Analysis Overview
SHA256
bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8
Threat Level: Known bad
The file bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8 was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-14 03:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-14 03:33
Reported: 2024-06-14 03:36
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 122s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gangic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghhofmql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjlhneio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlhaqogk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hellne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ilknfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gdopkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gangic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gdopkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fpfdalii.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fhkpmjln.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghhofmql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Ffbicfoc.exe | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fiaeoang.exe | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghfbqn32.exe | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| File created | C:\Windows\SysWOW64\Gangic32.exe | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gangic32.exe | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpajnpao.dll | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhfkbo32.dll | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojhcelga.dll | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhggeddb.dll | C:\Windows\SysWOW64\Fhkpmjln.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gicbeald.exe | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gmgdddmq.exe | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gogangdc.exe | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| File created | C:\Windows\SysWOW64\Anllbdkl.dll | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbdqmghm.exe | C:\Windows\SysWOW64\Fpfdalii.exe | N/A |
| File created | C:\Windows\SysWOW64\Qhbpij32.dll | C:\Windows\SysWOW64\Gdopkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdpfph32.dll | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgnijonn.dll | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| File created | C:\Windows\SysWOW64\Inljnfkg.exe | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Globlmmj.exe | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Goddhg32.exe | C:\Windows\SysWOW64\Gdopkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Polebcgg.dll | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| File created | C:\Windows\SysWOW64\Ieqeidnl.exe | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gdopkn32.exe | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Icbimi32.exe | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Filldb32.exe | C:\Windows\SysWOW64\Fhkpmjln.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghfbqn32.exe | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gpmjak32.exe | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldahol32.dll | C:\Windows\SysWOW64\Gangic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnnclg32.dll | C:\Windows\SysWOW64\Ghhofmql.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ioijbj32.exe | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ilknfn32.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gmjaic32.exe | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hdhbam32.exe | C:\Windows\SysWOW64\Hlakpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Khejeajg.dll | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjjddchg.exe | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Inljnfkg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Inljnfkg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghhofmql.exe | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| File created | C:\Windows\SysWOW64\Goddhg32.exe | C:\Windows\SysWOW64\Gdopkn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlhaqogk.exe | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| File created | C:\Windows\SysWOW64\Nfmjcmjd.dll | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fhkpmjln.exe | C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikkbnm32.dll | C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fjlhneio.exe | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gbijhg32.exe | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqiqnfej.dll | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipjchc32.dll | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| File created | C:\Windows\SysWOW64\Gicbeald.exe | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| File created | C:\Windows\SysWOW64\Phofkg32.dll | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fphafl32.exe | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| File created | C:\Windows\SysWOW64\Qlidlf32.dll | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| File created | C:\Windows\SysWOW64\Fphafl32.exe | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| File created | C:\Windows\SysWOW64\Fndldonj.dll | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlakpp32.exe | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlidlf32.dll" | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll" | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fhkpmjln.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fddmgjpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Inljnfkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll" | C:\Windows\SysWOW64\Gdamqndn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll" | C:\Windows\SysWOW64\Ghhofmql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chhpdp32.dll" | C:\Windows\SysWOW64\Gldkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fpfdalii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hdfflm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fpfdalii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fbdqmghm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll" | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll" | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fjlhneio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncnkh32.dll" | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hellne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" | C:\Windows\SysWOW64\Gogangdc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gicbeald.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe
"C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe"
C:\Windows\SysWOW64\Fhkpmjln.exe
C:\Windows\system32\Fhkpmjln.exe
C:\Windows\SysWOW64\Filldb32.exe
C:\Windows\system32\Filldb32.exe
C:\Windows\SysWOW64\Fmhheqje.exe
C:\Windows\system32\Fmhheqje.exe
C:\Windows\SysWOW64\Fpfdalii.exe
C:\Windows\system32\Fpfdalii.exe
C:\Windows\SysWOW64\Fbdqmghm.exe
C:\Windows\system32\Fbdqmghm.exe
C:\Windows\SysWOW64\Fjlhneio.exe
C:\Windows\system32\Fjlhneio.exe
C:\Windows\SysWOW64\Fmjejphb.exe
C:\Windows\system32\Fmjejphb.exe
C:\Windows\SysWOW64\Fphafl32.exe
C:\Windows\system32\Fphafl32.exe
C:\Windows\SysWOW64\Fddmgjpo.exe
C:\Windows\system32\Fddmgjpo.exe
C:\Windows\SysWOW64\Ffbicfoc.exe
C:\Windows\system32\Ffbicfoc.exe
C:\Windows\SysWOW64\Fiaeoang.exe
C:\Windows\system32\Fiaeoang.exe
C:\Windows\SysWOW64\Globlmmj.exe
C:\Windows\system32\Globlmmj.exe
C:\Windows\SysWOW64\Gpknlk32.exe
C:\Windows\system32\Gpknlk32.exe
C:\Windows\SysWOW64\Gbijhg32.exe
C:\Windows\system32\Gbijhg32.exe
C:\Windows\SysWOW64\Gicbeald.exe
C:\Windows\system32\Gicbeald.exe
C:\Windows\SysWOW64\Ghfbqn32.exe
C:\Windows\system32\Ghfbqn32.exe
C:\Windows\SysWOW64\Gpmjak32.exe
C:\Windows\system32\Gpmjak32.exe
C:\Windows\SysWOW64\Gbkgnfbd.exe
C:\Windows\system32\Gbkgnfbd.exe
C:\Windows\SysWOW64\Gangic32.exe
C:\Windows\system32\Gangic32.exe
C:\Windows\SysWOW64\Gejcjbah.exe
C:\Windows\system32\Gejcjbah.exe
C:\Windows\SysWOW64\Ghhofmql.exe
C:\Windows\system32\Ghhofmql.exe
C:\Windows\SysWOW64\Gldkfl32.exe
C:\Windows\system32\Gldkfl32.exe
C:\Windows\SysWOW64\Gobgcg32.exe
C:\Windows\system32\Gobgcg32.exe
C:\Windows\SysWOW64\Gbnccfpb.exe
C:\Windows\system32\Gbnccfpb.exe
C:\Windows\SysWOW64\Gaqcoc32.exe
C:\Windows\system32\Gaqcoc32.exe
C:\Windows\SysWOW64\Gdopkn32.exe
C:\Windows\system32\Gdopkn32.exe
C:\Windows\SysWOW64\Goddhg32.exe
C:\Windows\system32\Goddhg32.exe
C:\Windows\SysWOW64\Gmgdddmq.exe
C:\Windows\system32\Gmgdddmq.exe
C:\Windows\SysWOW64\Gdamqndn.exe
C:\Windows\system32\Gdamqndn.exe
C:\Windows\SysWOW64\Gogangdc.exe
C:\Windows\system32\Gogangdc.exe
C:\Windows\SysWOW64\Gmjaic32.exe
C:\Windows\system32\Gmjaic32.exe
C:\Windows\SysWOW64\Hknach32.exe
C:\Windows\system32\Hknach32.exe
C:\Windows\SysWOW64\Hiqbndpb.exe
C:\Windows\system32\Hiqbndpb.exe
C:\Windows\SysWOW64\Hdfflm32.exe
C:\Windows\system32\Hdfflm32.exe
C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\system32\Hcifgjgc.exe
C:\Windows\SysWOW64\Hicodd32.exe
C:\Windows\system32\Hicodd32.exe
C:\Windows\SysWOW64\Hlakpp32.exe
C:\Windows\system32\Hlakpp32.exe
C:\Windows\SysWOW64\Hdhbam32.exe
C:\Windows\system32\Hdhbam32.exe
C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
C:\Windows\SysWOW64\Hiekid32.exe
C:\Windows\system32\Hiekid32.exe
C:\Windows\SysWOW64\Hnagjbdf.exe
C:\Windows\system32\Hnagjbdf.exe
C:\Windows\SysWOW64\Hcnpbi32.exe
C:\Windows\system32\Hcnpbi32.exe
C:\Windows\SysWOW64\Hellne32.exe
C:\Windows\system32\Hellne32.exe
C:\Windows\SysWOW64\Hhjhkq32.exe
