120 wrote to memory of 3688 N/A C:\Windows\SysWOW64\Jmpgldhg.exe C:\Windows\SysWOW64\Jcioiood.exe
PID 3120 wrote to memory of 3688 N/A C:\Windows\SysWOW64\Jmpgldhg.exe C:\Windows\SysWOW64\Jcioiood.exe
PID 3688 wrote to memory of 3980 N/A C:\Windows\SysWOW64\Jcioiood.exe C:\Windows\SysWOW64\Jmbdbd32.exe
PID 3688 wrote to memory of 3980 N/A C:\Windows\SysWOW64\Jcioiood.exe C:\Windows\SysWOW64\Jmbdbd32.exe
PID 3688 wrote to memory of 3980 N/A C:\Windows\SysWOW64\Jcioiood.exe C:\Windows\SysWOW64\Jmbdbd32.exe
PID 3980 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Jmbdbd32.exe C:\Windows\SysWOW64\Kboljk32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe
"C:\Users\Admin\AppData\Local\Temp\1d228c5034615a56e3a36b0bf1d064ccd99151b167f73bdb40d3e48fcf85e5ba.exe"

C:\Windows\SysWOW64\Gbiaapdf.exe
C:\Windows\system32\Gbiaapdf.exe

C:\Windows\SysWOW64\Gkaejf32.exe
C:\Windows\system32\Gkaejf32.exe

C:\Windows\SysWOW64\Gblngpbd.exe
C:\Windows\system32\Gblngpbd.exe

C:\Windows\SysWOW64\Hmabdibj.exe
C:\Windows\system32\Hmabdibj.exe

C:\Windows\SysWOW64\Helfik32.exe
C:\Windows\system32\Helfik32.exe

C:\Windows\SysWOW64\Heocnk32.exe
C:\Windows\system32\Heocnk32.exe

C:\Windows\SysWOW64\Hfnphn32.exe
C:\Windows\system32\Hfnphn32.exe

C:\Windows\SysWOW64\Hfqlnm32.exe
C:\Windows\system32\Hfqlnm32.exe

C:\Windows\SysWOW64\Iefioj32.exe
C:\Windows\system32\Iefioj32.exe

C:\Windows\SysWOW64\Ipknlb32.exe
C:\Windows\system32\Ipknlb32.exe

C:\Windows\SysWOW64\Imoneg32.exe
C:\Windows\system32\Imoneg32.exe

C:\Windows\SysWOW64\Imakkfdg.exe
C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Imdgqfbd.exe
C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Ibqpimpl.exe
C:\Windows\system32\Ibqpimpl.exe

C:\Windows\SysWOW64\Icplcpgo.exe
C:\Windows\system32\Icplcpgo.exe

C:\Windows\SysWOW64\Jmhale32.exe
C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jlnnmb32.exe
C:\Windows\system32\Jlnnmb32.exe

C:\Windows\SysWOW64\Jlpkba32.exe
C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jmpgldhg.exe
C:\Windows\system32\Jmpgldhg.exe

C:\Windows\SysWOW64\Jcioiood.exe
C:\Windows\system32\Jcioiood.exe

C:\Windows\SysWOW64\Jmbdbd32.exe
C:\Windows\system32\Jmbdbd32.exe

C:\Windows\SysWOW64\Kboljk32.exe
C:\Windows\system32\Kboljk32.exe

C:\Windows\SysWOW64\Kdnidn32.exe
C:\Windows\system32\Kdnidn32.exe

C:\Windows\SysWOW64\Kepelfam.exe
C:\Windows\system32\Kepelfam.exe

C:\Windows\SysWOW64\Kdqejn32.exe
C:\Windows\system32\Kdqejn32.exe

C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nngokoej.exe
C:\Windows\system32\Nngokoej.exe

C:\Windows\SysWOW64\Nebdoa32.exe
C:\Windows\system32\Nebdoa32.exe

C:\Windows\SysWOW64\Nphhmj32.exe
C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Njqmepik.exe
C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Ngdmod32.exe
C:\Windows\system32\Ngdmod32.exe

C:\Windows\SysWOW64\Ndhmhh32.exe
C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Odkjng32.exe
C:\Windows\system32\Odkjng32.exe

