Analysis Overview
SHA256
642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9
Threat Level: Known bad
The file 642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9 was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:23
Reported
2024-06-03 22:26
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Faokjpfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eflgccbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eflgccbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Inljnfkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Gegfdb32.exe | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| File created | C:\Windows\SysWOW64\Hciofb32.dll | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejdmpb32.dll | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Icbimi32.exe | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmjejphb.exe | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmjejphb.exe | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gldkfl32.exe | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hacmcfge.exe | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfeoofge.dll | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| File created | C:\Windows\SysWOW64\Inljnfkg.exe | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eqonkmdh.exe | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eflgccbp.exe | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| File created | C:\Windows\SysWOW64\Efncicpm.exe | C:\Windows\SysWOW64\Ecpgmhai.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkabadei.dll | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qahefm32.dll | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkojpojq.dll | C:\Windows\SysWOW64\Ecpgmhai.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfabenjd.dll | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdfflm32.exe | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fealjk32.dll | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdpfph32.dll | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmhfjo32.dll | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbkgnfbd.exe | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nokeef32.dll | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpapln32.exe | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| File created | C:\Windows\SysWOW64\Hacmcfge.exe | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Odbhmo32.dll | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| File created | C:\Windows\SysWOW64\Faokjpfd.exe | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghoegl32.exe | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Polebcgg.dll | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| File created | C:\Windows\SysWOW64\Nfmjcmjd.dll | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eqonkmdh.exe | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnnhje32.dll | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hojopmqk.dll | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ilknfn32.exe | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdnaob32.dll | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdapak32.exe | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpekfank.dll | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hdhbam32.exe | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpocfncj.exe | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Inljnfkg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gbijhg32.exe | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Glqllcbf.dll | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbniiffi.dll | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eijcpoac.exe | C:\Windows\SysWOW64\Eflgccbp.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| File created | C:\Windows\SysWOW64\Hggomh32.exe | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdhaablp.dll | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Inljnfkg.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpdhmlbj.dll | C:\Windows\SysWOW64\Egamfkdh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hggomh32.exe | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjhhocjj.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olndbg32.dll" | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll" | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebedndfa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eqonkmdh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eflgccbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hobcak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll" | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hjhhocjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Faokjpfd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Faokjpfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Egamfkdh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Inljnfkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Efncicpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll" | C:\Windows\SysWOW64\Faokjpfd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hpapln32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll" | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll" | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll" | C:\Windows\SysWOW64\Ilknfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkabadei.dll" | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | "C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe" |
| C:\Windows\SysWOW64\Eqonkmdh.exe | C:\Windows\system32\Eqonkmdh.exe |
| C:\Windows\SysWOW64\Eflgccbp.exe | C:\Windows\system32\Eflgccbp.exe |
| C:\Windows\SysWOW64\Eijcpoac.exe | C:\Windows\system32\Eijcpoac.exe |
| C:\Windows\SysWOW64\Ecpgmhai.exe | C:\Windows\system32\Ecpgmhai.exe |
| C:\Windows\SysWOW64\Efncicpm.exe | C:\Windows\system32\Efncicpm.exe |
| C:\Windows\SysWOW64\Ekklaj32.exe | C:\Windows\system32\Ekklaj32.exe |
| C:\Windows\SysWOW64\Ebedndfa.exe | C:\Windows\system32\Ebedndfa.exe |
| C:\Windows\SysWOW64\Egamfkdh.exe | C:\Windows\system32\Egamfkdh.exe |
| C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\system32\Epieghdk.exe |
| C:\Windows\SysWOW64\Eiaiqn32.exe | C:\Windows\system32\Eiaiqn32.exe |
| C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\system32\Ejbfhfaj.exe |
| C:\Windows\SysWOW64\Flabbihl.exe | C:\Windows\system32\Flabbihl.exe |
| C:\Windows\SysWOW64\Faokjpfd.exe | C:\Windows\system32\Faokjpfd.exe |
| C:\Windows\SysWOW64\Faagpp32.exe | C:\Windows\system32\Faagpp32.exe |
| C:\Windows\SysWOW64\Fdoclk32.exe | C:\Windows\system32\Fdoclk32.exe |
| C:\Windows\SysWOW64\Fdapak32.exe | C:\Windows\system32\Fdapak32.exe |
| C:\Windows\SysWOW64\Fbdqmghm.exe | C:\Windows\system32\Fbdqmghm.exe |
| C:\Windows\SysWOW64\Fmjejphb.exe | C:\Windows\system32\Fmjejphb.exe |
| C:\Windows\SysWOW64\Fddmgjpo.exe | C:\Windows\system32\Fddmgjpo.exe |
| C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\system32\Gpknlk32.exe |
| C:\Windows\SysWOW64\Gbijhg32.exe | C:\Windows\system32\Gbijhg32.exe |
| C:\Windows\SysWOW64\Gegfdb32.exe | C:\Windows\system32\Gegfdb32.exe |
| C:\Windows\SysWOW64\Gpmjak32.exe | C:\Windows\system32\Gpmjak32.exe |
| C:\Windows\SysWOW64\Gbkgnfbd.exe | C:\Windows\system32\Gbkgnfbd.exe |
| C:\Windows\SysWOW64\Gldkfl32.exe | C:\Windows\system32\Gldkfl32.exe |
| C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\system32\Ghkllmoi.exe |
| C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\system32\Glfhll32.exe |
| C:\Windows\SysWOW64\Goddhg32.exe | C:\Windows\system32\Goddhg32.exe |
| C:\Windows\SysWOW64\Ghmiam32.exe | C:\Windows\system32\Ghmiam32.exe |
| C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\system32\Gddifnbk.exe |
| C:\Windows\SysWOW64\Ghoegl32.exe | C:\Windows\system32\Ghoegl32.exe |
| C:\Windows\SysWOW64\Hdfflm32.exe | C:\Windows\system32\Hdfflm32.exe |
| C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\system32\Hcifgjgc.exe |
| C:\Windows\SysWOW64\Hdhbam32.exe | C:\Windows\system32\Hdhbam32.exe |
| C:\Windows\SysWOW64\Hggomh32.exe | C:\Windows\system32\Hggomh32.exe |
| C:\Windows\SysWOW64\Hpocfncj.exe | C:\Windows\system32\Hpocfncj.exe |
| C:\Windows\SysWOW64\Hobcak32.exe | C:\Windows\system32\Hobcak32.exe |
| C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\system32\Hgilchkf.exe |
| C:\Windows\SysWOW64\Hjhhocjj.exe | C:\Windows\system32\Hjhhocjj.exe |
| C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\system32\Hhjhkq32.exe |
| C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\system32\Hlfdkoin.exe |
| C:\Windows\SysWOW64\Hpapln32.exe | C:\Windows\system32\Hpapln32.exe |
| C:\Windows\SysWOW64\Hacmcfge.exe | C:\Windows\system32\Hacmcfge.exe |
| C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\system32\Henidd32.exe |
| C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\system32\Hhmepp32.exe |
| C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\system32\Hkkalk32.exe |
| C:\Windows\SysWOW64\Icbimi32.exe | C:\Windows\system32\Icbimi32.exe |
| C:\Windows\SysWOW64\Ieqeidnl.exe | C:\Windows\system32\Ieqeidnl.exe |
| C:\Windows\SysWOW64\Ilknfn32.exe | C:\Windows\system32\Ilknfn32.exe |
| C:\Windows\SysWOW64\Ioijbj32.exe | C:\Windows\system32\Ioijbj32.exe |
| C:\Windows\SysWOW64\Inljnfkg.exe | C:\Windows\system32\Inljnfkg.exe |
| C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\system32\Iagfoe32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 140 |
Network
Files
memory/620-4-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Eqonkmdh.exe
| MD5 | 6b4fc628f75cbd0a8ff4bcefd2ad4dbb |
| SHA1 | 878eab0b96bec3e067d344d8443a5906cbbb63cf |
| SHA256 | 5aa8ab783831b9029bc4ad848ecad8df7d07d3b0a9d53073e707b67ba6215147 |
| SHA512 | 3bbf77106495228d0547459a19739bfd6175e841a12dfb5354afc5895d240a84dc5ca631f5ff61399c315f3eb303fb1e8f27ed263b86e82f358d8dadf5268ca1 |
memory/620-6-0x0000000000280000-0x00000000002C1000-memory.dmp
memory/2980-18-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Eflgccbp.exe
| MD5 | 15d08c8c1de2da5b3858fd8aea375cfa |
| SHA1 | 4c9333a66502432e9ecd6772514d10b1c1ec40a2 |
| SHA256 | 650694d395a7edb2e99f50f3043a318764ff287d9781ed6894bf569bbe7b35d5 |
| SHA512 | 6fc036deb3daf5d88a0269aab142b2b8c013a4f3208398471ba9ec61f3de69a57dd8a0e1d1750a3849c9f6d38d746461a19dfc0d01d01ea72ec28ab481d3c7fc |
\Windows\SysWOW64\Eijcpoac.exe
| MD5 | 83e404fdfb0411b84ee066c6f14ea76a |
| SHA1 | 6901acff5d83a03a15426d27200681024aeb307a |
| SHA256 | 852a8da1b32b7ecea039b6895ae94e9e3f0d28653c5253d672b5446f05feebd8 |
| SHA512 | f1b9dabbb7bbe792a1228400e719c90d4d0d24639c23c7c67cc891015c6e7f47cfded37ec9e836c721d0d58489c8b59a70d4b2dfe02c46f71ebc1ab4333105ca |
memory/2676-32-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2980-25-0x0000000000250000-0x0000000000291000-memory.dmp
\Windows\SysWOW64\Ecpgmhai.exe
| MD5 | 51f1f3390014691e7b23059a0e71dfa2 |
| SHA1 | 732cf08e884a755df840765812b977eb0135f953 |
| SHA256 | fdd5be8b03a75ec82a16ce65de3327454eb9a585cf1537057e4849a15c883fb1 |
| SHA512 | 0bc38f6b82187f93c4d8584e1a6d6086701c08c2134430317cd70b9c871c4c66c47573202067f0edcd06515d5c4fcf07289178fd96df401fbb5fcf07ac2ce69b |
memory/2052-58-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Efncicpm.exe
| MD5 | 7bed7c10ed7e4df92105dbc11ae5a17d |
| SHA1 | b90a8034487a6e92869de1f53c0468b4e6929128 |
| SHA256 | c63cf0f4be2e0d26eb85cd90bee2a37aea4fe92306c33ecde32af224cacc6701 |
| SHA512 | 784345009a6c1b90ef79881865ea09254143d958ff402cd3d2ec2fb4c9cbec53b3476576cf00ce6e12623018fc557c18d819b5c9bb7b55b281c9967d0014d9ce |
memory/2688-47-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2656-71-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Ekklaj32.exe
| MD5 | 1fea8e533de2570553a19d309d01db73 |
| SHA1 | 5f7d15eeb8f8c87b907339c691bc0678f689515f |
| SHA256 | caefbc2f099b9900344d77a9f60ce6b98a2a9a8b4e6842da9537536d25f72ed1 |
| SHA512 | 00e9eec50b249d6f2b987f20ad049d2393e18ed465d9d13cae9dd74d22b007d4d18bbf3a8b0c14221f9c41a9dd542ea09e6669e1e9410231a3790c5f22fd5729 |
memory/2656-74-0x0000000000310000-0x0000000000351000-memory.dmp
C:\Windows\SysWOW64\Ebedndfa.exe
| MD5 | a94c93cebcacf5576f273c53660dcbe3 |
| SHA1 | 428d792731298b21b7b2afb12fdf3de38adf235a |
| SHA256 | 7bd5f0242d3a26e0269af6735c0d1e0041c0bf65f1caf75664bbc53f82f0d221 |
| SHA512 | 6a76dd02c0fa5fa3b5d32a8c957f113cdc53219f528ac317071588b3b91d50e1443fc5c95881e8957524759cbf202abd2c5a04baab2e95a639efba9ddd6fe840 |
memory/1440-94-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1352-93-0x00000000002F0000-0x0000000000331000-memory.dmp
memory/1352-87-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Egamfkdh.exe
| MD5 | 6f0b7c57d0e53193285339812546894a |
| SHA1 | 45b8832bbad3b5fa7265fc66f9138869f204fcbf |
| SHA256 | e51e5ed36ab9d37242611930262224741c478bd94c9630b4de54a60f6d841ab2 |
| SHA512 | 1798f6333e01cdd58e11852ccd2bffd98be19392297d99d4fa3be2f0cb427c1187d7251689252f70b784fd6037f91285db6c8a06b6a385ef4bddbca2c6da75d7 |
memory/1440-109-0x0000000000300000-0x0000000000341000-memory.dmp
memory/2760-119-0x0000000000250000-0x0000000000291000-memory.dmp
memory/2760-118-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Epieghdk.exe
| MD5 | 5f1121e0ce616e301475f0a2ce348c70 |
| SHA1 | 1f8fa47a163d80529367914a208e401b29ffde4e |
| SHA256 | e29e8eb10cd1926a2370b6799652d1fd86bb78af1aadbcfb084872bd5d6162a6 |
| SHA512 | 9ec4069ab49d08bfb1eca241bf8e141ca900fec7cd87346a1b0021ef0f2f1665cbe61b1b8ee2739a225f4701f3f0a180dfbe0ab99ba4d4090b162c39d2ab495f |
memory/2676-102-0x0000000000250000-0x0000000000291000-memory.dmp
memory/2688-108-0x0000000000250000-0x0000000000291000-memory.dmp
\Windows\SysWOW64\Eiaiqn32.exe
| MD5 | 58ca0bfbcf9965f8b85c73860c8dc5e2 |
| SHA1 | 291d4b7c9f7b6144b01701e13a2cf0282ad7a306 |
| SHA256 | 0beca4e4d726b78c4832abff885871a17e6e579bbc9f4d3233a407b5d5671127 |
| SHA512 | 9d2821bdf9772c08bef8e4ce377fefbe36529691ef7fa5947e15aa52d705b887c16788c873060f6dcbfa81d39497d6bcefd2587089a827fc47ba20ef7e2d410b |
memory/1440-107-0x0000000000300000-0x0000000000341000-memory.dmp
memory/1568-149-0x0000000000250000-0x0000000000291000-memory.dmp
memory/2656-148-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Ejbfhfaj.exe
| MD5 | f50f69927bcce97e3a353a78dfd7b8f4 |
| SHA1 | 6d9ec0a24416182d5b08a26d74eadb24241691dd |
| SHA256 | 0f86709fbbb40930956d033f6f856d42eb60c282b9d73d7e31f14c6e464bfea2 |
| SHA512 | 425e3535d234eb8054b6cf66e100ccd88871f43c49d7ed28e1d5c03fdd11cd770940e6f92e8e81e61488f3ab044b23e9d0a6ac48060f5afca28022016f21afc9 |
memory/1568-145-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2052-138-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1548-137-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2052-136-0x0000000000280000-0x00000000002C1000-memory.dmp
memory/2116-156-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2656-155-0x0000000000310000-0x0000000000351000-memory.dmp
\Windows\SysWOW64\Flabbihl.exe
| MD5 | cb285beeca9db17fad4b2b6de3b45769 |
| SHA1 | 5515dba43794bf0ef24b978a4f2af8bcd508b8bd |
| SHA256 | f429acc7d178a4fc07bfe985a8afdc7b63999c314b05ca89e658ce3e5bdf7984 |
| SHA512 | 21d9a6313f3305118784b4ae7c25d5f308b03ea8e2c246b53092aee5ebbee8d1eac3b065fe43d09db425b3d34780fce87ba9ca2ba3b1a194c37af11d4dc54fb8 |
memory/2116-169-0x0000000001F80000-0x0000000001FC1000-memory.dmp
\Windows\SysWOW64\Faokjpfd.exe
| MD5 | fb381af597a2467601e970f140836d11 |
| SHA1 | 970f00c89b68c1b06f48e93dc24d1e3869cefd53 |
| SHA256 | e29396f2f3fb770dd18768bbe9ae938f4be554ffc857ebdaec9ea5648ae004bc |
| SHA512 | 5dfb59731cc20ebea468e95b636ad2fb9a735cf405abfb4bc598b9cfa74df108a83a2b0dd452cd04783fbd9354fccbd8a45d780a14f93d1058d2852ceb81e924 |
memory/1440-173-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1352-172-0x00000000002F0000-0x0000000000331000-memory.dmp
memory/332-171-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2116-170-0x0000000001F80000-0x0000000001FC1000-memory.dmp
memory/332-185-0x00000000002A0000-0x00000000002E1000-memory.dmp
memory/2820-187-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Faagpp32.exe
| MD5 | da6a2da816c576442c8c81418ab1b3d2 |
| SHA1 | 79f884bd8f0705674d79efe3c42528e7c36a276a |
| SHA256 | 99614d7352ba047146c424765df6cee37c3f5d5d604722cf65e4b35288835827 |
| SHA512 | 7b039d90d28fc6cdec789f946948d0f6d426d775d5a4c9a93eb2826fd5fecbca5b0bfa6f27577ecc6499d3e74f1c7d2f932b0b83c6aea45975a901241ce573a0 |
memory/2760-196-0x0000000000250000-0x0000000000291000-memory.dmp
memory/2920-205-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Fdoclk32.exe
| MD5 | 0dddcf5ec21b430992ef98ff1a289df3 |
| SHA1 | 9d208c06f650a7b5d7197098c1adc4cd9b91b63d |
| SHA256 | 724c64080de10f8d57f69e98df2f1dab3ada984a68b4194b4c53e43666caefc7 |
| SHA512 | 6b9589ad2463643437aa01980a9d54ff071c3715dea1d1b78af7b767a470997aa57e4c673fe53b7e0f7b09e8619b100742680d2b90c69a0ff2502f5a9ebd364d |
memory/2920-209-0x0000000000280000-0x00000000002C1000-memory.dmp
memory/2220-216-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2116-215-0x0000000000400000-0x0000000000441000-memory.dmp
\Windows\SysWOW64\Fdapak32.exe
| MD5 | e816ae5a8ac6a3014234c8e18b5ffdd7 |
| SHA1 | 28689dec89d4cf2088ed66e080241e14a3492a35 |
| SHA256 | 03e404ffbb6dacea9fd55758edde05ace465b39b80b884c81b1cf4c81691baff |
| SHA512 | 9200cc6acea4d9a1cf93398879c4d9e66634fee084169f2ced6387698ae171fd9691773b8b24e8d73c369b9652aebaee00692b4cfc0e8d7a98a697b95c8b4f1a |
memory/332-238-0x00000000002A0000-0x00000000002E1000-memory.dmp
C:\Windows\SysWOW64\Fbdqmghm.exe
| MD5 | df6582975e87ac411d0d1babb80c7265 |
| SHA1 | 841a680536bb482f037c4331a022af996b30a3a2 |
| SHA256 | 4e98b3c26167735fa8465d5b7c13d4a0b99aaf7fb0e3990b2b2080f1894f8686 |
| SHA512 | e718919293977f5ef34b0c88860532fc34051e0b41e88a85559e76216b9de072f904a697b8f3d50e6d69ca8d2cd20d1f3dad67a1588231d94a36e703326ecd73 |
memory/2256-236-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2840-245-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2820-242-0x0000000000400000-0x0000000000441000-memory.dmp
memory/332-229-0x00000000002A0000-0x00000000002E1000-memory.dmp
memory/332-228-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2820-249-0x0000000000450000-0x0000000000491000-memory.dmp
C:\Windows\SysWOW64\Fmjejphb.exe
| MD5 | 5ae52872299fa4380720764b114ffe80 |
| SHA1 | be6f2a5ec848073928fdb58da9b86027aa65fc4a |
| SHA256 | 0e2f4c1345a70fb1047af8622a864d231512e883d60a3a31d525def78923d8d6 |
| SHA512 | 95a1ed37fa5279041295b1f30f5dd7f84276a50091e9d451fe3e112427d411f0ba89682a8092746771ba584cb109ab44a88bb9148f9168cddae17aa9dd77b77c |
memory/1776-253-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Fddmgjpo.exe
| MD5 | 1f3532f3c929904d8b0c3ba0ed8adbb6 |
| SHA1 | ff07e39b23715e6987a9511b52f5e609d204f5ba |
| SHA256 | 55f4aafdecfad6bf2df89bb3fa3ebf23816f29763c3ce6a71f89884477da1291 |
| SHA512 | ff20c7603c04b51dac469ea21f4fe1648cc5270963db4ad0619290bf411e205032315c700ac17a2cd3e315d26ae183a2c26754b6a1699884499a24503b68c338 |
memory/2920-262-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2220-266-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2920-265-0x0000000000280000-0x00000000002C1000-memory.dmp
memory/2148-264-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2920-263-0x0000000000280000-0x00000000002C1000-memory.dmp
C:\Windows\SysWOW64\Gpknlk32.exe
| MD5 | e0f26994992f8d27b763170ea469e44a |
| SHA1 | 1bc712ad7a3c842b9edee07b8ff5205a0e718743 |
| SHA256 | 537adfa830e4e84a8a862a2f6e2ba0d9b77a9c9bdb0e2411d4940019ada85776 |
| SHA512 | a1bb4d2a406c608c873de62770442fc5a75d8a127f43ca18bb568cf41c3879bd67ae5492c605b08125c7f7b0d17b99b8f0eff55f1ecd3afd6283d04f13a677d6 |
C:\Windows\SysWOW64\Gbijhg32.exe
| MD5 | d9ca68724e44fbf9de2fde87124d4a69 |
| SHA1 | 3a94ea395743b2504989595c6c7e311dc1735034 |
| SHA256 | 175cd846ff43a99677296b95edeeae7e9b3fe525e9d37f85d0f5f4b396d41888 |
| SHA512 | 4faa64a6e9fbe351b6282d41847697859f404a92569cbe734f0e964c4b38b8799641c2f36969f5563920913f64596c8771710d448c215ecac5a1a50132b51570 |
memory/1232-279-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1296-285-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1232-284-0x0000000000250000-0x0000000000291000-memory.dmp
memory/1296-291-0x0000000000450000-0x0000000000491000-memory.dmp
C:\Windows\SysWOW64\Gegfdb32.exe
| MD5 | a53f7690eb20a3ee0d82af615d046144 |
| SHA1 | dfc0756564d22b44514290f0f8a05d851cd7a4a6 |
| SHA256 | afbced68e6aa57fa9ac5ed7851e22c739a603fb969c861eb46cb2230f2567654 |
| SHA512 | 15c5d2ce98813c248f6a46ed11a8ecbcc1abea46e8b8993c16bd51b78e6e6b787ab4bbc1b2afbfbb3648ec81fab4f128278b85a26833286673640e442b04323e |
memory/2256-303-0x0000000000280000-0x00000000002C1000-memory.dmp
C:\Windows\SysWOW64\Gpmjak32.exe
| MD5 | d92b081c3abe3856cb745bbcc9417ef6 |
| SHA1 | e5ddffc134d9f6a1f852221b032f21d3fd4908f5 |
| SHA256 | f6a1422db88afaa41a3424b0c9f0a2b446207f98fe0473bf7ddb7ba4e6091292 |
| SHA512 | e7b99d96fc7a435aef47968ed19e8b6e7979dceee85f10d7367f34def3af53efb38fed3dfca06203011dc46d6945df6d0d4ee7a588ac9700bbfbea0b313e4c3a |
memory/2136-308-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2840-304-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2928-302-0x0000000000280000-0x00000000002C1000-memory.dmp
memory/2928-301-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2256-299-0x0000000000280000-0x00000000002C1000-memory.dmp
memory/1692-319-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2136-318-0x0000000000250000-0x0000000000291000-memory.dmp
C:\Windows\SysWOW64\Gldkfl32.exe
| MD5 | 276c1ca21da94e6184981de7bfc6c792 |
| SHA1 | 069a89005874a6072776f3fa59189e8e3acd7609 |
| SHA256 | 0fb278e1f23bd59b3d58e7324dbd3048e63e14eec8f7d9898c9114b91c2e1ffe |
| SHA512 | 8941680d23aadca65c5a968cf65b8fc15f0ae5fe9507603e1555044c0ba9c9e004b9e7ed8ebc5a48ea7b0e622b04efa4da0fad9cb7469344977d6743b5673786 |
memory/1692-329-0x00000000002E0000-0x0000000000321000-memory.dmp
memory/1776-328-0x0000000000250000-0x0000000000291000-memory.dmp
memory/1776-317-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Gbkgnfbd.exe
| MD5 | 7283eaf3dd1371b1c2fb2f2827f1f449 |
| SHA1 | a2d8e7406cbd641bd77922b7fd29c1f8994b1e30 |
| SHA256 | 4d47d56d783a59f165ebf6c4587c9bb275365b93d577a9640be793860ea103e6 |
| SHA512 | 561aaf4eac7f052bb73c0a0d8a18fb3a65088c7fa395640709b7baa079aaa0cc5fee10a7c335becf188ed16d2eae93b430bdef11ade94eca4d8b579cdb8acc43 |
memory/2148-331-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2216-330-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ghkllmoi.exe
| MD5 | 6a27e6758c27cf4a9b2165e35548ca89 |
| SHA1 | 320f7dddbc508aee82cad0c7a94c42222a3259bb |
| SHA256 | da67e7794ecba249132305e04fedea6b4fdcf949f3d5150ca4374e236323ce8a |
| SHA512 | 740ee66ed0d0fefa06b5f9828556c375981638189a6b7588f378cf99bda92ea88e4104a516d29c45ee253cad264a536cced2cdaec5ff2a3f1d98d618995bdcab |
memory/2588-349-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2668-353-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1296-352-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1232-351-0x0000000000250000-0x0000000000291000-memory.dmp
memory/1232-350-0x0000000000250000-0x0000000000291000-memory.dmp
C:\Windows\SysWOW64\Glfhll32.exe
| MD5 | 9f522a470d3cad01871d2c7233308809 |
| SHA1 | 254357a4d6a4d2412ef800a5149ca551b0626823 |
| SHA256 | 181b6c3eb07e1b9468207328e3b26ebef9dc66de38eb26a5caef180e4ab99d31 |
| SHA512 | a42b3cba1a875b146e7090f02125354bcc2a0acdb670b74a0cbf747582bd43694cdf572d67929ee5c9f7ce139818fadeeb6d6c3c3b86ddf0815c54bc77617292 |
memory/2148-345-0x00000000003B0000-0x00000000003F1000-memory.dmp
memory/2620-368-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2136-364-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2668-363-0x0000000000250000-0x0000000000291000-memory.dmp
memory/2928-362-0x0000000000280000-0x00000000002C1000-memory.dmp
C:\Windows\SysWOW64\Goddhg32.exe
| MD5 | 2088d5e7eabdc14ea37724883401c7bc |
| SHA1 | 93708c490abacb3ed6ed89b9f79c905b99482011 |
| SHA256 | aa9cfc1f46d0efeb84b32a215ef19bc57155312ad28caee7cfd217354daadce1 |
| SHA512 | 49abbb6b374d910b65d27093cccbf27f01f06d20111c2b6299dd5bca9204a52e114ffcf536038059c84c2b7d8b4b9e31c3f1c432e36a4f80ec54e65602473492 |
C:\Windows\SysWOW64\Ghmiam32.exe
| MD5 | afa2b2eb98a9d6e7caeef16e28a137a9 |
| SHA1 | 3e081694ed78a7da193f4f7f33a2fdbdcecba3ca |
| SHA256 | d2b65b20f8e1af381764e09677c873409fdf0cb061f5be4419e2678b967e05ab |
| SHA512 | 7779882f1427537fdbed4adb67b5d32fbeb42fbf857f3e5be967ba24e261c60a5fa5b45b8366c0ea68dec16c7d55260dc7e5c54de96e828970e11bc071791348 |
memory/2480-375-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1692-374-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2216-388-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2480-390-0x00000000002D0000-0x0000000000311000-memory.dmp
C:\Windows\SysWOW64\Ghoegl32.exe
| MD5 | a6dcebe3f80031a3948b04499da573bc |
| SHA1 | 8235470408128f14373216c67b42abcdae30b1c5 |
| SHA256 | b9477ebd4703932730e8959befa3acca01f6c6eb1cb140e33c7d4ebc3ea1cbcc |
| SHA512 | 1b6be898d7a78157fd6be1b5fa24fc97cf69cf1b145c768b502a5846146052d04661048759308cdad2d1e5bed08245352434c69bdcaf2f980d7e24db184e018f |
memory/856-398-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2216-397-0x0000000000250000-0x0000000000291000-memory.dmp
memory/2580-393-0x0000000000250000-0x0000000000291000-memory.dmp
memory/1692-392-0x00000000002E0000-0x0000000000321000-memory.dmp
memory/2580-391-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Gddifnbk.exe
| MD5 | 1319c5d77bfd188bcd7ad7a47d318ada |
| SHA1 | 7b5f6fa819a084d543749a72e68051deed1db00f |
| SHA256 | b0f13afddc45f97d4560c76e1d45f5c2b008d4ce7204ee583e526356c2a8025c |
| SHA512 | 7996353f19842d022467b93210e2305161c27c66d295d97cd329d489fa2f374c2f77a5f8d7a620400d6a26efe1f1ed9314c96e2e313539fb39d7afe6f2264a24 |
C:\Windows\SysWOW64\Hdfflm32.exe
| MD5 | 062df4e2a0e386f3dac1f083596c9120 |
| SHA1 | a9e5d3b72679163f4d249facec3ea9a38570c117 |
| SHA256 | c33a037b14759d2394a533c0b92a5c0377db8c4639a6c7c5e96e4d23293ecf97 |
| SHA512 | c902576e34d3d95c13e67ed9f981b5ee5814a5bb8d638134c1f6e12950ce0ae62204b99376f7ac8c37b4d65ab4a79a56193267fa405012bca8f86ba886193153 |
memory/2764-418-0x0000000000280000-0x00000000002C1000-memory.dmp
memory/2668-417-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2764-416-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2780-419-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Hcifgjgc.exe
| MD5 | 5e1f97787316143aa0f2da43f9b830e0 |
| SHA1 | 9ec5430f2bcee5e9881cf71144f3007f21dfde60 |
| SHA256 | f4d7e3b3f774473e9fbcc6fd3f05efdeb6729a252e0af31491b11bf43dca017c |
| SHA512 | d0649058bd3b6813da3305f6560740707902053d8ebaf70a3d3dbb35f2164a64c3d13e639c8b78a9efd10428384646d5f288e8b7fbf29b714d6db445e0c6d051 |
memory/856-412-0x0000000001F70000-0x0000000001FB1000-memory.dmp
memory/2780-425-0x00000000002F0000-0x0000000000331000-memory.dmp
C:\Windows\SysWOW64\Hdhbam32.exe
| MD5 | 1e5f5ec0c9530941d9dc27b341a0e930 |
| SHA1 | dfc489c2c16947b82d2c80eabb817b19c8731fbc |
| SHA256 | 872041c13757daa3b277c0a9828c2984ea4af5e5b35f8f60eb39fa8f3b49f822 |
| SHA512 | 04de223fb0f0838df6d274ea7461f38da23beb335cc4ae5c7feeb32a282815a8d9886a25e66998555256d37b2e190872280796692e6f795ef30ef014cefff1ee |
memory/1644-434-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2480-439-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Hggomh32.exe
| MD5 | 6926006b078194a7676144ac62bd4e24 |
| SHA1 | e0ee7c6391c9f14ea6484d01056ff53148c2cf55 |
| SHA256 | 0dac6b287cf9d77dde78336004870b67d23324840ca978ebb5ccb5e569e67de8 |
| SHA512 | 06b70594484322a0be7f3a14154deb9a6d4077779a3fa1cc500403ba85dda5c64d7dc93e6ccf55857188c87ce0087a24ed72e53cd6c1000804f0874d5a5945de |
memory/2620-433-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Hpocfncj.exe
| MD5 | 01e503552858fc3f381e21357216a1e3 |
| SHA1 | 7f4d4706e286013b53a1458bc881a8d52c3712c6 |
| SHA256 | 1117e374a3003bcb13eaba14e29a66a707a93078b9a01ad08369cbef4925efdf |
| SHA512 | 0792b25391070ca9b6be8ffad6a1dbd4ac36b8608d290db410131c7ee4b76016ab587a2352715688dc53ca479c3b12baf1014fb055252aa3263aa355e99bdea3 |
C:\Windows\SysWOW64\Hobcak32.exe
| MD5 | 6d89d4d2138a2d484c7d817cacff9af6 |
| SHA1 | 605fa5c9205571083bf117280d6daad7df909b64 |
| SHA256 | 3e04baab4fa072b15a7be557050d085336adf656943ab2bda78dbe69ab7c2021 |
| SHA512 | de2ebe38ceaf6ebe90ed7ff7b1322503011b3e558334887a405f64a5c8562566800f7a09dec24788f8295c6b3bae52709b6feaf0d16930bff65539268d1f981a |
C:\Windows\SysWOW64\Hgilchkf.exe
| MD5 | 112deff738769144170680a480a8c075 |
| SHA1 | 71519c9ebc54b39ccbb73427f5fef82ce60880da |
| SHA256 | 14249f9901c89852c36cfeab8994dd465dbbe5d96ba610816286a4efa13bf253 |
| SHA512 | e5493ac56d8b052aabefd8e9658da683abfb8b55eac0d4e4e3bad3247acb2b5cc7ac9c3da516e9f51695984e94cb070e529e0e3f163617c6968315828129f843 |
C:\Windows\SysWOW64\Hjhhocjj.exe
| MD5 | 84abfe0aed13d17815accc50a1eb8087 |
| SHA1 | da7ea1dec48c0fd759a048ed891c30177117e641 |
| SHA256 | 8eaf917fe0d968b7efa8c6a8af85db46d1d8b0260d2e43f42c908c3d4b4ab9b5 |
| SHA512 | 71dfcbdd2266f42d7831cce65f822d0f30ce03b7a898514dae171ff66115174364b88d779d402969489f88665a85e27b197dd7f93906390b9804dc276ca3f44c |
C:\Windows\SysWOW64\Hhjhkq32.exe
| MD5 | 5250c9b0de348880bcffb7b792f5711c |
| SHA1 | cd9d05fbe4f937166913275e43c1b56098a1b34f |
| SHA256 | 13314277dd38b608efc1a8a303948c18581eeb6058a2af74cae0527c344f5d5a |
| SHA512 | b0b9a4726748f563102562de488c886cfa8c7ab64c9cc4d1af018b374e67863483166a3a62ebd39b7bd5556aa29e88d83e65c9687ec8118a22ee8a976cdf48ed |
C:\Windows\SysWOW64\Hlfdkoin.exe
| MD5 | e0c8b452f8ade27737a7065b2e1944e2 |
| SHA1 | 5a4254ed83405fda0a74ab6ea5d21afe232faf2e |
| SHA256 | c2d968e2b3854b5395f810b9a2c07ad69c672278f314c30027db8fd702cc9e60 |
| SHA512 | a84a7876d1e346e4e71668a9470a61b2f197bf483498a4c38f3ba412af97dd3c84a3c4853f64b180ff95f812af55e77472afd8f011f00108ec552c8b152f0dbd |
C:\Windows\SysWOW64\Hpapln32.exe
| MD5 | 6d9769015eca85d06685cea41dbe2ef1 |
| SHA1 | d2187ab02d377c7c9340473bd47bf27cadf7e0de |
| SHA256 | b6aa3b8fe186ac73f28e6b330047fbee386f88b1e42c65caf6a2053ec49261f8 |
| SHA512 | 2acc6f78d50b0e5647b7288d83dd50dfb7489c36f8dee2bd1c5218f94a21bf4c84327c471fb4b6211f175adb7f873501d8706db16fe25a13588da11ce757d230 |
C:\Windows\SysWOW64\Hacmcfge.exe
| MD5 | 423b196ef4cbfcafa6f445b5e208ed71 |
| SHA1 | e1c6371091b00fcb8256bfc515a74f43d0518ae4 |
| SHA256 | 00e84668327ed7b177b8a55ac21a1a6af8f48bd21e5e04aa190f5648db937491 |
| SHA512 | b5e842b9cd41c28aa0e8e73d30b1469578daa793cfbf3b806e70e15ce2470b4cf75a0d8e84dadf370ef1d0a25cc1adfdc56fc00c8b4663d74e5e97b2d7d61674 |
C:\Windows\SysWOW64\Henidd32.exe
| MD5 | d836ceac8ecbc2c71096e5e52ab47dfd |
| SHA1 | 26be1a67e5ec14f4104e1487b01f46fcd0dfc63f |
| SHA256 | 790d91b85ceac099d27f8eb2320d83310cdc0a39c71b867c12e292b6f487fe0a |
| SHA512 | a56768e342d7a2bd50ac0686c3a668a9516c976a60b7a2ef75497cfeff32d4686ad1138faa3e1d40b1a751f61eb1aa6879473066432e3a9c075b033209cefc6e |
C:\Windows\SysWOW64\Hhmepp32.exe
| MD5 | 6e70e462b8af3ed68439ed36f64176f0 |
| SHA1 | 2d5e8161d14fae962b699a8b406b93dbde9a7c67 |
| SHA256 | f416d029e4cac7e8925c5ccf9d6a02f070da19752b4d44b43258abc6b58867b2 |
| SHA512 | 0503acc80e6153c0d1f722ed0eb1f16dfbfee08d5c3c6556bdfb4f4abcda34ebdaea34406f566ce66df3745c88e5fec14f19a8b0b3531ad604e2a6c0be47c860 |
C:\Windows\SysWOW64\Hkkalk32.exe
| MD5 | 0dfdb0eccff8f5e1df475edae916a70c |
| SHA1 | 4c5e9b111f3d98e7453cfa4a9c673629b6df578f |
| SHA256 | 45fcb689112675b796cb842d64b878aa05c2883a5158de90654fd55ccae35ca0 |
| SHA512 | 0f667074580d5b82fcfdb52ee7989b4a336b76a980d6b86f99b395304716ccc67a67b65ec550c64f36ec9ed1296320d91069aaecc5e9fd01dcf4e19a17a5c25e |
C:\Windows\SysWOW64\Icbimi32.exe
| MD5 | a878f996cb2d6fe882565bf0f580cc91 |
| SHA1 | 79e404820ec4c50881889762071fe9e1f26a0d2c |
| SHA256 | 756b10778343d41b38bb6e7923213952ef1b37a9cc7135d0f19c681071b786ac |
| SHA512 | aa596c6020ff698730828287a9691496c5af1afff60eb430b3bc587309bdfbe2b1c076f7858a3adf5415229a7dd1858addae9d8685f077c620dd37344e41d378 |
C:\Windows\SysWOW64\Ieqeidnl.exe
| MD5 | 743be36dcee711b53452e98f5b798092 |
| SHA1 | 6ae8d01fbcc05cb2e50ff882127beffa21aca600 |
| SHA256 | 066f119d67e65731f0727dbe3f55cad8ccdba5e06e5b9336314cb18366c42cdb |
| SHA512 | 75f482fbb6edf6475ac5c33871490baa192d3365613e544272142d1e9e2547a2374d002035830f2f4f8ed8f42a684f0893ed1347c2a2b04f6dda99a932c686d1 |
C:\Windows\SysWOW64\Ilknfn32.exe
| MD5 | 950e10a450eaaa03cf6a7acc65204cd7 |
| SHA1 | 9fe31a5e75055d013b60161a2a66371250a1239e |
| SHA256 | 884fb07a43f0d4cee46cb79ee6b0d2cf4c936576a868ddecbe1f579c0d712170 |
| SHA512 | 3fc3e3de2cfcff5046562827036966fbf2288d4421b1ebb395edf3206d4912bdf58f272d9b29a811baf08d4e571c1d0b4892d97e41bfa6a8bf0cd1fb5f773af4 |
C:\Windows\SysWOW64\Ioijbj32.exe
| MD5 | 0b4e46962abe335c62d5bb2b0279eff1 |
| SHA1 | f13c6a640fe2cdf9219e2c647fb1661f11578a2a |
| SHA256 | a0b93db24392ae4d93ad11d99b7609a1dcc68af6e65045152017c9005164154e |
| SHA512 | 5a667f517a012f35f7fd8dcc555dc9bf94088e64f27cf1085372577d539d0c18686b6d0bb086c0c1e83a3bbf29455d6d7feab56105c641fe3369b74ac8a27c81 |
C:\Windows\SysWOW64\Inljnfkg.exe
| MD5 | b6540be1ad43897f2728cb3322a4a134 |
| SHA1 | f250aa92f20e46149c0b5bc64d0de3e2dd0c618f |
| SHA256 | b70850fac12ddbd2a5a1d8cda90847c585af67231154a6b16d12fbdf7699148e |
| SHA512 | b8b7ac7b9bc49e74a144abf49a8653f4a99a4836d33ceaffeaccc05088fd0d295b9670ed514ddb6a4b925890e33326bd18b6159d385b2e4e9477e60d4ee2cce5 |
C:\Windows\SysWOW64\Iagfoe32.exe
| MD5 | fad9fd8c3bf2b5d03e0b9d1e16a72aec |
| SHA1 | ebceb3fef26bc3df746c0933fddb0a0a902c2cac |
| SHA256 | 54a075002acf8aff59ee537c82599ca934a93771f7932f24d278fc500b98d465 |
| SHA512 | 927a8e66cbb81706a5c684f32dc5f307da4c897b40a1efbdca9734129502ced31c9d3b99d25eaccb223a39b8e2626b928f126f256f8c87e09d7d1fc55f6da0ed |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:23
Reported
2024-06-03 22:26
Platform
win10v2004-20240508-en
Max time kernel
137s
Max time network
107s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmlnbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpaifalo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iabgaklg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Liekmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nqiogp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ifopiajn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kknafn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkbchk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ibccic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfdida32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lgneampk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iinlemia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldkojb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jkfkfohj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nqmhbpba.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jbhmdbnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mnocof32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgidml32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lpocjdld.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jjmhppqd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jdmcidam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kphmie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjhqjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ifopiajn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdffocib.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lgneampk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ggpfjejo.dll | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihaoimoh.dll | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgidml32.exe | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Akanejnd.dll | C:\Windows\SysWOW64\Kknafn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipmack32.dll | C:\Windows\SysWOW64\Ibccic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Majknlkd.dll | C:\Windows\SysWOW64\Nqiogp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njacpf32.exe | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Lphfpbdi.exe | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fnelfilp.dll | C:\Windows\SysWOW64\Mjhqjg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbapjafe.exe | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mpdelajl.exe | C:\Windows\SysWOW64\Mjjmog32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kknafn32.exe | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mciobn32.exe | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkpgck32.exe | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eilljncf.dll | C:\Windows\SysWOW64\Jdmcidam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkpnlm32.exe | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcgqhjop.dll | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| File created | C:\Windows\SysWOW64\Geegicjl.dll | C:\Windows\SysWOW64\Mpaifalo.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddpfgd32.dll | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gncoccha.dll | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbfiep32.exe | C:\Windows\SysWOW64\Kphmie32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kcifkp32.exe | C:\Windows\SysWOW64\Kdffocib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lgbnmm32.exe | C:\Windows\SysWOW64\Lphfpbdi.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkeebhjc.dll | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
| File created | C:\Windows\SysWOW64\Iabgaklg.exe | C:\Windows\SysWOW64\Ibagcc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kphmie32.exe | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Liekmj32.exe | C:\Windows\SysWOW64\Kajfig32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ichhhi32.dll | C:\Windows\SysWOW64\Jkfkfohj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjjmog32.exe | C:\Windows\SysWOW64\Mpaifalo.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbbkdl32.dll | C:\Windows\SysWOW64\Mjjmog32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngpjnkpf.exe | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkihknfg.exe | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcifkp32.exe | C:\Windows\SysWOW64\Kdffocib.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbocda32.dll | C:\Windows\SysWOW64\Lpcmec32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mglppmnd.dll | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jmpngk32.exe | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pponmema.dll | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Lifenaok.dll | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mnapdf32.exe | C:\Windows\SysWOW64\Mkbchk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibagcc32.exe | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| File created | C:\Windows\SysWOW64\Jigollag.exe | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldaeka32.exe | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjqjih32.exe | C:\Windows\SysWOW64\Lgbnmm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbhmdbnp.exe | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbapjafe.exe | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkbchk32.exe | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjhqjg32.exe | C:\Windows\SysWOW64\Mgidml32.exe | N/A |
| File created | C:\Windows\SysWOW64\Baefid32.dll | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljnnch32.exe | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbmfoa32.exe | C:\Windows\SysWOW64\Jmpngk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmmcfa32.dll | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nqjfoc32.dll | C:\Windows\SysWOW64\Kdaldd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdffocib.exe | C:\Windows\SysWOW64\Kmlnbi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lalcng32.exe | C:\Windows\SysWOW64\Liekmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkckjila.dll | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| File created | C:\Windows\SysWOW64\Nqmhbpba.exe | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdmcidam.exe | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| File created | C:\Windows\SysWOW64\Offdjb32.dll | C:\Windows\SysWOW64\Ldkojb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dlddhggk.dll | C:\Windows\SysWOW64\Nqmhbpba.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jjmhppqd.exe | C:\Windows\SysWOW64\Iinlemia.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjobcj32.dll | C:\Windows\SysWOW64\Iinlemia.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kajfig32.exe | C:\Windows\SysWOW64\Kkpnlm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lijdhiaa.exe | C:\Windows\SysWOW64\Lcpllo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Anmklllo.dll | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkihknfg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmlnbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdffocib.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll" | C:\Windows\SysWOW64\Kajfig32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jkfkfohj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll" | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jjmhppqd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jmpngk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kknafn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbhmdbnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njljefql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll" | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll" | C:\Windows\SysWOW64\Mjjmog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nqmhbpba.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kmlnbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | C:\Windows\SysWOW64\Ncldnkae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibccic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll" | C:\Windows\SysWOW64\Liggbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mpaifalo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll" | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lpcmec32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll" | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Liekmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll" | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll" | C:\Windows\SysWOW64\Nkqpjidj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjmhppqd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll" | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll" | C:\Windows\SysWOW64\Jdmcidam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll" | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ibagcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkpnlm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll" | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nqmhbpba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jfdida32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iinlemia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" | C:\Windows\SysWOW64\Jjmhppqd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll" | C:\Windows\SysWOW64\Ibagcc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll" | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" | C:\Windows\SysWOW64\Lcpllo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jibeql32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mjjmog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ldkojb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll" | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
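The three tables above (the ShellServiceObjectDelayLoad writes, the SysWOW64 file drops and the CLSID writes) describe one mechanism split across two registry locations: the ShellServiceObjectDelayLoad value "Web Event Logger" names the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default value names whichever eight-letter DLL the most recent copy wrote into SysWOW64, so Explorer loads that DLL in-process at logon. Each copy in the chain re-points the same CLSID at a fresh DLL (Imppcc32.dll, Mlhblb32.dll, Anmklllo.dll, and so on), so the stable things to hunt for are the CLSID and the SSODL value name, not any single file name. The script below is an added example, not code from the sandbox report or its vendor: it parses a constructed subset of the rows from these tables (copied from the page) and rebuilds the persistence chain (value name, CLSID, every DLL registered for it), the order in which the EXE copies were dropped, and the file-level indicators. The function names and the row subset are this example's own.

```python
"""Rebuild persistence and drop chains from sandbox signature rows.

Added example, not code from the sandbox report or its vendor: the rows below are
a constructed subset copied from the report's tables; all function names are ours.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe"

# Constructed subset of the "Adds autorun key", "Drops file in System32 directory"
# and "Modifies registry class" tables, in the page's own pipe layout.
REPORT_ROWS = r"""
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibagcc32.exe | C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | N/A |
| File created | C:\Windows\SysWOW64\Iabgaklg.exe | C:\Windows\SysWOW64\Ibagcc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmmcfa32.dll | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbapjafe.exe | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbapjafe.exe | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkihknfg.exe | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| File created | C:\Windows\SysWOW64\Lifenaok.dll | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kbfiep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmlnbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll" | C:\Windows\SysWOW64\Kajfig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll" | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll" | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
"""

# SSODL entry:  ...\ShellServiceObjectDelayLoad\<name> = "{CLSID}"
SSODL_RE = re.compile(r'ShellServiceObjectDelayLoad\\(?P<name>[^\\=]+?) = "(?P<clsid>\{[0-9A-Fa-f-]{36}\})"', re.I)
# COM server behind that CLSID:  ...\CLSID\{CLSID}\InProcServer32\ = "<dll>"  (the default value)
INPROC_RE = re.compile(r'CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32\\ = "(?P<path>[^"]+)"', re.I)


def parse_rows(table_text):
    """Turn pipe-table lines into dicts; the header row and non-table lines are skipped."""
    rows = []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            rows.append(dict(zip(("description", "indicator", "process", "target"), cells)))
    return rows


def persistence_chain(rows):
    """SSODL value name -> (CLSID, sorted DLL paths ever registered as that CLSID's InProcServer32)."""
    clsid_for_name, dlls_for_clsid = {}, defaultdict(set)
    for r in rows:
        m = SSODL_RE.search(r["indicator"])
        if m:
            clsid_for_name[m["name"]] = m["clsid"].upper()
            continue
        m = INPROC_RE.search(r["indicator"])
        if m:  # the sandbox renders backslashes in REG_SZ data doubled; undo that
            dlls_for_clsid[m["clsid"].upper()].add(m["path"].replace("\\\\", "\\"))
    return {n: (c, sorted(dlls_for_clsid[c])) for n, c in clsid_for_name.items()}


def drop_chain(rows, root):
    """Follow 'File created' rows from root: each copy writes the next EXE, giving the launch order."""
    created_by = defaultdict(list)
    for r in rows:
        if r["description"] == "File created":
            created_by[r["process"].lower()].append(r["indicator"])
    chain, current = [], root
    while current.lower() not in {c.lower() for c in chain}:  # guard against a cycle in the rows
        chain.append(current)
        next_exes = [p for p in created_by[current.lower()] if p.lower().endswith(".exe")]
        if not next_exes:
            break
        current = next_exes[0]
    return chain


def dropped_iocs(rows):
    """File indicators: every EXE/DLL written to disk plus every DLL registered as the COM server."""
    paths = {}
    for r in rows:
        if r["description"] == "File created":
            paths.setdefault(r["indicator"].lower(), r["indicator"])
        m = INPROC_RE.search(r["indicator"])
        if m:
            dll = m["path"].replace("\\\\", "\\")
            paths.setdefault(dll.lower(), dll)  # case-insensitive dedupe (SysWOW64 vs SysWow64)
    return [paths[k] for k in sorted(paths) if k.endswith((".exe", ".dll"))]


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    for name, (clsid, dlls) in persistence_chain(rows).items():
        print(f"SSODL '{name}' -> {clsid} -> {len(dlls)} DLL(s): {dlls}")
    print("drop chain:", " -> ".join(drop_chain(rows, SAMPLE)))
    print("file IOCs:", dropped_iocs(rows))
```

Run against the full tables rather than this subset and the DLL list grows to every name in the "Modifies registry class" table, which is the point: a file-hash or file-name indicator for one DLL misses the next run. On a live host the equivalent check is to read both ShellServiceObjectDelayLoad keys (native and Wow6432Node), resolve each value's CLSID to its InProcServer32 default value, and treat any DLL outside the OS baseline, or any unsigned DLL, as suspect.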
Suspicious use of WriteProcessMemory
Processes
Each row pairs a process image path with the command line it was started with. Every dropped copy is launched through the C:\Windows\system32\ path, but the processes are 32-bit (they write under Wow6432Node and into SysWOW64), so WoW64 file-system redirection resolves that path to C:\Windows\SysWOW64\, which is why the two columns differ for every copy.
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe | "C:\Users\Admin\AppData\Local\Temp\642e688f22e19beabc93ef244ff8c4a6176c5928d02aa8102864ace48d0bc0c9.exe" |
| C:\Windows\SysWOW64\Ibagcc32.exe | C:\Windows\system32\Ibagcc32.exe |
| C:\Windows\SysWOW64\Iabgaklg.exe | C:\Windows\system32\Iabgaklg.exe |
| C:\Windows\SysWOW64\Ibccic32.exe | C:\Windows\system32\Ibccic32.exe |
| C:\Windows\SysWOW64\Ifopiajn.exe | C:\Windows\system32\Ifopiajn.exe |
| C:\Windows\SysWOW64\Iinlemia.exe | C:\Windows\system32\Iinlemia.exe |
| C:\Windows\SysWOW64\Jjmhppqd.exe | C:\Windows\system32\Jjmhppqd.exe |
| C:\Windows\SysWOW64\Jmkdlkph.exe | C:\Windows\system32\Jmkdlkph.exe |
| C:\Windows\SysWOW64\Jbhmdbnp.exe | C:\Windows\system32\Jbhmdbnp.exe |
| C:\Windows\SysWOW64\Jfdida32.exe | C:\Windows\system32\Jfdida32.exe |
| C:\Windows\SysWOW64\Jibeql32.exe | C:\Windows\system32\Jibeql32.exe |
| C:\Windows\SysWOW64\Jjbako32.exe | C:\Windows\system32\Jjbako32.exe |
| C:\Windows\SysWOW64\Jmpngk32.exe | C:\Windows\system32\Jmpngk32.exe |
| C:\Windows\SysWOW64\Jbmfoa32.exe | C:\Windows\system32\Jbmfoa32.exe |
| C:\Windows\SysWOW64\Jigollag.exe | C:\Windows\system32\Jigollag.exe |
| C:\Windows\SysWOW64\Jdmcidam.exe | C:\Windows\system32\Jdmcidam.exe |
| C:\Windows\SysWOW64\Jkfkfohj.exe | C:\Windows\system32\Jkfkfohj.exe |
| C:\Windows\SysWOW64\Kaqcbi32.exe | C:\Windows\system32\Kaqcbi32.exe |
| C:\Windows\SysWOW64\Kbapjafe.exe | C:\Windows\system32\Kbapjafe.exe |
| C:\Windows\SysWOW64\Kkihknfg.exe | C:\Windows\system32\Kkihknfg.exe |
| C:\Windows\SysWOW64\Kdaldd32.exe | C:\Windows\system32\Kdaldd32.exe |
| C:\Windows\SysWOW64\Kgphpo32.exe | C:\Windows\system32\Kgphpo32.exe |
| C:\Windows\SysWOW64\Kaemnhla.exe | C:\Windows\system32\Kaemnhla.exe |
| C:\Windows\SysWOW64\Kphmie32.exe | C:\Windows\system32\Kphmie32.exe |
| C:\Windows\SysWOW64\Kbfiep32.exe | C:\Windows\system32\Kbfiep32.exe |
| C:\Windows\SysWOW64\Kknafn32.exe | C:\Windows\system32\Kknafn32.exe |
| C:\Windows\SysWOW64\Kmlnbi32.exe | C:\Windows\system32\Kmlnbi32.exe |
| C:\Windows\SysWOW64\Kdffocib.exe | C:\Windows\system32\Kdffocib.exe |
| C:\Windows\SysWOW64\Kcifkp32.exe | C:\Windows\system32\Kcifkp32.exe |
| C:\Windows\SysWOW64\Kkpnlm32.exe | C:\Windows\system32\Kkpnlm32.exe |
| C:\Windows\SysWOW64\Kajfig32.exe | C:\Windows\system32\Kajfig32.exe |
| C:\Windows\SysWOW64\Liekmj32.exe | C:\Windows\system32\Liekmj32.exe |
| C:\Windows\SysWOW64\Lalcng32.exe | C:\Windows\system32\Lalcng32.exe |
| C:\Windows\SysWOW64\Lpocjdld.exe | C:\Windows\system32\Lpocjdld.exe |
| C:\Windows\SysWOW64\Ldkojb32.exe | C:\Windows\system32\Ldkojb32.exe |
| C:\Windows\SysWOW64\Lcmofolg.exe | C:\Windows\system32\Lcmofolg.exe |
| C:\Windows\SysWOW64\Liggbi32.exe | C:\Windows\system32\Liggbi32.exe |
| C:\Windows\SysWOW64\Lcpllo32.exe | C:\Windows\system32\Lcpllo32.exe |
| C:\Windows\SysWOW64\Lijdhiaa.exe | C:\Windows\system32\Lijdhiaa.exe |
| C:\Windows\SysWOW64\Lpcmec32.exe | C:\Windows\system32\Lpcmec32.exe |
| C:\Windows\SysWOW64\Lgneampk.exe | C:\Windows\system32\Lgneampk.exe |
| C:\Windows\SysWOW64\Lpfijcfl.exe | C:\Windows\system32\Lpfijcfl.exe |
| C:\Windows\SysWOW64\Ldaeka32.exe | C:\Windows\system32\Ldaeka32.exe |
| C:\Windows\SysWOW64\Ljnnch32.exe | C:\Windows\system32\Ljnnch32.exe |
| C:\Windows\SysWOW64\Lphfpbdi.exe | C:\Windows\system32\Lphfpbdi.exe |
| C:\Windows\SysWOW64\Lgbnmm32.exe | C:\Windows\system32\Lgbnmm32.exe |
| C:\Windows\SysWOW64\Mjqjih32.exe | C:\Windows\system32\Mjqjih32.exe |
| C:\Windows\SysWOW64\Mdfofakp.exe | C:\Windows\system32\Mdfofakp.exe |
| C:\Windows\SysWOW64\Mciobn32.exe | C:\Windows\system32\Mciobn32.exe |
| C:\Windows\SysWOW64\Mkpgck32.exe | C:\Windows\system32\Mkpgck32.exe |
| C:\Windows\SysWOW64\Mnocof32.exe | C:\Windows\system32\Mnocof32.exe |
| C:\Windows\SysWOW64\Mpmokb32.exe | C:\Windows\system32\Mpmokb32.exe |
| C:\Windows\SysWOW64\Mkbchk32.exe | C:\Windows\system32\Mkbchk32.exe |
| C:\Windows\SysWOW64\Mnapdf32.exe | C:\Windows\system32\Mnapdf32.exe |
| C:\Windows\SysWOW64\Mgidml32.exe | C:\Windows\system32\Mgidml32.exe |
| C:\Windows\SysWOW64\Mjhqjg32.exe | C:\Windows\system32\Mjhqjg32.exe |
| C:\Windows\SysWOW64\Mpaifalo.exe | C:\Windows\system32\Mpaifalo.exe |
| C:\Windows\SysWOW64\Mjjmog32.exe | C:\Windows\system32\Mjjmog32.exe |
| C:\Windows\SysWOW64\Mpdelajl.exe | C:\Windows\system32\Mpdelajl.exe |
| C:\Windows\SysWOW64\Mgnnhk32.exe | C:\Windows\system32\Mgnnhk32.exe |
| C:\Windows\SysWOW64\Njljefql.exe | C:\Windows\system32\Njljefql.exe |
| C:\Windows\SysWOW64\Ngpjnkpf.exe | C:\Windows\system32\Ngpjnkpf.exe |
| C:\Windows\SysWOW64\Njogjfoj.exe | C:\Windows\system32\Njogjfoj.exe |
| C:\Windows\SysWOW64\Nqiogp32.exe | C:\Windows\system32\Nqiogp32.exe |
| C:\Windows\SysWOW64\Ngcgcjnc.exe | C:\Windows\system32\Ngcgcjnc.exe |
| C:\Windows\SysWOW64\Njacpf32.exe | C:\Windows\system32\Njacpf32.exe |
| C:\Windows\SysWOW64\Nnmopdep.exe | C:\Windows\system32\Nnmopdep.exe |
| C:\Windows\SysWOW64\Ncihikcg.exe | C:\Windows\system32\Ncihikcg.exe |
| C:\Windows\SysWOW64\Nkqpjidj.exe | C:\Windows\system32\Nkqpjidj.exe |
| C:\Windows\SysWOW64\Njcpee32.exe | C:\Windows\system32\Njcpee32.exe |
| C:\Windows\SysWOW64\Nqmhbpba.exe | C:\Windows\system32\Nqmhbpba.exe |
| C:\Windows\SysWOW64\Ncldnkae.exe | C:\Windows\system32\Ncldnkae.exe |
| C:\Windows\SysWOW64\Nkcmohbg.exe | C:\Windows\system32\Nkcmohbg.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4024 -ip 4024 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 408 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
memory/3380-0-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3380-1-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Ibagcc32.exe
| MD5 | da8a66cf087a9cb44fe0d56194ad13b1 |
| SHA1 | 966f1018ccd8a50cb4f4835bac3f227cd578d830 |
| SHA256 | 8911a6fac838a0db0c7677ec2e7e256c0a0013f257eb670e98b395fd105c938b |
| SHA512 | d6ee8e6ff62f831ce7b299ddcb1cbee5e1266a50cc5114ed5e484f32477a49ce36108ea74936b46ef44aaca43c51567ea4414eab0cfafbe9006d2dd15a86587f |
memory/4004-9-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Iabgaklg.exe
| MD5 | 610df322211ea13d3da0c66782155152 |
| SHA1 | 17ac471b88c996fd6add72468c7209bd95ede4b8 |
| SHA256 | 373ddfadd4aa4fae825c1d6afb6504cd0a420fd4bc639fc88be187ab780bb993 |
| SHA512 | d37aca6b3467845dd6f6ef4b5a75a63ab32da885af5a3118140eec6a0f5ff3cd75701e47fc0dfd2a9e746a70280e618b0b78a4cedbbeb4cfb186be6fe043c475 |
memory/3052-17-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ibccic32.exe
| MD5 | 1be01c5e1e4f5dfd6b8c2a68bd6cbc36 |
| SHA1 | 40cf22d2b278e752f67416db8e6dad926a9c5761 |
| SHA256 | febb024d756e0204d52cf24cdae6306777151f04cfa6f038ff800e071f5e1a35 |
| SHA512 | 173b49f3f08de3bbd3ef22ec0a793f4a64ffcd1eff6aa9be27b90efd8f2a348fb05effa6af67abf4346ab82b1bcd9e2eb511e213089520d6579f7b6d0d519f05 |
memory/2520-25-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Ifopiajn.exe
| MD5 | 44bc04f6cd097a58b1d474447cf23727 |
| SHA1 | a5546a426e134ee058ddd514d33f3faab5679d43 |
| SHA256 | aeafe09fd43025aa50d28f63b1d63aeeeb895b3ff210bd1796d3d0a9f5b7e5ab |
| SHA512 | 1707721f661ecc890fc2f6df90367e8739ce3de0b095b1e8864d87cd3e94963780e97a005fa676757fffa09fd010bd348c855c676410d1464e0e9153c97778a3 |
memory/2820-37-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Iinlemia.exe
| MD5 | e712667152e6fc6700c5abd29a4d5f3a |
| SHA1 | 29dd8f0d37e6099cbfa1725c6942aea3adfb1f19 |
| SHA256 | dd145b047355b586fea8f6540858fd9ef5fdde9a97697d46bb1307295eb5657d |
| SHA512 | 7eb503965a837df39c951b8e85586f64f6eb8d40505c0adfbbfec1c6f76f50a1768deb1df162c23e67966f6cde3f353e668a68cbc4de9993a7bc751d6ce0ff74 |
memory/3100-41-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jjmhppqd.exe
| MD5 | 4ff554b976ccdcfc47eaf0bcb42b76b7 |
| SHA1 | 525b6bd66f2ea8449a8059ec77ca5a59a2593759 |
| SHA256 | 6e7a5dc2d00d2e45c337e3de0df682547279c7ad84e278583c435a317c2a451a |
| SHA512 | 6303d4ea1bdd6aafe90f323681b0ad02e2bd6acbece578e9b9425aa246e418a6d197a553d7d46a2d425381ba6e9dac719086ed0224382710cb96dd541a02a193 |
memory/3888-48-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jmkdlkph.exe
| MD5 | 0e0dc85e64b0972c3f85d6dd7f46dc5d |
| SHA1 | a691ae202cbb87e18a165c5b8693d15d3b06d3e2 |
| SHA256 | 4c136a2578317935ecb820885bb51f41e6f3c8ecc38ec72dafc0c8d93b42f172 |
| SHA512 | 253d402037364f94222395b3db21375e14c210633f31e882d11ed38dae5580162973f904cad660da6cdeb32a415560b02ec46cb4a360c9ebcd134a0ad3601252 |
memory/2808-56-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jbhmdbnp.exe
| MD5 | 20053c46fa4cad4a34ba5e5934881dd3 |
| SHA1 | f259ab1ba6555c02da1df18119d3a1970ab547d2 |
| SHA256 | f29a7e43f04c7917c0a8f1fda7cd18b0d2c92d4b6b7dd60dbd5d0c8e3df081b6 |
| SHA512 | de87414948669cce350b4ba2d7315428db15de0e743410d05e4d9cf26e0f81457befdad17f00010cbc9da27206ac2b864cc84a8db5a08bbeb05c088d6c17c257 |
memory/2396-65-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jfdida32.exe
| MD5 | 535bebc67dd8588dee085c4cfc02e00e |
| SHA1 | f5e35ad0da9806e21048e22b7688aa82f91b5436 |
| SHA256 | a23272c5dcb83b3186aeed2bab1dd73971ae0ab155fd198c67ee2c61a02453ba |
| SHA512 | 727ead23d888b56e9e99d6d224c7e43b968bb5d4d9b2fad22d151e6acb5e9189b1d20021797a39c0b9fcd27f2dfde6b6cd6417f0b0e47f02f348c95f103faf60 |
memory/3380-73-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4988-74-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jibeql32.exe
| MD5 | 4cedd9310c8a90f49923fa33b54b40dd |
| SHA1 | 307212fc0426ae8398019322d73c7decdd0c5314 |
| SHA256 | 047f3fb4e82842329f0340ded1d26b59503c116979cf3ed0c9b5fa9a5b113430 |
| SHA512 | a7de91e9b0dc25f689e93f5d654a12e93f44c2775a25caa9c3e678be6fae04f73410b497e1aa0519e04efff390b08bfdcc87a9e0a4f596a2f909e270c329ee6a |
memory/884-82-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jjbako32.exe
| MD5 | 1d8e3931b2daef97edf2ced6ad1c8671 |
| SHA1 | 15643385e613152ee9fecca12dacadd196458c07 |
| SHA256 | 37ee2bb938dac62a1f046c51a6b039ff4f7f92bbaca9008b3b49394a63874173 |
| SHA512 | 6f4393489d76279a564572d665fcdd0f9a5568a87537c99c348494921c596f4fc63b0e16d182994ac802df3acef4188015a0e253a114c79d4eb22ecf3ebd59e0 |
memory/4004-90-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1516-91-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jmpngk32.exe
| MD5 | 6586733f648e93aa1dd728c04a2db825 |
| SHA1 | d46e1916b5d77221f1287451098ec819cfb01170 |
| SHA256 | dd01a4128e46e05e2e794c4cf41e40080faa6b5c3adc3e82fdc241940544f942 |
| SHA512 | 5fcd79151ec0f3150bdf2a6aa727771c46c972fb4867562989c29b23f51cedd8429c703d72caf3bff929b4c56ae8f24b6b8ef76e4373c4595944f77da1bb6d5f |
memory/3052-99-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4132-100-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jbmfoa32.exe
| MD5 | 353951728ae3620711fd5d1c2cff4d29 |
| SHA1 | c2dfd2f3e8ccc741254560940dbd96134f154ae6 |
| SHA256 | 45baf3c7334a4ccfabae4b56692d357819e1342e941f6cacb5e06c87c42dfedc |
| SHA512 | e73c4c9bf16707ebddc5c65bfc051f46f035a4dd0728c205b2a7e86a33603656da5c2e643cd0e52455a2557c5317bf0fce1474f8ce3ed47665a2deb7843d11c0 |
memory/2520-107-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3684-108-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jigollag.exe
| MD5 | 6ff68a9993fdd0d696ad37bdd9359c20 |
| SHA1 | 1ed8151c80f4e18b8dac9d1c9fd5c340457beea3 |
| SHA256 | 5cc31a5151b32b10358cd6122d6ba3dbe1e9815e3842849aac1790c2bccb9a03 |
| SHA512 | e0b081d558603af04805a532e194d67bf8d845d3caa208eefa8c639f148a266f973311f0819c074d6ed743ad374b693d7eaa5ebbdb68d443d1c8f76ec0f62aa3 |
memory/1260-117-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3100-125-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jdmcidam.exe
| MD5 | 17aae0db44ba80975c9d50de04bf6a64 |
| SHA1 | 05139d50f379c60a5709dd9b203844839cac0444 |
| SHA256 | 8dd52167701b350977862bbdd19e2832cc456728b497ea2a57ecdcb19d14a3a7 |
| SHA512 | 69704097c87e8c4c750ba322f933c8956cd781751b086fc6fa8ff7586cc0e47b1f5ba067d31603f68f21128eaa26a07fb93c41fbab2e083f4db602e673db26b9 |
memory/5056-126-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Jkfkfohj.exe
| MD5 | 5492c6ef864bfce1ce6e918543d2827a |
| SHA1 | b455baf3cd55ee007bf9ed6c28fc12a79b060dd8 |
| SHA256 | d97c106e327c0760f16b32609cd3056da3b5fd88b7b36565acd2ed9ade3555f1 |
| SHA512 | 58edd580901ed00c743c2ab37fd2408028e0f887fa649bea555ddcdf3e09a4d2336e802aa9432392c1d1887bc69bcdd73b8ed0e196335b9ac0e05630d769a6a2 |
memory/3888-134-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1932-135-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kaqcbi32.exe
| MD5 | 8b0836db93fd6652a48d83d476068c42 |
| SHA1 | 73fc74ed70df223d123f7b75ce63c2cfb8cf0a76 |
| SHA256 | c0d3b80e409095487f71d07eeca79d4b003c5da98cdbe56e23efe8ae44f06b69 |
| SHA512 | fc8082930cbb9b4b391a906ab3159db5ff057a4ae1c4c087aa4759608d1cc014f5e877f763c32b313ddc90ee797c3b9ebfdcf4d78006549929c0f912244e0d93 |
memory/3536-144-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2808-143-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kbapjafe.exe
| MD5 | 9f75a7ff5521ddbb4c2ed3fb1b01bcef |
| SHA1 | e962cdfc9a51e4cde88cbf66f4a6c8934285e0c6 |
| SHA256 | 563491bc6c07b80cf96a94bef3a54f1bc6aa6264c163e42e99ba885f90756b1f |
| SHA512 | dded0ab3bb1fc56804faee29c036fbba9926c277b9950b353828a09bb2b56ec1a0017a3bd39bf31d0ae12ae88b15c80991beb26c1af795d2f60cda051e6268b0 |
memory/1548-152-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2396-151-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kkihknfg.exe
| MD5 | b95f56df9827b92debe6c3f547f49c87 |
| SHA1 | 79c59e0aacbddea762160f228fe26f0b05189651 |
| SHA256 | d5927feb57e6e26eda9e57a069067d3c11a2a98d084e2fdbb00064618b4c675a |
| SHA512 | 7fb6e0fe9ef0f609bf192d12d059cca9e0efb49bf31c5ec786634419478429ca11334f5fae019b1834d2cd22f774933dec0af98b1f537261c9cb087c8eff0c94 |
memory/4988-161-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3884-162-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kdaldd32.exe
| MD5 | e374930ceecc07a2822f615b8f0166fc |
| SHA1 | dca5b03f69f82331b14ac117f091d828d79f1291 |
| SHA256 | 4fae8afc362a0252388ef6b9aaa80bd980c677a56a821dee06ca2cf06fc331d6 |
| SHA512 | 8479797433bd6b1a16b05df624a32c65d8a47920f15d71ac6708d87e4d723d4c961ccc7e1f75fc9ff54e2d79846ecda1dba0c9df09760a969b67edb0a20585fe |
memory/1628-171-0x0000000000400000-0x0000000000441000-memory.dmp
memory/884-170-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kgphpo32.exe
| MD5 | 2977692ca5b9c147f27f3ce7ebdafa6a |
| SHA1 | 2fe817c2195ec2a7e5edb051b68a922fee369291 |
| SHA256 | 45541e61d8dc2c0fad5906c9017b0fb07b5b9d07077d7f0e9bd45781a48785b9 |
| SHA512 | 167163a84918d51b8d3900608cf4c9bbe3a7f3d6b962c03242dadd4f3baa81b246e8d21540641b36152cc5f6cc445d294eb5a37f454a60c88e1608aea21988a0 |
C:\Windows\SysWOW64\Kaemnhla.exe
| MD5 | bd978624354a2df79658d25e14083a40 |
| SHA1 | bd4fb4914f14a755cefbd8b20d9c0acc85ebee7c |
| SHA256 | 4af29722034162b1e809971dfb9afe8a43d4dedffc1f95e321156868df6bbfa6 |
| SHA512 | 20f08416c8771c1567a19f79ed2c4f51da1939baeb816e384976739fcb32a54fd4c92744aeb0add283d8ee28a7ea47ec4fe12a4cb3f19656e30bee0e8ae6230f |
memory/1388-192-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3980-202-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kbfiep32.exe
| MD5 | a4d31ef50ddbb9628b634567fa6921a8 |
| SHA1 | ee2488070bd15f6281690e5d510b5a47122e64a5 |
| SHA256 | d1045a6d615dcabc711d4b3d0586f560d6d35a9d034fd374da87c0df0cc29b73 |
| SHA512 | d095b088a45887ed2c679a057baccf0fca9f190595a5fd62064c371aa9921ac73bb2e04b143fa11a5e05ead914b41af61aa6fbf7fae668d62c9c936c6535cea9 |
memory/3068-206-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kmlnbi32.exe
| MD5 | adc4c39be85ba01042799982c7232a7d |
| SHA1 | 343c3ce5112da6adbd588ae8ba548ebfae0d4539 |
| SHA256 | 105f7eeed9b2be3bb8e49ac5a56ed28a4f338b69e78e10eb1df2360cc6d65b7d |
| SHA512 | f743b8f3d26dabb0c4d4ea45232b86af50a5f493367425cc8d4cc96a9fafdc6b0b33caa56d16985a9433626084e752d961b72499d5d7ca8695616047fee05d1c |
C:\Windows\SysWOW64\Kdffocib.exe
| MD5 | ca690cb66535ab2be844be4c789b91aa |
| SHA1 | 952d13a3a1be85707e81928ccb63f8cc3af72269 |
| SHA256 | c944a925f40db4be4075a83e11c917e34e62b387a478a7b96eedf22a24ca4a2c |
| SHA512 | 878b2206753c26cc701c60ae984754d67bc78d35aec4c38e663be150829cfce7edc2c8d1c4b004902079935a39b5549ef27392b458fb36b113fb98eb4d31d525 |
memory/5056-242-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1932-252-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kajfig32.exe
| MD5 | 38a1fe276b326dcb22d633f41e9caa1d |
| SHA1 | 91d23c19eec831ed57f57b4a1a01ed1e9be957e4 |
| SHA256 | 4488f4b3570df61a81f62447223b83be0acea2801e28636c66b1fe88c288c39c |
| SHA512 | 1259e9c1b8330dfbb13f44b5e07cbd2fbf64136ef8ae19efb83dd75c1e16ccb3e1e758ef427544cefe5e51786ff4aa07d1094cb51aa4d8a474bf634466ec2482 |
memory/3692-253-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kkpnlm32.exe
| MD5 | 1290ebe60b31baffbecfcba339277983 |
| SHA1 | 7d7992d197c328efc80032fb778a09edf4094aba |
| SHA256 | 73e103613fe8c302dee707e61c80d4c43cc70cc43d2d4ae72d79704758a969d2 |
| SHA512 | a158251915c5f3810bbe968cb93b03008ffb55eb5c1efb77ca4e7339aa332b1fb0c4fd1fd7895b63268575f2424082932dd8430a77934faca369fdf84f517183 |
C:\Windows\SysWOW64\Lalcng32.exe
| MD5 | 7d74cdf603b1a4f4eff21632b67ad1e1 |
| SHA1 | 50f0b40a3c9416d911f6ebe11f0263babd8b36ca |
| SHA256 | 4a87037e77b1cb25b17ab199bab8bee74604bdaf6a051547ec24c8a79346e989 |
| SHA512 | 56793c88067177d048c15874a8b119f0c934dbe46f29fa8e2f7e31aa0300382f91d5ca7abae9fd364f27f22801c495fe61e2873ddbfb5d32ba7c2bfcf1cd43cd |
memory/1584-291-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3112-290-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1548-297-0x0000000000400000-0x0000000000441000-memory.dmp
memory/116-298-0x0000000000400000-0x0000000000441000-memory.dmp
memory/436-289-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4332-288-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1996-287-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3120-300-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3884-299-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3536-285-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Liekmj32.exe
| MD5 | df4bf8098ed707fd16a4ecbee8c34b9d |
| SHA1 | 8568ca4dc3f47096f6aa2d5e82e75706d6963916 |
| SHA256 | c90eed5192a729f44514802f686445b56ab3ab19bdc7200f6b467783ea793aae |
| SHA512 | 7e4a57080ad847d3e18e33129b4c6a90ad2e40c177403babaea39d0e4c9ec32eba9fa2b7d63e6f17c6bbaeaa40ff205eb957a414949c7bbf3a36bc3c02ff4466 |
memory/4416-245-0x0000000000400000-0x0000000000441000-memory.dmp
memory/456-244-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1976-243-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kcifkp32.exe
| MD5 | 9c2f9f8c7e078a7c9cfb1f6ab9616b61 |
| SHA1 | ea4e6a4c008a5bc2f2daf1e00725ead9209386ce |
| SHA256 | 7f75e1f02b288604b7f274d188df2a315691f402fc431b0c7bd6352ce87fc296 |
| SHA512 | d30874a97739c411ce61ac0a8691e7cd17c009e8c81b7d95c24ca17e595418739104d427e67867a2cb8fcba269194039482a627c682439a7326f4bd2494c08b8 |
memory/2032-220-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1260-219-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kknafn32.exe
| MD5 | cc5a87e4dc6bc71e055dbf972269e7d2 |
| SHA1 | d85b9d4abf92ccb7833a583e6d8c41355cd8ba91 |
| SHA256 | 82157ff781618566f7dcd5985179282ab26642c28e40ea05e07f2f70f5b3c3a4 |
| SHA512 | 55d258dec28ed4fa5259044183fc812fc5e481f4c3293822640a8ada118d6803c86468b94df0fd3fdb8344fd2154f0a0491a43d96e12bfd676ab92f3dd958d70 |
memory/3684-205-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4132-201-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Kphmie32.exe
| MD5 | 237bf150ba3163bb30c96c39eed18518 |
| SHA1 | 32ebef0a1450e801e1d573aca0b2ac5deb3bf13b |
| SHA256 | 1a44425670583a95d2d55c2898f1b9dd61594044756426c7629972b510b0237d |
| SHA512 | 745900c72c9d398d288416e75a3e3083b7c04717b6055dfc75201fd3500195f0bc8951ecc1e4493fcb6a20d5a532072499fa657c0626a1cd483ec18fd1a2aca2 |
memory/1492-195-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1516-191-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1628-310-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2540-312-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1936-313-0x0000000000400000-0x0000000000441000-memory.dmp
memory/372-319-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Lgneampk.exe
| MD5 | 552e02560754294d0bc4ada358f79f20 |
| SHA1 | 821ace64aac53c9664652c29dc6ea23416b08d99 |
| SHA256 | 49efd8a0ce3d3e7595997be1f40c3b6d098fcff379da389598052d6fbc759ffc |
| SHA512 | 32131f59af0f10c421bf8d7677bffcfe3b4cf0e253b00cc9d5e249b67c56e53de2b3b8dc7b532c7c08e779615d9a200121b59efa11faf948a8b457d9338a89c7 |
memory/4796-326-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3068-325-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1008-332-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4408-338-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2700-348-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1656-350-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1528-356-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1692-363-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3120-362-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3180-373-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1936-376-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3708-380-0x0000000000400000-0x0000000000441000-memory.dmp
memory/372-382-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4008-383-0x0000000000400000-0x0000000000441000-memory.dmp
memory/924-390-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4796-389-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4592-397-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1008-396-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2800-408-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4408-403-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1280-411-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2700-410-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1952-418-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1656-417-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4532-425-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1528-424-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3264-432-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1692-431-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3784-438-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1016-444-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4008-450-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3364-451-0x0000000000400000-0x0000000000441000-memory.dmp
memory/1588-458-0x0000000000400000-0x0000000000441000-memory.dmp
memory/924-457-0x0000000000400000-0x0000000000441000-memory.dmp
memory/4592-464-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Windows\SysWOW64\Nqiogp32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Njcpee32.exe
| MD5 | b95aa43b666b7d9ef8f53c1358a8bd09 |
| SHA1 | 414ac1ee2576725550dcaf23aab11eaf9d63be84 |
| SHA256 | b3b5380799f9df94a4dc48147e9780b15bd13e53db73cb57a27ef0b777b6e791 |
| SHA512 | c8a1ef933d4f80428b50e61e417c26f18cbb31199a41cff192e666802bf6783567598911d9fb9e3a1db61b61f6df9d1a65351b755064f37f4eafb23b4d816b75 |