C:\Windows\system32\Hhjhkq32.exe
C:\Windows\SysWOW64\Hacmcfge.exe
C:\Windows\system32\Hacmcfge.exe
C:\Windows\SysWOW64\Henidd32.exe
C:\Windows\system32\Henidd32.exe
C:\Windows\SysWOW64\Hjjddchg.exe
C:\Windows\system32\Hjjddchg.exe
C:\Windows\SysWOW64\Hlhaqogk.exe
C:\Windows\system32\Hlhaqogk.exe
C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\system32\Hkkalk32.exe
C:\Windows\SysWOW64\Hogmmjfo.exe
C:\Windows\system32\Hogmmjfo.exe
C:\Windows\SysWOW64\Icbimi32.exe
C:\Windows\system32\Icbimi32.exe
C:\Windows\SysWOW64\Ieqeidnl.exe
C:\Windows\system32\Ieqeidnl.exe
C:\Windows\SysWOW64\Idceea32.exe
C:\Windows\system32\Idceea32.exe
C:\Windows\SysWOW64\Ilknfn32.exe
C:\Windows\system32\Ilknfn32.exe
C:\Windows\SysWOW64\Iknnbklc.exe
C:\Windows\system32\Iknnbklc.exe
C:\Windows\SysWOW64\Ioijbj32.exe
C:\Windows\system32\Ioijbj32.exe
C:\Windows\SysWOW64\Inljnfkg.exe
C:\Windows\system32\Inljnfkg.exe
C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 140
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 03:33
Reported
2024-06-14 03:36
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kajfig32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Majopeii.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibojncfj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kibnhjgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbdmpqcb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lddbqa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iabgaklg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ifopiajn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jdcpcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kinemkko.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idofhfmm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgghhlhq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgdbkohf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmqgnhmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcpllo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lddbqa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jdcpcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ipegmg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmlnbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Idofhfmm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lnjjdgee.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdiklqhm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdopod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpepcedo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kipabjil.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lijdhiaa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Majopeii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jjpeepnb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ipegmg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Laciofpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ipqnahgf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jplmmfmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lcpllo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjmhppqd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdiklqhm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Imihfl32.exe | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Mgnnhk32.exe | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Imbaemhc.exe | C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe | N/A |
| File created | C:\Windows\SysWOW64\Jidbflcj.exe | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcifkp32.exe | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fibjjh32.dll | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| File created | C:\Windows\SysWOW64\Bclgpkgk.dll | C:\Windows\SysWOW64\Ijhodq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qnoaog32.dll | C:\Windows\SysWOW64\Jjmhppqd.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgneampk.exe | C:\Windows\SysWOW64\Laalifad.exe | N/A |
| File created | C:\Windows\SysWOW64\Lppaheqp.dll | C:\Windows\SysWOW64\Jigollag.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lpappc32.exe | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngpjnkpf.exe | C:\Windows\SysWOW64\Nqfbaq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Majknlkd.dll | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncihikcg.exe | C:\Windows\SysWOW64\Nqklmpdd.exe | N/A |