C:\Windows\SysWOW64\Oflgep32.exe
C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Ocpgod32.exe
C:\Windows\system32\Ocpgod32.exe

C:\Windows\SysWOW64\Olhlhjpd.exe
C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Ognpebpj.exe
C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Ofcmfodb.exe
C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe

C:\Windows\SysWOW64\Ofeilobp.exe
C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pfhfan32.exe
C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pqmjog32.exe
C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pfjcgn32.exe
C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe

C:\Windows\SysWOW64\Pflplnlg.exe
C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pmfhig32.exe
C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pfolbmje.exe
C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pqdqof32.exe
C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pcbmka32.exe
C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Pjmehkqk.exe
C:\Windows\system32\Pjmehkqk.exe

C:\Windows\SysWOW64\Qqfmde32.exe
C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qjoankoi.exe
C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qqijje32.exe
C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qgcbgo32.exe
C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Aqkgpedc.exe
C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Ambgef32.exe
C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aeiofcji.exe
C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe
C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Ajhddjfn.exe
C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Afoeiklb.exe
C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe

C:\Windows\SysWOW64\Bganhm32.exe
C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Bgehcmmm.exe
C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bjfaeh32.exe
C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Chmndlge.exe
C:\Windows\system32\Chmndlge.exe

C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cnicfe32.exe
C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Ceckcp32.exe
C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe
C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dfknkg32.exe
C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Deokon32.exe
C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5920 -ip 5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 216

Network

Country  Destination  Domain                        Proto
US       8.8.8.8:53   13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53   172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53   134.32.126.40.in-addr.arpa    udp

Files

memory/4580-0-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4580-5-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Gbiaapdf.exe

MD5 af178d653069ec36a24ab1a1c6c94b0d
SHA1 81e2c9dfd1e5a277f8ce20ffc767ea48987d5a6a
SHA256 15386bead943478d494f8cc571eed5e6d202048ef13cd8642822309265cb6e96
SHA512 d091e2eb09db879b07624dcb8edb0eb3f5b7d28d085a35be9a4a19e45c31522818afb8f3f28c311e2425dc10dcceb849047790cf532c54d49253880c3d80d76c

C:\Windows\SysWOW64\Gkaejf32.exe

MD5 887b7f63508a611346674f0753f424fd
SHA1 259ddb24b6b47e03c79eede7236c19c67f4aa6c2
SHA256 94a8c918968a64837b04f08e215e64738930d0d02e009aa0cd64aceba8826240
SHA512 858d4967b350816f73db369debb2d710820b4f8096cfe011c45c0b6b432a0e83550a34b8e271a3bde0280d6e635a80b693fab3f9abbe8c1ba9b3cb31c1c382f3

memory/1164-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3200-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1520-25-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Gblngpbd.exe

MD5 25d6834c8a009b1d0abeaebc5d6d3dbc
SHA1 022c50e6f55c451462af47d389186145ec59301d
SHA256 6d225e98f8f36424f16468a2c6a9bbf5c2523fad3337a4376ba1ea47d9d5439e
SHA512 504cfd0e547cc7515d8166e55237f05f0e1a5039e4a6dad97045cc85a71d11fff05faf4225562141e3081af9c01b51cb7698fb1721c5535512befb8e19fff7c9

C:\Windows\SysWOW64\Hmabdibj.exe

MD5 7774bf11c85a6b4a5cd6c0aee81c60bd
SHA1 a345a0b2e3d415be128f6cc866e663a4fba7e0a4
SHA256 966d8af6ac094ff3c3fc89d521f40e9d5233f169d637677a04eea01ae7dde7b8
SHA512 12c9850a797544735b686ad2dd9feebb9b90526aafb3f89434716de264d86476fb2fcd521459000ad839dc7d19c7891d336deb20789070db8c52354630092379

memory/2296-33-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Helfik32.exe

MD5 7ef015d30edfe8eb3d8085ba97a38818
SHA1 c703188b7ff939ddc01d16eb382ed92648200c30
SHA256 6b0dd7affa0720b84372b69f4871a5de89600d6d0c42932d5b8671b65d2405f2
SHA512 498988bfb81cb0c52cb5f9d4769c62f4e8e138535850467ff24b9242d3ec988050367c0c3757f9aaa7c961048241c4ed97695555245f9d20a8ecc0df5e4dc49e

