Analysis Overview
SHA256
3e028e5d31bfd22c72a116a92b0e2d30811c7df6c66691d5fbdac55416723d90
Threat Level: Known bad
The file 95045afa4561cfd463467f7907210a30N.exe was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:16
Reported
2024-08-25 09:18
Platform
win7-20240729-en
Max time kernel
32s
Max time network
16s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhdcbjal.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Niilmi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ombhgljn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lppkgi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mqgahh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mlnbmikh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkoidcaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lppkgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lednal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lolbjahp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nndhpqma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nglmifca.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmpkal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojdlkp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojdlkp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oenmkngi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lcqdidim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njaoeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oepianef.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lgjcdc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mlnbmikh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mffgfo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nglmifca.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbaafocg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncejcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mfoqephq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lafekm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkafib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olgehh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oepianef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Klimcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkjeod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njmejaqb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnhakp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbodpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhgpgjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njmejaqb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkqbhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ofmiea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lkafib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcqdidim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mffgfo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mhdcbjal.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nplkhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ljhppo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lolbjahp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mogene32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nbodpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lkoidcaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lamkllea.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ljhppo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnknqpgi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lahaqm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ncejcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lamkllea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lhegcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mliibj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mnakjaoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nndhpqma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ombhgljn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oclpdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mhgpgjoj.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\Cpikne32.dll | C:\Windows\SysWOW64\Mcendc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkqbhf32.exe | C:\Windows\SysWOW64\Mlnbmikh.exe | N/A |
| File created | C:\Windows\SysWOW64\Mffgfo32.exe | C:\Windows\SysWOW64\Mkqbhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qegpeh32.dll | C:\Windows\SysWOW64\Nnknqpgi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ohnemidj.exe | C:\Windows\SysWOW64\Oepianef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lkoidcaj.exe | C:\Windows\SysWOW64\Lafekm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcendc32.exe | C:\Windows\SysWOW64\Mqgahh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mhgpgjoj.exe | C:\Windows\SysWOW64\Mnakjaoc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lafekm32.exe | C:\Windows\SysWOW64\Klimcf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mogene32.exe | C:\Windows\SysWOW64\Mliibj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Niilmi32.exe | C:\Windows\SysWOW64\Nbodpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jligibpk.dll | C:\Windows\SysWOW64\Oclpdf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oepianef.exe | C:\Windows\SysWOW64\Ofmiea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkccob32.exe | C:\Windows\SysWOW64\Lhegcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcqdidim.exe | C:\Windows\SysWOW64\Ljhppo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceahlg32.dll | C:\Windows\SysWOW64\Niilmi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Idomll32.dll | C:\Windows\SysWOW64\Njaoeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgomoboc.exe | C:\Windows\SysWOW64\Mogene32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbodpo32.exe | C:\Windows\SysWOW64\Nndhpqma.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpmmdfgc.dll | C:\Windows\SysWOW64\Mgomoboc.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhgpgjoj.exe | C:\Windows\SysWOW64\Mnakjaoc.exe | N/A |
| File created | C:\Windows\SysWOW64\Oepianef.exe | C:\Windows\SysWOW64\Ofmiea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lamkllea.exe | C:\Windows\SysWOW64\Lkccob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mnakjaoc.exe | C:\Windows\SysWOW64\Mhdcbjal.exe | N/A |
| File created | C:\Windows\SysWOW64\Nndhpqma.exe | C:\Windows\SysWOW64\Mhgpgjoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnknqpgi.exe | C:\Windows\SysWOW64\Ncejcg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nmpkal32.exe | C:\Windows\SysWOW64\Njaoeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckhkbc32.dll | C:\Windows\SysWOW64\Lafekm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lcqdidim.exe | C:\Windows\SysWOW64\Ljhppo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oenmkngi.exe | C:\Windows\SysWOW64\Oclpdf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cealdmqc.dll | C:\Windows\SysWOW64\Lahaqm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ljhppo32.exe | C:\Windows\SysWOW64\Lgjcdc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eighpgge.dll | C:\Windows\SysWOW64\Ojdlkp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lednal32.exe | C:\Windows\SysWOW64\Lahaqm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgcdjk32.dll | C:\Windows\SysWOW64\Mhdcbjal.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbaafocg.exe | C:\Windows\SysWOW64\Nglmifca.exe | N/A |
| File created | C:\Windows\SysWOW64\Mqlenpag.dll | C:\Windows\SysWOW64\Lamkllea.exe | N/A |
| File created | C:\Windows\SysWOW64\Eefpnicb.dll | C:\Windows\SysWOW64\Lcqdidim.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcgjllbn.dll | C:\Windows\SysWOW64\Mogene32.exe | N/A |
| File created | C:\Windows\SysWOW64\Klilah32.dll | C:\Windows\SysWOW64\Mqgahh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mhdcbjal.exe | C:\Windows\SysWOW64\Mffgfo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Klimcf32.exe | C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mffgfo32.exe | C:\Windows\SysWOW64\Mkqbhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpamlo32.dll | C:\Windows\SysWOW64\Ombhgljn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lahaqm32.exe | C:\Windows\SysWOW64\Lkoidcaj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mliibj32.exe | C:\Windows\SysWOW64\Mfoqephq.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfdjpo32.exe | C:\Windows\SysWOW64\Mcendc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nndhpqma.exe | C:\Windows\SysWOW64\Mhgpgjoj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncejcg32.exe | C:\Windows\SysWOW64\Nnhakp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpeack32.dll | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofmiea32.exe | C:\Windows\SysWOW64\Olgehh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ofmiea32.exe | C:\Windows\SysWOW64\Olgehh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iinnfbbo.dll | C:\Windows\SysWOW64\Oenmkngi.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciomamim.dll | C:\Windows\SysWOW64\Lkoidcaj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mfoqephq.exe | C:\Windows\SysWOW64\Lcqdidim.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjmiknng.exe | C:\Windows\SysWOW64\Mgomoboc.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkffpabj.dll | C:\Windows\SysWOW64\Mkqbhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iknkfi32.dll | C:\Windows\SysWOW64\Nbaafocg.exe | N/A |
| File created | C:\Windows\SysWOW64\Lafekm32.exe | C:\Windows\SysWOW64\Klimcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Niilmi32.exe | C:\Windows\SysWOW64\Nbodpo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njaoeq32.exe | C:\Windows\SysWOW64\Nplkhh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmpkal32.exe | C:\Windows\SysWOW64\Njaoeq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oclpdf32.exe | C:\Windows\SysWOW64\Ombhgljn.exe | N/A |
| File created | C:\Windows\SysWOW64\Lolbjahp.exe | C:\Windows\SysWOW64\Lkafib32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ohnemidj.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lafekm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mnakjaoc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lahaqm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mhdcbjal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncejcg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbodpo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njaoeq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olgehh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klimcf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mjmiknng.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbaafocg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkafib32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njmejaqb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgomoboc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mkqbhf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lhegcg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lgjcdc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lcqdidim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mogene32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkccob32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nkjeod32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfoqephq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mqgahh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oepianef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojdlkp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oclpdf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oenmkngi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lolbjahp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ljhppo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nglmifca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmpkal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mffgfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mhgpgjoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nnhakp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ohnemidj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lamkllea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Niilmi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nnknqpgi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ombhgljn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofmiea32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mliibj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mcendc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfdjpo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nndhpqma.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkoidcaj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lppkgi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nplkhh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lednal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mlnbmikh.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjgehii.dll" | C:\Windows\SysWOW64\Njmejaqb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Depojmnb.dll" | C:\Windows\SysWOW64\Nndhpqma.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekfdc32.dll" | C:\Windows\SysWOW64\Lppkgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mqgahh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajicf32.dll" | C:\Windows\SysWOW64\Mfdjpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbodpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nbaafocg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejkdfong.dll" | C:\Windows\SysWOW64\Klimcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkffpabj.dll" | C:\Windows\SysWOW64\Mkqbhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lafekm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mliibj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpikne32.dll" | C:\Windows\SysWOW64\Mcendc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcdjk32.dll" | C:\Windows\SysWOW64\Mhdcbjal.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mnakjaoc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nbodpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpeack32.dll" | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oiglfm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkgliff.dll" | C:\Windows\SysWOW64\Mfoqephq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ofmiea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oepianef.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lamkllea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfijb32.dll" | C:\Windows\SysWOW64\Mhgpgjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ncejcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oclpdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhkbc32.dll" | C:\Windows\SysWOW64\Lafekm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mhgpgjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mhgpgjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njaoeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lgjcdc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lppkgi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgjllbn.dll" | C:\Windows\SysWOW64\Mogene32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klilah32.dll" | C:\Windows\SysWOW64\Mqgahh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mhdcbjal.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nkjeod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ombhgljn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jligibpk.dll" | C:\Windows\SysWOW64\Oclpdf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lednal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mhdcbjal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nmpkal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinnfbbo.dll" | C:\Windows\SysWOW64\Oenmkngi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lahaqm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjfdadn.dll" | C:\Windows\SysWOW64\Lkafib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nglmifca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nmpkal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eighpgge.dll" | C:\Windows\SysWOW64\Ojdlkp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdfjnimm.dll" | C:\Windows\SysWOW64\Olgehh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Klimcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mlnbmikh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mnakjaoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknkfi32.dll" | C:\Windows\SysWOW64\Nbaafocg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ncejcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mfoqephq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafbcl32.dll" | C:\Windows\SysWOW64\Ofmiea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lhegcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nglmifca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oenmkngi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lkafib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lkoidcaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lhegcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mfdjpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mfdjpo32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe | "C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe" |
| C:\Windows\SysWOW64\Klimcf32.exe | C:\Windows\system32\Klimcf32.exe |
| C:\Windows\SysWOW64\Lafekm32.exe | C:\Windows\system32\Lafekm32.exe |
| C:\Windows\SysWOW64\Lkoidcaj.exe | C:\Windows\system32\Lkoidcaj.exe |
| C:\Windows\SysWOW64\Lahaqm32.exe | C:\Windows\system32\Lahaqm32.exe |
| C:\Windows\SysWOW64\Lednal32.exe | C:\Windows\system32\Lednal32.exe |
| C:\Windows\SysWOW64\Lkafib32.exe | C:\Windows\system32\Lkafib32.exe |
| C:\Windows\SysWOW64\Lolbjahp.exe | C:\Windows\system32\Lolbjahp.exe |
| C:\Windows\SysWOW64\Lhegcg32.exe | C:\Windows\system32\Lhegcg32.exe |
| C:\Windows\SysWOW64\Lkccob32.exe | C:\Windows\system32\Lkccob32.exe |
| C:\Windows\SysWOW64\Lamkllea.exe | C:\Windows\system32\Lamkllea.exe |
| C:\Windows\SysWOW64\Lppkgi32.exe | C:\Windows\system32\Lppkgi32.exe |
| C:\Windows\SysWOW64\Lgjcdc32.exe | C:\Windows\system32\Lgjcdc32.exe |
| C:\Windows\SysWOW64\Ljhppo32.exe | C:\Windows\system32\Ljhppo32.exe |
| C:\Windows\SysWOW64\Lcqdidim.exe | C:\Windows\system32\Lcqdidim.exe |
| C:\Windows\SysWOW64\Mfoqephq.exe | C:\Windows\system32\Mfoqephq.exe |
| C:\Windows\SysWOW64\Mliibj32.exe | C:\Windows\system32\Mliibj32.exe |
| C:\Windows\SysWOW64\Mogene32.exe | C:\Windows\system32\Mogene32.exe |
| C:\Windows\SysWOW64\Mgomoboc.exe | C:\Windows\system32\Mgomoboc.exe |
| C:\Windows\SysWOW64\Mjmiknng.exe | C:\Windows\system32\Mjmiknng.exe |
| C:\Windows\SysWOW64\Mqgahh32.exe | C:\Windows\system32\Mqgahh32.exe |
| C:\Windows\SysWOW64\Mcendc32.exe | C:\Windows\system32\Mcendc32.exe |
| C:\Windows\SysWOW64\Mfdjpo32.exe | C:\Windows\system32\Mfdjpo32.exe |
| C:\Windows\SysWOW64\Mlnbmikh.exe | C:\Windows\system32\Mlnbmikh.exe |
| C:\Windows\SysWOW64\Mkqbhf32.exe | C:\Windows\system32\Mkqbhf32.exe |
| C:\Windows\SysWOW64\Mffgfo32.exe | C:\Windows\system32\Mffgfo32.exe |
| C:\Windows\SysWOW64\Mhdcbjal.exe | C:\Windows\system32\Mhdcbjal.exe |
| C:\Windows\SysWOW64\Mnakjaoc.exe | C:\Windows\system32\Mnakjaoc.exe |
| C:\Windows\SysWOW64\Mhgpgjoj.exe | C:\Windows\system32\Mhgpgjoj.exe |
| C:\Windows\SysWOW64\Nndhpqma.exe | C:\Windows\system32\Nndhpqma.exe |
| C:\Windows\SysWOW64\Nbodpo32.exe | C:\Windows\system32\Nbodpo32.exe |
| C:\Windows\SysWOW64\Niilmi32.exe | C:\Windows\system32\Niilmi32.exe |
| C:\Windows\SysWOW64\Nglmifca.exe | C:\Windows\system32\Nglmifca.exe |
| C:\Windows\SysWOW64\Nbaafocg.exe | C:\Windows\system32\Nbaafocg.exe |
| C:\Windows\SysWOW64\Nkjeod32.exe | C:\Windows\system32\Nkjeod32.exe |
| C:\Windows\SysWOW64\Njmejaqb.exe | C:\Windows\system32\Njmejaqb.exe |
| C:\Windows\SysWOW64\Nnhakp32.exe | C:\Windows\system32\Nnhakp32.exe |
| C:\Windows\SysWOW64\Ncejcg32.exe | C:\Windows\system32\Ncejcg32.exe |
| C:\Windows\SysWOW64\Nnknqpgi.exe | C:\Windows\system32\Nnknqpgi.exe |
| C:\Windows\SysWOW64\Nplkhh32.exe | C:\Windows\system32\Nplkhh32.exe |
| C:\Windows\SysWOW64\Njaoeq32.exe | C:\Windows\system32\Njaoeq32.exe |
| C:\Windows\SysWOW64\Nmpkal32.exe | C:\Windows\system32\Nmpkal32.exe |
| C:\Windows\SysWOW64\Ojdlkp32.exe | C:\Windows\system32\Ojdlkp32.exe |
| C:\Windows\SysWOW64\Oiglfm32.exe | C:\Windows\system32\Oiglfm32.exe |
| C:\Windows\SysWOW64\Ombhgljn.exe | C:\Windows\system32\Ombhgljn.exe |
| C:\Windows\SysWOW64\Oclpdf32.exe | C:\Windows\system32\Oclpdf32.exe |
| C:\Windows\SysWOW64\Oenmkngi.exe | C:\Windows\system32\Oenmkngi.exe |
| C:\Windows\SysWOW64\Olgehh32.exe | C:\Windows\system32\Olgehh32.exe |
| C:\Windows\SysWOW64\Ofmiea32.exe | C:\Windows\system32\Ofmiea32.exe |
| C:\Windows\SysWOW64\Oepianef.exe | C:\Windows\system32\Oepianef.exe |
| C:\Windows\SysWOW64\Ohnemidj.exe | C:\Windows\system32\Ohnemidj.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 140 |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:16
Reported
2024-08-25 09:18
Platform
win10v2004-20240802-en
Max time kernel
107s
Max time network
108s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ocgmpccl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pnfdcjkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdehlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nilcjp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nljofl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nggjdc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pggbkagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdkcde32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndfqbhia.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oncofm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ocgmpccl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmoahijl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgioqq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpablkhc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ogbipa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agglboim.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmannhhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdifoehl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfaigm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nckndeni.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ogpmjb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Meiaib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Migjoaaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pggbkagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njnpppkn.exe | N/A |
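The rows above and the CLSID registrations listed under "Modifies registry class" further down are two halves of one persistence chain: each dropped executable registers an in-process COM server for CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, pointing InProcServer32 at a freshly dropped DLL whose name changes from process to process (Ehaaclak.dll, Fibbmq32.dll, Nodfmh32.dll, Kgldjcmk.dll, ...), then writes that CLSID under ShellServiceObjectDelayLoad as "Web Event Logger" so the shell loads the DLL at logon. The DLL names and hashes are therefore poor indicators, while the CLSID and the value name are identical in the Win7 and Win10 detonations. The PowerShell below is an added hunting example, not part of the sandbox report or of the sample: it enumerates both registry views of the SSODL key (the 32-bit sample writes through WOW64 redirection, which is why the report shows WOW6432Node paths), resolves every CLSID it finds to its InProcServer32 DLL in the HKLM, WOW6432Node and HKCU class roots, and checks the DLL's Authenticode status. The set of roots searched, the verdict labels and the decision to treat a validly signed DLL as benign are assumptions of the example.

```powershell
# Added example (not from the sandbox report or the sample): hunt for
# ShellServiceObjectDelayLoad (SSODL) persistence and resolve each entry to the
# DLL that would be loaded into the shell at logon. Run elevated.

# Indicators recorded in the report; identical in the Win7 and Win10 detonations,
# unlike the randomly named DLLs and EXEs.
$KnownBad = @{
    Clsid     = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
    ValueName = 'Web Event Logger'
}

# Both registry views: the 32-bit sample wrote through WOW64 redirection, which is
# why the report shows WOW6432Node paths; a 64-bit dropper would hit the native key.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
# HKCU\Software\Classes is included because a per-user CLSID registration overrides HKLM.
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-InProcServer {
    # Emits one object per InProcServer32 registration found for the CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            ServerKey      = $key
            Dll            = [string]$props.'(default)'      # the default value holds the DLL path
            ThreadingModel = [string]$props.ThreadingModel
        }
    }
}

function Get-SsodlFinding {
    foreach ($ssodl in $SsodlKeys) {
        if (-not (Test-Path -LiteralPath $ssodl)) { continue }
        $item = Get-Item -LiteralPath $ssodl
        foreach ($name in $item.GetValueNames()) {
            $clsid   = [string]$item.GetValue($name)
            $servers = @(Resolve-InProcServer -Clsid $clsid)
            if ($servers.Count -eq 0) {
                # Dangling entry: the CLSID is not registered in any view we checked.
                $servers = @([pscustomobject]@{ ServerKey = $null; Dll = ''; ThreadingModel = '' })
            }
            foreach ($s in $servers) {
                $file = [Environment]::ExpandEnvironmentVariables($s.Dll)
                if (-not $s.ServerKey) {
                    $sig = 'NoInProcServer32'
                } elseif ($file -and (Test-Path -LiteralPath $file)) {
                    $sig = (Get-AuthenticodeSignature -LiteralPath $file).Status
                } else {
                    $sig = 'FileMissing'
                }
                if ($clsid -eq $KnownBad.Clsid -or $name -eq $KnownBad.ValueName) {
                    $verdict = 'KNOWN-BAD'
                } elseif ($sig -ne 'Valid') {
                    $verdict = 'REVIEW'       # unsigned or missing code under a shell load point
                } else {
                    $verdict = 'signed'
                }
                [pscustomobject]@{
                    SsodlKey  = $ssodl
                    Name      = $name
                    Clsid     = $clsid
                    ServerKey = $s.ServerKey
                    Dll       = $s.Dll
                    Signature = $sig
                    Verdict   = $verdict
                }
            }
        }
    }
}

Get-SsodlFinding | Sort-Object Verdict | Format-Table -AutoSize
```

Legitimate SSODL entries exist on older Windows builds, so the presence of an entry is not a verdict; what matters is where the CLSID resolves and whether that file belongs there. A dangling entry (a CLSID with no InProcServer32 in any view) is still worth recording, because removing the DLL alone leaves the SSODL value behind and a later re-registration of the CLSID re-arms it.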
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Qdbiedpa.exe | C:\Windows\SysWOW64\Qnhahj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdbnaa32.dll | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjjald32.dll | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Njnpppkn.exe | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pcijeb32.exe | C:\Windows\SysWOW64\Pqknig32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjcbbmif.exe | C:\Windows\SysWOW64\Pcijeb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qeobam32.dll | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| File created | C:\Windows\SysWOW64\Ijfjal32.dll | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oqhacgdh.exe | C:\Windows\SysWOW64\Onjegled.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ojaelm32.exe | C:\Windows\SysWOW64\Ogbipa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nilcjp32.exe | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bapiabak.exe | C:\Windows\SysWOW64\Bnbmefbg.exe | N/A |
| File created | C:\Windows\SysWOW64\Eflgme32.dll | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogfilp32.dll | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| File created | C:\Windows\SysWOW64\Naekcf32.dll | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgddhf32.exe | C:\Windows\SysWOW64\Mdehlk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mckemg32.exe | C:\Windows\SysWOW64\Mplhql32.exe | N/A |
| File created | C:\Windows\SysWOW64\Npmagine.exe | C:\Windows\SysWOW64\Nlaegk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmngqdpj.exe | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cndikf32.exe | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgddhf32.exe | C:\Windows\SysWOW64\Mdehlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Popodg32.dll | C:\Windows\SysWOW64\Pdifoehl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgqeappe.exe | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffpmlcim.dll | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ingfla32.dll | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nckndeni.exe | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| File created | C:\Windows\SysWOW64\Chempj32.dll | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdfkolkf.exe | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jffggf32.dll | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| File created | C:\Windows\SysWOW64\Deagdn32.exe | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmannhhj.exe | C:\Windows\SysWOW64\Pjcbbmif.exe | N/A |
| File created | C:\Windows\SysWOW64\Ageolo32.exe | C:\Windows\SysWOW64\Anmjcieo.exe | N/A |
| File created | C:\Windows\SysWOW64\Odocigqg.exe | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| File created | C:\Windows\SysWOW64\Lipdae32.dll | C:\Windows\SysWOW64\Pnfdcjkg.exe | N/A |
| File created | C:\Windows\SysWOW64\Panfqmhb.dll | C:\Windows\SysWOW64\Pcijeb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgioqq32.exe | C:\Windows\SysWOW64\Pdkcde32.exe | N/A |
| File created | C:\Windows\SysWOW64\Echdno32.dll | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjcbbmif.exe | C:\Windows\SysWOW64\Pcijeb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfdodjhm.exe | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmdkch32.exe | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| File created | C:\Windows\SysWOW64\Qcgffqei.exe | C:\Windows\SysWOW64\Qqijje32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogpmjb32.exe | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfddbh32.dll | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcijeb32.exe | C:\Windows\SysWOW64\Pqknig32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdkcde32.exe | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Medgncoe.exe | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| File created | C:\Windows\SysWOW64\Lommhphi.dll | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceehho32.exe | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcdmai32.dll | C:\Windows\SysWOW64\Ogpmjb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aqncedbp.exe | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| File created | C:\Windows\SysWOW64\Afoeiklb.exe | C:\Windows\SysWOW64\Acqimo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfiafg32.exe | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Mplhql32.exe | C:\Windows\SysWOW64\Mibpda32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojllan32.exe | C:\Windows\SysWOW64\Ognpebpj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ofcmfodb.exe | C:\Windows\SysWOW64\Ogpmjb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocpgod32.exe | C:\Windows\SysWOW64\Odmgcgbi.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofcmfodb.exe | C:\Windows\SysWOW64\Ogpmjb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oahicipe.dll | C:\Windows\SysWOW64\Afoeiklb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnnlaehj.exe | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcpnhfhf.exe | C:\Windows\SysWOW64\Mpablkhc.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmcjho32.dll | C:\Windows\SysWOW64\Nckndeni.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmnpgb32.exe | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
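Every file in the table above is written into C:\Windows\SysWOW64, which requires an elevated token, and the file list earlier on the page shows that each dropped copy carries a different MD5/SHA256, so per-file hashes from this run will not match the next infection. The PowerShell below is an added triage example, not part of the report or of the sample: it ranks PE files in System32 and SysWOW64 by three signals this report supports, the absence of a valid Authenticode signature ("Unsigned PE"), an owner other than TrustedInstaller, and the capitalised 8-character naming seen in this run (Oclpdf32.exe, Oenmkngi.exe, Jdbnaa32.dll), and hashes only the survivors for comparison with the file list. The look-back window, the scoring weights and the reporting threshold are assumptions of the example.

```powershell
# Added example (not from the report or the sample): rank PE files in the System32
# directories that resemble the report's drop chain. Run elevated; writing to
# these directories needs an elevated token, so the dropper already had one.

function Get-DroppedPeCandidate {
    param(
        # Assumption: one-week look-back; tighten it to the incident window when known.
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string[]]$Directory = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        [int]$MinScore = 3                       # assumption: report when two signals agree
    )
    # Naming pattern taken from this report only (Oclpdf32.exe, Oenmkngi.exe, Jdbnaa32.dll):
    # a capitalised 8-character stem, optionally ending in "32". Weak signal, so it scores 1.
    $namePattern = '^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.(?:exe|dll)$'
    $cutoff = $Since.ToUniversalTime()

    foreach ($dir in $Directory) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
            if ($f.Extension -notin @('.exe', '.dll')) { continue }
            if ($f.CreationTimeUtc -lt $cutoff) { continue }

            $sig   = (Get-AuthenticodeSignature -LiteralPath $f.FullName).Status
            $owner = (Get-Acl -LiteralPath $f.FullName).Owner
            $score = 0
            if ($sig -ne 'Valid')                    { $score += 2 }   # "Unsigned PE" in the report
            if ($owner -notmatch 'TrustedInstaller') { $score += 2 }   # OS binaries are typically TrustedInstaller-owned
            if ($f.Name -cmatch $namePattern)        { $score += 1 }   # -cmatch: case-sensitive on purpose
            if ($score -lt $MinScore) { continue }

            [pscustomobject]@{
                Path      = $f.FullName
                Created   = $f.CreationTime
                Owner     = $owner
                Signature = $sig
                Score     = $score
                # Hash only the survivors; compare against the file list in this report.
                SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

Get-DroppedPeCandidate | Sort-Object Score, Created -Descending | Format-Table -AutoSize
```

The naming regex is specific to this report and acts as a tie-breaker only. Catalog-signed OS binaries can report NotSigned on older Windows builds, which is why the owner and creation-time signals carry equal weight; a file that scores on all three deserves a hash lookup against the file list on this page and a check for the matching SSODL and CLSID registrations.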
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Baicac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afmhck32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agglboim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdehlk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgddhf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mnebeogl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nlaegk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afoeiklb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgimcebb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oncofm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojllan32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofcmfodb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcijeb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcppfaka.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjfaeh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojgbfocc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nljofl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofnckp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olhlhjpd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anmjcieo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Menjdbgj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mpablkhc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njnpppkn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odmgcgbi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Meiaib32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bagflcje.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oqhacgdh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nckndeni.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdifoehl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgioqq32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll" | C:\Windows\SysWOW64\Pdkcde32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfdodjhm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll" | C:\Windows\SysWOW64\Njqmepik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojgbfocc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ocpgod32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pdkcde32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll" | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll" | C:\Windows\SysWOW64\Qnhahj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll" | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll" | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ocgmpccl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll" | C:\Windows\SysWOW64\Mplhql32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Migjoaaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pqbdjfln.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll" | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pgioqq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll" | C:\Windows\SysWOW64\Pgioqq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pncgmkmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pcppfaka.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mlopkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll" | C:\Windows\SysWOW64\Mdehlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll" | C:\Windows\SysWOW64\Ogbipa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll" | C:\Windows\SysWOW64\Pcbmka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll" | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pcijeb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pdifoehl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Baicac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll" | C:\Windows\SysWOW64\Ognpebpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmoahijl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll" | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" | C:\Windows\SysWOW64\Acqimo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Migjoaaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Odmgcgbi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll" | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll" | C:\Windows\SysWOW64\Afoeiklb.exe | N/A |
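The rows above are one persistence mechanism seen from many angles: a ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and that CLSID's InProcServer32 default is rewritten, by one dropped executable after another, to a freshly dropped DLL under SysWOW64. Because Explorer instantiates every SSODL object at logon, whichever DLL the value points to last is loaded into explorer.exe at the next boot. The following Python script is an added example, not part of the sandbox report: it parses rows in the report's own "| Description | Indicator | Process | Target |" layout (a constructed sample copied from the rows above, plus two constructed control rows) and joins the SSODL value to every InProcServer32 DLL written for its CLSID, so the full IoC set (CLSID, DLL paths, writer processes) can be pulled out of a long event list. Any legitimately installed in-process server has a single InProcServer32 path, so several distinct paths for one CLSID are flagged as a rewrite.

```python
"""Rebuild the SSODL -> CLSID -> InProcServer32 persistence chain from sandbox registry rows.

Added example, not part of the sandbox report. It reads rows in the report's
own '| Description | Indicator | Process | Target |' layout and joins the
ShellServiceObjectDelayLoad value to every DLL written as the InProcServer32
default of the CLSID it names.
"""
import re
from collections import defaultdict

# Constructed sample input: the first five rows are copied from the report's
# registry table; the last two are constructed control rows (an unrelated CLSID
# written by explorer.exe, and the bare SSODL key creation) that must not join.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lppkgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll" | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll" | C:\Windows\SysWOW64\Qnhahj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32\ = "C:\\Windows\\System32\\unrelated.dll" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhdcbjal.exe | N/A |
"""

# One four-column table row; cells never contain a pipe in this report format.
ROW_RE = re.compile(
    r"^\|\s*(?P<op>[^|]*?)\s*\|\s*(?P<indicator>[^|]*?)\s*\|\s*(?P<process>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|\s*$"
)
# A key path ending in \CLSID\{GUID}\InProcServer32; captures the braced GUID.
CLSID_INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$", re.IGNORECASE)
SSODL_SUFFIX = "\\shellserviceobjectdelayload"


def split_indicator(indicator):
    """Split 'key\\name = "data"' into (key, name, data).

    Key-only rows ('Key created') return (key, None, None). A trailing
    backslash before ' = ' is the key's default value, reported as name ''.
    The sandbox escapes backslashes inside quoted data; they are collapsed.
    """
    if " = " not in indicator:
        return indicator, None, None
    path, _, data = indicator.partition(" = ")
    data = data.strip().strip('"').replace("\\\\", "\\")
    key, _, name = path.rpartition("\\")
    return key, name, data


def analyse(rows_text):
    """Return one chain per SSODL value: its CLSID, the DLLs registered for that
    CLSID, the threading models set, and every process that touched either side."""
    ssodl = {}
    inproc = defaultdict(lambda: {"dlls": set(), "threading": set(), "writers": set()})
    for line in rows_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, name, data = split_indicator(m["indicator"])
        proc = m["process"]
        if key.lower().endswith(SSODL_SUFFIX):
            if name:  # a named value whose data is the CLSID Explorer will instantiate
                ssodl.setdefault(name, {"clsid": data, "writers": set()})["writers"].add(proc)
            continue
        cm = CLSID_INPROC_RE.search(key)
        if not cm:
            continue
        entry = inproc[cm.group(1).upper()]
        entry["writers"].add(proc)
        if name == "":
            entry["dlls"].add(data)
        elif name and name.lower() == "threadingmodel":
            entry["threading"].add(data)
    chains = []
    for name, e in ssodl.items():
        target = inproc.get(e["clsid"].upper(), {"dlls": set(), "threading": set(), "writers": set()})
        chains.append({
            "ssodl_value": name,
            "clsid": e["clsid"],
            "dlls": sorted(target["dlls"]),
            "threading": sorted(target["threading"]),
            "writers": sorted(e["writers"] | target["writers"]),
            # One CLSID normally has one InProcServer32 path; more than one means rewrites.
            "rewritten": len(target["dlls"]) > 1,
        })
    return chains


if __name__ == "__main__":
    for chain in analyse(SAMPLE_ROWS):
        print(f"SSODL '{chain['ssodl_value']}' -> {chain['clsid']} rewritten={chain['rewritten']}")
        for dll in chain["dlls"]:
            print("  InProcServer32:", dll)
        print("  writers:", ", ".join(chain["writers"]))
```

Run against the complete registry table rather than the sample and the writer list becomes the set of dropped executables that participate in the persistence chain, which is a more useful triage list than the process tree alone; on a live host the same join is done by reading the SSODL key and the CLSID's InProcServer32 value under both the native and Wow6432Node views.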
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe
"C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe"
C:\Windows\SysWOW64\Lingibiq.exe
C:\Windows\system32\Lingibiq.exe
C:\Windows\SysWOW64\Lllcen32.exe
C:\Windows\system32\Lllcen32.exe
C:\Windows\SysWOW64\Lphoelqn.exe
C:\Windows\system32\Lphoelqn.exe
C:\Windows\SysWOW64\Medgncoe.exe
C:\Windows\system32\Medgncoe.exe
C:\Windows\SysWOW64\Mlopkm32.exe
C:\Windows\system32\Mlopkm32.exe
C:\Windows\SysWOW64\Mdehlk32.exe
C:\Windows\system32\Mdehlk32.exe
C:\Windows\SysWOW64\Mgddhf32.exe
C:\Windows\system32\Mgddhf32.exe
C:\Windows\SysWOW64\Mibpda32.exe
C:\Windows\system32\Mibpda32.exe
C:\Windows\SysWOW64\Mplhql32.exe
C:\Windows\system32\Mplhql32.exe
C:\Windows\SysWOW64\Mckemg32.exe
C:\Windows\system32\Mckemg32.exe
C:\Windows\SysWOW64\Meiaib32.exe
C:\Windows\system32\Meiaib32.exe
C:\Windows\SysWOW64\Mmpijp32.exe
C:\Windows\system32\Mmpijp32.exe
C:\Windows\SysWOW64\Mpoefk32.exe
C:\Windows\system32\Mpoefk32.exe
C:\Windows\SysWOW64\Mgimcebb.exe
C:\Windows\system32\Mgimcebb.exe
C:\Windows\SysWOW64\Migjoaaf.exe
C:\Windows\system32\Migjoaaf.exe
C:\Windows\SysWOW64\Mpablkhc.exe
C:\Windows\system32\Mpablkhc.exe
C:\Windows\SysWOW64\Mcpnhfhf.exe
C:\Windows\system32\Mcpnhfhf.exe
C:\Windows\SysWOW64\Menjdbgj.exe
C:\Windows\system32\Menjdbgj.exe
C:\Windows\SysWOW64\Mnebeogl.exe
C:\Windows\system32\Mnebeogl.exe
C:\Windows\SysWOW64\Npcoakfp.exe
C:\Windows\system32\Npcoakfp.exe
C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe
C:\Windows\SysWOW64\Nilcjp32.exe
C:\Windows\system32\Nilcjp32.exe
C:\Windows\SysWOW64\Nljofl32.exe
C:\Windows\system32\Nljofl32.exe
C:\Windows\SysWOW64\Ncdgcf32.exe
C:\Windows\system32\Ncdgcf32.exe
C:\Windows\SysWOW64\Njnpppkn.exe
C:\Windows\system32\Njnpppkn.exe
C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
C:\Windows\SysWOW64\Ngbpidjh.exe
C:\Windows\system32\Ngbpidjh.exe
C:\Windows\SysWOW64\Njqmepik.exe
C:\Windows\system32\Njqmepik.exe
C:\Windows\SysWOW64\Nnlhfn32.exe
C:\Windows\system32\Nnlhfn32.exe
C:\Windows\SysWOW64\Ndfqbhia.exe
C:\Windows\system32\Ndfqbhia.exe
C:\Windows\SysWOW64\Njciko32.exe
C:\Windows\system32\Njciko32.exe
C:\Windows\SysWOW64\Nlaegk32.exe
C:\Windows\system32\Nlaegk32.exe
C:\Windows\SysWOW64\Npmagine.exe
C:\Windows\system32\Npmagine.exe
C:\Windows\SysWOW64\Nckndeni.exe
C:\Windows\system32\Nckndeni.exe
C:\Windows\SysWOW64\Nggjdc32.exe
C:\Windows\system32\Nggjdc32.exe
C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
C:\Windows\SysWOW64\Oponmilc.exe
C:\Windows\system32\Oponmilc.exe
C:\Windows\SysWOW64\Ogifjcdp.exe
C:\Windows\system32\Ogifjcdp.exe
C:\Windows\SysWOW64\Ojgbfocc.exe
C:\Windows\system32\Ojgbfocc.exe
C:\Windows\SysWOW64\Oncofm32.exe
C:\Windows\system32\Oncofm32.exe
C:\Windows\SysWOW64\Odmgcgbi.exe
C:\Windows\system32\Odmgcgbi.exe
C:\Windows\SysWOW64\Ocpgod32.exe
C:\Windows\system32\Ocpgod32.exe
C:\Windows\SysWOW64\Ofnckp32.exe
C:\Windows\system32\Ofnckp32.exe
C:\Windows\SysWOW64\Olhlhjpd.exe
C:\Windows\system32\Olhlhjpd.exe
C:\Windows\SysWOW64\Odocigqg.exe
C:\Windows\system32\Odocigqg.exe
C:\Windows\SysWOW64\Ognpebpj.exe
C:\Windows\system32\Ognpebpj.exe
C:\Windows\SysWOW64\Ojllan32.exe
C:\Windows\system32\Ojllan32.exe
C:\Windows\SysWOW64\Olkhmi32.exe
C:\Windows\system32\Olkhmi32.exe
C:\Windows\SysWOW64\Odapnf32.exe
C:\Windows\system32\Odapnf32.exe
C:\Windows\SysWOW64\Ogpmjb32.exe
C:\Windows\system32\Ogpmjb32.exe
C:\Windows\SysWOW64\Ofcmfodb.exe
C:\Windows\system32\Ofcmfodb.exe
C:\Windows\SysWOW64\Onjegled.exe
C:\Windows\system32\Onjegled.exe
C:\Windows\SysWOW64\Oqhacgdh.exe
C:\Windows\system32\Oqhacgdh.exe
C:\Windows\SysWOW64\Ocgmpccl.exe
C:\Windows\system32\Ocgmpccl.exe
C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\system32\Ogbipa32.exe
C:\Windows\SysWOW64\Ojaelm32.exe
C:\Windows\system32\Ojaelm32.exe
C:\Windows\SysWOW64\Pmoahijl.exe
C:\Windows\system32\Pmoahijl.exe
C:\Windows\SysWOW64\Pqknig32.exe
C:\Windows\system32\Pqknig32.exe
C:\Windows\SysWOW64\Pcijeb32.exe
C:\Windows\system32\Pcijeb32.exe
C:\Windows\SysWOW64\Pjcbbmif.exe
C:\Windows\system32\Pjcbbmif.exe
C:\Windows\SysWOW64\Pmannhhj.exe
C:\Windows\system32\Pmannhhj.exe
C:\Windows\SysWOW64\Pdifoehl.exe
C:\Windows\system32\Pdifoehl.exe
C:\Windows\SysWOW64\Pggbkagp.exe
C:\Windows\system32\Pggbkagp.exe
C:\Windows\SysWOW64\Pjeoglgc.exe
C:\Windows\system32\Pjeoglgc.exe
C:\Windows\SysWOW64\Pmdkch32.exe
C:\Windows\system32\Pmdkch32.exe
C:\Windows\SysWOW64\Pdkcde32.exe
C:\Windows\system32\Pdkcde32.exe
C:\Windows\SysWOW64\Pgioqq32.exe
C:\Windows\system32\Pgioqq32.exe
C:\Windows\SysWOW64\Pncgmkmj.exe
C:\Windows\system32\Pncgmkmj.exe
C:\Windows\SysWOW64\Pqbdjfln.exe
C:\Windows\system32\Pqbdjfln.exe
C:\Windows\SysWOW64\Pcppfaka.exe
C:\Windows\system32\Pcppfaka.exe
C:\Windows\SysWOW64\Pnfdcjkg.exe
C:\Windows\system32\Pnfdcjkg.exe
C:\Windows\SysWOW64\Pcbmka32.exe
C:\Windows\system32\Pcbmka32.exe
C:\Windows\SysWOW64\Pfaigm32.exe
C:\Windows\system32\Pfaigm32.exe
C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\system32\Qnhahj32.exe
C:\Windows\SysWOW64\Qdbiedpa.exe
C:\Windows\system32\Qdbiedpa.exe
C:\Windows\SysWOW64\Qgqeappe.exe
C:\Windows\system32\Qgqeappe.exe
C:\Windows\SysWOW64\Qjoankoi.exe
C:\Windows\system32\Qjoankoi.exe
C:\Windows\SysWOW64\Qqijje32.exe
C:\Windows\system32\Qqijje32.exe
C:\Windows\SysWOW64\Qcgffqei.exe
C:\Windows\system32\Qcgffqei.exe
C:\Windows\SysWOW64\Ajanck32.exe
C:\Windows\system32\Ajanck32.exe
C:\Windows\SysWOW64\Anmjcieo.exe
C:\Windows\system32\Anmjcieo.exe
C:\Windows\SysWOW64\Ageolo32.exe
C:\Windows\system32\Ageolo32.exe
C:\Windows\SysWOW64\Anogiicl.exe
C:\Windows\system32\Anogiicl.exe
C:\Windows\SysWOW64\Aqncedbp.exe
C:\Windows\system32\Aqncedbp.exe
C:\Windows\SysWOW64\Agglboim.exe
C:\Windows\system32\Agglboim.exe
C:\Windows\SysWOW64\Aeklkchg.exe
C:\Windows\system32\Aeklkchg.exe
C:\Windows\SysWOW64\Afmhck32.exe
C:\Windows\system32\Afmhck32.exe
C:\Windows\SysWOW64\Acqimo32.exe
C:\Windows\system32\Acqimo32.exe
C:\Windows\SysWOW64\Afoeiklb.exe
C:\Windows\system32\Afoeiklb.exe
C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\system32\Ajkaii32.exe
C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
C:\Windows\SysWOW64\Agoabn32.exe
C:\Windows\system32\Agoabn32.exe
C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
C:\Windows\SysWOW64\Bnhjohkb.exe
C:\Windows\system32\Bnhjohkb.exe
C:\Windows\SysWOW64\Bagflcje.exe
C:\Windows\system32\Bagflcje.exe
C:\Windows\SysWOW64\Bcebhoii.exe
C:\Windows\system32\Bcebhoii.exe
C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\system32\Bfdodjhm.exe
C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
C:\Windows\SysWOW64\Bmngqdpj.exe
C:\Windows\system32\Bmngqdpj.exe
C:\Windows\SysWOW64\Baicac32.exe
C:\Windows\system32\Baicac32.exe
C:\Windows\SysWOW64\Bchomn32.exe
C:\Windows\system32\Bchomn32.exe
C:\Windows\SysWOW64\Bffkij32.exe
C:\Windows\system32\Bffkij32.exe
C:\Windows\SysWOW64\Bjagjhnc.exe
C:\Windows\system32\Bjagjhnc.exe
C:\Windows\SysWOW64\Bmpcfdmg.exe
C:\Windows\system32\Bmpcfdmg.exe
C:\Windows\SysWOW64\Bfhhoi32.exe
C:\Windows\system32\Bfhhoi32.exe
C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Bclhhnca.exe
C:\Windows\system32\Bclhhnca.exe
C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
C:\Windows\SysWOW64\Bjfaeh32.exe
C:\Windows\system32\Bjfaeh32.exe
C:\Windows\SysWOW64\Bnbmefbg.exe
C:\Windows\system32\Bnbmefbg.exe
C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
C:\Windows\SysWOW64\Chjaol32.exe
C:\Windows\system32\Chjaol32.exe
C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
C:\Windows\SysWOW64\Cabfga32.exe
C:\Windows\system32\Cabfga32.exe
C:\Windows\SysWOW64\Cenahpha.exe
C:\Windows\system32\Cenahpha.exe
C:\Windows\SysWOW64\Cdabcm32.exe
C:\Windows\system32\Cdabcm32.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
C:\Windows\SysWOW64\Cjkjpgfi.exe
C:\Windows\system32\Cjkjpgfi.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe
C:\Windows\SysWOW64\Cdcoim32.exe
C:\Windows\system32\Cdcoim32.exe
C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe
C:\Windows\SysWOW64\Cjmgfgdf.exe
C:\Windows\system32\Cjmgfgdf.exe
C:\Windows\SysWOW64\Cmlcbbcj.exe
C:\Windows\system32\Cmlcbbcj.exe
C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\system32\Cdfkolkf.exe
C:\Windows\SysWOW64\Cfdhkhjj.exe
C:\Windows\system32\Cfdhkhjj.exe
C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
C:\Windows\SysWOW64\Cmnpgb32.exe
C:\Windows\system32\Cmnpgb32.exe
C:\Windows\SysWOW64\Ceehho32.exe
C:\Windows\system32\Ceehho32.exe
C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe
C:\Windows\SysWOW64\Cmqmma32.exe
C:\Windows\system32\Cmqmma32.exe
C:\Windows\SysWOW64\Cegdnopg.exe
C:\Windows\system32\Cegdnopg.exe
C:\Windows\SysWOW64\Dhfajjoj.exe
C:\Windows\system32\Dhfajjoj.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Djdmffnn.exe
C:\Windows\system32\Djdmffnn.exe
C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\system32\Ddmaok32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Djgjlelk.exe
C:\Windows\system32\Djgjlelk.exe
C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
C:\Windows\SysWOW64\Dfnjafap.exe
C:\Windows\system32\Dfnjafap.exe
C:\Windows\SysWOW64\Dhmgki32.exe
C:\Windows\system32\Dhmgki32.exe
C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
C:\Windows\SysWOW64\Deagdn32.exe
C:\Windows\system32\Deagdn32.exe
C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7112 -ip 7112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 396
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3208-0-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Lingibiq.exe
| MD5 | 00959d2d793bfd723e1482b6ffd5e59c |
| SHA1 | c5bdfd553ed41a283a60fcf437bd16231cdd9593 |
| SHA256 | 3f490cb5a51f6df61318cf4a03a1a25a1532921b86d1aaa92a9770287a715701 |
| SHA512 | 18a03831412d45b16d5085b3fd3a959905204f65768ff15ec65cc49b98b10e29d3d9e2c0a8ae4446bea679f5bce6f432e72b0a27a0acbffdacf77a2dfd24ec12 |
memory/4756-7-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Lllcen32.exe
| MD5 | 9f091a457582d5e165cdd12e30f1c3d7 |
| SHA1 | f024a26fef45c9050f234a162e096f7b875dd0d6 |
| SHA256 | fa9ea80af90a1807b8a85207cc405e76fd64082a5bb93a0ed3e5e3240cec953f |
| SHA512 | 5549dd99d6b7779e0f3f2e6e5f2bca69f5ef2e962c36f814188c51326bddd54792399f9aff13cffb04529ad22c3b99a50fc68dec39b909ea19c9a42af0cb8ecb |
memory/3320-15-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Lphoelqn.exe
| MD5 | 8a0e252df92de3da69a3a9010b0f98db |
| SHA1 | 02d4cbfa7d193172d070b97021abaeff46dc271a |
| SHA256 | 4f42c5aa7beca99fc6be14ce6522d5a166d3da5db294bbc04c48f179c1801f3a |
| SHA512 | 8506b6149a13ca91ee2a7159d79b87365bb1ada686ceb58a3306253c4a563a1a063fae43588051b5c1f43b4449ee701e4a0f9572538577277826775f556cb315 |
memory/3780-23-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Medgncoe.exe
| MD5 | b67348e2901f2ee54edee9a634e1af6e |
| SHA1 | d0559b7b98d04dcbcd9542c76bb9141e5b7d159e |
| SHA256 | 0bdd903bd5219bf45284f447af55f74d520a503b55753bde898514383ba16048 |
| SHA512 | 721834ddbe69ab231066bfc951587fe773eacd6395721ac85a5c0f096a14eac037cbdd535c432e8f81f8d6c19f4a193b767c2246902d2388481f3a0416ba06ee |
memory/2656-31-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mlopkm32.exe
| MD5 | 9c2a28b46bf45f877fd0734af01bf589 |
| SHA1 | 8ec3d009078df6da46dcb7d983297df57775aec8 |
| SHA256 | 96976049de59f8d1ec0b0b7c71a1b4f9f3152672e0a539f3624f788f29b57fd0 |
| SHA512 | f56c10865c4c352bb50ff807dffeccc3443fa8c043153b4faaa59eeead04eda2f2a791a2ee8f0be1e4dee58fc55030327834c5633925d43791734c258480c8f8 |
memory/1900-39-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mdehlk32.exe
| MD5 | c8e1c51b77240c1466323a54040f1988 |
| SHA1 | 420be7996be18ca41fde5ab2f66c193264e8169b |
| SHA256 | 636ac3bba17768eab0551966c95b20d6a20d9e1689370dca63195c8d0e445a1a |
| SHA512 | f5ffeb80b85f1a9301bcfcec2c60fe8a54f3e74aed9cb2e9d64e51006380c02cdad06c3aa6cbc6a67d0e380b69517cdeaf7b5ed4db352c6e7b4cb77195f9a3f9 |
memory/2176-47-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mgddhf32.exe
| MD5 | 79f468011458f90e7c8b70ee32cc9e00 |
| SHA1 | 5d19360c81c6fa1077df5971d3c83f6edfa9385a |
| SHA256 | c422a94bb15ce27a72907b2544ed62cc7be7c5e73dfedc04b77a5e3e1723178d |
| SHA512 | c9328dd520f2cb88c14f46dc5fb586937bc5a7afcbd1c03f1dc7a125a699107261a3976f21da8e60fb3206ec22d37046e59bfe6bf5c0b2e826dfc658a205cb29 |
memory/4824-55-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mibpda32.exe
| MD5 | d9a47931165cce5c9c5f728e9eb7d8d7 |
| SHA1 | 2f21bc1d9522a1e8c045896feb285bd406b8e2fb |
| SHA256 | ffd6a49de76c7ca72663fdf3fe4f6aa8ba96fa5f1eef295d7ec98a198754aeac |
| SHA512 | d440fcc9987684ee8125b391735c899ba67a2184202cdce12a2c00fe40c3ab8fe9fee6b09365843c7a39abb849f0f1c1d21255f7a4edbdda377340d0f1528574 |
memory/1792-63-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mplhql32.exe
| MD5 | 9cedf4adb56de4edb8ea5f61e9aac342 |
| SHA1 | a00da68c01db8941362716d45fea825080d52558 |
| SHA256 | fb181b6af9f364df2cf09abe1d982c7efd66abef69422751cc096e82d6f64c0b |
| SHA512 | cb6690ae13203ceb1168d6aaa65e15a4cbdf53e3c21f497e648b82a479f67c185e16324f723ae8f36ca9525fcc34d845f281263736de626425a9c11eb07f4c00 |
memory/4944-72-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mckemg32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Mckemg32.exe
| MD5 | 41f3d0b347ef16dad269fca5bd1be2a3 |
| SHA1 | 189a434527d95a3d2cd9bafbed82ab132dbd8e30 |
| SHA256 | b5bb0c1baed8211b5040da62fe6d0fc29e8932e7a92c6497b2c4924953f812ac |
| SHA512 | 744ac5f6b728596fdde6f946e9c7d805225354ca14469c46eaf10f384a9b11510781ba24c8ecbd16e49d70930159f10aa6ad4ba6b0c405b448ead0a81ae366af |
memory/1604-80-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Meiaib32.exe
| MD5 | 5160c149f7487f4a764fa3cabb7894ef |
| SHA1 | 522db8eb8f92073e80d68c8075e18a1b1b6c3623 |
| SHA256 | cef81c16ebf4de67bc1fecf6fcc3ef379cdb890a16ae1c919fceb63bcac4ab5b |
| SHA512 | 3078cb9a67cf5866a39255fdd440f53c64bfc0665bc109068e842f515333ecf6c102f39863ebca270d404492b4958869768623786ce8e50f95ec2ebadbab638a |
memory/3096-88-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mmpijp32.exe
| MD5 | 0228c6bd8bb9af612989ed719e92ed4f |
| SHA1 | d219c892e0d915a0e2e561d952c103d7ceda6097 |
| SHA256 | e477b16c69243c4df6bcc714efb43900429358bc30eb9b119a264951fcfdaeaa |
| SHA512 | ff6118440e958a5cd8869b56b05562ad01164b2c2d896e666221d636134845c67fd322c0e6ecbbde011a47adbdadd28f99e930f75ba282e5a0eac4f229942631 |
memory/4584-96-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mpoefk32.exe
| MD5 | a9669157cf58ecc863f0f977989af7a0 |
| SHA1 | 1a4f3203450d190410411509c154f0adcc0aeb1a |
| SHA256 | 4148fd323b6846123a2654370c1326518f8063434d69405aaabc8ac7b274a59b |
| SHA512 | 7fb9d1767d32dfff4f36c7ae03e0b395db03b4c1e32106c6beb1d15265a8fc4d3ee36ec1fea704870a91fd646eca802a00007fab8ce28154a55dede8a647757f |
memory/2348-103-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mgimcebb.exe
| MD5 | bf6eac01400b1791c48402e847ca65a9 |
| SHA1 | 30f22792fe9f47cd87f91e898d5d38e80dfaed84 |
| SHA256 | c54ad5958ab5b5aa2180e281f08b636eaf6ae4eee26aa7271ee008e13a5584db |
| SHA512 | 9bc64b967596cb7a99494b2ddaf096266c0175c1924afee15b3e9738cc895d08701d4f007aa34683cd7bb843dff26ecb0477aa6897b25baa6adf393d303478cd |
memory/380-111-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Migjoaaf.exe
| MD5 | bb8c3489e637fb116f447c282efce680 |
| SHA1 | f80fe6be77933315b0f0c87325f6184a42a46998 |
| SHA256 | 4d78ee227ad6d5095efdf0b0d4b76a6d4cafa9c866f0e65e74a2a0361fd83107 |
| SHA512 | 777e57a3e62246c7682dab6b5f4dbe9db31eaf7036cecb18f0111247cbd0511d18dc9697f7d60c0b2e9b37475a5e0ad3a734736837d14ea38d3ab09ead358754 |
memory/1220-119-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mpablkhc.exe
| MD5 | 0b6b0f0d3a41c370c49362d746394709 |
| SHA1 | a52612c37703f793421312b50c04eded29b34624 |
| SHA256 | d67e4a04a455fd7b319b8170ff1badb460b1c976511316c839e3cf95fba9d18d |
| SHA512 | 62775d3f216c8987404c9fb330f9a49dc4db7f92e3452c4f7d664f51a70f1d5410e87b65712df7d71250b7c9fd247d5ebff160e389a45bd593175f4ccd0668e5 |
memory/2220-128-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mcpnhfhf.exe
| MD5 | 84ee3407b48abf81fcf7dafd27f65465 |
| SHA1 | 7692faee155077d7604e6f6f6981e9f5eba99ac4 |
| SHA256 | e93398b0bd02faa49bb4f3a4dede89b7cdc927c99bcc3f7bb0046b1b8d87b52f |
| SHA512 | b9dbb1dab44799ce7ce86f58c852417b7e324ea180571134fc23c2e2788ab550f8e7ffd39250bdc8d6dc02f62b6f9a513614620915ac1fa044320030af3abe1a |
memory/1672-136-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Menjdbgj.exe
| MD5 | 4b5eb9ddba8fe3043f7730850c8de17e |
| SHA1 | 0e575ac310d13b0f53bf686e5c5e673ca977a977 |
| SHA256 | a87f9c1b3f29157a40ff09a72240f7a9b28da779d3b55f4c904d8715650bdbbe |
| SHA512 | 4cc89e70c7ad75cd46bdf354236cf01d2be93c62f58e6b1f28ccfab80c0daaa620077687d465efaf48f6cdb7d7a5bf3e1ef1f3ef3b1b51a8f577456920c69d51 |
memory/3988-144-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Mnebeogl.exe
| MD5 | f6e52559263cbe0fbd31caaae3dbb4aa |
| SHA1 | 17c841a092fdacdf35c7c368da31367c8f277ade |
| SHA256 | 6660e3c68a23ed2baadc65d4d79bd5741f55450b2501517a22687545314641c1 |
| SHA512 | 5eeb1433c112d33802946d5b7f626f94385b8943114bd024645786d9bf4459e447042f562c8bab9757b9f889f2c8a8afd7c720734810f436756601e7836c0338 |
memory/3428-152-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Npcoakfp.exe
| MD5 | 94f05c18bf63ae9bd4e182e7e222b970 |
| SHA1 | 8bf86d810483c67167fea53bb810942e8ad1d197 |
| SHA256 | fde54ad1e100ee2d62a3baf1e80ba04fe8b3ad555f62df331d6779cc3e4729f5 |
| SHA512 | abe5eefac5a290ac1a16230b577f5610ca3d46696c51e8d1b79095e37bb9b70ba01ede9dd359387760ef289ce3f7604963bca63a6d32e74eb4fc5c612fc02f87 |
memory/2920-160-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4348-167-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Ngmgne32.exe
| MD5 | 9fc52989a4bb94d465afb126c04f8caf |
| SHA1 | 912f7485c1098d5b46bd75aebc731a17c269fc4c |
| SHA256 | d6b36b95a2730fd3f876d1dd4409c46019656630f3bc16dc0bfa2548c48579f0 |
| SHA512 | 26ba21e717cdc72edcc5cef591ee53eba75549d72d81f7dd39dfe565855498259b2623710fc82fd85fede48f02a3d0fe406cd8f714aa32b70c6e686a850d500a |
C:\Windows\SysWOW64\Nilcjp32.exe
| MD5 | 2220fdc3d30dcffcb0ee6edcb8b7c413 |
| SHA1 | 1e53a31d503eb143bf79d6f167baa9ee76203dad |
| SHA256 | d6824c45747e81f8bc59a218b577f216b3a1e276cf23497f471376a4595a8fab |
| SHA512 | 8e6051a28e2a17b4d9c137283fbbf1582092a7b95d8bc7a197497363cd935d88efde3ede3d7d8f670194874201b94cc504fe8cb9cd3768c8d18d01aa36a39a16 |
memory/2468-175-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Nljofl32.exe
| MD5 | 1de84523bf6dff39e3c9912b8dc061cd |
| SHA1 | 2cd4f21d2e03d64d14404f7e2bc650374a0ea39f |
| SHA256 | 5b98bee81dcae8db89d0370ac21283fe11250a85f08a4228854d61556875550e |
| SHA512 | 5af491bed92670ea50e979f425cf8e860b09dc8708c79aaf8d6ae72b9f57aa00644f2011ff4eb8471863a37cb2176a0a41b49b562ec988fa92d31b1648d0bfd6 |
memory/2636-183-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Ncdgcf32.exe
| MD5 | 8c814ffd246eb3c24a7e2fbe39e65426 |
| SHA1 | 8798e1da4ae667f83aecf4c3420891990ebc665f |
| SHA256 | 1cc62f860f939bd6332313283ad0a89b426d88f71cd39c0b28cf2a4a1e22462d |
| SHA512 | 451b114a544505d404e6e8097b6e00438aec5be462950c5576392df7aa0115afa86938e5609c514f7ad136e6d79b3e92b96640eaba5a8bf96722a5c9a05914ef |
memory/1492-191-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Njnpppkn.exe
| MD5 | 853861ad9ef363b6c7c1c2450dab1a9d |
| SHA1 | fbebda6798bbe0711a79aa80f295771705d3aca5 |
| SHA256 | 6ed6a6e01ce813b0081556586c1ab3201d2e00e79b72c4fbc62ba24786c4fcf0 |
| SHA512 | 8d19467fe3f8fa892f9447848b3b48d793bf36e309f02f3a3bce12cdb28882b1f7985e759e5d5ef326807a1862634246b4133ef6706b76fb92416432267e8440 |
memory/1572-199-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Ndcdmikd.exe
| MD5 | fd4d10bfba70de1a0ac91f4865abca83 |
| SHA1 | 65a11ddee0f106ca1429474321c24dcb913e4857 |
| SHA256 | ef638df4d0c1a9687cfe3ed30cc7d6b6393d47a5eec7c08bc5cffb77d88df4f8 |
| SHA512 | 88e49e22d93bf62397c73e2800980a9ac7db4f5b5f27369598076c66b948093f497a0dd97cb15f6ed7884652a7ddb5c84475ffa6bd67fac1364ac7f8c19d0f74 |
memory/4820-207-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Ngbpidjh.exe
| MD5 | 3eb13c71e7fc102288e505126de9f305 |
| SHA1 | f6a7ae1c5e4ffd9bfa9dfdbf46d350b7a9b2ab08 |
| SHA256 | 73da358b9b685f972a157b25dc9ee2eb6d6d0f539d9d5d9694d460b97e5fa5c4 |
| SHA512 | 8af3acf52be6d081acb9514147f8c5c03bb0b2aa26f71bd63a59f7dd2e20b6a65cd95e6821e72a705d47deb2856b78da5fc4509286d2be78259cf85629a818c4 |
memory/3556-215-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Njqmepik.exe
| MD5 | 8e03c80eff788161e17716ddaeeea070 |
| SHA1 | e0ef9e50b471b9c32b5dee27d81156b3243c00b7 |
| SHA256 | 6d2233c3987fd56c77d0eb9cc4e2b8235cf73043575bd883e3228c3ca95180db |
| SHA512 | 51d2d6c63229c82022f5e72d41c4b3bc477d51d02456fbab78b1241e92fc7f136fae096bb1bb3a10708727094c6a855e582f3dbd0305acf1be53ee34ed45656f |
C:\Windows\SysWOW64\Nnlhfn32.exe
| MD5 | 6c099e00c6ccdec63c04157edc75d27b |
| SHA1 | 0bc7217daa2dac469d6758e1c024a7acf0eacd97 |
| SHA256 | 763fc2847d35e1bd31356989ba245ba518435513dc404bd9b070a5b366744f5b |
| SHA512 | 798c06e824b7c77a6a7b17d20bc1acd548c2b07c4330b1bd74495cae2e0516832d08dbeee70fbff533473dc48066cdbdd75d7a1093ffc076604d8341903fecb4 |
memory/4916-232-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2280-229-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Ndfqbhia.exe
| MD5 | eb79851d2dd805a0c5fd8127ff6b200d |
| SHA1 | ecce518a5e6a63ea117cf4438cc214136df2a88d |
| SHA256 | f87d1af4e6083cc117d20abf5d544e4a50cc3652eb00f037a7fc2f7244f02179 |
| SHA512 | 1a8e253583f619c843bb4b77d58ea6e4f2b9d142d5d0015488f12c7a03fb2f749f57eb0605369fe6eba727c603ff078f9fcf8fd80657f1d806022ab68e34f8dc |
memory/3180-239-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Njciko32.exe
| MD5 | be71514ef85b6375205b75ed86b696ce |
| SHA1 | 8998ed2711544a06d458bcaf7f0936f882b6962f |
| SHA256 | d486839307e2ce194561559c03f628be4587241628ff55956f7620b21f8b1cb8 |
| SHA512 | 6a97fc8827270837e1892ffe0c8edcb5bb60ea6696ce02758d077d6db38b65097433b8fe55de142f5dbae80ee6055543849d40fe7bd42bcdd0c683e2f916ab4e |
memory/4356-253-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Nlaegk32.exe
| MD5 | 3c95c460e20474a2ff630baff0fee4e3 |
| SHA1 | d2aa9c221648b605b4d09664a047499d85801031 |
| SHA256 | 3a871db48aba66bb11de9762c215f27cccd9ef1e51e609e19fdcace444156515 |
| SHA512 | 686fda45a12c1d68babd498c27dac52d03b8bbf6f22a1f243cc2121cac693dc15b99053bfd6d69dd193b5cb00fd7140181fc9f9d7f6b81c065b4f40c12acf919 |
memory/2928-260-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Nggjdc32.exe
| MD5 | 6bb2ce6b6df17c804d98f4fd5ac336ea |
| SHA1 | fd91aa8cd6f91e968a799d85cb2a1e23da4b3323 |
| SHA256 | ef58147013c857c4f2593a2709cfbef24bec1dbf81bc53b152efda02cc528051 |
| SHA512 | 4a803ff2c22da9f2841b50bc95643d9df7a3969df3feeeeba8c0cb1b191db80435e51aa63cb2c9de10568b9dbd9b5338fb8d41cb19ff801aeefdafe484b2fbe8 |
memory/4148-268-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3820-266-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5008-279-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3152-285-0x0000000000400000-0x000000000043A000-memory.dmp
memory/464-291-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4396-297-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3936-303-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5056-309-0x0000000000400000-0x000000000043A000-memory.dmp
memory/452-315-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2804-321-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2660-327-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2580-333-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2544-339-0x0000000000400000-0x000000000043A000-memory.dmp
memory/976-345-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4520-351-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5088-362-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1948-363-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4760-369-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2464-375-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4840-381-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3080-392-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1376-398-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1188-405-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4772-410-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2364-416-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1288-422-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1232-428-0x0000000000400000-0x000000000043A000-memory.dmp
memory/456-434-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1116-440-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1476-451-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4648-461-0x0000000000400000-0x000000000043A000-memory.dmp
memory/320-463-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3644-469-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4264-475-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2304-481-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3620-487-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2524-493-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2668-499-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1420-505-0x0000000000400000-0x000000000043A000-memory.dmp
memory/432-511-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3332-517-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2640-523-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5048-529-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4572-535-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3208-541-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4628-542-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4756-548-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2556-549-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Ageolo32.exe
| MD5 | 1455c341770645c26dd69ef15e7d8624 |
| SHA1 | 8ba1804b5fd5e22ed6394229bb8df1a510799363 |
| SHA256 | 6fed6d741c2d395453a6e1113dffb608930e34d3da048269bcede523b63cba04 |
| SHA512 | 48a9520e3e4d2f146cc4c7343922cf6ce04f7afcd54164ebfd9ed9c9fa84a1e3c1c03800a4ac110357a0c9a6f63de11085a3be12a76593a1eb60b954fe51eac2 |
memory/3320-555-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3648-556-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3780-562-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1016-563-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2656-569-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5128-570-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5172-577-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1900-576-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5212-584-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2176-583-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5264-591-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4824-590-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1792-597-0x0000000000400000-0x000000000043A000-memory.dmp
memory/5308-598-0x0000000000400000-0x000000000043A000-memory.dmp
memory/4944-604-0x0000000000400000-0x000000000043A000-memory.dmp
C:\Windows\SysWOW64\Bmngqdpj.exe
| MD5 | 22512858137b218978239466c0419069 |
| SHA1 | 0d683557ecaf76412ab3ab603886079aa38f7a1d |
| SHA256 | 6d56d60e1d81e567d5c0e29e4959af4ae049920583bbb18c2e45aee6c7f4ef8a |
| SHA512 | 9f95542a121022e75ecfa49b7ae4ec0e30280292b5f8691706484dd98305a29f72da1ebbb98c82ebdc1f5f24576c9d1f8f88fb71f01dfd1b1812708371c9a6f3 |
C:\Windows\SysWOW64\Caebma32.exe
| MD5 | 8646e86181c0190ef7f4efe6be5b3500 |
| SHA1 | e45b4020dfc1074afe0dfaff8d78e61fd39b6fa1 |
| SHA256 | 84e97ee3f653a70fd615342e59983a6fb18e82f1d0b8b021c0b7e65fd980c9c3 |
| SHA512 | b9d4f60b2ea112e254cba80957226cd91d8e97fd9d63cbdda85dfe724da851de04b8e8ba8f411128e0811455f3bcc5e66f8182cf693f4daf6a85722e475c7cbd |
C:\Windows\SysWOW64\Dfnjafap.exe
| MD5 | c7628c6784f5ad7eeb78d6c12cc821cb |
| SHA1 | c24431d670e128d16c380d7ef65c312a202e0c4f |
| SHA256 | 516ac361212db38eb9ec20833619a8a2a1e479ca1afe3b80c1ce635a4715dd5b |
| SHA512 | 04b96eaefb240d47274369d76ae9d8f87ba6ce6f8e4b044990b5ea47166c9614c49d6ecf94a37a802af214a5019538084483d421acf1d81b0d6837054cec45e2 |
C:\Windows\SysWOW64\Dmllipeg.exe
| MD5 | 7ead560bf020b8510f2691c65fcbc44b |
| SHA1 | 3ee3655e32362b8cf4b0596629f2d13ae80660d0 |
| SHA256 | ecd8c9f0e3113f00c8bd5fd1143145f0afae58c3ab09e7359580f54df3656d3c |
| SHA512 | 41b77a1a4fd9dbdc4d7d9fd2f996964c68e53e132e4aec9b880dae632ff57dbb533af68069ad26027f43177fe8d2d050930b535d41205c2483ebdf97fb8511b8 |