| File created | C:\Windows\SysWOW64\Imgkql32.exe | C:\Windows\SysWOW64\Ijhodq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdcpcf32.exe | C:\Windows\SysWOW64\Imihfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jigollag.exe | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcmofolg.exe | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnfmbf32.dll | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Opbnic32.dll | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaimbj32.exe | C:\Windows\SysWOW64\Jjpeepnb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojmmkpmf.dll | C:\Windows\SysWOW64\Kpepcedo.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghiqbiae.dll | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nqklmpdd.exe | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mglppmnd.dll | C:\Windows\SysWOW64\Lnjjdgee.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Majopeii.exe | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Maaepd32.exe | C:\Windows\SysWOW64\Mkgmcjld.exe | N/A |
| File created | C:\Windows\SysWOW64\Nklfoi32.exe | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkdeek32.dll | C:\Windows\SysWOW64\Kdopod32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbmfdgkm.dll | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lkdggmlj.exe | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| File created | C:\Windows\SysWOW64\Qekdppan.dll | C:\Windows\SysWOW64\Jidbflcj.exe | N/A |
| File created | C:\Windows\SysWOW64\Laalifad.exe | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lilanioo.exe | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbkhfc32.exe | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| File created | C:\Windows\SysWOW64\Jibpdc32.dll | C:\Windows\SysWOW64\Ifopiajn.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgbefoji.exe | C:\Windows\SysWOW64\Kdcijcke.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kibnhjgj.exe | C:\Windows\SysWOW64\Kgdbkohf.exe | N/A |
| File created | C:\Windows\SysWOW64\Mahbje32.exe | C:\Windows\SysWOW64\Lknjmkdo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjcgohig.exe | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkgmcjld.exe | C:\Windows\SysWOW64\Mcpebmkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Npckna32.dll | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebkdha32.dll | C:\Windows\SysWOW64\Idofhfmm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ggpfjejo.dll | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofdhdf32.dll | C:\Windows\SysWOW64\Kkbkamnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngcgcjnc.exe | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File created | C:\Windows\SysWOW64\Honcnp32.dll | C:\Windows\SysWOW64\Jfffjqdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgpagm32.exe | C:\Windows\SysWOW64\Laciofpa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lphfpbdi.exe | C:\Windows\SysWOW64\Lnjjdgee.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Laalifad.exe | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdemcacc.dll | C:\Windows\SysWOW64\Lnepih32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ljnnch32.exe | C:\Windows\SysWOW64\Lgpagm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbhkac32.exe | C:\Windows\SysWOW64\Njacpf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgllgqcp.dll | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| File created | C:\Windows\SysWOW64\Kilhgk32.exe | C:\Windows\SysWOW64\Kdopod32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmccchkn.exe | C:\Windows\SysWOW64\Lkdggmlj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgengpmj.dll | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nklfoi32.exe | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ngedij32.exe | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnolfdcn.exe | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Imbaemhc.exe | C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdiihjon.dll | C:\Windows\SysWOW64\Kbdmpqcb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbgkjl32.dll | C:\Windows\SysWOW64\Laciofpa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kckbqpnj.exe | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll" | C:\Windows\SysWOW64\Kpjjod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mcpebmkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll" | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jmkdlkph.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kpepcedo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lphfpbdi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nnolfdcn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iiibkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjpeepnb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbmfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iabgaklg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll" | C:\Windows\SysWOW64\Lcpllo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll" | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll" | C:\Windows\SysWOW64\Kbdmpqcb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lddbqa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll" | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll" | C:\Windows\SysWOW64\Mdiklqhm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mcpebmkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll" | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll" | C:\Windows\SysWOW64\Ijhodq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll" | C:\Windows\SysWOW64\Laciofpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngcgcjnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Imdnklfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jdcpcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll" | C:\Windows\SysWOW64\Jbhmdbnp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kaemnhla.