memory/3760-41-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Heocnk32.exe

MD5 4cc3028e98be7dc435d61ff4e6de6e9e
SHA1 cc90ce8d3a2e9249f933689a3c163c45689a4922
SHA256 4da66f25ea4fab0572e783ee2d247a08f147bd22557627c8bdb1106ddfa8a98d
SHA512 7f3c69766b9b8d439f76cd8ca15f09396bb7a4f5b5eec412d01d702e8d3b7d3214d467c938ea20024ab2d93a392cc97f3a1f78cabe20e0b84c90a4350f088f42

memory/5080-48-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Hfnphn32.exe

MD5 d23acd934bb9077bb2632cb51707583e
SHA1 39dffa16a08f8291f792b556e047289a996260b9
SHA256 212eb5c5cc1697cb3d7a33f2c350ed7aa018df2d98d3f011c4d7c12f65813dd9
SHA512 41e5347c2027d2efd77e4a328f43d67bebfb6764faed90e0fd9e3f70f71d23e76c50a416ae4f2ad10c1976f0587bda1c5c2e6e25a8128646ccfdb278bee035bb

memory/4356-56-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Hfqlnm32.exe

MD5 c7ae40a85ee1c99d11ce9a49848fb976
SHA1 00b9bb74e5a738d8d98beaa8747c7c5a4b9b5136
SHA256 7e9d28be9abf9e7477271ee950eea667fe38b21bb2f06457e60154dffcca2761
SHA512 7bf1dc7cc666be51c90614467978f16fe4b723aa70c620e9fe2e217936373f1b2802167ef4252c8304e8c36aa42a99215a6c7d113d8bf23ed2025699372c5dff

memory/4640-64-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Iefioj32.exe

MD5 8b573b05fd94d3ef13b15a8378eb2137
SHA1 fb2b4826ccaea219ae1763138868baf177767775
SHA256 850d2aec3b47e67ace5130b4756ff84c511d2ad004e7e0925f47ef6e5ad06527
SHA512 f4ce64dd78cee402cdad925ec22dd27096e60a422139d30b3f7f2625459d1d0ee792ed24f67121704a4f4cff125fa602bbe4cbd5918823bd4c1cb2a75201595d

memory/3736-72-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ipknlb32.exe

MD5 331a4b6d67288d0f5e16545756c2a715
SHA1 f7772edf443211783a96ef89ee7e887a3247697e
SHA256 b6fc2f27293d484875f5cd817a9bd46b0ace949d9598d856fcdaf9161b108ebe
SHA512 4fa58986b5d147c9445d8f2b68eef40e68a0ec5d927c38d4356b7c21ec1c532a60a6f325ee0a5e42e5336cd9d1ec22bca55045acd6ebf37d541ef07e5b0c27b2

memory/4580-82-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1384-87-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Imoneg32.exe

MD5 85b4ededc08aeeab8bb92669c014e0c2
SHA1 48e20e9b4e3ff924faceab044063032ca6a3fbf2
SHA256 57d302df7557a743d05343f4839b06ce07e1bfeac0dfc5b59d0fd06819a3eca1
SHA512 bc882b82c2782568f81a9fd2bb47b157e87eaf36e44115e8af923713761960011c041b5a391e18a8ef6bdfb23828b318255a429436dc6e84e9d2b00c8a0f80ec

memory/4476-90-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Imakkfdg.exe

MD5 710a738102f3c60ca1dcc59b55f91de2
SHA1 09236860e413a4f5932ffdaef33f997c4321735e
SHA256 cc47d16bd17b93ab94d0370e823e97bdc569bee098c5870c19f0179a8776a1e2
SHA512 2ee7bbf002cb34add8aa55860b1bfc9e8e1ce965cb25bb6e1e1d794640ee4e935829246502f55c83a49a9a4956ce07e0504482fa2c8ece95e2722a10df4e3a9a

memory/3640-97-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Imdgqfbd.exe

MD5 1fe876f13d052c52cc115bba84662826
SHA1 7c699ee02a5d2cdb1b8e1e7de61964f02583437e
SHA256 c7552961f5905a0c773cd9c3c53a40f7363492bb010304bbfadd9267fd38f3c4
SHA512 f94969f76af3f931531a9bca7a9207f19516590acc15f27d78f46a887f17d7dcb84bf19714f9901373415fcd9a0f0f95dc4f184d3e154b6e2a6555c378f412f2

memory/2188-107-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ibqpimpl.exe

