Analysis Overview
SHA256
217fe9a2d54aa35f33750874cb5b645ff669b757d222fc5a1043fd53d1b0abf5
Threat Level: Known bad
The file e0342216680f7d78e977b5ebdde8ba70_NEIKI was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Malware Dropper & Backdoor - Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 03:33
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 03:33
Reported
2024-05-09 03:35
Platform
win7-20240508-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bpcbqk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjbmjplb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bpcbqk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgbdhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eloemi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Faokjpfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhfagipa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bommnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ealnephf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cllpkl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cckace32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkmmhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cckace32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hmlnoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dbpodagk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Efjcibje.dll | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| File created | C:\Windows\SysWOW64\Niifne32.dll | C:\Windows\SysWOW64\Cckace32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmafennb.exe | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbidmekh.dll | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| File created | C:\Windows\SysWOW64\Cllpkl32.exe | C:\Windows\SysWOW64\Cpeofk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjlanqkq.dll | C:\Windows\SysWOW64\Cpeofk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbelkc32.dll | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmbmkg32.dll | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmlnoc32.exe | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| File created | C:\Windows\SysWOW64\Polebcgg.dll | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjbmjplb.exe | C:\Windows\SysWOW64\Cgbdhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fphafl32.exe | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cckace32.exe | C:\Windows\SysWOW64\Cjbmjplb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djnpnc32.exe | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Lopekk32.dll | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekklaj32.exe | C:\Windows\SysWOW64\Eijcpoac.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Flmefm32.exe | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fiaeoang.exe | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkhcmgnl.exe | C:\Windows\SysWOW64\Dbpodagk.exe | N/A |
| File created | C:\Windows\SysWOW64\Djnpnc32.exe | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dchali32.exe | C:\Windows\SysWOW64\Dkmmhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ilknfn32.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eecqjpee.exe | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbniiffi.dll | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| File created | C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| File created | C:\Windows\SysWOW64\Pacebaej.dll | C:\Windows\SysWOW64\Bommnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bioggp32.dll | C:\Windows\SysWOW64\Cjbmjplb.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpmjak32.exe | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Enkece32.exe | C:\Windows\SysWOW64\Eecqjpee.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmcoja32.exe | C:\Windows\SysWOW64\Ealnephf.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmhfjo32.dll | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Epaogi32.exe | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gelppaof.exe | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| File created | C:\Windows\SysWOW64\Omabcb32.dll | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Bommnc32.exe | C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaqlckoi.dll | C:\Windows\SysWOW64\Cllpkl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Epaogi32.exe | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| File created | C:\Windows\SysWOW64\Eijcpoac.exe | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmlapp32.exe | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bommnc32.exe | C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpeofk32.exe | C:\Windows\SysWOW64\Bpcbqk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cllpkl32.exe | C:\Windows\SysWOW64\Cpeofk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmlapp32.exe | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\SysWOW64\Hgilchkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Qinopgfb.dll | C:\Windows\SysWOW64\Bhfagipa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\SysWOW64\Enkece32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Faagpp32.exe | C:\Windows\SysWOW64\Faokjpfd.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmjaic32.exe | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pfabenjd.dll | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hejoiedd.exe | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpocfncj.exe | C:\Windows\SysWOW64\Hiekid32.exe | N/A |
| File created | C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Faokjpfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll" | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bpcbqk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Flmefm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lilchoah.dll" | C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cllpkl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cckace32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dkmmhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgnljad.dll" | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll" | C:\Windows\SysWOW64\Hnojdcfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgbdhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" | C:\Windows\SysWOW64\Dkmmhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll" | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djnpnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dbpodagk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dkhcmgnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll" | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bpcbqk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epafjqck.dll" | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll" | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hjjddchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qinopgfb.dll" | C:\Windows\SysWOW64\Bhfagipa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cpeofk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll" | C:\Windows\SysWOW64\Enkece32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe | "C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe" |
| C:\Windows\SysWOW64\Bommnc32.exe | C:\Windows\system32\Bommnc32.exe |
| C:\Windows\SysWOW64\Bhfagipa.exe | C:\Windows\system32\Bhfagipa.exe |
| C:\Windows\SysWOW64\Bpcbqk32.exe | C:\Windows\system32\Bpcbqk32.exe |
| C:\Windows\SysWOW64\Cpeofk32.exe | C:\Windows\system32\Cpeofk32.exe |
| C:\Windows\SysWOW64\Cllpkl32.exe | C:\Windows\system32\Cllpkl32.exe |
| C:\Windows\SysWOW64\Cgbdhd32.exe | C:\Windows\system32\Cgbdhd32.exe |
| C:\Windows\SysWOW64\Cjbmjplb.exe | C:\Windows\system32\Cjbmjplb.exe |
| C:\Windows\SysWOW64\Cckace32.exe | C:\Windows\system32\Cckace32.exe |
| C:\Windows\SysWOW64\Dbpodagk.exe | C:\Windows\system32\Dbpodagk.exe |
| C:\Windows\SysWOW64\Dkhcmgnl.exe | C:\Windows\system32\Dkhcmgnl.exe |
| C:\Windows\SysWOW64\Djnpnc32.exe | C:\Windows\system32\Djnpnc32.exe |
| C:\Windows\SysWOW64\Dkmmhf32.exe | C:\Windows\system32\Dkmmhf32.exe |
| C:\Windows\SysWOW64\Dchali32.exe | C:\Windows\system32\Dchali32.exe |
| C:\Windows\SysWOW64\Dmafennb.exe | C:\Windows\system32\Dmafennb.exe |
| C:\Windows\SysWOW64\Epaogi32.exe | C:\Windows\system32\Epaogi32.exe |
| C:\Windows\SysWOW64\Eijcpoac.exe | C:\Windows\system32\Eijcpoac.exe |
| C:\Windows\SysWOW64\Ekklaj32.exe | C:\Windows\system32\Ekklaj32.exe |
| C:\Windows\SysWOW64\Eecqjpee.exe | C:\Windows\system32\Eecqjpee.exe |
| C:\Windows\SysWOW64\Enkece32.exe | C:\Windows\system32\Enkece32.exe |
| C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\system32\Eajaoq32.exe |
| C:\Windows\SysWOW64\Eloemi32.exe | C:\Windows\system32\Eloemi32.exe |
| C:\Windows\SysWOW64\Ealnephf.exe | C:\Windows\system32\Ealnephf.exe |
| C:\Windows\SysWOW64\Fmcoja32.exe | C:\Windows\system32\Fmcoja32.exe |
| C:\Windows\SysWOW64\Faokjpfd.exe | C:\Windows\system32\Faokjpfd.exe |
| C:\Windows\SysWOW64\Faagpp32.exe | C:\Windows\system32\Faagpp32.exe |
| C:\Windows\SysWOW64\Fdoclk32.exe | C:\Windows\system32\Fdoclk32.exe |
| C:\Windows\SysWOW64\Facdeo32.exe | C:\Windows\system32\Facdeo32.exe |
| C:\Windows\SysWOW64\Fdapak32.exe | C:\Windows\system32\Fdapak32.exe |
| C:\Windows\SysWOW64\Flmefm32.exe | C:\Windows\system32\Flmefm32.exe |
| C:\Windows\SysWOW64\Fphafl32.exe | C:\Windows\system32\Fphafl32.exe |
| C:\Windows\SysWOW64\Fiaeoang.exe | C:\Windows\system32\Fiaeoang.exe |
| C:\Windows\SysWOW64\Fmlapp32.exe | C:\Windows\system32\Fmlapp32.exe |
| C:\Windows\SysWOW64\Gpmjak32.exe | C:\Windows\system32\Gpmjak32.exe |
| C:\Windows\SysWOW64\Gbkgnfbd.exe | C:\Windows\system32\Gbkgnfbd.exe |
| C:\Windows\SysWOW64\Gelppaof.exe | C:\Windows\system32\Gelppaof.exe |
| C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\system32\Glfhll32.exe |
| C:\Windows\SysWOW64\Ghmiam32.exe | C:\Windows\system32\Ghmiam32.exe |
| C:\Windows\SysWOW64\Gmjaic32.exe | C:\Windows\system32\Gmjaic32.exe |
| C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\system32\Gddifnbk.exe |
| C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\system32\Hiqbndpb.exe |
| C:\Windows\SysWOW64\Hmlnoc32.exe | C:\Windows\system32\Hmlnoc32.exe |
| C:\Windows\SysWOW64\Hnojdcfi.exe | C:\Windows\system32\Hnojdcfi.exe |
| C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\system32\Hpmgqnfl.exe |
| C:\Windows\SysWOW64\Hejoiedd.exe | C:\Windows\system32\Hejoiedd.exe |
| C:\Windows\SysWOW64\Hiekid32.exe | C:\Windows\system32\Hiekid32.exe |
| C:\Windows\SysWOW64\Hpocfncj.exe | C:\Windows\system32\Hpocfncj.exe |
| C:\Windows\SysWOW64\Hgilchkf.exe | C:\Windows\system32\Hgilchkf.exe |
| C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\system32\Hhjhkq32.exe |
| C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\system32\Hlfdkoin.exe |
| C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\system32\Henidd32.exe |
| C:\Windows\SysWOW64\Hjjddchg.exe | C:\Windows\system32\Hjjddchg.exe |
| C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\system32\Hkkalk32.exe |
| C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\system32\Iaeiieeb.exe |
| C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\system32\Idceea32.exe |
| C:\Windows\SysWOW64\Ilknfn32.exe | C:\Windows\system32\Ilknfn32.exe |
| C:\Windows\SysWOW64\Iknnbklc.exe | C:\Windows\system32\Iknnbklc.exe |
| C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\system32\Iagfoe32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 140 |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 03:33
Reported
2024-05-09 03:35
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jifhaenk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdeoemeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gdqgmmjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hbpgbo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pqdqof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Echknh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lffhfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Llemdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgefeajb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pjcbbmif.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acnlgp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hoiafcic.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbaipkbi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpppnp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lbabgh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nggjdc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgefeajb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Colffknh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ffddka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkaejf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfaedkdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jbjcolha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdlnbm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghaliknf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndaggimg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Elbmlmml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mcmabg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngmgne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Febgea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hfcicmqp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpbmco32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nloiakho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acnlgp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddgkpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gkaejf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfankifm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pncgmkmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amddjegd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Demecd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eolpmi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hfifmnij.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jmpgldhg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfhdlh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mcmabg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfolbmje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkgqfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eepjpb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmdqgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lmdina32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdkldb32.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Ibnccmbo.exe | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Blfiei32.dll | C:\Windows\SysWOW64\Pcppfaka.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjokdipf.exe | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfpgffpm.exe | C:\Windows\SysWOW64\Deokon32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dknpmdfc.exe | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| File created | C:\Windows\SysWOW64\Chdkoa32.exe | C:\Windows\SysWOW64\Colffknh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jplfcpin.exe | C:\Windows\SysWOW64\Jmmjgejj.exe | N/A |
| File created | C:\Windows\SysWOW64\Kibgmdcn.exe | C:\Windows\SysWOW64\Kfckahdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Medgncoe.exe | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Odkjng32.exe | C:\Windows\SysWOW64\Olcbmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qihfjd32.dll | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnnlaehj.exe | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Echknh32.exe | C:\Windows\SysWOW64\Eolpmi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncfdie32.exe | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fojlngce.exe | C:\Windows\SysWOW64\Fkopnh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdnjgmle.exe | C:\Windows\SysWOW64\Fbpnkama.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdjinlko.dll | C:\Windows\SysWOW64\Pmoahijl.exe | N/A |
| File created | C:\Windows\SysWOW64\Afoeiklb.exe | C:\Windows\SysWOW64\Aeniabfd.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnbmefbg.exe | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File created | C:\Windows\SysWOW64\Bqhimici.dll | C:\Windows\SysWOW64\Fljcmlfd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekcpbj32.exe | C:\Windows\SysWOW64\Elppfmoo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Febgea32.exe | C:\Windows\SysWOW64\Fcckif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogpmjb32.exe | C:\Windows\SysWOW64\Oqfdnhfk.exe | N/A |
| File created | C:\Windows\SysWOW64\Gdqfah32.dll | C:\Windows\SysWOW64\Camphf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kboljk32.exe | C:\Windows\SysWOW64\Jpppnp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmdqgd32.exe | C:\Windows\SysWOW64\Kboljk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcgdgamg.dll | C:\Windows\SysWOW64\Colffknh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qmmnjfnl.exe | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmngqdpj.exe | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| File created | C:\Windows\SysWOW64\Najmlf32.dll | C:\Windows\SysWOW64\Odkjng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aoohalad.dll | C:\Windows\SysWOW64\Kbaipkbi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ofqpqo32.exe | C:\Windows\SysWOW64\Ocbddc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkaejf32.exe | C:\Windows\SysWOW64\Gcfqfc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pfolbmje.exe | C:\Windows\SysWOW64\Pcppfaka.exe | N/A |
| File created | C:\Windows\SysWOW64\Aqncedbp.exe | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Fgfkkboc.dll | C:\Windows\SysWOW64\Eepjpb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pgefeajb.exe | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pqpgdfnp.exe | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pcncpbmd.exe | C:\Windows\SysWOW64\Pqpgdfnp.exe | N/A |
| File created | C:\Windows\SysWOW64\Qmmnjfnl.exe | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmcfdb32.dll | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ligqhc32.exe | C:\Windows\SysWOW64\Lfhdlh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Imfdff32.exe | C:\Windows\SysWOW64\Ifllil32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ibcmom32.exe | C:\Windows\SysWOW64\Ipdqba32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Caebma32.exe | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fhglla32.dll | C:\Windows\SysWOW64\Ecjhcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mnebeogl.exe | C:\Windows\SysWOW64\Menjdbgj.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjpabk32.dll | C:\Windows\SysWOW64\Pjmehkqk.exe | N/A |
| File created | C:\Windows\SysWOW64\Qopkop32.dll | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hqdeld32.dll | C:\Windows\SysWOW64\Kebbafoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcnhho32.dll | C:\Windows\SysWOW64\Odmgcgbi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pnfdcjkg.exe | C:\Windows\SysWOW64\Pfolbmje.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Deagdn32.exe | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfaedkdp.exe | C:\Windows\SysWOW64\Jcbihpel.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbjiol32.dll | C:\Windows\SysWOW64\Megdccmb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Migjoaaf.exe | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Elikfp32.dll | C:\Windows\SysWOW64\Ghaliknf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kdgljmcd.exe | C:\Windows\SysWOW64\Kplpjn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nebdoa32.exe | C:\Windows\SysWOW64\Ndaggimg.exe | N/A |
| File created | C:\Windows\SysWOW64\Nokpao32.dll | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| File created | C:\Windows\SysWOW64\Fhpili32.dll | C:\Windows\SysWOW64\Eofbch32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgefkimp.dll | C:\Windows\SysWOW64\Mlefklpj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qddfkd32.exe | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Alcidkmm.dll | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ippohl32.dll" | C:\Windows\SysWOW64\Jmmjgejj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljodkeij.dll" | C:\Windows\SysWOW64\Ldleel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" | C:\Windows\SysWOW64\Dknpmdfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlqgg32.dll" | C:\Windows\SysWOW64\Hecmijim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll" | C:\Windows\SysWOW64\Kplpjn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aqppkd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Acnlgp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hmcojh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhmbin.dll" | C:\Windows\SysWOW64\Miemjaci.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiigifj.dll" | C:\Windows\SysWOW64\Dahode32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbhfjljd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Llcpoo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gkaejf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kipkhdeq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll" | C:\Windows\SysWOW64\Pcppfaka.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chmndlge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll" | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kibgmdcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kibgmdcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll" | C:\Windows\SysWOW64\Menjdbgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ogkcpbam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cafigg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jpgmha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jmmjgejj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfelggh.dll" | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll" | C:\Windows\SysWOW64\Pfaigm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaekmb32.dll" | C:\Windows\SysWOW64\Dbaemi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gcojed32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ghaliknf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll" | C:\Windows\SysWOW64\Ncfdie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pfaigm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkokgea.dll" | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll" | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" | C:\Windows\SysWOW64\Agglboim.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dlncan32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pqbdjfln.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Agglboim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Colffknh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmgladp.dll" | C:\Windows\SysWOW64\Nebdoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Olcbmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Elbmlmml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gfbploob.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kdcbom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjihje32.dll" | C:\Windows\SysWOW64\Ddgkpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Accfbokl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Echknh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fojlngce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hkikkeeo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eepjpb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpihae32.dll" | C:\Windows\SysWOW64\Gcfqfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genaegmo.dll" | C:\Windows\SysWOW64\Dllfkn32.exe | N/A |
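The rows above register a single COM in-process server, CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and point its InProcServer32 default value at four different dropped DLLs in turn (Qlgene32.dll, Gjihje32.dll, Kpihae32.dll, Genaegmo.dll), each write coming from a different generation of the dropped executable. Paired with a ShellServiceObjectDelayLoad (SSODL) value naming that CLSID, Explorer.exe loads whichever DLL is current at every logon. The Python below is an added example, not sandbox output and not code from the Berbew family: it parses registry-event rows in the report's own pipe-delimited layout, pairs each SSODL name with the DLL its CLSID resolves to, and flags the churn. The six CLSID rows in the sample are copied from the table above; the SSODL row is constructed for the example (the value name "Sample Loader" and the writer "Constructed32.exe" are invented), and the WebCheck baseline is an assumption about a clean Windows 7 image.

```python
"""Correlate CLSID\\{...}\\InProcServer32 writes with the ShellServiceObjectDelayLoad
(SSODL) entry that names the CLSID, and list every DLL the CLSID was pointed at.

Added example for this report, not sandbox output. Parses the pipe-delimited
registry-event rows in the layout the report uses."""
import re
from collections import defaultdict

# Constructed sample input. The six CLSID rows are copied from the report's table; the
# last row is a CONSTRUCTED SSODL row in the same layout (value name and writing process
# are invented) so the chain SSODL name -> CLSID -> DLL can be demonstrated offline.
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Elbmlmml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gfbploob.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjihje32.dll" | C:\Windows\SysWOW64\Ddgkpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpihae32.dll" | C:\Windows\SysWOW64\Gcfqfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genaegmo.dll" | C:\Windows\SysWOW64\Dllfkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Sample Loader = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Constructed32.exe | N/A |
"""

# Typical SSODL contents of a clean Windows 7 install (assumption; diff against your own gold image).
BASELINE_SSODL = {"WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

# '<key path>\<value name> = "<data>"'; the value name may be empty (the key's default value).
SET_RE = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')
CLSID_RE = re.compile(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$")
SSODL_SUFFIX = "\\shellserviceobjectdelayload"


def _unescape(path):
    # The report prints REG_SZ data JSON-escaped, so "C:\\Windows" is one backslash on disk.
    return path.replace("\\\\", "\\")


def parse_rows(rows_text):
    """Return (ssodl: value name -> CLSID, servers: CLSID -> [(dll_path, writing_process)])."""
    ssodl = {}
    servers = defaultdict(list)
    for line in rows_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split(" | ")]
        if len(cells) != 4 or not cells[0].startswith("Set value"):
            continue  # 'Key created' rows carry no payload; the values do
        _op, indicator, process, _target = cells
        m = SET_RE.match(indicator)
        if not m:
            continue
        key = m["key"].lower()
        if key.endswith(SSODL_SUFFIX):
            ssodl[m["name"]] = m["data"].upper()
            continue
        c = CLSID_RE.search(key)
        if c and m["name"] == "":  # InProcServer32 default value = the DLL Explorer will load
            servers[c.group(1).upper()].append((_unescape(m["data"]), process))
    return ssodl, servers


def assess(ssodl, servers):
    """One finding per SSODL entry: the DLLs its CLSID resolves to and why it looks bad."""
    results = []
    for name, clsid in ssodl.items():
        bindings = servers.get(clsid, [])
        dlls = sorted({p for p, _ in bindings})
        writers = sorted({w for _, w in bindings})
        reasons = []
        if BASELINE_SSODL.get(name) != clsid:
            reasons.append("SSODL entry not in baseline")
        if len(dlls) > 1:
            reasons.append(f"CLSID rebound to {len(dlls)} different DLLs")
        if len(writers) > 1:
            reasons.append(f"InProcServer32 written by {len(writers)} different processes")
        results.append({"ssodl_name": name, "clsid": clsid, "dlls": dlls,
                        "writers": writers, "reasons": reasons})
    return results


if __name__ == "__main__":
    for f in assess(*parse_rows(SAMPLE_ROWS)):
        print(f"{f['ssodl_name']} -> {f['clsid']}")
        for d in f["dlls"]:
            print("   loads", d)
        for r in f["reasons"]:
            print("   !", r)
```

The same correlation on a live 64-bit host means reading both the native key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and its Wow6432Node view, then resolving each CLSID under HKCR\CLSID\{GUID}\InProcServer32 in both views; the report shows Wow6432Node paths only because the 32-bit sample's writes were redirected there. Any SSODL value you cannot match to your baseline, or whose CLSID resolves to a DLL under SysWOW64 that is not Microsoft-signed, is worth pulling for analysis.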
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\e0342216680f7d78e977b5ebdde8ba70_NEIKI.exe"
C:\Windows\SysWOW64\Cliaoq32.exe
C:\Windows\system32\Cliaoq32.exe
C:\Windows\SysWOW64\Cogmkl32.exe
C:\Windows\system32\Cogmkl32.exe
C:\Windows\SysWOW64\Cafigg32.exe
C:\Windows\system32\Cafigg32.exe
C:\Windows\SysWOW64\Cddecc32.exe
C:\Windows\system32\Cddecc32.exe
C:\Windows\SysWOW64\Colffknh.exe
C:\Windows\system32\Colffknh.exe
C:\Windows\SysWOW64\Chdkoa32.exe
C:\Windows\system32\Chdkoa32.exe
C:\Windows\SysWOW64\Camphf32.exe
C:\Windows\system32\Camphf32.exe
C:\Windows\SysWOW64\Cdkldb32.exe
C:\Windows\system32\Cdkldb32.exe
C:\Windows\SysWOW64\Ddmhja32.exe
C:\Windows\system32\Ddmhja32.exe
C:\Windows\SysWOW64\Dkgqfl32.exe
C:\Windows\system32\Dkgqfl32.exe
C:\Windows\SysWOW64\Demecd32.exe
C:\Windows\system32\Demecd32.exe
C:\Windows\SysWOW64\Dlgmpogj.exe
C:\Windows\system32\Dlgmpogj.exe
C:\Windows\SysWOW64\Dbaemi32.exe
C:\Windows\system32\Dbaemi32.exe
C:\Windows\SysWOW64\Ddbbeade.exe
C:\Windows\system32\Ddbbeade.exe
C:\Windows\SysWOW64\Dccbbhld.exe
C:\Windows\system32\Dccbbhld.exe
C:\Windows\SysWOW64\Dddojq32.exe
C:\Windows\system32\Dddojq32.exe
C:\Windows\SysWOW64\Dllfkn32.exe
C:\Windows\system32\Dllfkn32.exe
C:\Windows\SysWOW64\Dkoggkjo.exe
C:\Windows\system32\Dkoggkjo.exe
C:\Windows\SysWOW64\Dahode32.exe
C:\Windows\system32\Dahode32.exe
C:\Windows\SysWOW64\Ddgkpp32.exe
C:\Windows\system32\Ddgkpp32.exe
C:\Windows\SysWOW64\Dlncan32.exe
C:\Windows\system32\Dlncan32.exe
C:\Windows\SysWOW64\Eolpmi32.exe
C:\Windows\system32\Eolpmi32.exe
C:\Windows\SysWOW64\Echknh32.exe
C:\Windows\system32\Echknh32.exe
C:\Windows\SysWOW64\Edihepnm.exe
C:\Windows\system32\Edihepnm.exe
C:\Windows\SysWOW64\Elppfmoo.exe
C:\Windows\system32\Elppfmoo.exe
C:\Windows\SysWOW64\Ekcpbj32.exe
C:\Windows\system32\Ekcpbj32.exe
C:\Windows\SysWOW64\Ecjhcg32.exe
C:\Windows\system32\Ecjhcg32.exe
C:\Windows\SysWOW64\Eeidoc32.exe
C:\Windows\system32\Eeidoc32.exe
C:\Windows\SysWOW64\Edkdkplj.exe
C:\Windows\system32\Edkdkplj.exe
C:\Windows\SysWOW64\Elbmlmml.exe
C:\Windows\system32\Elbmlmml.exe
C:\Windows\SysWOW64\Ekemhj32.exe
C:\Windows\system32\Ekemhj32.exe
C:\Windows\SysWOW64\Ecmeig32.exe
C:\Windows\system32\Ecmeig32.exe
C:\Windows\SysWOW64\Eapedd32.exe
C:\Windows\system32\Eapedd32.exe
C:\Windows\SysWOW64\Ednaqo32.exe
C:\Windows\system32\Ednaqo32.exe
C:\Windows\SysWOW64\Eleiam32.exe
C:\Windows\system32\Eleiam32.exe
C:\Windows\SysWOW64\Eocenh32.exe
C:\Windows\system32\Eocenh32.exe
C:\Windows\SysWOW64\Eabbjc32.exe
C:\Windows\system32\Eabbjc32.exe
C:\Windows\SysWOW64\Edpnfo32.exe
C:\Windows\system32\Edpnfo32.exe
C:\Windows\SysWOW64\Ehljfnpn.exe
C:\Windows\system32\Ehljfnpn.exe
C:\Windows\SysWOW64\Ekjfcipa.exe
C:\Windows\system32\Ekjfcipa.exe
C:\Windows\SysWOW64\Eofbch32.exe
C:\Windows\system32\Eofbch32.exe
C:\Windows\SysWOW64\Eadopc32.exe
C:\Windows\system32\Eadopc32.exe
C:\Windows\SysWOW64\Eepjpb32.exe
C:\Windows\system32\Eepjpb32.exe
C:\Windows\SysWOW64\Ehnglm32.exe
C:\Windows\system32\Ehnglm32.exe
C:\Windows\SysWOW64\Fljcmlfd.exe
C:\Windows\system32\Fljcmlfd.exe
C:\Windows\SysWOW64\Fohoigfh.exe
C:\Windows\system32\Fohoigfh.exe
C:\Windows\SysWOW64\Fcckif32.exe
C:\Windows\system32\Fcckif32.exe
C:\Windows\SysWOW64\Febgea32.exe
C:\Windows\system32\Febgea32.exe
C:\Windows\SysWOW64\Fhqcam32.exe
C:\Windows\system32\Fhqcam32.exe
C:\Windows\SysWOW64\Fkopnh32.exe
C:\Windows\system32\Fkopnh32.exe
C:\Windows\SysWOW64\Fojlngce.exe
C:\Windows\system32\Fojlngce.exe
C:\Windows\SysWOW64\Ffddka32.exe
C:\Windows\system32\Ffddka32.exe
C:\Windows\SysWOW64\Fkalchij.exe
C:\Windows\system32\Fkalchij.exe
C:\Windows\SysWOW64\Ffimfqgm.exe
C:\Windows\system32\Ffimfqgm.exe
C:\Windows\SysWOW64\Fdlnbm32.exe
C:\Windows\system32\Fdlnbm32.exe
C:\Windows\SysWOW64\Flceckoj.exe
C:\Windows\system32\Flceckoj.exe
C:\Windows\SysWOW64\Foabofnn.exe
C:\Windows\system32\Foabofnn.exe
C:\Windows\SysWOW64\Fbpnkama.exe
C:\Windows\system32\Fbpnkama.exe
C:\Windows\SysWOW64\Fdnjgmle.exe
C:\Windows\system32\Fdnjgmle.exe
C:\Windows\SysWOW64\Fhjfhl32.exe
C:\Windows\system32\Fhjfhl32.exe
C:\Windows\SysWOW64\Gkhbdg32.exe
C:\Windows\system32\Gkhbdg32.exe
C:\Windows\SysWOW64\Gcojed32.exe
C:\Windows\system32\Gcojed32.exe
C:\Windows\SysWOW64\Gdqgmmjb.exe
C:\Windows\system32\Gdqgmmjb.exe
C:\Windows\SysWOW64\Glhonj32.exe
C:\Windows\system32\Glhonj32.exe
C:\Windows\SysWOW64\Gofkje32.exe
C:\Windows\system32\Gofkje32.exe
C:\Windows\SysWOW64\Gbdgfa32.exe
C:\Windows\system32\Gbdgfa32.exe
C:\Windows\SysWOW64\Gfpcgpae.exe
C:\Windows\system32\Gfpcgpae.exe
C:\Windows\SysWOW64\Ghopckpi.exe
C:\Windows\system32\Ghopckpi.exe
C:\Windows\SysWOW64\Gkmlofol.exe
C:\Windows\system32\Gkmlofol.exe
C:\Windows\SysWOW64\Gohhpe32.exe
C:\Windows\system32\Gohhpe32.exe
C:\Windows\SysWOW64\Gbgdlq32.exe
C:\Windows\system32\Gbgdlq32.exe
C:\Windows\SysWOW64\Gfbploob.exe
C:\Windows\system32\Gfbploob.exe
C:\Windows\SysWOW64\Ghaliknf.exe
C:\Windows\system32\Ghaliknf.exe
C:\Windows\SysWOW64\Gcfqfc32.exe
C:\Windows\system32\Gcfqfc32.exe
C:\Windows\SysWOW64\Gkaejf32.exe
C:\Windows\system32\Gkaejf32.exe
C:\Windows\SysWOW64\Gomakdcp.exe
C:\Windows\system32\Gomakdcp.exe
C:\Windows\SysWOW64\Gfgjgo32.exe
C:\Windows\system32\Gfgjgo32.exe
C:\Windows\SysWOW64\Hckjacjg.exe
C:\Windows\system32\Hckjacjg.exe
C:\Windows\SysWOW64\Hfifmnij.exe
C:\Windows\system32\Hfifmnij.exe
C:\Windows\SysWOW64\Hmcojh32.exe
C:\Windows\system32\Hmcojh32.exe
C:\Windows\SysWOW64\Hbpgbo32.exe
C:\Windows\system32\Hbpgbo32.exe
C:\Windows\SysWOW64\Hijooifk.exe
C:\Windows\system32\Hijooifk.exe
C:\Windows\SysWOW64\Hkikkeeo.exe
C:\Windows\system32\Hkikkeeo.exe
C:\Windows\SysWOW64\Hfnphn32.exe
C:\Windows\system32\Hfnphn32.exe
C:\Windows\SysWOW64\Himldi32.exe
C:\Windows\system32\Himldi32.exe
C:\Windows\SysWOW64\Hcbpab32.exe
C:\Windows\system32\Hcbpab32.exe
C:\Windows\SysWOW64\Hecmijim.exe
C:\Windows\system32\Hecmijim.exe
C:\Windows\SysWOW64\Hoiafcic.exe
C:\Windows\system32\Hoiafcic.exe
C:\Windows\SysWOW64\Hfcicmqp.exe
C:\Windows\system32\Hfcicmqp.exe
C:\Windows\SysWOW64\Immapg32.exe
C:\Windows\system32\Immapg32.exe
C:\Windows\SysWOW64\Ipknlb32.exe
C:\Windows\system32\Ipknlb32.exe
C:\Windows\SysWOW64\Iicbehnq.exe
C:\Windows\system32\Iicbehnq.exe
C:\Windows\SysWOW64\Icifbang.exe
C:\Windows\system32\Icifbang.exe
C:\Windows\SysWOW64\Ifgbnlmj.exe
C:\Windows\system32\Ifgbnlmj.exe
C:\Windows\SysWOW64\Ildkgc32.exe
C:\Windows\system32\Ildkgc32.exe
C:\Windows\SysWOW64\Ibnccmbo.exe
C:\Windows\system32\Ibnccmbo.exe
C:\Windows\SysWOW64\Ifjodl32.exe
C:\Windows\system32\Ifjodl32.exe
C:\Windows\SysWOW64\Imdgqfbd.exe
C:\Windows\system32\Imdgqfbd.exe
C:\Windows\SysWOW64\Icnpmp32.exe
C:\Windows\system32\Icnpmp32.exe
C:\Windows\SysWOW64\Ifllil32.exe
C:\Windows\system32\Ifllil32.exe
C:\Windows\SysWOW64\Imfdff32.exe
C:\Windows\system32\Imfdff32.exe
C:\Windows\SysWOW64\Ipdqba32.exe
C:\Windows\system32\Ipdqba32.exe
C:\Windows\SysWOW64\Ibcmom32.exe
C:\Windows\system32\Ibcmom32.exe
C:\Windows\SysWOW64\Jimekgff.exe
C:\Windows\system32\Jimekgff.exe
C:\Windows\SysWOW64\Jpgmha32.exe
C:\Windows\system32\Jpgmha32.exe
C:\Windows\SysWOW64\Jcbihpel.exe
C:\Windows\system32\Jcbihpel.exe
C:\Windows\SysWOW64\Jfaedkdp.exe
C:\Windows\system32\Jfaedkdp.exe
C:\Windows\SysWOW64\Jioaqfcc.exe
C:\Windows\system32\Jioaqfcc.exe
C:\Windows\SysWOW64\Jpijnqkp.exe
C:\Windows\system32\Jpijnqkp.exe
C:\Windows\SysWOW64\Jbhfjljd.exe
C:\Windows\system32\Jbhfjljd.exe
C:\Windows\SysWOW64\Jefbfgig.exe
C:\Windows\system32\Jefbfgig.exe
C:\Windows\SysWOW64\Jmmjgejj.exe
C:\Windows\system32\Jmmjgejj.exe
C:\Windows\SysWOW64\Jplfcpin.exe
C:\Windows\system32\Jplfcpin.exe
C:\Windows\SysWOW64\Jbjcolha.exe
C:\Windows\system32\Jbjcolha.exe
C:\Windows\SysWOW64\Jehokgge.exe
C:\Windows\system32\Jehokgge.exe
C:\Windows\SysWOW64\Jmpgldhg.exe
C:\Windows\system32\Jmpgldhg.exe
C:\Windows\SysWOW64\Jcioiood.exe
C:\Windows\system32\Jcioiood.exe
C:\Windows\SysWOW64\Jfhlejnh.exe
C:\Windows\system32\Jfhlejnh.exe
C:\Windows\SysWOW64\Jifhaenk.exe
C:\Windows\system32\Jifhaenk.exe
C:\Windows\SysWOW64\Jlednamo.exe
C:\Windows\system32\Jlednamo.exe
C:\Windows\SysWOW64\Jpppnp32.exe
C:\Windows\system32\Jpppnp32.exe
C:\Windows\SysWOW64\Kboljk32.exe
C:\Windows\system32\Kboljk32.exe
C:\Windows\SysWOW64\Kmdqgd32.exe
C:\Windows\system32\Kmdqgd32.exe
C:\Windows\SysWOW64\Kpbmco32.exe
C:\Windows\system32\Kpbmco32.exe
C:\Windows\SysWOW64\Kbaipkbi.exe
C:\Windows\system32\Kbaipkbi.exe
C:\Windows\SysWOW64\Kfmepi32.exe
C:\Windows\system32\Kfmepi32.exe
C:\Windows\SysWOW64\Kikame32.exe
C:\Windows\system32\Kikame32.exe
C:\Windows\SysWOW64\Klimip32.exe
C:\Windows\system32\Klimip32.exe
C:\Windows\SysWOW64\Kpeiioac.exe
C:\Windows\system32\Kpeiioac.exe
C:\Windows\SysWOW64\Kbceejpf.exe
C:\Windows\system32\Kbceejpf.exe
C:\Windows\SysWOW64\Kebbafoj.exe
C:\Windows\system32\Kebbafoj.exe
C:\Windows\SysWOW64\Klljnp32.exe
C:\Windows\system32\Klljnp32.exe
C:\Windows\SysWOW64\Kdcbom32.exe
C:\Windows\system32\Kdcbom32.exe
C:\Windows\SysWOW64\Kfankifm.exe
C:\Windows\system32\Kfankifm.exe
C:\Windows\SysWOW64\Kipkhdeq.exe
C:\Windows\system32\Kipkhdeq.exe
C:\Windows\SysWOW64\Klngdpdd.exe
C:\Windows\system32\Klngdpdd.exe
C:\Windows\SysWOW64\Kdeoemeg.exe
C:\Windows\system32\Kdeoemeg.exe
C:\Windows\SysWOW64\Kfckahdj.exe
C:\Windows\system32\Kfckahdj.exe
C:\Windows\SysWOW64\Kibgmdcn.exe
C:\Windows\system32\Kibgmdcn.exe
C:\Windows\SysWOW64\Kplpjn32.exe
C:\Windows\system32\Kplpjn32.exe
C:\Windows\SysWOW64\Kdgljmcd.exe
C:\Windows\system32\Kdgljmcd.exe
C:\Windows\SysWOW64\Lffhfh32.exe
C:\Windows\system32\Lffhfh32.exe
C:\Windows\SysWOW64\Liddbc32.exe
C:\Windows\system32\Liddbc32.exe
C:\Windows\SysWOW64\Llcpoo32.exe
C:\Windows\system32\Llcpoo32.exe
C:\Windows\SysWOW64\Ldjhpl32.exe
C:\Windows\system32\Ldjhpl32.exe
C:\Windows\SysWOW64\Lfhdlh32.exe
C:\Windows\system32\Lfhdlh32.exe
C:\Windows\SysWOW64\Ligqhc32.exe
C:\Windows\system32\Ligqhc32.exe
C:\Windows\SysWOW64\Llemdo32.exe
C:\Windows\system32\Llemdo32.exe
C:\Windows\SysWOW64\Ldleel32.exe
C:\Windows\system32\Ldleel32.exe
C:\Windows\SysWOW64\Lfkaag32.exe
C:\Windows\system32\Lfkaag32.exe
C:\Windows\SysWOW64\Lmdina32.exe
C:\Windows\system32\Lmdina32.exe
C:\Windows\SysWOW64\Lpcfkm32.exe
C:\Windows\system32\Lpcfkm32.exe
C:\Windows\SysWOW64\Lbabgh32.exe
C:\Windows\system32\Lbabgh32.exe
C:\Windows\SysWOW64\Lepncd32.exe
C:\Windows\system32\Lepncd32.exe
C:\Windows\SysWOW64\Lljfpnjg.exe
C:\Windows\system32\Lljfpnjg.exe
C:\Windows\SysWOW64\Ldanqkki.exe
C:\Windows\system32\Ldanqkki.exe
C:\Windows\SysWOW64\Lgokmgjm.exe
C:\Windows\system32\Lgokmgjm.exe
C:\Windows\SysWOW64\Lllcen32.exe
C:\Windows\system32\Lllcen32.exe
C:\Windows\SysWOW64\Mdckfk32.exe
C:\Windows\system32\Mdckfk32.exe
C:\Windows\SysWOW64\Medgncoe.exe
C:\Windows\system32\Medgncoe.exe
C:\Windows\SysWOW64\Mmlpoqpg.exe
C:\Windows\system32\Mmlpoqpg.exe
C:\Windows\SysWOW64\Mpjlklok.exe
C:\Windows\system32\Mpjlklok.exe
C:\Windows\SysWOW64\Mdehlk32.exe
C:\Windows\system32\Mdehlk32.exe
C:\Windows\SysWOW64\Megdccmb.exe
C:\Windows\system32\Megdccmb.exe
C:\Windows\SysWOW64\Mplhql32.exe
C:\Windows\system32\Mplhql32.exe
C:\Windows\SysWOW64\Mckemg32.exe
C:\Windows\system32\Mckemg32.exe
C:\Windows\SysWOW64\Mgfqmfde.exe
C:\Windows\system32\Mgfqmfde.exe
C:\Windows\SysWOW64\Miemjaci.exe
C:\Windows\system32\Miemjaci.exe
C:\Windows\SysWOW64\Mlcifmbl.exe
C:\Windows\system32\Mlcifmbl.exe
C:\Windows\SysWOW64\Mcmabg32.exe
C:\Windows\system32\Mcmabg32.exe
C:\Windows\SysWOW64\Melnob32.exe
C:\Windows\system32\Melnob32.exe
C:\Windows\SysWOW64\Migjoaaf.exe
C:\Windows\system32\Migjoaaf.exe
C:\Windows\SysWOW64\Mlefklpj.exe
C:\Windows\system32\Mlefklpj.exe
C:\Windows\SysWOW64\Mdmnlj32.exe
C:\Windows\system32\Mdmnlj32.exe
C:\Windows\SysWOW64\Menjdbgj.exe
C:\Windows\system32\Menjdbgj.exe
C:\Windows\SysWOW64\Mnebeogl.exe
C:\Windows\system32\Mnebeogl.exe
C:\Windows\SysWOW64\Ndokbi32.exe
C:\Windows\system32\Ndokbi32.exe
C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe
C:\Windows\SysWOW64\Nngokoej.exe
C:\Windows\system32\Nngokoej.exe
C:\Windows\SysWOW64\Ndaggimg.exe
C:\Windows\system32\Ndaggimg.exe
C:\Windows\SysWOW64\Nebdoa32.exe
C:\Windows\system32\Nebdoa32.exe
C:\Windows\SysWOW64\Nnjlpo32.exe
C:\Windows\system32\Nnjlpo32.exe
C:\Windows\SysWOW64\Nphhmj32.exe
C:\Windows\system32\Nphhmj32.exe
C:\Windows\SysWOW64\Ncfdie32.exe
C:\Windows\system32\Ncfdie32.exe
C:\Windows\SysWOW64\Neeqea32.exe
C:\Windows\system32\Neeqea32.exe
C:\Windows\SysWOW64\Nloiakho.exe
C:\Windows\system32\Nloiakho.exe
C:\Windows\SysWOW64\Ndfqbhia.exe
C:\Windows\system32\Ndfqbhia.exe
C:\Windows\SysWOW64\Nfgmjqop.exe
C:\Windows\system32\Nfgmjqop.exe
C:\Windows\SysWOW64\Nnneknob.exe
C:\Windows\system32\Nnneknob.exe
C:\Windows\SysWOW64\Npmagine.exe
C:\Windows\system32\Npmagine.exe
C:\Windows\SysWOW64\Ndhmhh32.exe
C:\Windows\system32\Ndhmhh32.exe
C:\Windows\SysWOW64\Nggjdc32.exe
C:\Windows\system32\Nggjdc32.exe
C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
C:\Windows\SysWOW64\Olcbmj32.exe
C:\Windows\system32\Olcbmj32.exe
C:\Windows\SysWOW64\Odkjng32.exe
C:\Windows\system32\Odkjng32.exe
C:\Windows\SysWOW64\Ocnjidkf.exe
C:\Windows\system32\Ocnjidkf.exe
C:\Windows\SysWOW64\Oflgep32.exe
C:\Windows\system32\Oflgep32.exe
C:\Windows\SysWOW64\Oncofm32.exe
C:\Windows\system32\Oncofm32.exe
C:\Windows\SysWOW64\Opakbi32.exe
C:\Windows\system32\Opakbi32.exe
C:\Windows\SysWOW64\Odmgcgbi.exe
C:\Windows\system32\Odmgcgbi.exe
C:\Windows\SysWOW64\Ogkcpbam.exe
C:\Windows\system32\Ogkcpbam.exe
C:\Windows\SysWOW64\Ojjolnaq.exe
C:\Windows\system32\Ojjolnaq.exe
C:\Windows\SysWOW64\Olhlhjpd.exe
C:\Windows\system32\Olhlhjpd.exe
C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
C:\Windows\SysWOW64\Ocbddc32.exe
C:\Windows\system32\Ocbddc32.exe
C:\Windows\SysWOW64\Ofqpqo32.exe
C:\Windows\system32\Ofqpqo32.exe
C:\Windows\SysWOW64\Onhhamgg.exe
C:\Windows\system32\Onhhamgg.exe
C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\system32\Oqfdnhfk.exe
C:\Windows\SysWOW64\Ogpmjb32.exe
C:\Windows\system32\Ogpmjb32.exe
C:\Windows\SysWOW64\Ofcmfodb.exe
C:\Windows\system32\Ofcmfodb.exe
C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe
C:\Windows\SysWOW64\Oddmdf32.exe
C:\Windows\system32\Oddmdf32.exe
C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\system32\Ogbipa32.exe
C:\Windows\SysWOW64\Ojaelm32.exe
C:\Windows\system32\Ojaelm32.exe
C:\Windows\SysWOW64\Pmoahijl.exe
C:\Windows\system32\Pmoahijl.exe
C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe
C:\Windows\SysWOW64\Pgefeajb.exe
C:\Windows\system32\Pgefeajb.exe
C:\Windows\SysWOW64\Pjcbbmif.exe
C:\Windows\system32\Pjcbbmif.exe
C:\Windows\SysWOW64\Pmannhhj.exe
C:\Windows\system32\Pmannhhj.exe
C:\Windows\SysWOW64\Pqmjog32.exe
C:\Windows\system32\Pqmjog32.exe
C:\Windows\SysWOW64\Pfjcgn32.exe
C:\Windows\system32\Pfjcgn32.exe
C:\Windows\SysWOW64\Pjeoglgc.exe
C:\Windows\system32\Pjeoglgc.exe
C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\system32\Pqpgdfnp.exe
C:\Windows\SysWOW64\Pcncpbmd.exe
C:\Windows\system32\Pcncpbmd.exe
C:\Windows\SysWOW64\Pjhlml32.exe
C:\Windows\system32\Pjhlml32.exe
C:\Windows\SysWOW64\Pncgmkmj.exe
C:\Windows\system32\Pncgmkmj.exe
C:\Windows\SysWOW64\Pqbdjfln.exe
C:\Windows\system32\Pqbdjfln.exe
C:\Windows\SysWOW64\Pcppfaka.exe
C:\Windows\system32\Pcppfaka.exe
C:\Windows\SysWOW64\Pfolbmje.exe
C:\Windows\system32\Pfolbmje.exe
C:\Windows\SysWOW64\Pnfdcjkg.exe
C:\Windows\system32\Pnfdcjkg.exe
C:\Windows\SysWOW64\Pqdqof32.exe
C:\Windows\system32\Pqdqof32.exe
C:\Windows\SysWOW64\Pcbmka32.exe
C:\Windows\system32\Pcbmka32.exe
C:\Windows\SysWOW64\Pfaigm32.exe
C:\Windows\system32\Pfaigm32.exe
C:\Windows\SysWOW64\Pjmehkqk.exe
C:\Windows\system32\Pjmehkqk.exe
C:\Windows\SysWOW64\Qmkadgpo.exe
C:\Windows\system32\Qmkadgpo.exe
C:\Windows\SysWOW64\Qceiaa32.exe
C:\Windows\system32\Qceiaa32.exe
C:\Windows\SysWOW64\Qfcfml32.exe
C:\Windows\system32\Qfcfml32.exe
C:\Windows\SysWOW64\Qmmnjfnl.exe
C:\Windows\system32\Qmmnjfnl.exe
C:\Windows\SysWOW64\Qddfkd32.exe
C:\Windows\system32\Qddfkd32.exe
C:\Windows\SysWOW64\Qffbbldm.exe
C:\Windows\system32\Qffbbldm.exe
C:\Windows\SysWOW64\Ampkof32.exe
C:\Windows\system32\Ampkof32.exe
C:\Windows\SysWOW64\Acjclpcf.exe
C:\Windows\system32\Acjclpcf.exe
C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe
C:\Windows\SysWOW64\Aqncedbp.exe
C:\Windows\system32\Aqncedbp.exe
C:\Windows\SysWOW64\Agglboim.exe
C:\Windows\system32\Agglboim.exe
C:\Windows\SysWOW64\Ajfhnjhq.exe
C:\Windows\system32\Ajfhnjhq.exe
C:\Windows\SysWOW64\Amddjegd.exe
C:\Windows\system32\Amddjegd.exe
C:\Windows\SysWOW64\Aqppkd32.exe
C:\Windows\system32\Aqppkd32.exe
C:\Windows\SysWOW64\Acnlgp32.exe
C:\Windows\system32\Acnlgp32.exe
C:\Windows\SysWOW64\Ajhddjfn.exe
C:\Windows\system32\Ajhddjfn.exe
C:\Windows\SysWOW64\Aeniabfd.exe
C:\Windows\system32\Aeniabfd.exe
C:\Windows\SysWOW64\Afoeiklb.exe
C:\Windows\system32\Afoeiklb.exe
C:\Windows\SysWOW64\Anfmjhmd.exe
C:\Windows\system32\Anfmjhmd.exe
C:\Windows\SysWOW64\Accfbokl.exe
C:\Windows\system32\Accfbokl.exe
C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe
C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
C:\Windows\SysWOW64\Bganhm32.exe
C:\Windows\system32\Bganhm32.exe
C:\Windows\SysWOW64\Bjokdipf.exe
C:\Windows\system32\Bjokdipf.exe
C:\Windows\SysWOW64\Bmngqdpj.exe
C:\Windows\system32\Bmngqdpj.exe
C:\Windows\SysWOW64\Beeoaapl.exe
C:\Windows\system32\Beeoaapl.exe
C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\system32\Balpgb32.exe
C:\Windows\SysWOW64\Bcjlcn32.exe
C:\Windows\system32\Bcjlcn32.exe
C:\Windows\SysWOW64\Bfhhoi32.exe
C:\Windows\system32\Bfhhoi32.exe
C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Bclhhnca.exe
C:\Windows\system32\Bclhhnca.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
C:\Windows\SysWOW64\Bnbmefbg.exe
C:\Windows\system32\Bnbmefbg.exe
C:\Windows\SysWOW64\Belebq32.exe
C:\Windows\system32\Belebq32.exe
C:\Windows\SysWOW64\Chjaol32.exe
C:\Windows\system32\Chjaol32.exe
C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe
C:\Windows\SysWOW64\Cabfga32.exe
C:\Windows\system32\Cabfga32.exe
C:\Windows\SysWOW64\Chmndlge.exe
C:\Windows\system32\Chmndlge.exe
C:\Windows\SysWOW64\Cjkjpgfi.exe
C:\Windows\system32\Cjkjpgfi.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe
C:\Windows\SysWOW64\Cdcoim32.exe
C:\Windows\system32\Cdcoim32.exe
C:\Windows\SysWOW64\Chokikeb.exe
C:\Windows\system32\Chokikeb.exe
C:\Windows\SysWOW64\Cjmgfgdf.exe
C:\Windows\system32\Cjmgfgdf.exe
C:\Windows\SysWOW64\Cmlcbbcj.exe
C:\Windows\system32\Cmlcbbcj.exe
C:\Windows\SysWOW64\Ceckcp32.exe
C:\Windows\system32\Ceckcp32.exe
C:\Windows\SysWOW64\Chagok32.exe
C:\Windows\system32\Chagok32.exe
C:\Windows\SysWOW64\Cfdhkhjj.exe
C:\Windows\system32\Cfdhkhjj.exe
C:\Windows\SysWOW64\Cnkplejl.exe
C:\Windows\system32\Cnkplejl.exe
C:\Windows\SysWOW64\Ceehho32.exe
C:\Windows\system32\Ceehho32.exe
C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe
C:\Windows\SysWOW64\Cmqmma32.exe
C:\Windows\system32\Cmqmma32.exe
C:\Windows\SysWOW64\Cegdnopg.exe
C:\Windows\system32\Cegdnopg.exe
C:\Windows\SysWOW64\Ddjejl32.exe
C:\Windows\system32\Ddjejl32.exe
C:\Windows\SysWOW64\Djdmffnn.exe
C:\Windows\system32\Djdmffnn.exe
C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Djgjlelk.exe
C:\Windows\system32\Djgjlelk.exe
C:\Windows\SysWOW64\Dobfld32.exe
C:\Windows\system32\Dobfld32.exe
C:\Windows\SysWOW64\Daqbip32.exe
C:\Windows\system32\Daqbip32.exe
C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
C:\Windows\SysWOW64\Dkifae32.exe
C:\Windows\system32\Dkifae32.exe
C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
C:\Windows\SysWOW64\Deokon32.exe
C:\Windows\system32\Deokon32.exe
C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\system32\Dfpgffpm.exe
C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
C:\Windows\SysWOW64\Deagdn32.exe
C:\Windows\system32\Deagdn32.exe
C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
C:\Windows\SysWOW64\Dknpmdfc.exe
C:\Windows\system32\Dknpmdfc.exe
C:\Windows\SysWOW64\Doilmc32.exe
C:\Windows\system32\Doilmc32.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 9196 -ip 9196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9196 -s 396
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/2688-0-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2688-5-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Cliaoq32.exe
| MD5 | d3e845f46656be96d215ecb504185c80 |
| SHA1 | a5329f6a161a4e715bede82a09fc2f551fd8d30c |
| SHA256 | 0cecea27a712afc8b3a9609764c1e52b8209689a7f8bb765c2f8e1892c66cb1a |
| SHA512 | 8c7e2c644c042e734db24b70123d711a155f09ab346f232c7428354d8064bf6b0cbc66418033866b10ca881063dfad11b0b77ff17dd34587192fe3ccb51882cb |
memory/2352-13-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Cogmkl32.exe
| MD5 | 80f30a8f52260665817293e9c72e7014 |
| SHA1 | 92011141a849693001c720da42adba9af990cf9c |
| SHA256 | 467716ca2b7ef0b242be4b678ddaca905c2352602bc18b03a38189c19914a50c |
| SHA512 | 22382d3e664d63ef5b36b84a1d729a8f6b135c79183e187b8f77cb4bcf00476883c042e5395273bfa123b9f70ca9e385293985972eac1d8d97e1c361d0ef9243 |
memory/4656-21-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Cafigg32.exe
| MD5 | 698ab871fd432a9a5f6c93077bbefb4c |
| SHA1 | 33369762877cb2cbdfb3b12103b40112e91f9603 |
| SHA256 | 83490a11ed0938d6b222db488f078b11c9b7c2f27b7a8f1019d34e4460adebe4 |
| SHA512 | afe3f9d657a98ea03b2cc632da02ca77629d5907cf1f3f5c14798fdfe24814fe9ec70c16e16cff0039881da74a1852e7961d7b507bcbf9c1d7af968d1f722fff |
memory/1092-25-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Cddecc32.exe
| MD5 | 0354b11068f88c688d67da541ae39942 |
| SHA1 | 680e37b0529c757e9968deddfb5007c2834ed8dd |
| SHA256 | f6400e42bfc3aba4e4db66e3eb5009d14422c6e2e31e8ecec7f8393eeb29b73d |
| SHA512 | 775034f20b1c472be7e886f9b5d2bd6403c255e5abadaedb1de74aa29fd43d5000bc6dd1e8aa4aa03aee601e50cd9a728ec2abef7b4630ca839298aff50bc29d |
C:\Windows\SysWOW64\Colffknh.exe
| MD5 | 547a7ae8b5ae7a6618dcf5cae10ee145 |
| SHA1 | 523f60b4249374c13041a365eba0c1627ea995d3 |
| SHA256 | 31134bb39d50ddde99b2a6255a76138c642440049d852195a9468c2603afdd16 |
| SHA512 | 950fbbd475273a4f9105325cabeb1e9bca4dadf6ef8ecd6fd306031dd3e443836f15f2859c066302f0f507f8c9f3982ee0e2e7e1380f6411d0b94f36fbc4f75e |
memory/4408-37-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3124-45-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Chdkoa32.exe
| MD5 | d540c4023f491e69373453ab845ab04e |
| SHA1 | cf57d4e56ca383184de7fba53c7126cb78354523 |
| SHA256 | 7282fd4428fa183d58cd2e4d3d19fcb797480a5c2e21e45e16cecb56dd1a0380 |
| SHA512 | e6293cdd3f80c1415fc1f1ee26a7e46f33e04c26782492dc31a928c1daf2e5df9bfcbb985b208be4393704d829e0562bbcb785adaf44a7968170c9a59164a002 |
memory/220-53-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Camphf32.exe
| MD5 | 9b3e5d07316492633171308715b7d8a0 |
| SHA1 | 4ced08bfdffd04aa054b9df5a228ef43ecffd9cf |
| SHA256 | bff955ceb99ffd2c7dd55c0d9043d4ba70ccae1fe79fce4abc025894b0449576 |
| SHA512 | e85a0ab4871a31049267e8cc4671407a84a02403950ac4581bd6b627a7485eae48bb890aa16c32a4c3db4300dbd254809f3ab34649d337c7dc477bbbf0367c34 |
memory/2736-58-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Cdkldb32.exe
| MD5 | 55167cb172b70d87fa111022113ff2f6 |
| SHA1 | 348ca7061f35ed31a0e7f64ae1e0c6d969a3667a |
| SHA256 | 54a52020ce8bd7a430f913dea87a8fb555a80b8b293b92ee7681b75b3f5ee347 |
| SHA512 | f35707f4119f8ba6ab9734d3815d06d274e3a8c96a2827cfb95b71b62f1f77dfdc5bd84262e6b63f2ccfd705f4504054975a1022ccab6bdff633e10413266ac3 |
memory/2560-65-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Ddmhja32.exe
| MD5 | c959991ccf7f89fac53b2c538a88eba7 |
| SHA1 | 09c7de9572ddc3be26918b58e4d1b4a8fc7b1328 |
| SHA256 | 2a834208d38eaa53ef0d9830d11511dd3727a517b9854c8de709229c2e2aeb3b |
| SHA512 | 1db9de421bfdeed8e8e465233a6c47bc21c098defb4d158c7d9c6940b2b0b31c4d3fb2d81abd955d6f8f24f7432a68442150d8a9ab177f02418495295a14cfec |
memory/3908-73-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Dkgqfl32.exe
| MD5 | fa111b6c11d71f46c1838602e8eccde3 |
| SHA1 | 7894499e4fe775acc7e7b3cc61fda4ae45645091 |
| SHA256 | 0318eca28eec3a91a9bab40774f1272b297618cd56ab1d289815c4c0b3172e3f |
| SHA512 | fe1ba70c5be8295ccc07a4a0e52f29a26596d1666212332f9f838c1b281cefc139ad1b98baae3a38ff99c2ff0f2683dcb52161b71e69ab673fc60c66ed3758d5 |
memory/380-81-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Demecd32.exe
| MD5 | 02b76aa4c159844cc1569e70780edc14 |
| SHA1 | a4dbec0daa023de0f91565191e216cf624585b87 |
| SHA256 | c004c012c27eb7ec96fd332583d8271700f183421d156d242f3e552b7ed965f6 |
| SHA512 | df0d4403877b51f581e69367b588ed718ede3ddb3e5403589087ada2c2fbaf99b721e666f969ba579d8ab95fdb036185d702bf58e1307350191a5afc99351736 |
memory/5052-89-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Dlgmpogj.exe
| MD5 | 0137ed9ca6b1e7bbf59663550a722b52 |
| SHA1 | 4ddf65e29c50fd770d65d4699e6991468647c719 |
| SHA256 | 95fa743cd78b90203ee9c596e8662c06c13d78837841bc5e773c08a11eab7cce |
| SHA512 | a01917406849360118747aeb60718f31b885699ce83b0bb9fd52c2ce223f6242a536cbce5a0c98fe24688251b374a5bf22a7e211d3ff203a42fae29d8f78f26d |
memory/3524-96-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Dbaemi32.exe
| MD5 | db833ce7110f773b148f9452faf709dd |
| SHA1 | f4a910229da6a68552e9830306de54f6fbb452a5 |
| SHA256 | 5e176d0200e3a2003b9a5d59429b86980a882c988dc36e628548558605bef28e |
| SHA512 | b72176009b864bc6811d19995165b7ed8ec25efc89668ccce5bfc0269a148251780d8ef6755064ee501f57fa72323227f13a6fb56ea7a37c08c798a43a9dfabc |
memory/4256-105-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Ddbbeade.exe
| MD5 | 2b907d9f0a670f573c99eb3661a0f153 |
| SHA1 | e5f09c91e56cd3711526a17ed7533ab862b39d28 |
| SHA256 | 4d037e1f36bcd630b77a83d4a62d9a8d2e6ff51c256927ac399e7c2550cb2efc |
| SHA512 | 1673b7f4bf6850563a5f98c3a9af863ae73e839293f19520ee65821671e2be45e4c8af97922cb84cd00e6029b034adb8b9135d29750b254fd8be480a74e3afc1 |
memory/8-112-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Dccbbhld.exe
| MD5 | f7e6875512f25bcfa8a615b63afd95d4 |
| SHA1 | bf7f051ac8f83f743b983930de95fedfc32e9f88 |
| SHA256 | 3536c81ee49e6eb3e73c78f9f56d0ad863fc09510caee55076f4f29cc50f20ef |
| SHA512 | ed5281b1d707a51002eaa5619761b21004fddffaa0365898846e4c8a06d0c27048624cd391ec19a1813fc651aec68d2e104a31e99d2af0c3ef2033f850fba099 |
C:\Windows\SysWOW64\Dllfkn32.exe
| MD5 | eb34b077497dc8fb1a6a46a082fd5f1b |
| SHA1 | f89bdb45635cf51e0d8480e9bd1b328dc0d765e8 |
| SHA256 | aba86e02b4ffc371ccfdc53c88e68189b3987f30e73bb2b2212664f6404d9741 |
| SHA512 | 5a37735f17213c85fd333904d7e6ab87f68ea5820e7ef543802b2da0f9608fb070b8d51f0d6d14be5be01da94e14eed1508efbc4485c1b2eeebb3995d4104d03 |
memory/4396-141-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Dkoggkjo.exe
| MD5 | 3c767537b9bdbe2086ba4c92a12e1ca2 |
| SHA1 | ce57510b819b834e071cfe63f213f1eb88339902 |
| SHA256 | db515b7816f2e2c41c4fd0a81dc84fc2a13fc3a0d544a37a52126232fe93cfdb |
| SHA512 | a5e4ccdf4b3a5605375d7c7adb4e83222ca9b2d475d52c953816863d127ff15b814d2f5e837b2ae2e82306fa140d0142c96ec262f8b68409cb220bd7bfeb31fe |
C:\Windows\SysWOW64\Dahode32.exe
| MD5 | d8206e44bf52d164d64e532622265b30 |
| SHA1 | a5349b8765ebf8b1b50da022e89358bc47006054 |
| SHA256 | 75e45f3bb9f7ba7c97ff5bbd693a440959e0c9117297e5260a885a12af07f912 |
| SHA512 | f5e28504130eedd2aa630bb794102f6fed4c746817ae01f7e9a84ff26a4da017621b2c287714ef6a6214a9a062e78f155c233bd25b5a70b7255d8563547e0fb2 |
C:\Windows\SysWOW64\Ddgkpp32.exe
| MD5 | 7246d98a21341fa142a3a50fb80689b5 |
| SHA1 | 13653b99aa6bc7f4b5195b3a3c60b9ba7352ef52 |
| SHA256 | bb6881250a515a7a9cf710c74a3d96f859af8be4dd13371f11e4ab9ee9b9c769 |
| SHA512 | 4d47df9b164ba9dccf8297fac5743be109404db5abdc51cfe02aa880251bbee6338bfec2e08c6e25720e2600c510e416a9d51a19b75e6eead36b4f03521c3be0 |
C:\Windows\SysWOW64\Dlncan32.exe
| MD5 | 71cb3de555bfc7c33244991782685c28 |
| SHA1 | 9a5be523e7ac8471c30d06c8ede4d75c2caf1ada |
| SHA256 | b0c8108df2fb822615872cfd8201f4b1f8b6921888e016bad29587fa0e4ba00e |
| SHA512 | 89b6ada8e3c1deded8794bd5e1917061f3d393630c7a5dd4b55e5e9d8efb4964c4644cc421b37fbcc6200bf8a1551e9691672509f1fdfa9f904fa436252d9189 |
C:\Windows\SysWOW64\Eolpmi32.exe
| MD5 | d2b0a2305b83fecd476a2a33371bb95d |
| SHA1 | f02015b44a401b1b26a53851107595988c5bb9bf |
| SHA256 | eb773d1433e8d00b1da5d065a831d332c9a8a41cda958e0727b6732a77d45dcb |
| SHA512 | da2426f1cea7df915ea85084a315d63cca0658150e0d5edec49c6537977c3674d11b0f6b58f5008bc0ac73af5b317ae9bf569b6be98ae0b6fb3be1546181d362 |
C:\Windows\SysWOW64\Echknh32.exe
| MD5 | 3fac22974f2d9b2d4fe313bd9db20b10 |
| SHA1 | 52cca2de5dc64142f5babaf9e80da49e1bfd27c0 |
| SHA256 | 2ee946b8b84d4772a4e085936feb570dbe0b181a89205c259d8a98bbd11fe7d4 |
| SHA512 | bafabd6ffa4c14edfe8a0780d1ad66363ba265c082f1d06b8ca083533fc6d9f7f4149b9dcf07332b9662acd0bea7285b7eb9dcfc005872bb4c1c40255c07e799 |
C:\Windows\SysWOW64\Edihepnm.exe
| MD5 | 60fdf0e0774968548a5dd0c39fe1e714 |
| SHA1 | 237a01f73268572e3c1c994d12ecb4d8913e7dbe |
| SHA256 | 4745429a1e571338aef514f079c1c6a44d5dcd0ad99c531e4227ab4dc798bce1 |
| SHA512 | 376474973ccbe52cfeab09da07e675066ae3a8e0c2a5792e58b05bd0cd3f8aaefea698eee36c72e51850b822b98679880949dded15f6287937e2957990783289 |
C:\Windows\SysWOW64\Ekcpbj32.exe
| MD5 | 853711268a2c0aca8679efbac5c931f6 |
| SHA1 | 7bd89cff47714a66ba6853bed896ef82f9cfecca |
| SHA256 | 8d4b26b605f27543b50ad84cd19bdd528cb3492f2312a00cba1a8f48486974e7 |
| SHA512 | 932261d087df876a3e020583fe56780e278d1d405df60cfb08ddd019fd75fd6d71a948327a732cb28cfe666fe38c293dc448631f4149a5d9999216f7fa29091b |
C:\Windows\SysWOW64\Eeidoc32.exe
| MD5 | a7e26abb1f8a3a3611f24a14ec61d432 |
| SHA1 | 174679a5b8641196ec9fdbaaf7fa6092587cd783 |
| SHA256 | 0585a3e590dba53370209614aa2720911c95d23cac9735a38a1a8ea1dc1b8928 |
| SHA512 | 9e4fd9cbede523bab59faf519bc85414604301a3ea2e155dd04945abf72f88a70bb71beff8b0fd8495499a19c0bde6fe754de0ffb76155f6e614bb440b212d95 |
C:\Windows\SysWOW64\Elbmlmml.exe
| MD5 | a4e13e21b7df000a95998be9ad6bcc37 |
| SHA1 | b6ab4de3b13d582eceef7e433c811c89b6903170 |
| SHA256 | e1f3b7d75ebf5263ae5aeb6a99cf4aa770e0686fd752589e213bc39af0843813 |
| SHA512 | 5d914531b3553779079f7fe284ee2869c6bed6ca846664f7d6644243482a3874ac9b540e2981c6f709578b030b1963b6517e2686b28f32e78cac625b8fb3b81f |
C:\Windows\SysWOW64\Ecmeig32.exe
| MD5 | 9f59290cd10ce03f7dbf74d63e581f6f |
| SHA1 | 0caf8a900c21926da340e830161ea931cc1665b4 |
| SHA256 | 2cd1bf169927abaa3a5cbf297b178303fcb0b6470b183da5e61263a056311073 |
| SHA512 | 0fdef672a1359a1b800584e6701c4ac331b3b62f34c44d4c67cfe81da01fa465d8cd24c703b262472efe8e277feaf987eed5c909fa7e9b2db0071e2a91bc9bda |
memory/3724-338-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4788-350-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4332-367-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4960-366-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1392-365-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1960-363-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4544-360-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4848-359-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1884-358-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3340-357-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3912-356-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1848-355-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3312-354-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4412-353-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4940-352-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1088-351-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3484-349-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4676-348-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3872-347-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1032-345-0x0000000000400000-0x0000000000444000-memory.dmp
memory/464-344-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2956-343-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Ekemhj32.exe
| MD5 | cae4b6ed1fc84b2f4532c2b5018a3112 |
| SHA1 | 1262630bd920837369598f3de326700f8017eef5 |
| SHA256 | f1da4b87e5d667c441978d839f01382e3fd98a61fb7761d3104f1b618d9f0566 |
| SHA512 | 06029fcfc67a010d6fca8692f1bdd1bb00838e974ae965fc202716005c22011dddb4400d9df3c7da64574343131108822abb1599d1fa3e6217b32031a4abec88 |
C:\Windows\SysWOW64\Edkdkplj.exe
| MD5 | 41eb672b428e8ce003a6dee260cf701b |
| SHA1 | 445feef7dce64dc12287e2c4b7d04b5bf2dfc514 |
| SHA256 | 691ae76a0af1eeb8c853a032973684d95ff3b194cb7c29a4bbd89f6c39de4537 |
| SHA512 | 2fedf65c3a92ddd5e292e0b001e923bc61bf12bac5630f18d3a6b7eec36f92737df7ca1a7ff10caacd3c03440606b1c56b64e4a7629f2d2d03eb8137986086e1 |
C:\Windows\SysWOW64\Ecjhcg32.exe
| MD5 | 816ec42c8e66c1c585767f5b0a21b8fe |
| SHA1 | 035432b27000b80869c3ded9615974475e2804fe |
| SHA256 | 29be234d64cee7256eacc0d5bb0f0b6f855d1b1feeef368725e4e9e59ba8109b |
| SHA512 | 6feb765463e424062d5829a5be3826cedc87add430cf875627f150fcaa40896485aa9c2df9093e12362237327d4c656d05d9968bf84d248d9710b026e000213e |
C:\Windows\SysWOW64\Elppfmoo.exe
| MD5 | 996aec15957d359b9741d509dc12a8fe |
| SHA1 | 13f3829a05215783a59b28cce4c53e7d7cd8c6ad |
| SHA256 | f54dee24596c025bc8d93c2e30cc796b9fd908da5bf60cb9a408037b09beb3a5 |
| SHA512 | 6140637f891caabf0807eba1243786386bf96df0b348de5fef20d16d498acebc2e5ff966d077f704f129f0b44c422eb4b3bb809920b7450189eb19282f23e87d |
memory/4752-129-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Dddojq32.exe
| MD5 | 1e6ad03672f4481a8dee70937ee203f3 |
| SHA1 | 8055c321d2a828c6b8a26a51da7ac669921d2c44 |
| SHA256 | f727ac818ed831d4e77591f400de6618af7176939d7c9744edf63456cda807e0 |
| SHA512 | 3fdea3876c9f52d0d93dbf1fc3f4c109d9be8fa35ba08cf73ab06fc47de586d7b557753b260e239fba04ac8836e7cce600a69cfd01c9fe0428a4abbac2093265 |
memory/1748-125-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4912-423-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3884-429-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3460-430-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4684-428-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4896-427-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1284-426-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3576-425-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4276-422-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1836-421-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3036-420-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4368-417-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2868-414-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2672-413-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4488-412-0x0000000000400000-0x0000000000444000-memory.dmp
memory/60-411-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4856-410-0x0000000000400000-0x0000000000444000-memory.dmp
memory/732-481-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4456-498-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1988-497-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1012-503-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3096-502-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2788-501-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2988-500-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1560-499-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4192-496-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3644-495-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2644-526-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2768-525-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2120-524-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3388-493-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1728-492-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2860-491-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3940-490-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1636-489-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1412-488-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4924-485-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3400-482-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4248-527-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1228-537-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1672-539-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Hmcojh32.exe
| MD5 | 23b6cbd6988539889abae1ca0e319929 |
| SHA1 | cc6ec408bdeb6dd359282fe39f2e20c4f84a6977 |
| SHA256 | 4dbe6d0929886de00276d25da3c6bdb7e57488aaeee56f39cd5838a89eb588a7 |
| SHA512 | 28534b24a38e7761c94ea5bb37e5bb56e8fe77281533b6dc70ab56f56ffc8cc6e7e745c2ea55e093382c2a96acb1b2a4f03cf769a2bd2877175cc1ad0ad63ce0 |
memory/1492-545-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1796-551-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2412-557-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2108-563-0x0000000000400000-0x0000000000444000-memory.dmp
memory/1160-569-0x0000000000400000-0x0000000000444000-memory.dmp
memory/5088-575-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2472-581-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Hecmijim.exe
| MD5 | 0006547b409275ac02a4d27145f8cb44 |
| SHA1 | 72f8f4dfc38ca9b7cd7a01a9a749af459d5ea1b3 |
| SHA256 | b0e32c4399f2ba3e35b62b7eb73070fa49a8c2c80e89ca37d8086991f67a2ba8 |
| SHA512 | 41a7878e1191c3d1347b85b96be29c71db29d72198b9503099f760d2cd62bae1f27b77d8e8f3cba20d40db3c0e7ff2eea8963601a91a34ca42e2dce3950be9e6 |
memory/3672-587-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4604-593-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2184-599-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2344-605-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Ipknlb32.exe
| MD5 | f7ef4b092fac9a3b36b424686199ae28 |
| SHA1 | 22d857f3e1d599b2f544a7fbdbbd6183bb390095 |
| SHA256 | 1b3bd3123e0c6e5aa7a7060c6673234be71d905ec83a3bfd3d28b67ee2a1b450 |
| SHA512 | 0e2da1486848b4df715f9006fee287727af543e90423c302d74b8e4b0a028a38844998547463b2b5461aa7d1ad3fdb4bdd457b72e1ce5ee7898814aab463dc05 |
memory/4452-611-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4868-617-0x0000000000400000-0x0000000000444000-memory.dmp
memory/920-626-0x0000000000400000-0x0000000000444000-memory.dmp
memory/3784-629-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Imfdff32.exe
| MD5 | cda05112526287f99d20e8ab4b31273b |
| SHA1 | 8fdb8a5ca0e6a5935d90bd00f6796e426500db68 |
| SHA256 | b337256fea96b8506fcff6c60922976cbdd1ece30d56145c14a817bfd723acf0 |
| SHA512 | 4083c827387507e8490eb63fbaee53418aa089162bfc2bc8053d70baa2d17c3a5c85235150f8c2b48579467e44697ed1900117756144e67a9dbf2f33bfbfd765 |
C:\Windows\SysWOW64\Jioaqfcc.exe
| MD5 | a1965b274847716fe40e825f05ca75c5 |
| SHA1 | c4a30bd8210d39610589c383008f51e4323d4a8f |
| SHA256 | 76ec9cb8a8629b9d3cf3939d77b022c5a005802d622779bffe93cb3f321f1558 |
| SHA512 | 6830ea2f798ac0f4bf8499e7a7df80a38bbcd7104803fa607bba287eb8995f50c96f13154194ce16788877e7ff7379fe124d89e633a79b6c2ab8749fb63aa863 |
C:\Windows\SysWOW64\Jmpgldhg.exe
| MD5 | 00aab2fa49ebcc88136300121c05ae29 |
| SHA1 | 09b500871002c63f0391b4f4fcb1e48517819df5 |
| SHA256 | 10857aa42194863b6c488f0cef08ec0808fcf886eb6589407831fef0e34a66ea |
| SHA512 | 293b02acf0ea5dcf2569ac334e2c618c6806010caf11f573f4673a6d506c3dada5ec61744a1e904e6ca9d3602e826ceaa7241adf1900e1334d40f296cbe7e80c |
C:\Windows\SysWOW64\Kboljk32.exe
| MD5 | 0f9d43be3e0bfdbfbdf2a8da8359eff6 |
| SHA1 | 1e5022589208a49d155b18a6ec08e1e6f4f9301c |
| SHA256 | 19c1cf76e90bf17c0030f83fe4daf2a960df70bfa642036995308a7f8cf7644b |
| SHA512 | 2ddae3afc431a5ffb5e8d293494c5024fed9aaa647bbc06004321c844a0e309e81dd5e7247a5b3372efb83f793e4eed5f34b7a53cfae240c168e9b77280d986a |
C:\Windows\SysWOW64\Kfankifm.exe
| MD5 | 94e4036eaa5d4c41fab77998be71e352 |
| SHA1 | f7342c0917943356a9cb1c89b8d7b4e11824d1fe |
| SHA256 | a7225f1c58a7ad03b82fe9cce7e4a8e6e0e7ca07764b5d29e7bcd8419ec0f302 |
| SHA512 | 7976d8d43fbd137a532662703779527ea3c94fc95f74fd3bda8ba8f7054a4b86d15a5fc801cf526a6082a73bf4aaf4c27b5e31e375f9f522d6418b4e061b419c |
C:\Windows\SysWOW64\Lbabgh32.exe
| MD5 | 5e359c91cc8716e881ff2b32fe1171f8 |
| SHA1 | ed5938159429e29e71dd70d933e4239b5c0dc17b |
| SHA256 | 5332c6c8786ea5ab2931ca189198f0a0d412a9d963830ea33bdaf82ca94ba651 |
| SHA512 | 8838627c91c8c432ecab7925f8a7bb09d7b09106f157a90626de690bbbd3f59be5430883b25af27e0d7bc2874198564c037f9f4fc57da42cf3251ddf46992683 |
C:\Windows\SysWOW64\Lgokmgjm.exe
| MD5 | 3a571af37c2b31f49e0da31e367bd14c |
| SHA1 | fc29f398d47e66792516d9c77a09cb1c3fff0e83 |
| SHA256 | dd95721b97aa29004cdc154d535d0486530f0bb9a5403915375b476ce764ad30 |
| SHA512 | b130615bedbd5727f778357cc32d1ffa41d4a8efefa60faf40c5a039ffc67e3c96973be0df4e669011a9bf81a719c50504e138a7112c1bb00f42a9e3f819c656 |
C:\Windows\SysWOW64\Mdehlk32.exe
| MD5 | c3b06f4c63519e62bc7304ad1fff2590 |
| SHA1 | df010dbeb9f92ebb49dee162f6d3b05cb8e91a23 |
| SHA256 | 70074dd625fc6727a53a86acc4c70ae1130cadd701ffa85d64b901f5037e1d4a |
| SHA512 | c959e9804ff07fc41238d226f4ebfdbcc8cef5dba8de0d24fb9bbb49e81a9df3a607c921347cf1cea620c36b5f7107a58838a62e328a7991bdda70bd9793293a |
C:\Windows\SysWOW64\Megdccmb.exe
| MD5 | d88513e677786545a8e2a7c6c1f29bbe |
| SHA1 | 800ac994396a3b3f2a025fd5b9881b9ccaf61e57 |
| SHA256 | 90d7d2e2c183fd3791e02e8d929fce38a02fe52fbeeb506306c1e5a3f974e017 |
| SHA512 | f4af7769cc63a7c48edc401398f3b343f3bdb74864d411ce5b675b712fcc377178acecbecccefc232bcbe58cc38b9df878db0b03a577464813dbf5faff5757a1 |
C:\Windows\SysWOW64\Miemjaci.exe
| MD5 | aac9570de9b4351fba4bcdedffbf72c4 |
| SHA1 | c00013a7c28e05964d2969fff02d238d5f84caa6 |
| SHA256 | ba9b5af8194056a5d9dd6fa8f1a11de24c3d4daf2b85aaa79f5549843644f529 |
| SHA512 | 8b296b4d8fb0267ca4a27685df62aec4abcb827dafc4c26a21d4eaa69bae572fb8edfc2f864ab2e86b18d5aff479a0bf89508b6f249b9b92a1928fa031368274 |
C:\Windows\SysWOW64\Mlcifmbl.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these four values are the digests of zero-length input, so Mlcifmbl.exe was empty (0 bytes) at the moment the sandbox captured it; do not use its hashes as indicators.
C:\Windows\SysWOW64\Nngokoej.exe
| MD5 | cb2c4e99ec203af95d081209624f769d |
| SHA1 | 5e261632c07552767ff4f2b5cea127ef85a71a49 |
| SHA256 | 09c46047708ed99a403f9081af9e73482202d86a33c0d2c5bbd31b11cf6be75a |
| SHA512 | feae6d53e720ed183f3c8626a2c6d77624132e61421bbfd904f8e20bbc029d27ef6639815491009d3ac745b349c07625f4acc1e025a453dd974380a3d65c739c |
C:\Windows\SysWOW64\Ndaggimg.exe
| MD5 | 565fd656ac823875d089e85d36dd0fb6 |
| SHA1 | 81f463c6bf7ce8c46e4b6d22b956ce3c0c6d414a |
| SHA256 | 0cde4715635a94a7250ea2ca2ccc69ce3fcd0535f0fb89f1b3e36b937c6b44c6 |
| SHA512 | ebd7f4100a78bfb7c9ca76326800f5b87a59c28fd03feff7df9ef472ea2b38e7804208101e5cd018470dd54c8607e36daa94933ccf391f262e2f946678036914 |
C:\Windows\SysWOW64\Neeqea32.exe
| MD5 | 96c8792392402fc38588fa843e1caed9 |
| SHA1 | af17bb47d6cb73c9d6fbbfa5886467c0e277648c |
| SHA256 | a0c3bc0aefe994eb25b5d3134ad2dbf64a063e6ea23501fcdbeab60669555111 |
| SHA512 | 5db2f55479c75b751437dd2d7c55849898e91713277542f75d3d8dfa79dbdd857796308c7e1b08476446527529b5a528c6e91b9b51560e7a29ba8038a56e8263 |
C:\Windows\SysWOW64\Ocnjidkf.exe
| MD5 | d6bf976f9b75b7bf9f7745a2b84b28bf |
| SHA1 | b76357247034262e03f7b83162b5efda40b967c1 |
| SHA256 | 49b073ada4e8b8aed87f28a486252183dde7d4fec6620132823fb527ea1c1f8c |
| SHA512 | 2b0098e583163d1f41675f827967b0d7bfb5b9e63e612b67d70eab2f664470102d10c030592dfcdaa33e94569354742ebbb3d1f3e381f37be15f2dce47fb1557 |
C:\Windows\SysWOW64\Ocbddc32.exe
| MD5 | 64abb326d22267dd1cdf312ed9753d80 |
| SHA1 | 966b191570fb117f7f54fcdc526c73c197ae438e |
| SHA256 | d7c91eb8b5327ab20502df0381cec4a357fa65c6ff55392193f3a5d158079505 |
| SHA512 | 5d276a3d03238b11287e713f2097210c5e4cb8dde1ad4573bdf16956dfa02cc6ecb86b0da2b898ec00c5df7b3151bce3eb99d2252269d26509b53aa2365efc1d |
C:\Windows\SysWOW64\Pcncpbmd.exe
| MD5 | 17c7bd653c861db602bbea2181d57058 |
| SHA1 | fb6e80332bb6e1e8f7a74dc1344d9666a059b550 |
| SHA256 | 69545f747fd269732e2696b26698c34ef91cf03e8cc4bcc8822d6e61e4e20d9d |
| SHA512 | 9a57b32f57ebffe2ed696902106dc84a4563728c07a37613b2569d18700c7da5965dbcbc2e92cd0cf27c6ea78f946544a355663ec0abac042102ec973fc7e8f1 |
C:\Windows\SysWOW64\Qmkadgpo.exe
| MD5 | 92de6d9caf178520d220368229d4681b |
| SHA1 | a8e95bc747af0be60d910a942921bb2989cb5d91 |
| SHA256 | a17945e0efe194648f896f210f3618fecc2cee25fc41efd90a28f6d8fb0b052e |
| SHA512 | e6b13a0810098aec3414f1c1fa1011df20c4b23bb741662752acc30dd9165b4e656f4dc448f53308d104a44ed1b508542f3ccadd3f0fc9c59f524b3d95b52dc6 |
C:\Windows\SysWOW64\Qffbbldm.exe
| MD5 | c7fef430106fc3a2c8e22b6fe2a1f629 |
| SHA1 | 255afcf9740618a958626b47d2759f55c2b017b7 |
| SHA256 | d0b4c09f7229205cdb200304361504da90c99e4ddc36f5bca2642cbaaa841dc8 |
| SHA512 | 72dff923b7739b6d8ac3b403404ca7761aefa2fefc81deb27d79499d16249ebdba1b4d4613f6048f79fcc788e1defa8511d136a26fd6bd502760a2928fae1f61 |
C:\Windows\SysWOW64\Ampkof32.exe
| MD5 | 8c18df48f2b2f266c81d80d14c3d68e6 |
| SHA1 | 1be7153c0eef400687cd3e9d34e1bb070bc00133 |
| SHA256 | 359d68204d9fdecb44e952c2b0ac815244808d4bc0ca498602d71b724629df77 |
| SHA512 | 8f76b5b20d5e49e815441e6dff01e5d86fa089ee5bbfab2b09f8a6de37155089f42e65133e79d3d862f513e27273dc3a3c51372a3623b0bbcad9273ed61db1e7 |
C:\Windows\SysWOW64\Aqncedbp.exe
| MD5 | 1661ce482598ba021b715fb8f06fa72c |
| SHA1 | 0b108659cc0ae46aab8f4d13cd145eec942b0a64 |
| SHA256 | a3f61e52742fd13da8054bfbafa3c8ebeb5310b431ddec305576d178469c6d55 |
| SHA512 | 934cd1da0a3ef6d496bb9eadf8d2c449fb1534889ed68f9509f952acf7af0f1cbc446e0a313e8abce65476f4ec9be6e6b2bfaa9d776e3a7cd707e347ac507254 |
C:\Windows\SysWOW64\Ajhddjfn.exe
| MD5 | 0fa9a27dd38a75cd169728bc9e613c69 |
| SHA1 | 5db4c48fbc2f1a3cef2ce5feb06f72abdca3f447 |
| SHA256 | 7b728ff08e756901c83533867e404f6aa94af32804dbc80ce67711c6d8686fa4 |
| SHA512 | b7dc08e89d6cfec399bfad7af18bbd2a8e41be02ba4431b53add7b676b6269c65437dbfdcb4285a3c68ee6164963b45cfd130801b19d7d7a3af7c8f86d94b94f |
C:\Windows\SysWOW64\Afoeiklb.exe
| MD5 | 08251c2c9c981facba67f4d0fdecf403 |
| SHA1 | 979fcf6ee9fbe2d569f3c407fc5acc8b8ea3d3c5 |
| SHA256 | 258cb9b7b24fcd005b94e7b55c05c032d689b6398aa79935b7992e800285e833 |
| SHA512 | e6bb43b3bedf2206131a47fc7bc256576a743161781d107c3b9ea096c5534c4f52a75897c5ecd22f31cb05e8c8c54d0fa9984eda369ee09d38e8b124d862a06e |
C:\Windows\SysWOW64\Bfabnjjp.exe
| MD5 | 8b5cb24743d0b2c81d27ba8aff4ce1d0 |
| SHA1 | 6380428d0f4db35528e384d8b9c7eefdbc08eb00 |
| SHA256 | 8775962a4270012f0f68c51e975d769ee4665c2cbb27a1dc4bd3c0a962179d80 |
| SHA512 | c8d89167823576b6ed249e23413519139c1c1255f6e05aec0f083f551d80da0581247a99d2396fd8402bfd3a1009ec9d388b1783aeace15d3c79662ef10816a4 |
C:\Windows\SysWOW64\Beeoaapl.exe
| MD5 | 3bcde58b821607d06cef68770a5b80d1 |
| SHA1 | 817a9f3cc9cdf9179629520cd96995b085cb5a81 |
| SHA256 | 903546dd2513f7dfe1e720b143fcb776cdf2afe6f81b623666c1f52b35b2d647 |
| SHA512 | f8993cb44276999b016825f6c458324b75d79ed9292607a75e9b297fcf8938064cad6ddc623b99c1b6f2a35087d572953b8dd00477ed6e6234f01203a8b1ee06 |
C:\Windows\SysWOW64\Cabfga32.exe
| MD5 | b85c60684499f171ed69b3a156dd9ee4 |
| SHA1 | 7336e03d73ac325a1cd1ca9be66d0c375cce2e64 |
| SHA256 | 6ffb8b47a536d4700c0525afd11d41aa29b1e476e4105d16ef5077e4dd69a8a0 |
| SHA512 | b0e95c9003b21acc59e68d9cfb5b2a6d466c4537507a8cccbdffdc6dd02917109a89869d6011a9958702179ec8187d5f9129ced92ae96b1ff749d6179d66c957 |
C:\Windows\SysWOW64\Cnkplejl.exe
| MD5 | 4a6a21442b969f5c28695a090a79d07b |
| SHA1 | de751f3b829697993333efbf6103036c7bfcddf4 |
| SHA256 | 4255c8db84039314c763b1f900b51c00d7e53c3cbb63ceae86a7e14f790c67d9 |
| SHA512 | 7799e9b433c87ae4740afdd0fc6838ed040fc4f53d171b152d84ae5440ffdb649b29f224c4c370e0a0c1025cd35da41772c4f69490dbefc4772bc78047eca168 |
C:\Windows\SysWOW64\Ddjejl32.exe
| MD5 | a731f11ea2ad0b8285c9ff411bcc8007 |
| SHA1 | 52966414b81c25b195aa187196edc8da85f41921 |
| SHA256 | 1388224e4195500141766c8b3ddf1b27740e7a8b77e8f925c34eceb0d92413fb |
| SHA512 | 3d7eeaada12e7630909d29d1916a1db6598476f0d948e80982c9c6627ec6b122bb43e5c3d4b60956887a33d24ab372357f6dbfed4a90af169c41780d0fded262 |
C:\Windows\SysWOW64\Danecp32.exe
| MD5 | 0dfc770cf5f2e7f41d9df38b8fbb5a81 |
| SHA1 | d7ad1a07219700f284ea7902cff3637db46d166b |
| SHA256 | 5553917ff1065c1e150d5f853429e96031fc8bf928814896127ba8dc5e486600 |
| SHA512 | df8bb6ac7dd2b85cd584d56e537044b292c98315af19910526c4b5bf81a72118532348bc1aebf46098057faa2356c3a2305bd97b1a04759bd268a7140f9ddb0e |
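The dropped-file tables and memory-dump entries above are the raw material for a hunting IOC list, but they need two checks before use: every digest must have the right length for its algorithm, and copies whose digests are those of zero-length input (as with Mlcifmbl.exe above) must be dropped, since an empty-file hash matches nothing useful. The parser below, an added example for this page and not the sandbox vendor's tooling, reads the listing in the flattened form shown here (a path line followed by `| ALG | hex |` rows, with `memory/<pid>-<n>-<start>-<end>-memory.dmp` lines interleaved), validates each record, builds a SHA256-to-path map of usable indicators, and histograms the mapped image sizes. The sample input is constructed from entries on this page plus one deliberately truncated row under the hypothetical name Truncated.exe to exercise the length check.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing into a hunting
IOC set, validating digest lengths and flagging zero-byte captures.
Added example for this page; not the sandbox vendor's own code."""
import re
from dataclasses import dataclass, field

# Well-known digests of zero-length input. A dropped file carrying these was
# empty when captured, so its hashes are useless as indicators.
EMPTY_DIGESTS = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")  # e.g. C:\Windows\SysWOW64\X.exe
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    digests: dict = field(default_factory=dict)   # algorithm -> lowercase hex
    problems: list = field(default_factory=list)  # validation findings

    @property
    def is_empty(self) -> bool:
        return any(self.digests.get(a) == h for a, h in EMPTY_DIGESTS.items())


@dataclass(frozen=True)
class MemRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return (dropped files, memory regions). A path line opens a file
    record; the '| ALG | hex |' rows that follow belong to it."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, idx, start, end = m.groups()
            regions.append(MemRegion(int(pid), int(idx), int(start, 16), int(end, 16)))
        elif m := HASH_RE.match(line):
            if current is None:
                continue  # hash row with no owning path line: skip it
            alg, hexval = m.group(1).upper(), m.group(2).lower()
            if len(hexval) != HEX_LEN[alg]:
                current.problems.append(
                    f"{alg} has {len(hexval)} hex chars, expected {HEX_LEN[alg]}")
            else:
                current.digests[alg] = hexval
        elif PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
    return files, regions


def hunting_iocs(files) -> dict:
    """SHA256 -> path for files worth hunting: full digest, not a zero-byte capture."""
    return {f.digests["SHA256"]: f.path
            for f in files if "SHA256" in f.digests and not f.is_empty}


def region_sizes(regions) -> dict:
    """Histogram of mapped image sizes (end - start). A single dominant size
    means every dropped copy is the same-sized PE mapped at the same base."""
    hist = {}
    for r in regions:
        hist[r.size] = hist.get(r.size, 0) + 1
    return hist


# Constructed sample: two records and two memory entries taken from this
# report, plus a hypothetical Truncated.exe whose SHA256 row is cut short.
SAMPLE = r"""
C:\Windows\SysWOW64\Ddgkpp32.exe
| MD5 | 7246d98a21341fa142a3a50fb80689b5 |
| SHA1 | 13653b99aa6bc7f4b5195b3a3c60b9ba7352ef52 |
| SHA256 | bb6881250a515a7a9cf710c74a3d96f859af8be4dd13371f11e4ab9ee9b9c769 |
memory/3724-338-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Mlcifmbl.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
memory/4788-350-0x0000000000400000-0x0000000000444000-memory.dmp
C:\Windows\SysWOW64\Truncated.exe
| SHA256 | 09c46047708ed99a403f9081af9e7348 |
"""

if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    for f in files:
        print(f.path, "EMPTY" if f.is_empty else "", f.problems)
    print(hunting_iocs(files))
    print({hex(k): v for k, v in region_sizes(regions).items()})
```

Run against the full listing, `region_sizes` should return a single bucket of 0x44000 bytes for every `memory/...` entry on this page (each dump spans 0x400000 to 0x444000), which is what you expect from a chain of same-sized droppers, and `hunting_iocs` leaves out Mlcifmbl.exe because its digests are the empty-input values.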