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll" | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll" | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ipegmg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kajfig32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll" | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbhkac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ifopiajn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kckbqpnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll" | C:\Windows\SysWOW64\Lpappc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nqfbaq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbhmdbnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll" | C:\Windows\SysWOW64\Kdopod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kilhgk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kipabjil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Imgkql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kcifkp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mgidml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mkgmcjld.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdpalp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kacphh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdcijcke.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kgdbkohf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lilanioo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nklfoi32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe
"C:\Users\Admin\AppData\Local\Temp\bf7748c1c539e109da21d179c56190d74391562b8979c6f5880ea6de72cba5a8.exe"
C:\Windows\SysWOW64\Imbaemhc.exe
C:\Windows\system32\Imbaemhc.exe
C:\Windows\SysWOW64\Ipqnahgf.exe
C:\Windows\system32\Ipqnahgf.exe
C:\Windows\SysWOW64\Ibojncfj.exe
C:\Windows\system32\Ibojncfj.exe
C:\Windows\SysWOW64\Ifjfnb32.exe
C:\Windows\system32\Ifjfnb32.exe
C:\Windows\SysWOW64\Iiibkn32.exe
C:\Windows\system32\Iiibkn32.exe
C:\Windows\SysWOW64\Imdnklfp.exe
C:\Windows\system32\Imdnklfp.exe
C:\Windows\SysWOW64\Idofhfmm.exe
C:\Windows\system32\Idofhfmm.exe
C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
C:\Windows\SysWOW64\Imgkql32.exe
C:\Windows\system32\Imgkql32.exe
C:\Windows\SysWOW64\Iabgaklg.exe
C:\Windows\system32\Iabgaklg.exe
C:\Windows\SysWOW64\Ipegmg32.exe
C:\Windows\system32\Ipegmg32.exe
C:\Windows\SysWOW64\Ifopiajn.exe
C:\Windows\system32\Ifopiajn.exe
C:\Windows\SysWOW64\Imihfl32.exe
C:\Windows\system32\Imihfl32.exe
C:\Windows\SysWOW64\Jdcpcf32.exe
C:\Windows\system32\Jdcpcf32.exe
C:\Windows\SysWOW64\Jjmhppqd.exe
C:\Windows\system32\Jjmhppqd.exe
C:\Windows\SysWOW64\Jmkdlkph.exe
C:\Windows\system32\Jmkdlkph.exe
C:\Windows\SysWOW64\Jbhmdbnp.exe
C:\Windows\system32\Jbhmdbnp.exe
C:\Windows\SysWOW64\Jjpeepnb.exe
C:\Windows\system32\Jjpeepnb.exe
C:\Windows\SysWOW64\Jaimbj32.exe
C:\Windows\system32\Jaimbj32.exe
C:\Windows\SysWOW64\Jplmmfmi.exe
C:\Windows\system32\Jplmmfmi.exe
C:\Windows\SysWOW64\Jfffjqdf.exe
C:\Windows\system32\Jfffjqdf.exe
C:\Windows\SysWOW64\Jidbflcj.exe
C:\Windows\system32\Jidbflcj.exe
C:\Windows\SysWOW64\Jaljgidl.exe
C:\Windows\system32\Jaljgidl.exe
C:\Windows\SysWOW64\Jbmfoa32.exe
C:\Windows\system32\Jbmfoa32.exe
C:\Windows\SysWOW64\Jigollag.exe
C:\Windows\system32\Jigollag.exe
C:\Windows\SysWOW64\Jangmibi.exe
C:\Windows\system32\Jangmibi.exe
C:\Windows\SysWOW64\Jbocea32.exe
C:\Windows\system32\Jbocea32.exe
C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
C:\Windows\SysWOW64\Kaqcbi32.exe
C:\Windows\system32\Kaqcbi32.exe
C:\Windows\SysWOW64\Kdopod32.exe
C:\Windows\system32\Kdopod32.exe
C:\Windows\SysWOW64\Kilhgk32.exe
C:\Windows\system32\Kilhgk32.exe
C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
C:\Windows\SysWOW64\Kpepcedo.exe
C:\Windows\system32\Kpepcedo.exe
C:\Windows\SysWOW64\Kbdmpqcb.exe
C:\Windows\system32\Kbdmpqcb.exe
C:\Windows\SysWOW64\Kinemkko.exe
C:\Windows\system32\Kinemkko.exe
C:\Windows\SysWOW64\Kaemnhla.exe
C:\Windows\system32\Kaemnhla.exe
C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
C:\Windows\SysWOW64\Kgbefoji.exe
C:\Windows\system32\Kgbefoji.exe
C:\Windows\SysWOW64\Kipabjil.exe