MD5 802a9587ac1f3253c96ceee5b948a745
SHA1 dd69b6bdba66024f957e05eee040a9b87ac1f88a
SHA256 8bd0bf99e60dbf66a15491581332d26536641e914e9e1682dba3bdcba367954c
SHA512 9d78b3f0e3b0c4550446441a837d51b43d7d4d8b05f977cc0578f9a6f34d89af4c129f3f583a37ec07f609aa93e9898aff0b42b7d73dcc923b22cd925bdb9e29

memory/1156-114-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Icplcpgo.exe

MD5 28f7d116aa55b5c56c1d2127085a2542
SHA1 578a656da93ec9143577961ce13ec89053e7afda
SHA256 de4fa81277626801b5e209d00dcdb50776a881a30dbdf82085c8bf4462ec1754
SHA512 2e9a0e442f2854e1c32969e104aa585ebff245b8c15414a2ba369aa373eec394d87c41f7d8409f049c084ee2916e94a7b5bd3a86b862a457cccdeb4b167713be

memory/3152-122-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Jmhale32.exe

MD5 385075309dd982147a4aea2d5b3391bb
SHA1 98eef8a95100707be65011c96ef56c83e87ec20a
SHA256 9db3baa40a0435c3f7b53dfd48bf1ef231016ebbb4b253b1a0d8d704ccd3f1a4
SHA512 90622cd39bc1621724e95000b779726931c89ac42a64df74e8beff8caa1de6313e395c0bfd2664303c57dfbe6f0cd2f5c0c44d060ccc04ab28a286569b7ea771

memory/4924-130-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Jlnnmb32.exe

MD5 dfa2074052747ff4bec610452fa99af2
SHA1 c82370abf13de39e32a73b74b0a055d07c548105
SHA256 386324ff3d43bcd6b1379c67f4e2a120497a6854a8bf43d279c606986f94ae14
SHA512 6de185129e7443edc0567f0e35be37d005b6307018c6e54e32994bbc4eefca3f4ceae747018301d8114bcfc68041222222a91caf019299f21c924c2c87a5c1f3

memory/4392-139-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Jlpkba32.exe

MD5 a2c1a0acf570d9b6aa80fc7fa7720c0e
SHA1 0c85de2a4ab92ac5b6fcfc0ef4a328d2a7e7bad6
SHA256 14fbaf15c4d2d6d53c9c35177c22f65ebbcc38ade3bacbdb0dcfbb56ec3b0b95
SHA512 4ae01f69a8c1b5fe8079c35fbd1f0dab890fcd0017d0f29c858086503ce55485aeae2f00c69b96ed3161ed5709e55573e1509bc7a0cbec3464e1f580b0f2e68b

memory/2204-146-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Jmpgldhg.exe

MD5 92ef08c30203b9792540807e688eff52
SHA1 0fe5f9752b4b1a65a81f870c024e8e52f0169eb1
SHA256 30ecb8fb767b8c3613822c78f32dd405810572bbf2387553264b9ae800120b7b
SHA512 cc2cb6ae6ccaa4444d3148568a08b8ab5c8f35f20875cbfb7272f1393d756dc71373fa6782d2d08370d61ab896abc943d683924c3461d077edd8f97ad2eb97af

memory/3120-155-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Jcioiood.exe

MD5 dfa6ccdcefa4b87360054cc9ae25500f
SHA1 9320d445b78ef46f739dcbe0e6efbac6a914e961
SHA256 a20dee376107b1dedf0ffed4fa3b8f2bad339f18383791dda3eee41236faff38
SHA512 8518e76d3c7c312b0e6993967b9ee69a257ba048cfa4003d86e378478248851b64ab9f380cb7f3836bcd5ca0ed0f518f981a5f9df15abca0819e2fc5e836be27

memory/3688-163-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3980-171-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Jmbdbd32.exe