C:\Windows\system32\Kipabjil.exe
C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
C:\Windows\SysWOW64\Kpjjod32.exe
C:\Windows\system32\Kpjjod32.exe
C:\Windows\SysWOW64\Kcifkp32.exe
C:\Windows\system32\Kcifkp32.exe
C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5516 -ip 5516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 420
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1564-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1564-5-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Imbaemhc.exe
| MD5 | aee08a641ffeb338aaf282fd3558ae1d |
| SHA1 | 12b20b0f1fa3aac4365d481960cb7491ca7fa6da |
| SHA256 | 773e2d06c354d317e96032103cb4221288736ed532b55e00a15a228b42c677c2 |
| SHA512 | b3cffb672308cd60d780bd1d1d790a3b03df73acd575d4b4c6a123fbd8f4016ca531147c5108298abad98f8e833f418d957c745c90f4938a6d3c28ea55c4aa6e |
memory/2208-9-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Ipqnahgf.exe
| MD5 | 24f6e17b3d67853f00eb7b417bb91e3f |
| SHA1 | 278c9ddb0369aa2324b2edb964213957e9441602 |
| SHA256 | ea5e26e1f97064ca177ee64cd9d01b2b3c4c15d739252cd3cc5c1992989f04a6 |
| SHA512 | 06a998bcab12a40db243ae06a41475a8151ead8836d78c2fcc7e78406835c1a12ff4fff4290b4575d14bd8fe0e951001e5aa6412d6cf0a12cb7bc36f4f326a68 |
memory/1340-21-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Ibojncfj.exe
| MD5 | dc4305dc652e8f9fed6674cf0da88544 |
| SHA1 | 27e699a92b1eeeb3f07bcd4925a0ed7fd3f3f397 |
| SHA256 | d5023b398ad053dba225685fd953c29d555a2dbdc3f48b426f6c667f351b7be3 |
| SHA512 | 250ad8114106c9625f2e299b93a8f9b355f9f46710160f6a5a7afb84c3ac5b560dcafc1839dd25d3d5340b6336a1cc41ba5151cc747e027176a68df004436ebd |
memory/3608-29-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Ifjfnb32.exe
| MD5 | 0358d6897cbebf19a491af0482976257 |
| SHA1 | ca52dfbf67e47cfeb7189a342da7a6e46a3c9c36 |
| SHA256 | fcf455526bac9a76dca878ea76084b2a96d86d08a55c76171f50b934fc1e13b7 |
| SHA512 | 406789bea1f15e5ba1b033953f32540ad25954ce4ae14525b3b64c0a1740849535005584361a150e038c4a2955178e0b6b50ef003e190def0f5f265df4bf30da |
memory/432-33-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Iiibkn32.exe
| MD5 | a4da7169cdd00a6e7cdb4533eb5167f1 |
| SHA1 | a1f1673d372773658a7238ca8cad4a9dddbd669f |
| SHA256 | 849465e6c88d259d7efa53562faebaf9cf52f4b46fdfda3054fefa03a69b4e72 |
| SHA512 | b790b055b1f2eaf8ac2a56b2bf0629eeed3144642e6ef1bdc0fad8c60aedd6fa01a5f014bd11060c3f89cfeeb2b7cfbdbfbe0bf32ba735fd1e1418e04c6748eb |
memory/740-45-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Imdnklfp.exe
| MD5 | 6a2e0a34e3bdd6d8188346a0eb5e6156 |
| SHA1 | 6ebaff41447f99890d01012387e4c05277032be1 |
| SHA256 | 99a7fbb1a10f6cd9a8b46cbf456f5b6e6ea7bb7d6b9c6a03d5c55a2c54dc78b5 |
| SHA512 | 2993361b154e49d82f78f4a32cbf1dcce0ce45ecef91a1f680527aa80930baaffe6e59e699a4cf86b3ea52cb9ec5f8d5c8b2cb039d95cc944f107a1fc1d3e940 |
memory/4636-49-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Idofhfmm.exe
| MD5 | a21322d969ea48c1eee1cc8fe63ba818 |
| SHA1 | f28e6da265b8acf83ad5497aefa71ea9fe699a59 |
| SHA256 | 9153bc894c75281fd31c68ccf899308be951d56f7c86b4ce4a0820aba1c85587 |
| SHA512 | 6a71c6342182cbf16b844ed0db98021532e0b0c8675c22d59ea7f82918aeb319d2a9bd1f1d9c510e05d3eed872d32d9a263fc4ba8ee64cc6674282a5decb1f30 |
memory/4196-57-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Ijhodq32.exe
| MD5 | a23a3d6894c702524b54f0c3a72b7b99 |
| SHA1 | 2454ddb6ae725a74eba653623a0f72b35f2e9de6 |
| SHA256 | eb267bbd2c82e0c5f7edc4c9d50bc5e7970f83f82b1b7254228d653fc8c8f66b |
| SHA512 | 4b915e805830eb8a47b0d5aaab6ca767f08cd62d3e35e28b5cd641033d43fb3565ed0429b564eb730abdf806d8406dfee0d10455c16c6d2097ca3ed6fee2ac4d |
memory/4308-65-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Imgkql32.exe
| MD5 | 139de2d99ab715f6233158bc1efba7c8 |
| SHA1 | 00b03d369f6b11c7919c4107d763e32c07791759 |
| SHA256 | 590f1b121c06b50e4b17884eeda39e7dfd263d06321c933c11c5952440df9a26 |
| SHA512 | a7407702265d482765197192019140d370a0816b4d702a132ed8dbc9bbb152939e1c126a3edefc879476927b25dee604834ff817dafab14aa27301b8f870569f |
memory/4480-73-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Iabgaklg.exe
| MD5 | 08228fc94fede2a8a3ff959e73b43aba |
| SHA1 | c60cfe6d8a0d2439229281d0af46a25dcb6324f5 |
| SHA256 | 7e0e71a47434b2ef38def418600d69d899ce90554199eef048fd76f32705f9d2 |
| SHA512 | ca3f2cc16963f21f9b1771f5c6b8ecc17839b587cb30ea923ecc7844783cfafb05e2dc7183ccdf10c5fbc3e58cf9c96644118b934a4e9c170bb37dbb954cfbf6 |
memory/5040-81-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Ipegmg32.exe
| MD5 | 724e6b0a1cae0567b41c057973e3bb6c |
| SHA1 | 0c027c53970c6e907a5e52523920804822c89ece |
| SHA256 | 5c76ede6ed27734145c96af917735f1e85d3741514642e506b4639e8b820da92 |
| SHA512 | edf2962fd75b6cb892c6ac945fa9c0052d31472faebb77e2f31e31ea4f597f7f6248d7db321ff963399badac236a5a20384d4b5a2c236c9ca79cea3de5a01ca3 |
memory/1996-94-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Ifopiajn.exe
| MD5 | eb48bc6e0dcc19e97680a3294d7cb7eb |
| SHA1 | fef8bc077b07f791da60a497ff3a7af0af74010d |
| SHA256 | 4bfd22f9aa81da953168b01877719b97e1219186ea9043de2c864eb375f0b1a5 |
| SHA512 | 33ade0de39a0863c2fb5e3fabd324713ef2dc2631c0fa31863be3cb5d4ccc7fda6b560a42b2edc9b0aabc39444323f551d35b5123031780eb152e32349f82623 |
memory/1728-97-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Imihfl32.exe
| MD5 | 8f9eb763f2a976b13702d4d416b8ba6c |
| SHA1 | b3a74fb422240a7edfab9a7a8c10e17fae2fa1d0 |
| SHA256 | 57d9d741862b0f3ab48ab14b88b2c09fdc396d03bac2ca7affd249a3f89ab8d4 |
| SHA512 | 40d41f9c023cde58b670110029b5bf3df1c2c4f703a492b345cf6ac47ed864a40ecaf16f2ea519295fd49af83fb066c8adeb7110dc652484f4d00beabf508a0f |
memory/2236-105-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jdcpcf32.exe
| MD5 | b58722ec93b2e741718ee4dfd9b5f0cc |
| SHA1 | ebeece6f4d63b04e47a6bc202be86bd7930590bb |
| SHA256 | 86da68a2048e5b55a4f2d5014cae28cd03e674d8eb4077be7a774892dc5c1e41 |
| SHA512 | 8c8fd992724701275435628a5e8f681f71a35f8f14ca99ae5de0831146e7edaa776098761c483e1efa553e2d66a14d8b66909d6630c71aa4f34245af051befa6 |
memory/1000-113-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jjmhppqd.exe
| MD5 | 259332703ada1be343a0880671d5b48a |
| SHA1 | 922bf9ae3e5e7ebb220392ef48beb632671aae01 |
| SHA256 | 496d2b464c96c0a358edcc1364c60c5da6f487399f1aa041e7084ba348c86865 |
| SHA512 | 1f9545915e42f26b1ca39b8276f603439079334c00986c482806daa19589f887ebaed24d3ad9da864113c49286cb180f9c9957f74eeb41cb7baf6cda3e40d748 |
memory/5032-121-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jmkdlkph.exe
| MD5 | ea6fe27d5fb7206543443d30bf7395a3 |
| SHA1 | 83cf7f63c18ed1d12d4ede076316090970a77057 |
| SHA256 | 8b40b0a7b5941eeee687268f7d2d079c11ea1d40cee8261efd506bbd27627700 |
| SHA512 | 3ed87999d2b16fe9185df65062e03f1ed3bad78928c497786dafddcf1b9baf0ee863a2f0b5ef30c9389b3606803c092df2e629622194b09fa1d56116fd6aaf02 |
memory/2796-129-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jbhmdbnp.exe
| MD5 | e648f47b111224afc86e2e53fd068c00 |
| SHA1 | eacbdc7a8978ffbdae8ac3be94735b939dedd79a |
| SHA256 | baef285571b8fb7ff08cdb7c4bbf22bc5c1d23d20a01ddf7448d8a43ebcfbf18 |
| SHA512 | 5796dd2dcc3fdfe0a55933eb043f704536818cb775c4085f5db62a84024bc72219ab52b672efa858a0029b63c557973a9b3b3437e48875f5ca316349db94c5df |
memory/516-137-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jjpeepnb.exe
| MD5 | 76b5d37fad1c587bef8f252e7928f1f8 |
| SHA1 | 15062350193eac74a36365d392902d11ba365a32 |
| SHA256 | d8078cbf734c3fe50a2f8f599f3628f03521be00933d1252a93a8aad0e17d683 |
| SHA512 | 1d75407498f20fccc1a8c2b7f41a3319a733be7a9be109a60135fb83c2598fbe79e0d833833d955abe182782fda43e3f15ca3f4fc06b94ffa514c46c1e1e0d85 |
C:\Windows\SysWOW64\Jaimbj32.exe
| MD5 | 701652069e11caad1c52069e433b15d7 |
| SHA1 | 5549fb13ff805fdedd444b9adffc1f0d45a221b7 |
| SHA256 | bad430b2aef5548901dfa8f9e9e8e0c458102f7965aa7a6f9bf7edfdb4c566e6 |
| SHA512 | 60e637295b33445a429674cb39f8671a20e349b462c6a1955de49df3c00bc6eb4ff8bcb23e139df492320042f669eace29860ac9daf0770c92723796e6e52fc9 |
memory/1448-152-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4808-153-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jplmmfmi.exe
| MD5 | ca192ea26beeac58cc871bd76eecd370 |
| SHA1 | ff6a87834db05798a583736597e02eeb18d53713 |
| SHA256 | 94b85228a7a94942fd7360092c880dda2804dc16b18c66bbe051dd9dac944dd9 |
| SHA512 | fc8813caf7ae3e020f69fe2377884ca089d708126c547f7e4b7d10b0cdd3404b8c936f011883e044efdc71c5ff95ef8405b375d93ce3d69cb56c14479733ef42 |
memory/1196-161-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jfffjqdf.exe
| MD5 | 76fc63bf1ecfb4fe04c0cecb8cf9f429 |
| SHA1 | 19870399b06a198d5a49c31f1474953a2b7b48f2 |
| SHA256 | 02c58aab9072798d06c2b7c2e128782d5d6add3c819d426010c98853afabf183 |
| SHA512 | 66d84f01dc0da204c7b1167f245035ebbc8547bcd5e23ff3661a7edc77d6bedd75348f3fa748cad7d77662b8026b548218378960b6b2b8ef68cbe2ecee327547 |
memory/1668-169-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jidbflcj.exe
| MD5 | c8c4749d21dd54235efc091b52985877 |
| SHA1 | 297bba4314f3ad907a24ae1ddac5b3cc889fd292 |
| SHA256 | 8956e875f5f4bb81d48d4390fff0da7faafcdf60391224fe41b93f09fc6d81fd |
| SHA512 | 6280893508128f94a73efc3c97726971d54fe6ab98ade40b1dc3e2ddc9ef5985a12a54e42806ca9c0482b6fb6281314349fff30f4194f485f4624acb35438ea8 |
memory/4940-177-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jaljgidl.exe
| MD5 | 54c2398a8b58428279ce83ea6c7c8fe2 |
| SHA1 | 0bc852de6036fddce36f7d8cf723ac7b6039089b |
| SHA256 | 472b71a34a2bbea23264eb9770768f7aa137afa03886cb76ceaf82977969e717 |
| SHA512 | 13f1ef2632c44284ef0c7ff6b488fae94593519b6eea570cc42c1ab040b2b8ce17453f93842f69d3395ba0b015af843fa0399a6bd361e5b792fa2330d040e1cc |