MD5 432dd7f1811990f9d3f7b26d370ec9f5
SHA1 6f340188a13902bdcf6565756558cfd45dabeb8d
SHA256 3809f5eb55bf1a64aeadd9a187d30cf90c41cd5c5435a143d451f5d9b97a9679
SHA512 b13b3402c58b3f25b8a855aef08038fd1fd2c76405dd9b4ac195931f62d67dc2b191ef18b385b2b7964a2c72f1e00f66c3420983bd3bae35f35a66aadb5afbda

C:\Windows\SysWOW64\Kboljk32.exe

MD5 d6945ce52da9556376bfa35038564af6
SHA1 f976656374c6341b0677fa04a457571781fc8375
SHA256 8fd760abcd73d52a92e2ef9fb04235c70081ce9fa342a4b150f6a17fcd0dc00c
SHA512 7fb94d164c15a3172e5c025e5bc02e1dc9d35705da9c639933521fdae61c6f74e4d74e5c2102d851a1b8140bb0e3a8d2bb3fae041a0f94141974b60c67275835

memory/4204-178-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kdnidn32.exe

MD5 3ec0d1f11cb79154afeb317d4cd9e90d
SHA1 6b85453dd435aac9144be07cc53eae194aeba50c
SHA256 32d9e14bcb22b3fe1f464a80fc8af9d6179ce4e73018cb0dfaa8439906a519b9
SHA512 8bcb8e04be4feeef0522c8dfa121e8f951558e9ec16dd75fdfee51126551f5c52c4ad81760c457fc6ee6a94503512d657f7dbd6e81d8c7bbb8a70b2522b53f96

memory/2148-191-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kepelfam.exe

MD5 44ad575a95e9a28c35b44974ba6ee458
SHA1 21e63a16c46bdfc266c087dd331785c92722accc
SHA256 484bf4acbe1eba871f022cfba301905dd202185deb7b23415e66bf1e1eedd8bc
SHA512 184cd3f63bdbb8f6797d2a801f322699138ddae0e8c39333ba0f5307af4c7153938a38bd46a330b2cc8fb63cd5e3b23490e490f7ab340060fc2b0bd75bb7ab60

memory/4508-195-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Kdqejn32.exe

MD5 d73d0811b412a8a41db68bdb9702c1ac
SHA1 e6ccdd2439647989612a5ef9bdfc911e664a80d4
SHA256 57a1d0d8cadbfb0c5406d3f7cab77883d93bc37ec0ab4962cb65341248f5715f
SHA512 c489dc7bd4e6781aaccd38b54e58dcf72134ed85751f2938c8749db771d809922c46380b06c3c42c65f884ba845e241ca286f8fdcc94dee90b74c86fdee42377

memory/3264-203-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ngmgne32.exe

MD5 f55851bc1805ec71f700742e428beb27
SHA1 76d4a32df79417561fc4143c22fcd70853251fc8
SHA256 132b79bf1bcff50922ae4a063499f8d4c06fa37a9c1bd2f2c70cd732bc6bae53
SHA512 5107669b16066a12075e62584cfb2fab7b5b5a116992670ebf5796e5d282feb8737d11289804b40c23c736f44f19f330f3d00463c30420c96e7ec91c931a1e0f

memory/2740-210-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Nngokoej.exe

MD5 081303dbaeecb5ed8e5c0c1dea713b2a
SHA1 c54c70dae4844006a10273487cdb315d28b0e374
SHA256 dbb1af876d9f478ac2a170b7c826b068b76545778b9847b6f1677b20eafcdd9a
SHA512 d6be9d9187991f1d64703964062260ee22df4501c0a662317fa0851f073e454f50c6db1683fb5af1c5fc6ce29d88eeac11c4fc86c69a59aededd57864b41fc47

memory/1532-218-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Nebdoa32.exe

MD5 3245f0edf1d286e916edbcc60a4a2aa0
SHA1 99c85c427c36cb7731d65f570880f3ba0f9abd13
SHA256 2b009845f276b0bcddb0e8208440e2bad7ae81718bcfe1f05e5e73ec7ce4f4d6
SHA512 ea83c22c261f8b9f3ef5a12244b452bb3b6980dd5e2b2bc31f3f20f94c5f5783c230d96ff1f1ad938e1c7be1740661a742c6df5534149afbb6f3f731d6919a1f

memory/5072-227-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Nphhmj32.exe

MD5 c1059109824b056f984dd689d8ac5f0a
SHA1 bee605f7406d1090d5127fd9c998e4862a140eaf
SHA256 a078a727e55394b4ffc25e7209ee6bb8ac82f01e83c8ae1a1f4684b8e16295e7
SHA512 cf77925fc149f3474885483c41ae9f023b7ca12101ecdc7cf56f3ab75708ad08caef043f769b617f75ead982a2b457775baffa877d5d40bcb7ebadd3bcf08f2a

C:\Windows\SysWOW64\Njqmepik.exe

MD5 11f754a53d65518d878ca8ac029df577
SHA1 fc41ee5e95895b0a03742410330e0a9171fc52da
SHA256 629dcbade7b60b574a501b425aee8858229053fadb223eff0322fb5bd386ea9c
SHA512 5d116d85299bd5003b3981b87ffdd9a43e8dd94cae0fb593493cea27864854564ed70c1773335d411de34c1ed7cf8ac2e00c1c282b3424f9867e54d25480d913

memory/1160-235-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4280-243-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ngdmod32.exe

MD5 0f40cf4e304fa2d22a748bca0f7323c5
SHA1 8b1561c4070ab6895d366efd58a8d382cdc5fe65
SHA256 2ce5e3165537a023c6e46d4609911b98334ab5454a0ef45f8b264be8cd0a2752
SHA512 6dfad07bdc2aa7140d67785c3a5793cdb7e7a7d8cd165be6628d67fa329ca4c079caca7f8a97c18567bf94c79fd6a45cb55339e45bfa683cbdb9d9dda1fbc6f1

memory/220-250-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Ndhmhh32.exe

MD5 eb78a6c0cdfe263619516560024d203c
SHA1 48baf07d08d457c112772a74ce69a16cdd3188c4
SHA256 643b58a1c93901d46a832931e763c8919f17aa01e24e9be23e4a77cea76d9726
SHA512 f68f57033641cc4314f87e848b9430367af29db61948c5cc95906991b9966b531a49db43167bcfc50f2723ad99d755bdd2eda7e1c0352b7b656dc3ba486c88f4

memory/3616-259-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4060-265-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1100-272-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5020-278-0x0000000000400000-0x0000000000438000-memory.dmp

memory/436-284-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2876-290-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4752-296-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1740-302-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3732-308-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3076-314-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4388-320-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2664-326-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4840-336-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1124-338-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Pfjcgn32.exe

MD5 c816980a6fa91f56ea1ec2f9b7b4f825
SHA1 d46d992a3d8f824353b3112ab9896d538940511a
SHA256 862d613133fa76ec211d4ce6b370dec56856c0ad94019790fbb289b4aa096e25
SHA512 839982ac4e9fe5c1e7b94681ad509bc5be159997aed5a59a3795c75f53dbc400b825cc0468a1f5aae384755454e6fe493d4438fef87d36141602900ba72189dd

memory/2136-344-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1968-350-0x0000000000400000-0x0000000000438000-memory.dmp

memory/468-356-0x0000000000400000-0x0000000000438000-memory.dmp

memory/452-362-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3420-368-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3236-378-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1412-380-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4456-390-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4272-392-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1944-403-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4556-404-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3256-410-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5108-416-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1696-422-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3776-432-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3140-434-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\Afoeiklb.exe

MD5 e3591efb96c747679fbf34ad23b34ffb
SHA1 b29e3b5877388929d2899ff9c9c741ffe42122c5
SHA256 5c029df4409bf250a07804c93040a99b0e4626f77732c3ee47eb65f74d62dc93
SHA512 165a38b96cbaaf343fe6b5a995d13d24502f8decb0c52283a0971a327be1cfc8bb85cd8b73e2d53c28c57c10cd61096ee987ead3d2d5dc6ae1189f7e58f578b6

C:\Windows\SysWOW64\Bgehcmmm.exe

MD5 6fcf26c6318d8b63dd2c81c78a8a65fd
SHA1 a630474325f3b13d976bb2d66f6792360db45672
SHA256 0a93242c1b4cb05bd08eb874b80a8e1d6e6e21e8d35828a32febcf973959d27a
SHA512 dc67444ecea5a3aa8971cf53dc48aa3512879f81f4dc193145c8485ec353b2f3cb5620a3d7f80b5dac06ee980ed56b7118e54753cc6657ebfa1c98d4c4012188