memory/3076-184-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jbmfoa32.exe
| MD5 | 1791a8c539b81279a503824af5d59e80 |
| SHA1 | 0ac26025c9e8d1533d73564478cc6d4c9dea6e18 |
| SHA256 | 1ed2be40595af76e811665156b63c87c8824b829d3d79c740894b79f82380b5e |
| SHA512 | a52554aba8e4c5306499b7c262bc85697e975b57bda0c9104fb3432346afb34867769d54f311494aa3ea9e3db9c78dbfa7a5cd5bdb629891f11fdc852461b5d2 |
memory/3060-193-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jigollag.exe
| MD5 | 604b621ee4a6cff6eb1b91cb8bf420aa |
| SHA1 | cfa73abf94b9884a616254790668b1e8acdc2be5 |
| SHA256 | 2e1ad13c4a1d5a5083fe3e532c4ecebc8d4f3604531c38f7f2c3c0ebb08189be |
| SHA512 | 8db9820d988ea1d606b5dd15e73497c974d3190658ecfea5e2c76538df82b0faf99eae92721bef3325adcc888879ded20dfe87f283acd3cfe07da069ff2e084f |
memory/756-205-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jangmibi.exe
| MD5 | 2c7e6aeb8b17f306829c0cf4591574a2 |
| SHA1 | d851f67a4ed7f0b428b1d7cb9efd06c112ddde4c |
| SHA256 | aa0dfc99244e9a1167ecadffcc6ea7add8a6fe8580625304e187c6dabae34824 |
| SHA512 | 052ce0b6c2715e63bd12765e167dc3119cbf36b6c1a004c30451b32aaf6fe051d9123ac094b2ea5eeaf8d77cc31b8efa152a9d8e4cad12f6c087e7b8493358e5 |
memory/4892-209-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2560-216-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jbocea32.exe
| MD5 | 9678b064379f6d55e2a936fd99b09708 |
| SHA1 | f8f62fb619f174e0578c12a2737dbee2e270d3db |
| SHA256 | b4a757b2239da8bfefe8b693e199883ef9f828ce04e2c52e9ea91efee1c86b8b |
| SHA512 | 5fc675f3704a123c5494dc2507a760d04cda0887194ec2cb111dbbea169860e54ec04e73f49a5478aed3bb55e367c8645161d3af4930f0092cf7f6e4358b5d3b |
memory/3956-224-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Jkfkfohj.exe
| MD5 | 79b511c95ca77bb26617a011f202ee07 |
| SHA1 | 6df01a3052afec371cc1424d8dc7098a9bb84276 |
| SHA256 | f0fb1bd57f271574c001e6b579bd10fc12258c6a2148e5f456c7d99009f32219 |
| SHA512 | 12a06dd085dde3316e51a24e6e21912dd7ea22a023d2d65c7474a3f62d6f066395eabb5fbf8f739a7803e67f4336b8013b809ce87bfc51979cb7ca81341a4e93 |
C:\Windows\SysWOW64\Kmegbjgn.exe
| MD5 | 9b9ba78e4529acd857e2f3a7c93472b6 |
| SHA1 | 163596e55f5106cd8d58c9f962a6d4e8d03ce5f5 |
| SHA256 | 41fedba4e619ffca686cb7497568c491cb95db5b47748439ed54d1021494d0ba |
| SHA512 | 1983a52d919e6094f16f8fc9e9d33e6a85fc0f5d528ff1e3f341e30fcdce1ea981667eda3ceb6f8a36e29a81ee33a0b60ac72e647338343498f985e8505f5b27 |
memory/1444-233-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Kaqcbi32.exe
| MD5 | e2bcdf3e17b2776b30da68a456c218f7 |
| SHA1 | a9210a6a9dd04ae12e91db389a06fb40183c0671 |
| SHA256 | 785957dec48f66406942ad31305b09a40dc80bf026ff5cfe5c2ad2e43ac1e6b2 |
| SHA512 | 3de4bb2db3e0bfa897ae0fbcb14c8629facc40ec35ffb03c10e7b0ebbd7bda8c45415a854098eef33e00c473248a577f602f9b255c64beb498c61a78fb118206 |
memory/3052-241-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Kdopod32.exe
| MD5 | 4b98dbb21234d79e1fbe23a660f537fa |
| SHA1 | 5a860995965ade3744c051ba5a834d036731f6c6 |
| SHA256 | 372f7e381d1f40edbed8faf24197c0c18952990b231e7a0848b311c31acc8e72 |
| SHA512 | 1d7ed31320eaa2915b676c13bbf48d97a0cb4bd854e398d000eab287dc90caa4c4a2d1629d0db3761353ff0613cad7d444505d95614c4f00cb6d85ab1cf892ac |
memory/944-249-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Kilhgk32.exe
| MD5 | ebcb37e0ade30576267d1a0cc42508b2 |
| SHA1 | d5361bd974abba63cf936367b0627db96d5bd155 |
| SHA256 | a527ed2268d0d003d23e427c704c97971d4925b1208cd18d6a82622e0d1a4702 |
| SHA512 | 35c3e3e1d3fca1047f883defd5eb8a11db09fe3d1a709d9b30429bb551941213482c3c76a4e0b77fca5dbb2a51cdd7d4a3e84f6ac55b3c02e2d03a337a06a3c3 |
memory/3568-256-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1940-261-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Kpepcedo.exe
| MD5 | c0c784100d9ac9c6ffbda7ebc8ec44f9 |
| SHA1 | 1df52de153633ab6c6b4f1612c132681e7b11c5e |
| SHA256 | 00df54dddb0338c61a64d1726c20a9db3c76d6aa1d020495603a74af885b2bce |
| SHA512 | 76dc1deb014240ecafeb417c746a27649ef186a3d402ccda445d09a3fd3bb6dcc96028c5a0ba2c5e0cc3d26a37b3dacfd2ddfc4851c1f77fcc8cf65b992e4968 |
memory/1616-264-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\SysWOW64\Kbdmpqcb.exe
| MD5 | 95ece670fd2a80fc03a586f285bd2eb1 |
| SHA1 | ebaabada906f3b2b1a9b83867b679725eed482ef |
| SHA256 | 3c86284575fee5a3a46ad82eafcbca9af44877c5069a4f9bd0a6c0422bc200c3 |
| SHA512 | 821c7d3ba0029ceae5a35cd05d62287135e42f565af5441da1c66b144cf05979fa84f255ff7d8d3ab97d167fc1d942cf352574c9ad2bb8bcb7306d56f588d3fa |
C:\Windows\SysWOW64\Nafokcol.exe
| MD5 | 3c932a97a35ef4f8022fe91d2ba692ca |
| SHA1 | 4ae24542895dbbb0367f981450f5a42af913a965 |
| SHA256 | 133e0bcbe13a62e1345ec0f34c585fa7e82ec11dbc4c098e5e183329693b7a38 |
| SHA512 | 35902e1e1cf40f6e02fb96192df1e27c455469747c93d50bee104a7ee7cf4939b4c49a6fcdefb3a0aea2a0f46f318aaddd0ab376b329916cea2d0a4fbc779ba8 |