Analysis Overview
SHA256
2ae3a68d6910cf91f6da42ac0ac61c147a9394c4fd2bad59de4c90bb860fdfd7
Threat Level: Known bad
The file dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Malware Dropper & Backdoor - Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 03:21
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 03:21
Reported
2024-05-09 03:24
Platform
win7-20240220-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ekholjqg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dcknbh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Eiomkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gphmeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Emeopn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gkgkbipp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekholjqg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fehjeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fehjeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hodpgjha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gfefiemq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fphafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Epieghdk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ggpimica.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gpmjak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Djbiicon.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ggpimica.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghhofmql.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghmiam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eihfjo32.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ffpmnf32.exe | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfefiemq.exe | C:\Windows\SysWOW64\Gonnhhln.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjenmobn.dll | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhfkbo32.dll | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Epaogi32.exe | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Emhlfmgj.exe | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkihhhnm.exe | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njmekj32.dll | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdfflm32.exe | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Olndbg32.dll | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbkgnfbd.exe | C:\Windows\SysWOW64\Gopkmhjk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eihfjo32.exe | C:\Windows\SysWOW64\Dgfjbgmh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fnbkddem.exe | C:\Windows\SysWOW64\Fjgoce32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Faagpp32.exe | C:\Windows\SysWOW64\Fnbkddem.exe | N/A |
| File created | C:\Windows\SysWOW64\Feeiob32.exe | C:\Windows\SysWOW64\Fbgmbg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gejcjbah.exe | C:\Windows\SysWOW64\Gangic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iebpge32.dll | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gacpdbej.exe | C:\Windows\SysWOW64\Gmgdddmq.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghoegl32.exe | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Epaogi32.exe | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ecmkghcl.exe | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emhlfmgj.exe | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpdhmlbj.dll | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mncnkh32.dll | C:\Windows\SysWOW64\Gbkgnfbd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjhhocjj.exe | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jamfqeie.dll | C:\Windows\SysWOW64\Ekholjqg.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkabadei.dll | C:\Windows\SysWOW64\Enihne32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffpmnf32.exe | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcqgok32.dll | C:\Windows\SysWOW64\Fiaeoang.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File created | C:\Windows\SysWOW64\Djbiicon.exe | C:\Windows\SysWOW64\Dchali32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dcdooi32.dll | C:\Windows\SysWOW64\Fdapak32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fiaeoang.exe | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Maphhihi.dll | C:\Windows\SysWOW64\Emhlfmgj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffnphf32.exe | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebedndfa.exe | C:\Windows\SysWOW64\Enihne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gphmeo32.exe | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hdfflm32.exe | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmibbifn.dll | C:\Windows\SysWOW64\Hogmmjfo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fckjalhj.exe | C:\Windows\SysWOW64\Fehjeo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fdoclk32.exe | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gpmjak32.exe | C:\Windows\SysWOW64\Gfefiemq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\SysWOW64\Gphmeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hknach32.exe | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Egdnbg32.dll | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fehjeo32.exe | C:\Windows\SysWOW64\Ealnephf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gaqcoc32.exe | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkpnhgge.exe | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Khejeajg.dll | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| File created | C:\Windows\SysWOW64\Enihne32.exe | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| File created | C:\Windows\SysWOW64\Kegiig32.dll | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\SysWOW64\Ggpimica.exe | N/A |
| File created | C:\Windows\SysWOW64\Hodpgjha.exe | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjdbnf32.exe | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffnphf32.exe | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll" | C:\Windows\SysWOW64\Djbiicon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eihfjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ffkcbgek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iknnbklc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdnbg32.dll" | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Emhlfmgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hknach32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fnpnndgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll" | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Emhlfmgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Efppoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Efppoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ffnphf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fjilieka.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dgaqgh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Faagpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll" | C:\Windows\SysWOW64\Feeiob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Iaeiieeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobdlg32.dll" | C:\Windows\SysWOW64\Dnlidb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gonnhhln.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll" | C:\Windows\SysWOW64\Emeopn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fmjejphb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpocfncj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhjhkq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll" | C:\Windows\SysWOW64\Ekholjqg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gangic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gbnccfpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll" | C:\Windows\SysWOW64\Efppoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" | C:\Windows\SysWOW64\Eiomkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gddifnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hahjpbad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloeodfi.dll" | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
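The rows above record the two halves of the persistence mechanism: a ShellServiceObjectDelayLoad (SSODL) value naming a CLSID, and that CLSID's InProcServer32 key being created and then repeatedly re-pointed at freshly dropped DLLs in SysWow64 by successive stages. The script below is an added example, not code from the sandbox or the report: it parses rows in the report's table shape, joins the SSODL value to the CLSID's InProcServer32 data, and emits the registry paths and DLL paths a responder would query on other hosts. The sample rows are constructed from entries in this report; the SSODL value name `SampleEntry` is an assumption made for the example.

```python
# Added example: rebuild an SSODL -> CLSID -> InProcServer32 persistence chain
# from sandbox registry events and turn it into hunt-ready indicators.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed input in the shape of the report's registry tables. CLSID, DLL
# names and writer processes come from the report; the SSODL value name
# "SampleEntry" is an assumption for this example.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SampleEntry = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ekholjqg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" | C:\Windows\SysWOW64\Ghoegl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll" | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ekklaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Geolea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamfqeie.dll" | C:\Windows\SysWOW64\Ekholjqg.exe | N/A |
"""

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SERVER_KEY_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$")

@dataclass
class RegEvent:
    op: str               # "Set value (str)" or "Key created"
    key: str              # key path without the value name
    name: Optional[str]   # value name; "" is the (Default) value; None for key events
    data: Optional[str]
    process: str

@dataclass
class SsodlChain:
    clsid: str
    wow64: bool
    ssodl_keys: Set[str] = field(default_factory=set)
    value_names: Set[str] = field(default_factory=set)
    server_key: str = ""
    dlls: Set[str] = field(default_factory=set)
    threading: Set[str] = field(default_factory=set)
    writers: Set[str] = field(default_factory=set)

def parse_rows(text: str) -> List[RegEvent]:
    """Turn '| op | target | process | N/A |' rows into RegEvent records."""
    events = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        op, target, process, _ = cells
        if op.startswith("Set value"):
            key_and_name, _, data = target.partition(' = "')
            key, _, name = key_and_name.rpartition("\\")
            # the report prints REG_SZ data with doubled backslashes
            data = data.rstrip('"').replace("\\\\", "\\")
        else:
            key, name, data = target, None, None
        events.append(RegEvent(op, key, name, data, process))
    return events

def to_hive_path(key: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE prefix to the HKLM form reg.exe accepts."""
    prefix = "\\REGISTRY\\MACHINE\\"
    return "HKLM\\" + key[len(prefix):] if key.upper().startswith(prefix) else key

def build_chains(events: List[RegEvent]) -> Dict[str, SsodlChain]:
    """Join SSODL values to the CLSID InProcServer32 keys they point at."""
    chains: Dict[str, SsodlChain] = {}
    def chain_for(clsid: str, key: str) -> SsodlChain:
        return chains.setdefault(clsid.upper(), SsodlChain(clsid.upper(), "\\Wow6432Node\\" in key))
    for e in events:
        if e.key.endswith("\\ShellServiceObjectDelayLoad"):
            if e.op.startswith("Set value") and e.data and CLSID_RE.match(e.data):
                c = chain_for(e.data, e.key)
                c.ssodl_keys.add(to_hive_path(e.key))
                c.value_names.add(e.name)
                c.writers.add(e.process)
            continue
        m = SERVER_KEY_RE.search(e.key)
        if not m:
            continue
        c = chain_for(m.group(1), e.key)
        c.server_key = to_hive_path(e.key)
        c.writers.add(e.process)
        if e.op.startswith("Set value"):
            if e.name == "":                      # (Default) = DLL path loaded in-process
                c.dlls.add(e.data)
            elif e.name.lower() == "threadingmodel":
                c.threading.add(e.data)
    return chains

def assess(c: SsodlChain) -> List[str]:
    """Heuristics for the pattern in the report: one CLSID, rewritten by many stages."""
    findings = []
    if c.ssodl_keys and c.dlls:
        findings.append("SSODL entry resolves to an in-process COM server; explorer.exe loads that DLL at shell start")
    if len(c.dlls) > 1:
        findings.append(f"InProcServer32 (Default) repointed to {len(c.dlls)} different DLLs")
    if len(c.writers) > 1:
        findings.append(f"keys written by {len(c.writers)} distinct processes")
    if any(d.lower().startswith("c:\\windows\\syswow64\\") for d in c.dlls):
        findings.append("server DLL lives in the system directory")
    return findings

def hunt_indicators(c: SsodlChain) -> Dict[str, object]:
    """Registry keys and DLL paths to query on suspect hosts."""
    keys = sorted(c.ssodl_keys) + ([c.server_key] if c.server_key else [])
    return {"clsid": c.clsid, "wow64": c.wow64, "registry_keys": keys, "dll_paths": sorted(c.dlls)}

if __name__ == "__main__":
    for clsid, c in build_chains(parse_rows(SAMPLE_ROWS)).items():
        print(clsid, *("  - " + f for f in assess(c)), sep="\n")
        print(hunt_indicators(c))
```

The `wow64` flag matters when hunting: these keys sit under `Wow6432Node`, so a 64-bit `reg query` or PowerShell session must use the `Wow6432Node` path (or a 32-bit registry view) or it will report the keys as absent.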
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe | "C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe" |
| C:\Windows\SysWOW64\Dqhhknjp.exe | C:\Windows\system32\Dqhhknjp.exe |
| C:\Windows\SysWOW64\Dgaqgh32.exe | C:\Windows\system32\Dgaqgh32.exe |
| C:\Windows\SysWOW64\Dnlidb32.exe | C:\Windows\system32\Dnlidb32.exe |
| C:\Windows\SysWOW64\Dchali32.exe | C:\Windows\system32\Dchali32.exe |
| C:\Windows\SysWOW64\Djbiicon.exe | C:\Windows\system32\Djbiicon.exe |
| C:\Windows\SysWOW64\Dqlafm32.exe | C:\Windows\system32\Dqlafm32.exe |
| C:\Windows\SysWOW64\Dcknbh32.exe | C:\Windows\system32\Dcknbh32.exe |
| C:\Windows\SysWOW64\Dgfjbgmh.exe | C:\Windows\system32\Dgfjbgmh.exe |
| C:\Windows\SysWOW64\Eihfjo32.exe | C:\Windows\system32\Eihfjo32.exe |
| C:\Windows\SysWOW64\Emcbkn32.exe | C:\Windows\system32\Emcbkn32.exe |
| C:\Windows\SysWOW64\Epaogi32.exe | C:\Windows\system32\Epaogi32.exe |
| C:\Windows\SysWOW64\Ecmkghcl.exe | C:\Windows\system32\Ecmkghcl.exe |
| C:\Windows\SysWOW64\Ejgcdb32.exe | C:\Windows\system32\Ejgcdb32.exe |
| C:\Windows\SysWOW64\Emeopn32.exe | C:\Windows\system32\Emeopn32.exe |
| C:\Windows\SysWOW64\Ekholjqg.exe | C:\Windows\system32\Ekholjqg.exe |
| C:\Windows\SysWOW64\Ebbgid32.exe | C:\Windows\system32\Ebbgid32.exe |
| C:\Windows\SysWOW64\Eeqdep32.exe | C:\Windows\system32\Eeqdep32.exe |
| C:\Windows\SysWOW64\Emhlfmgj.exe | C:\Windows\system32\Emhlfmgj.exe |
| C:\Windows\SysWOW64\Ekklaj32.exe | C:\Windows\system32\Ekklaj32.exe |
| C:\Windows\SysWOW64\Epfhbign.exe | C:\Windows\system32\Epfhbign.exe |
| C:\Windows\SysWOW64\Enihne32.exe | C:\Windows\system32\Enihne32.exe |
| C:\Windows\SysWOW64\Ebedndfa.exe | C:\Windows\system32\Ebedndfa.exe |
| C:\Windows\SysWOW64\Efppoc32.exe | C:\Windows\system32\Efppoc32.exe |
| C:\Windows\SysWOW64\Eiomkn32.exe | C:\Windows\system32\Eiomkn32.exe |
| C:\Windows\SysWOW64\Elmigj32.exe | C:\Windows\system32\Elmigj32.exe |
| C:\Windows\SysWOW64\Epieghdk.exe | C:\Windows\system32\Epieghdk.exe |
| C:\Windows\SysWOW64\Eiaiqn32.exe | C:\Windows\system32\Eiaiqn32.exe |
| C:\Windows\SysWOW64\Ejbfhfaj.exe | C:\Windows\system32\Ejbfhfaj.exe |
| C:\Windows\SysWOW64\Ennaieib.exe | C:\Windows\system32\Ennaieib.exe |
| C:\Windows\SysWOW64\Ealnephf.exe | C:\Windows\system32\Ealnephf.exe |
| C:\Windows\SysWOW64\Fehjeo32.exe | C:\Windows\system32\Fehjeo32.exe |
| C:\Windows\SysWOW64\Fckjalhj.exe | C:\Windows\system32\Fckjalhj.exe |
| C:\Windows\SysWOW64\Fjdbnf32.exe | C:\Windows\system32\Fjdbnf32.exe |
| C:\Windows\SysWOW64\Fnpnndgp.exe | C:\Windows\system32\Fnpnndgp.exe |
| C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\system32\Fejgko32.exe |
| C:\Windows\SysWOW64\Ffkcbgek.exe | C:\Windows\system32\Ffkcbgek.exe |
| C:\Windows\SysWOW64\Fjgoce32.exe | C:\Windows\system32\Fjgoce32.exe |
| C:\Windows\SysWOW64\Fnbkddem.exe | C:\Windows\system32\Fnbkddem.exe |
| C:\Windows\SysWOW64\Faagpp32.exe | C:\Windows\system32\Faagpp32.exe |
| C:\Windows\SysWOW64\Fdoclk32.exe | C:\Windows\system32\Fdoclk32.exe |
| C:\Windows\SysWOW64\Ffnphf32.exe | C:\Windows\system32\Ffnphf32.exe |
| C:\Windows\SysWOW64\Fjilieka.exe | C:\Windows\system32\Fjilieka.exe |
| C:\Windows\SysWOW64\Fmhheqje.exe | C:\Windows\system32\Fmhheqje.exe |
| C:\Windows\SysWOW64\Fdapak32.exe | C:\Windows\system32\Fdapak32.exe |
| C:\Windows\SysWOW64\Ffpmnf32.exe | C:\Windows\system32\Ffpmnf32.exe |
| C:\Windows\SysWOW64\Fjlhneio.exe | C:\Windows\system32\Fjlhneio.exe |
| C:\Windows\SysWOW64\Fmjejphb.exe | C:\Windows\system32\Fmjejphb.exe |
| C:\Windows\SysWOW64\Fphafl32.exe | C:\Windows\system32\Fphafl32.exe |
| C:\Windows\SysWOW64\Fddmgjpo.exe | C:\Windows\system32\Fddmgjpo.exe |
| C:\Windows\SysWOW64\Fbgmbg32.exe | C:\Windows\system32\Fbgmbg32.exe |
| C:\Windows\SysWOW64\Feeiob32.exe | C:\Windows\system32\Feeiob32.exe |
| C:\Windows\SysWOW64\Fiaeoang.exe | C:\Windows\system32\Fiaeoang.exe |
| C:\Windows\SysWOW64\Fmlapp32.exe | C:\Windows\system32\Fmlapp32.exe |
| C:\Windows\SysWOW64\Globlmmj.exe | C:\Windows\system32\Globlmmj.exe |
| C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\system32\Gpknlk32.exe |
| C:\Windows\SysWOW64\Gonnhhln.exe | C:\Windows\system32\Gonnhhln.exe |
| C:\Windows\SysWOW64\Gfefiemq.exe | C:\Windows\system32\Gfefiemq.exe |
| C:\Windows\SysWOW64\Gpmjak32.exe | C:\Windows\system32\Gpmjak32.exe |
| C:\Windows\SysWOW64\Gopkmhjk.exe | C:\Windows\system32\Gopkmhjk.exe |
| C:\Windows\SysWOW64\Gbkgnfbd.exe | C:\Windows\system32\Gbkgnfbd.exe |
| C:\Windows\SysWOW64\Gangic32.exe | C:\Windows\system32\Gangic32.exe |
| C:\Windows\SysWOW64\Gejcjbah.exe | C:\Windows\system32\Gejcjbah.exe |
| C:\Windows\SysWOW64\Gieojq32.exe | C:\Windows\system32\Gieojq32.exe |
| C:\Windows\SysWOW64\Ghhofmql.exe | C:\Windows\system32\Ghhofmql.exe |
| C:\Windows\SysWOW64\Gkgkbipp.exe | C:\Windows\system32\Gkgkbipp.exe |
| C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\system32\Gobgcg32.exe |
| C:\Windows\SysWOW64\Gbnccfpb.exe | C:\Windows\system32\Gbnccfpb.exe |
| C:\Windows\SysWOW64\Gaqcoc32.exe | C:\Windows\system32\Gaqcoc32.exe |
| C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\system32\Ghkllmoi.exe |
| C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\system32\Glfhll32.exe |
| C:\Windows\SysWOW64\Gkihhhnm.exe | C:\Windows\system32\Gkihhhnm.exe |
| C:\Windows\SysWOW64\Gmgdddmq.exe | C:\Windows\system32\Gmgdddmq.exe |
| C:\Windows\SysWOW64\Gacpdbej.exe | C:\Windows\system32\Gacpdbej.exe |
| C:\Windows\SysWOW64\Geolea32.exe | C:\Windows\system32\Geolea32.exe |
| C:\Windows\SysWOW64\Ghmiam32.exe | C:\Windows\system32\Ghmiam32.exe |
| C:\Windows\SysWOW64\Ggpimica.exe | C:\Windows\system32\Ggpimica.exe |
| C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\system32\Gkkemh32.exe |
| C:\Windows\SysWOW64\Gogangdc.exe | C:\Windows\system32\Gogangdc.exe |
| C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\system32\Gaemjbcg.exe |
| C:\Windows\SysWOW64\Gphmeo32.exe | C:\Windows\system32\Gphmeo32.exe |
| C:\Windows\SysWOW64\Gddifnbk.exe | C:\Windows\system32\Gddifnbk.exe |
| C:\Windows\SysWOW64\Ghoegl32.exe | C:\Windows\system32\Ghoegl32.exe |
| C:\Windows\SysWOW64\Hknach32.exe | C:\Windows\system32\Hknach32.exe |
| C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\system32\Hiqbndpb.exe |
| C:\Windows\SysWOW64\Hahjpbad.exe | C:\Windows\system32\Hahjpbad.exe |
| C:\Windows\SysWOW64\Hpkjko32.exe | C:\Windows\system32\Hpkjko32.exe |
| C:\Windows\SysWOW64\Hdfflm32.exe | C:\Windows\system32\Hdfflm32.exe |
| C:\Windows\SysWOW64\Hgdbhi32.exe | C:\Windows\system32\Hgdbhi32.exe |
| C:\Windows\SysWOW64\Hkpnhgge.exe | C:\Windows\system32\Hkpnhgge.exe |
| C:\Windows\SysWOW64\Hicodd32.exe | C:\Windows\system32\Hicodd32.exe |
| C:\Windows\SysWOW64\Hnojdcfi.exe | C:\Windows\system32\Hnojdcfi.exe |
| C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\system32\Hpmgqnfl.exe |
| C:\Windows\SysWOW64\Hejoiedd.exe | C:\Windows\system32\Hejoiedd.exe |
| C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\system32\Hnagjbdf.exe |
| C:\Windows\SysWOW64\Hpocfncj.exe | C:\Windows\system32\Hpocfncj.exe |
| C:\Windows\SysWOW64\Hcnpbi32.exe | C:\Windows\system32\Hcnpbi32.exe |
| C:\Windows\SysWOW64\Hjhhocjj.exe | C:\Windows\system32\Hjhhocjj.exe |
| C:\Windows\SysWOW64\Hhjhkq32.exe | C:\Windows\system32\Hhjhkq32.exe |
| C:\Windows\SysWOW64\Hodpgjha.exe | C:\Windows\system32\Hodpgjha.exe |
| C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\system32\Hcplhi32.exe |
| C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\system32\Henidd32.exe |
| C:\Windows\SysWOW64\Hjjddchg.exe | C:\Windows\system32\Hjjddchg.exe |
| C:\Windows\SysWOW64\Hogmmjfo.exe | C:\Windows\system32\Hogmmjfo.exe |
| C:\Windows\SysWOW64\Iaeiieeb.exe | C:\Windows\system32\Iaeiieeb.exe |
| C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\system32\Idceea32.exe |
| C:\Windows\SysWOW64\Ihoafpmp.exe | C:\Windows\system32\Ihoafpmp.exe |
| C:\Windows\SysWOW64\Iknnbklc.exe | C:\Windows\system32\Iknnbklc.exe |
| C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\system32\Iagfoe32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 140 |
Network
Files
memory/2064-0-0x0000000000400000-0x0000000000447000-memory.dmp
\Windows\SysWOW64\Dqhhknjp.exe
| MD5 | e7bb1bcd7106157d923ed9bdd2c098bf |
| SHA1 | e8a5710826f6b2cd10ab3674e3dbadb95b6b155d |
| SHA256 | b23510a821e6ca5280c673d2fa2a1b9bbbe3ae7a302455ff71330f597c87c925 |
| SHA512 | 26415b12fa6db12b932ca613ec5a5a2bb8db413d3bf59ae0392e26ca6cd7ae9db043b8c01159f813d36635833f8cf8d6878adee6eb0b6fea7cadc988789b2720 |
memory/2928-18-0x0000000000400000-0x0000000000447000-memory.dmp
\Windows\SysWOW64\Dgaqgh32.exe
| MD5 | 683d3b451eeab5dc2f0fea91fc4d2ef6 |
| SHA1 | 9354abaf5c42a98a18308cc7e7ae265e3056ffbd |
| SHA256 | 2f26864b36920ae8e4428e3070cc7cec8a77a1371e82e3de8249b61d52371969 |
| SHA512 | 3fa7fa2fa477fac537404bd5760c605014a4d24dc65c97c6c270066f77b2f2df41f24eea637a1bb68f5c13b7ea318fce3760f2e4befa501e43da6c9b66b957e0 |
memory/2064-11-0x00000000002D0000-0x0000000000317000-memory.dmp
memory/2360-31-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2560-39-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Dnlidb32.exe
| MD5 | 29f5714b4745d441f364a6e467bc2b27 |
| SHA1 | 05c7c365a5d7a9cd50560672a9c08db50b098f5b |
| SHA256 | 737352c41be27e9a075f096d044eff922cad1ba9e7c0757af587a55f1d3aa382 |
| SHA512 | 3b00e84f21e5d4b98cf22ef112ea315205218c7b10ad8dd2a3b5a28948b589179dae4c61289fd84874ae0d533a137ee9cc0d9d8b3eb6e4094b57fdaa20312c84 |
\Windows\SysWOW64\Dchali32.exe
| MD5 | 941d569f8161ad5c520e17f9d951ee24 |
| SHA1 | c670bc8661691b0b3ea04df0746a2040f1d39607 |
| SHA256 | 1519cafd13233c88393a50ce88364d4d55c12ae093256ac9e9f89eabe520268a |
| SHA512 | 823cf45a233da92d3988aff6e1d099b4c3335e3bd2d5baebdbb6a7728ea1d23bcc048f2000a7da2ebce54a6144916b6acc83477bfaa2c4ef1f03ec235aece034 |
\Windows\SysWOW64\Djbiicon.exe
| MD5 | dad08cfc7859b8a562b4444698aa2c08 |
| SHA1 | a2be1918dc2514e32ccd99df2742539df0b9ac3c |
| SHA256 | 8b4f14513c40a71b782cea87d4f1e13e3ad5dc4149d8518008bc7b8fb54e4437 |
| SHA512 | fffc85af570bf91607881acc2236fcf9bb2044e14188499684dc9488c6ef85c45aeeec7c15029b2aeb175721826c1b795dc7b1c80156b2b66ab38e41d8b278a9 |
memory/2588-64-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2708-66-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2560-57-0x0000000000290000-0x00000000002D7000-memory.dmp
C:\Windows\SysWOW64\Flcnijgi.dll
| MD5 | ef8d9848cf5bd1c5abfc2b649ea8fd6f |
| SHA1 | fb2776ac69453f3d854ae23f25aae927d44906d0 |
| SHA256 | beeffbab5b7cb530b956139ba6d7237f7b939bcc037ef60955daf6b1de48ac6e |
| SHA512 | 8faddc14d906fced5713ca611c201cc43c3b4bc349b7f48dce554868c054344d59882a994c06a349cd6183c4ee877114e2d4f4f8496ef1803e87842101b24ecf |
\Windows\SysWOW64\Dqlafm32.exe
| MD5 | 95294a64854dd4c625d5720ec0042069 |
| SHA1 | 7f347e9ad7809cd749416dfa159c7a159a19b214 |
| SHA256 | 245a6b1c233c2f413f4bd61cc3f14719ee08d1deb0c7d03131946abcb19d2bde |
| SHA512 | a3cf10789ea8033b1a7edb39637370527d25f2a2ee928106410edd3264cceb16f54bbea7585d61a7508575cd9fbb5d0c2006649e9bf71340e779f380bd6adb7f |
memory/2484-84-0x0000000000400000-0x0000000000447000-memory.dmp
\Windows\SysWOW64\Dcknbh32.exe
| MD5 | 8fa13f4ca26626d6169daea250a3b081 |
| SHA1 | e8ed774e456f4080579d73a1a93bdc7c5779cc65 |
| SHA256 | 890176a48ba2bf40e53cb14d87b55b8c3cf2ea9a0a72286e06ec4eaa71d87000 |
| SHA512 | 38e1cf9524247e4ecd6abfca5c808147c48295ca6ac60f1fb325a457c0be696208b4f66a4db77ca78998f49b9fc30e051207c5767b235dc8433a39bb531e56b9 |
memory/2484-92-0x00000000002A0000-0x00000000002E7000-memory.dmp
memory/2500-93-0x0000000000400000-0x0000000000447000-memory.dmp
\Windows\SysWOW64\Dgfjbgmh.exe
| MD5 | bf5493169159e066c845e8212da5e480 |
| SHA1 | bbc32f1a13a91763079756f2ee4769cb511f60dd |
| SHA256 | d515c269803c2dcfbffaf4b322cdd7fdd6c8f31646b32fd67c699ea485ccf154 |
| SHA512 | eecd450534aec32e1a16890631a0852432410acafa607f4a9bca286db313d5e126b29c377949594abe19145bc73a87f6a6b85266f222cab22984681d8830d902 |
\Windows\SysWOW64\Eihfjo32.exe
| MD5 | 58e8da433dc499f22cca89a8c9aff02a |
| SHA1 | c386d508f145a1f7496b67ad694dc2205d7bd4d6 |
| SHA256 | 580369fb3ae25619b9f73a7f66020a4e8763b747ba14ffc2063b6a9f155a6089 |
| SHA512 | 26f50e0623de2e8230b2e52bf748b071958b3c1f10533eb73ebd9e267f4050ec58c89218c23440e6da839687fa707f8879255447985f025f0a07832b710b1614 |
memory/2900-111-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2740-124-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2768-132-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Epaogi32.exe
| MD5 | d3be8bb2c63e2c3b739e876e478d25f4 |
| SHA1 | dc76b49dfc38b115708bfb96a4448d22ee0ef76d |
| SHA256 | 636d27462b14287f1192b9ec77a6bf135efc18c5584c3786c8bbdbd91e5fd368 |
| SHA512 | 2432d9a60c5ea75d82fe47c994ab1dc25fbe2e5e534272577f736d60c749161b3fc89c78957a1d18d485c7eb91e7c39f1e44bb2941c1118252a4d205bf61f415 |
memory/2220-153-0x0000000000300000-0x0000000000347000-memory.dmp
memory/2220-152-0x0000000000400000-0x0000000000447000-memory.dmp
\Windows\SysWOW64\Ecmkghcl.exe
| MD5 | 22550452cc8a11eac844402cff4cc2e8 |
| SHA1 | 44f850bd16ca64bc6b3b2b3e902cc367f9321f79 |
| SHA256 | b3cad5485e1d862fef3d254f176f22f3f8840dbc2f1ac042c2e3e18528d4ce86 |
| SHA512 | 4409c01f29c191fb0d4043392f15a91d56d9f1675a699e498ddf858211c49d481c5fcec96c39cb0bf59c189993ef1dee26e7fe40f1325cfabdf25fb2f29ccb4e |
C:\Windows\SysWOW64\Ejgcdb32.exe
| MD5 | ff82c206bb484fbda329b67024c5c043 |
| SHA1 | 4d3f38ca4ea660a8c10c65d2a2189119a53a31b4 |
| SHA256 | 257d482ed19375b79e30a47e6921f021b084630c3fcd51defd55fed271e42912 |
| SHA512 | 6a8b1c008bf6c4c563055cf6b319630a3ea24f770c98c2a98dec4f85c6b7b1494e7a170fc9cba573605a1abace6de3ff75ae5e48838b1ec53ef3617bea6ca342 |
\Windows\SysWOW64\Emeopn32.exe
| MD5 | 0f2e8d821f4a50786442d7fba8135fe0 |
| SHA1 | be3ce203514be7c77d0121e3955492de374f4287 |
| SHA256 | 2f99863712b09dff2677b30a507033ce9d610ef6dc2eb906ce4e1b3d82d6cdda |
| SHA512 | e557069624568ecd2eeefe4cb408517ceed0ed2952fb386dcfc92a031c86166af58f4ae13e7201c734512cdd273c98a624eb6a523f1d7ae1de6f311b3a87f3c6 |
C:\Windows\SysWOW64\Ekholjqg.exe
| MD5 | 0709ead7de99f40d56d1a98b0f3fe024 |
| SHA1 | d9cab3f3096c4c446728c98aa0543ae156f26c67 |
| SHA256 | 1b09293b865ee47cda5004def57d8ede3b472d7c126e6d3b88e2c97f22f11cb2 |
| SHA512 | d9072e31b35ddf220ce0efc578d154b105215f0e35f13e834d9b1b52c6e6e7cd4a0d6e7fcb375ef149f9d645a30df54ec8ef82dcdbbba8867c24e1b58a54634a |
memory/864-197-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2236-196-0x0000000000400000-0x0000000000447000-memory.dmp
\Windows\SysWOW64\Ebbgid32.exe
| MD5 | fadb7a3848484c37c46f2a727171dd39 |
| SHA1 | 0edb7a9604617a59e177bb9769a1fe8b60cc23b9 |
| SHA256 | 3010c94319c74614516a31bfb4f90b5115fba299ac912046df6fe8fcc71392c2 |
| SHA512 | 5e31d3997550311363d21c97d7c96d6a8e5eed39ea2d052aa99b1d26caf81cf5ad380805865f7bdf838c5264f286e47601f72f37f0485199177ee541ff3f4111 |
C:\Windows\SysWOW64\Enihne32.exe
| MD5 | 1a8b56701753f2baf697c48e46198d95 |
| SHA1 | 1f7d442ed48dfa685fc26f11d378f059282ca8c3 |
| SHA256 | 8df0df28bc107d668f6eeebdc060bc0372db97409b3ca1db0f6755a6d3fcccd4 |
| SHA512 | b21824068c9ff232482bea34810d236f2bd30b1e3dcb7c791c87ec388280e4ad53fae1aa176626f2fec49080a3c77d48a17b1f6b023f575274a6ef0b370a586c |
memory/2092-289-0x0000000000450000-0x0000000000497000-memory.dmp
memory/1640-318-0x0000000000400000-0x0000000000447000-memory.dmp
memory/708-317-0x0000000000250000-0x0000000000297000-memory.dmp
memory/2716-346-0x0000000000250000-0x0000000000297000-memory.dmp
memory/2472-384-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Fjdbnf32.exe
| MD5 | 98a8bee82f1f0e3a2547152acb1e6de0 |
| SHA1 | bf1d3d4f5104fa26d951690ca6fb1d5e19602df7 |
| SHA256 | 227fe7fc14d9b89c0b5f756c582c4b79ee7e437f006946d424a95c4a6db83b48 |
| SHA512 | 7f70b7a47c02b44d06bf011e4628a8c1e49606e63db39ef60757a0d66b772ba1fee6af9584c9fd90ef8f1426a3b68fcd97a2e1a2157292ae3bea81d2760f712b |
C:\Windows\SysWOW64\Fnpnndgp.exe
| MD5 | 207300508dbc6778b82f380dd3e3d544 |
| SHA1 | 66d0ef12df47901024c2f77a313aa61108e9fb5f |
| SHA256 | f87f840ac9bdd29218e1d8e5b8027e2ac1f92a1ec70383fa27ae87a3f6cd10d5 |
| SHA512 | 62eb0d1065302faf72dd1ec6fd417a0afdafff2adf07505a1934c62e3eb4d5985b1fdc810d830b0bc55bd36ff8a47e1dd540c1cb43825d0e31c61811631014f6 |
memory/2468-401-0x0000000000250000-0x0000000000297000-memory.dmp
C:\Windows\SysWOW64\Fejgko32.exe
| MD5 | ea2194efc481a04ba2ed6714a3598274 |
| SHA1 | d34fd006eb7f8ee7e783fd7dd3b3c60faa498c38 |
| SHA256 | 588363044715ed7e3c53756d246d48e83fd22ba003584dec0803394569c64965 |
| SHA512 | d9c7315e7521ac69cb9f992efc241c5d8fc64a627c9fc9be375315da911c61df0aa4b3193085651b8c15abd226825ce25340e2fc8b93be5b6b64ae4e15bb5afa |
memory/1984-442-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Faagpp32.exe
| MD5 | 740915b502ec68ed339418ee15c7d6e6 |
| SHA1 | d751af1e8a6593fb7fb82c6a13ecb3c0ef2226ff |
| SHA256 | b59f9d32e4f215827ab390f937a0d8fc0554d3baa534a94c31b992f887b43d18 |
| SHA512 | d528fbbaa81a7ad613c1ddf26706f747df863b448f079131da4d193ce1939946dd71a91c1a314106d9f05ff774dd5159f43a8eb9abbf4335cb6d7b903a1acc34 |
memory/1536-488-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Windows\SysWOW64\Fmhheqje.exe
| MD5 | c2da0e1291c1e64c981aadf976a32ae8 |
| SHA1 | fdbb53e12db5597865c71a0201dc5819f5557eb6 |
| SHA256 | f43710e73d0aa8faed4203f1cc49f421fa1bf994c9ec6257a547fc84a71d38f5 |
| SHA512 | 13a9201bc31fef2359d88f96b3cfdce6858ff53703c9228607011a4d6b8300f33c6a18f1b41ba464fe3be6a720f3e9fc27a04b2b4fb6e9f4715c9d60cabf5c40 |
C:\Windows\SysWOW64\Fdapak32.exe
| MD5 | 333c5a705e0cb1fab61d7f8bc457cfa4 |
| SHA1 | 9e8bb7d128b1d1925aab3b1b6df12b26c707c748 |
| SHA256 | 782c358818730aa5e8a13d704229db1e449e9e64b1e838348539576549cd83d0 |
| SHA512 | d3a496817be957e928447bea0334408888b074d8121872d40323791362ae0d84abb9dc4324ee1ff9342afe99e8935ecf02cb4ddd1a4483d434d20e01211d1902 |
C:\Windows\SysWOW64\Fmjejphb.exe
| MD5 | e1d85c7ed8449fc5671e179714935619 |
| SHA1 | b5e41857260c171213a3d93df3f80741250706bb |
| SHA256 | 3d69ea60b5d390a91466f7a78db42890093dd2d75901ef7f67488ae5ccfcea7c |
| SHA512 | 3e7e68795db948827661c1b66af999fdbe01777b6348261c38c1c44383b24d16acba8389baeefff44a92d8662d7d7025a74e7082d6500241791b07ec73f027ae |
C:\Windows\SysWOW64\Fddmgjpo.exe
| MD5 | df4d61eaa00fd43951d2c1f081385000 |
| SHA1 | 3a3f8b25af83f6a1497bbb6408e43b1312cd421b |
| SHA256 | 2108d93f61af64cf7dc0fc78882cf8c065cf557e17192d1c758f8fc6339ad9de |
| SHA512 | 54c536e308a4fc79d6f552effb29d4d29a8131993e5fcc95184f32011a03ad09d7fff2685c8d467e9f6703408562cebb8b162502fd66384b739a447ab9f6665f |
C:\Windows\SysWOW64\Fmlapp32.exe
| MD5 | 346d64bb6d6c057288574623ee044ba9 |
| SHA1 | 67db980f882ce88d5408e59a2874c4a2cf445cb4 |
| SHA256 | 95e86fa17ccc29e71ba80b3748260ced6be00b8a3aa5632060d780cf7975fa65 |
| SHA512 | 933da976c505ffb84e64b67c19e6dddf64298788e092cdbaa88ca8dcbc4486422c788afa6e6a0871a9284bdd87a5899eb6b897444def9cb9744d2654fd196ef2 |
C:\Windows\SysWOW64\Globlmmj.exe
| MD5 | 9bd1fe7288cc3ff57d6cbec334e452cd |
| SHA1 | 0cd2b4ca4464d70ee40511c77533599e439d2ad7 |
| SHA256 | 1f21499139301b0206916248438610d7df6017f252877b6e213764545c033d76 |
| SHA512 | d60cc7a456c14a0f156d237faf9f33413efddd3f157b6c0afdbeab35c144768a863ee7d8db428253a566f647b47adbddabf700541143eaf5d2e68be342c200b0 |
C:\Windows\SysWOW64\Gonnhhln.exe
| MD5 | df639e587af1e522705f4729a69e73a5 |
| SHA1 | d93a211a565eef20e762eec384922e33641cdf59 |
| SHA256 | af83845c9d32465342fe5adae43367224ea16c84fc7b408cabef8433600d2ab0 |
| SHA512 | 1d7f55eac0389c4af7e49b132272024e6350056f4a25b01bb986e9cbed7fab979b9dc62b838de7ff3ced3f96b9f9d4f857f91dd82a6b9bc609cb7342b3b8aa92 |
C:\Windows\SysWOW64\Gpknlk32.exe
| MD5 | a9eb3a941172d2fa46b110520f3c8be1 |
| SHA1 | 3a87b9a5d1e9dbf7ce35b7914f71eda4fd267064 |
| SHA256 | 33fdd9bd2cdfec6e3d6dd48d61ccd354dd05389ed6e5f86bfd1667ea2d718188 |
| SHA512 | 2fb8b13a01c690999e039fef88e5159c05defe251affd7efad54aefdbf83de249f83488133a41e188788f734b95f6fe95a1786de933e722acc45fa36550ea0e7 |
C:\Windows\SysWOW64\Gfefiemq.exe
| MD5 | 8ab5bdee2bd66592f9d34354d44ed506 |
| SHA1 | 11073032bd93dd51b1bfc59565e2cf5cc69a9035 |
| SHA256 | 6a1b0246affbca12567092f512943bdce225462a1204aeba337e7965bb9bf14a |
| SHA512 | 68b63484239a81e5706b7affe3f5b1c9b48263a9490e1b3dcbfee6083908d6568218939a589fd0fe7b75f1901591859d37f15615709d14d03e79f6cda2edc2c4 |
C:\Windows\SysWOW64\Gpmjak32.exe
| MD5 | d62b372facda0c7e90c01b3a9b6dbeda |
| SHA1 | 4d00c5bde6f392bfd38fba7705c3a05f1d0a7bf1 |
| SHA256 | db5bd9cc9e357e57ac04a5bd6ad2909f4404ad5eb688020a0ffbef2ef1d772ca |
| SHA512 | 2ffcdd6a1da2773d3bf8e3e01fc45bc4bdf64f4db0321afb90af032fbe0101528137756698facda8fd78ba900f6a58ecb6569b33e0b6e290480662bd1e305c84 |
C:\Windows\SysWOW64\Gopkmhjk.exe
| MD5 | 47b9a4d8f11a53797658aa41184a4117 |
| SHA1 | 1c3d5d60d50d912fa262430dc805c539b7b6f7a1 |
| SHA256 | 9574e174cfb911e44ad9f3bff10f1ef0247931721c97eaa7c4432eb6b1152d0e |
| SHA512 | 1b55273975e663c3f745426ed140b94fc534b61617d9a6206185e7a8c40971e7806f9f26f85748d25400cd071e3bd698518bcaf34b336e33e4a12720cb868167 |
C:\Windows\SysWOW64\Gejcjbah.exe
| MD5 | 72349c69a8890b4de3ca144f8f046c63 |
| SHA1 | 3a120fb6e74f67ba07247caba3c3cab7060df102 |
| SHA256 | 9c6cdde432e86757ccd42958623636bb2933cb90054facc747d6f35f4d2c8a3b |
| SHA512 | 86215a2408a8e80c1c9d4f297fe14cead7f451952bab3955a40333c99527d1a0d35fb3392070f6c71688c2a98ac3639ca69964ce5a5662e0460801255c5df421 |
C:\Windows\SysWOW64\Ghhofmql.exe
| MD5 | 060127181ffecd5eadb43c52ee5dae9d |
| SHA1 | 13f2b630c97749cdfa4ddc5b1ba2bc2a2d95e036 |
| SHA256 | 2fee5ed84f895f807afa78ccc263c1b646d654ab9e3bb5d64ef622d61583678d |
| SHA512 | b15a8e1912870831762a843049f3ebe248c21f3e50790de6a4f3748b51caa650be1b0939f35147f168284077417d7e0a9d893413607d7629efee9b4b7cce914b |
C:\Windows\SysWOW64\Gbnccfpb.exe
| MD5 | 45181256871141b4aa5620a46f7f4f94 |
| SHA1 | 5ec14df87cfe4fb289a630e0aabc341c49c3f9dc |
| SHA256 | c950d0436b3044552efed9171180a0072138a870699196b82b0810547f8d93ca |
| SHA512 | 49457181fb5bfc0ed2c797a457bc396a32075ef15badae316e97ca4bad7e22ef94d192008067c91070f8686900e902d2db36b3d7d5f188e6a3b81a252ef5e4bf |
C:\Windows\SysWOW64\Ghkllmoi.exe
| MD5 | 24473ab6933c3635d7819dd3bdb976f4 |
| SHA1 | 7786beb8f38331906ec7704bc24e3dc6074a3a3c |
| SHA256 | a368dd53b20b2e82447fdc1b1d6972ce6595ec1eb3c9f0cd3372550121468448 |
| SHA512 | dd866f3925dcfb929dbde7c87ac9aefd2148b852da0a8868395109bdf3b56941f4d763dbc29ba35ac706b6ade6427a181e85d171b17bcf02ce8801160cfc8a28 |
C:\Windows\SysWOW64\Gaqcoc32.exe
| MD5 | 2265e28afbabc71a7166a50738376a7a |
| SHA1 | 1fb68f303d355ddfbdf2539f49bc7720ceb764ba |
| SHA256 | 8ba470eec68c72fa3275049f11b8fbdff0ea1cb2c7eb0d9a9e68e3a47d747835 |
| SHA512 | c0f31e891000c0c5c0101d4d748de2787cb96b806bdeb838e7419746f083e6148057a94d4a87d86f35768eb1ee6240d1654cf48f53b602b2b4236b7541f8a1ca |
C:\Windows\SysWOW64\Glfhll32.exe
| MD5 | cc16415fd3289f98c06c74b0fa3d9116 |
| SHA1 | 72c4dd10f5ae440c925ee712ae0873ea5e24a114 |
| SHA256 | f54a5a30b868c1e1f20ef573fb6c58990c512564156523d37ee073afd9e2d561 |
| SHA512 | 9717e2e4c56c41c3c7a18a628738342c29902e21797da6a9fa1edf5f3c1b22cf792734ff44bca42466c8357f7248ebf4c9e85eeace2a8e71380b2dae10efb007 |
C:\Windows\SysWOW64\Gmgdddmq.exe
| MD5 | 29feaf87d9aeccd2c0622475e453622d |
| SHA1 | 597df9422110b81d0d60cb2db77231c4cf42c974 |
| SHA256 | f37f3e7122aa01cde13b05907dea54b33e64cb734d5f65b164f9e9ba4d13b48a |
| SHA512 | 6a23ca7401f7540df820fbcdca68fa8288a994faf4609a3822f212887d59d947cbe388ac16574fad077abd13b4e35f60a12d1490e64ec2bd70b82ac255371f6b |
C:\Windows\SysWOW64\Gacpdbej.exe
| MD5 | 97e1382a254810c7bed377b036c13f75 |
| SHA1 | 4fa7987ab1b94b2a64004391571598c6b6e217e1 |
| SHA256 | dfe269d4233cc25d8d414c626a828b4c18f70b8cdcb1e1c7c5fc095e678890da |
| SHA512 | 3b3849e7e6c52b170f8cfce47646579d9bc4ac08526c95e507b1a3d19d4bf4a19d50272be7f483a9f91281d59561c9b6b3d058a504c2c5b9c9f09c0a5b9dbfa1 |
C:\Windows\SysWOW64\Ghmiam32.exe
| MD5 | 12f5f43363a4aa03021dd738b315a08b |
| SHA1 | 8ee9591095e8ba6d2f4f8878c1eef6bb21510661 |
| SHA256 | 0a71a7782a16bc4ffc3abbc4be8f7b28b677f593de68add60a203d2e47efa45e |
| SHA512 | 203e639f59903458fcd2574968d5d0f935623f6b11ad0a8f6f5add7e93ade5738a8eaacf749cebae7fa50fbc286bba9e1189dad2ad5d072e5e6957bdcf7bac8b |
C:\Windows\SysWOW64\Gkkemh32.exe
| MD5 | ddf88fe1732d380d06832980b18eae61 |
| SHA1 | e9f306ae2904ec89f96ab3350132948f2ff68100 |
| SHA256 | 8053d03b91924fb26274e2ae28bf56f24177e6b6ae17015c9a2e7d4116cdb939 |
| SHA512 | d7405f12d64ea23cc41eb2565f8d5601391ee26bc967ba45e89d4031bc8c9a8a8c18c1e38e261df5b3d3fa0ad2b014e64fc547acf66ac162a0d36e6d37a57b24 |
C:\Windows\SysWOW64\Gaemjbcg.exe
| MD5 | ad6e80b1ad4b0a90d06e35f0907f80e7 |
| SHA1 | 72b25f080d47818e7311e17fc4296d85b867241f |
| SHA256 | 8142933032e97cfadd02f3e8497ee679c54bc9ed4c1c3617ca3fe15cfe6ec102 |
| SHA512 | 55247d6a901e5da37dbc6aa2a8dacaab4da01ebb1182e44fb96a8abc7507e43f5cd9f37c0e17e156936a21c9e0beca9ee5b42fd3fb0f1e758c210d21b5d9c06e |
C:\Windows\SysWOW64\Ghoegl32.exe
| MD5 | 832fa0a8dcdfb140820e1afcc632bb9b |
| SHA1 | 5a45d9564b1b810a9079ae6f6a8dfa10509829cb |
| SHA256 | 4eca083e66c41e33f3356a3eecfec9ae6ee2522c3c7b9a4d1ce0931bf02d26d9 |
| SHA512 | ad393b490b37879d9143833766f2ecf87cfc65a831280ed0e154e753dec852868137184065600497b0eab3fcf3ff1796b10854bea1b0835e426c8a4113f2adae |
C:\Windows\SysWOW64\Hiqbndpb.exe
| MD5 | f1a449c09acdfb5aed7209d8aa49bf4f |
| SHA1 | 4783dbf06502b094c8aad1905494a9ccc03f1166 |
| SHA256 | 21eff6052c0858b01444efb428d26b069a0149f6bee631a3b012302033ba5a46 |
| SHA512 | 7404b4aab947567d0217eee8bbee0b8070fe490c0469b07441826fc694dc8852825024da432a59e6e6c734d58ea5c9f1ff09ef5d4444ceae3649a8c8e2e3e091 |
C:\Windows\SysWOW64\Hpkjko32.exe
| MD5 | dfab905078e5d9ef688416d40190ad4d |
| SHA1 | 655bcea9892bb1161f2fd6b11a69ca0857ccbda2 |
| SHA256 | 2f66138286dd39ac64d84df3810b3bda9344a90216ae9a69661370b807ff152a |
| SHA512 | 33fe27e87976dcdd85ae93b6eaf3d1534581dc8d9f04df46efaeb0df962064b1a06fe45fddd98d32ecb1253f6124ac618e96b9804de4cc63149c40e586f4f1b0 |
C:\Windows\SysWOW64\Hahjpbad.exe
| MD5 | b4b4b41eec26adcc0c4611e3481a81ee |
| SHA1 | 0ccfe9edaef93f8bc1502038e8ac70fdc8ec50a9 |
| SHA256 | fb694f35d960a2baf29ca725166e2fc97482c34fd641f389e452ce6d51f2fb3b |
| SHA512 | 6e58fb326e56d4c1d5de41e0ab85841eb3eef6312ca85d84b94ea1b0b594462fca6848ca5d514605743bca4068e07d499a0d2bbc8a0e387ce2929add4645dfdb |
C:\Windows\SysWOW64\Hdfflm32.exe
| MD5 | a6069a01bfaa58cb921f559a4a4f4441 |
| SHA1 | dca1fff2a7c2c7b7e8a367c1dbdaa12d7243618b |
| SHA256 | cdadb63f5e367926a5ae95be3f1b7609a2b3f01d52e5b673b00d4bd630ebdb16 |
| SHA512 | 6675544e33bf8df06c3effa9e96e9ade36bf96eea25c8cfb8807c84ba1f8a5bd226eda186086605ce1b27fa9239005cf0834f8d3b127e1f6018aeff43437cc22 |
C:\Windows\SysWOW64\Hgdbhi32.exe
| MD5 | 4a0d63ab9da3e9d9dc76bea45858a3ba |
| SHA1 | 5ec0dc45ef422476134467ccd6fb8bf8eabf9870 |
| SHA256 | 3222073e958d8537649b8c3eab8689985c46a3b2377d97e19d5853e70acbf5b9 |
| SHA512 | 1cf0f4b6ded690ecbc28816b4e7f312a4559fc730f7f6799a3ed6973055212dc5ec7941f2b2213678b831c646cb5ba4fb70b8ddf122beb49f9a3ab5b416b8952 |
C:\Windows\SysWOW64\Hkpnhgge.exe
| MD5 | 2a28080913ece25a9f776104574b340f |
| SHA1 | b889296ec9f5af5b252073fc21fe1e0c581722ae |
| SHA256 | fafeacd5dff95ca4c985a2f3c79fa2e2548dee4647f64fe57486cb40aea8da2c |
| SHA512 | ed34cfc96af7cbfc0b8153e38cb11361c2a04d64842ea62a40799f3b752b45c25504d75b415632de58bc39f5fbb258a171a2e84a7b74ab9af80c6293b99a718e |
C:\Windows\SysWOW64\Hicodd32.exe
| MD5 | 6fa43a565a49ec503a3ad53768c623b3 |
| SHA1 | ba452bfb4771db497028bf2d059cbe1d88a269fe |
| SHA256 | 63f523222e5b12285482937e07de6bf3198281fb5a80b5d9fa5b5804b935d8e8 |
| SHA512 | 26e4c0d8f2ac2e47552567c13daaeccea405aa229d42e2ac7e8c50d5a7d0257fd47d42b4d9208301a4a00b7c16166ecd2f2b48ee98da9dec088fb5800ea21de2 |
C:\Windows\SysWOW64\Hknach32.exe
| MD5 | 84855e35d979f885b91ebdc87f8ce8f1 |
| SHA1 | 622cf95b992493b6b97d85e54e60cf14bf9fff1c |
| SHA256 | f14801c378313243ae4a9000d8430bc360089f2ca534b863fdb16f4edaa97e20 |
| SHA512 | 3b5620179e32238c2950817e41d04a0ddd10459fa566d5b8b35962d2106f74deb61b28dc162a974f54b0153a405ca0c1dde068214cea62b74f6aaa469a208356 |
C:\Windows\SysWOW64\Gddifnbk.exe
| MD5 | 7d8fd633797c9fd3f3b30e6cf8bf1e09 |
| SHA1 | 3261001079986bed34280284b39fe6ec9ca1b974 |
| SHA256 | e82bf0e80b51d2bf2e749e3271d5d1720cfaff45cb0dcf60f83181548d1606fe |
| SHA512 | eb4bc4abe301a27e1f0eb7a8093f86f557c296ab9a47e29147d9cc3d7fa61bb7e2db7e6b6c6a6d89abae33b5c1f49e4e689ad4d2d5672b06e09faa2f14320213 |
C:\Windows\SysWOW64\Gphmeo32.exe
| MD5 | f70e7b3943aee1c014d90767eafb6ab7 |
| SHA1 | 47daef427eb679bbc18e0d222caf3f48c512a790 |
| SHA256 | 0d7c9948f74c0dce7e12cb2597a3787bd386bfcd40ecc4571584c9d60a52dfe9 |
| SHA512 | ad20852ecab8929f968bba5f5c2c5198c2a82a2cbc30c76763bb7a3dd1ac8d2fc6eedce22898c697fcc309a1bdbe3d3dfbf2917e9d644bdb56bd084cb0e1d10e |
C:\Windows\SysWOW64\Gogangdc.exe
| MD5 | ac540877f39a1c8e3ee457543b384613 |
| SHA1 | c0e44600f7bf2f9affac22f96c430eb44f36ed6e |
| SHA256 | 8d0e985bddca86347581c255782ec84447636bfa0fc71da8d3fa47062d184f31 |
| SHA512 | 3fa6a355adfd00f85167434327d361b54aef76752b27b88d9acc71e085ff665d8eb22a1d713668eaea3246ed78d75fa25e9791cc3920bdaec8694751ec547ca6 |
C:\Windows\SysWOW64\Ggpimica.exe
| MD5 | bfb581f81602d08715ed2512ee50957b |
| SHA1 | 7b581a79b78d34ebeabc47fe219a4ec2e293a22d |
| SHA256 | 4e396025f476fdcdbcdc12deae5284b0a46849a671c3ea9cffe4302b87f729d1 |
| SHA512 | 26421cf37e4da0091cdb2e05327e04fe52db958d3e8275b5a101157d20404d243db006d13c0951b7c51d9e9fc95d87999687035677a6aad2a680d2aa6ca61252 |
C:\Windows\SysWOW64\Geolea32.exe
| MD5 | f7978978f6ef5b98596e16244a223e0e |
| SHA1 | 99067ac6c14fd548969c79e4f96d0ead8ff6d6cb |
| SHA256 | 5400d7abb61a03337cb832ec2cb20cb1e49b9acf3dc1aa5317f6d0f2dd6ee686 |
| SHA512 | 27fdc299f933d7bfde80b839ba88a029710105c975af3680df82576719b721e093fa937388d0fb0a521711204af0e57cec4e453ff968d5afdf77570ec2875a3f |
C:\Windows\SysWOW64\Gkihhhnm.exe
| MD5 | 4e0dc81552e5ad61f47d202a5c1f4c7a |
| SHA1 | dadc550ccbea9e056e947b98d300af7338b27dab |
| SHA256 | 5a97faef5451bd039b5f03e2a262fd20e8e670f407d2a269c261c731c3583129 |
| SHA512 | 1c6bb2cf1ab21858c71bb8eaf466494a009863263ed5145867452515a61d9f59d529cb80eb25a5bdb46e8acaaface7b19b388d941482a0e7d3a0cb77e1a25a07 |
C:\Windows\SysWOW64\Gobgcg32.exe
| MD5 | 3cf1d420fa5e2a01573ed24a41a8d687 |
| SHA1 | 01e1d6044298306229e587ed7f8a2a9937d0913f |
| SHA256 | e1d97032b6019b9b1b55c045fc8c51138cb7337645424df969790f86d4acc668 |
| SHA512 | c9166d294b81642dcf1c855fb7cbc6bb719cc1e741770956302bf2069c2ced2a0a884c2aa2a642fd30b8ac4dfeea6565d7850ba3acba49996eb5a88cbe4af4d8 |
C:\Windows\SysWOW64\Gkgkbipp.exe
| MD5 | d9f0dc5922069e7ebe1eee901d8c370e |
| SHA1 | c2aa2bec6375043dd2f93825447ab9cd14c141d7 |
| SHA256 | 7d24472a787403c853615315ffee693a188cbaf0b63683a07475d7972ce00ebf |
| SHA512 | 11fb4d49dd13a2e66818369c5b94101cb5bf2c8c606dda53e71288f0b42e70192cda809053244ffda6d10e80b7fa73fc59d008e4d835815bbdc4bbd98e85b387 |
C:\Windows\SysWOW64\Gieojq32.exe
| MD5 | 62abd76c4eded2b655e66762f26c805d |
| SHA1 | b22f1580829f0764b52c18ff3f9b3326852fe475 |
| SHA256 | 1e127c4ec4b19ade2c135aff1011359a53ed3fddeb45f44589b7899e6d994d20 |
| SHA512 | 3d13f488e2362fd8dadc449313cc142740d052898b9ab5904501ffa899ac7994b29e65a3078331c9f999524de296c6ccddeed9cc0a0edafc6164d9abdce45853 |
C:\Windows\SysWOW64\Gangic32.exe
| MD5 | 7292e60322b541c9acd734440488a076 |
| SHA1 | f8426584b6cf54c8879d8440e3c1368b039d97ab |
| SHA256 | 416a90acdd02515dd29cac395e7f9a1e8e8aff308cc8e4dc1062e1e5ff9af78d |
| SHA512 | 89775f99d30cd888d134eaa86f7daf2a88e7c0602cccc0ae7cf142a7521306d0f0325447762526cc8364911c5254877aab5f04693cbdf053f72ee3ba7b5978dd |
C:\Windows\SysWOW64\Gbkgnfbd.exe
| MD5 | fcd653ae485a53cec8dcdee5ed9f8e42 |
| SHA1 | bd47fac13543e77948869184b4c0410b57c1d078 |
| SHA256 | 5236da8955942683717c91193d97d9d03cb69a8302005a0ad707bab803d5c381 |
| SHA512 | 34f6db2b02c89a29c3d3d8dbdaf97b3f8a6cd4e31330d1b9afdc748f9e395d0117893169acb3309ee8714ec4490c133ee843fa0941c18a8796a423f2b31e0bed |
C:\Windows\SysWOW64\Fiaeoang.exe
| MD5 | 8393a294d84638f0bb5021969f038cbd |
| SHA1 | 70368e86034e245b43183952d69e2705269ee36f |
| SHA256 | b2c888057695c22e9b3b5361a813cdbd523724f8039e8a88b50a507f2cad5415 |
| SHA512 | 5e82def54386364ecfe9944f37264f0002d75c47b6a1b2bfef56b4c12416af38fdeed33d7d6093f918f61a64b48cf26d2bad0335bf62d4348e280bfbb820f6a4 |
C:\Windows\SysWOW64\Feeiob32.exe
| MD5 | 336c4756b8d0e2261db1f8638bacb604 |
| SHA1 | 49623556b1b1b511f1fed4088aaef851d4fd3a5b |
| SHA256 | 717431e1083a689cc1fa4a2f0109028f274104a249ba39b38f5fd628d6567d20 |
| SHA512 | 405709aa166593a7acef567702c6659f50aaa64588d38f0a496aecf0745115a7bd83e3202bf132abb7c622b86a531097c903f17fe7bab094d8a31f991c59dccf |
C:\Windows\SysWOW64\Fbgmbg32.exe
| MD5 | db2c05f0bfcd79a874653f21cbd7fe7f |
| SHA1 | 8a8d647c01f4f045c60cc00c655b29b86813eefe |
| SHA256 | b37c9a9fa31b84e6f765f1e05890b90d819865362d0af7560741918d44e81161 |
| SHA512 | 7e3eae696c7b3a9e974162d5494dd0dc408ec3020e99e01939c4e3efbb72f67bffcdd8ddb0a05bd7d685ab07161c4f6067b92aaa836f78683301b58465285bd2 |
C:\Windows\SysWOW64\Fphafl32.exe
| MD5 | 9cfb3aa5c0a2931ccaf4ec1cbdb78c5d |
| SHA1 | bdf5bcfb38fb64958d72eb2294e985ac63974a07 |
| SHA256 | 8494ab7c24b20975db091146b13791758374dd024ae1200c624f66751e63539b |
| SHA512 | 7b87c495fb7fa8409bf7972d9af345f437c3adb8df70b295ff04b5e3243bc2124fc52be6462e169b028b81ea2a53e7b8b04f6647cfa9bd89ca45b4c6d3ff602a |
C:\Windows\SysWOW64\Fjlhneio.exe
| MD5 | ad1b7ad76d699d78721da90215174db0 |
| SHA1 | e17438fb78b0eb8fef201af3147bac222d26bb4f |
| SHA256 | 46a49bfac27f97be32fff1903acd53c42877e2ca1a430003364e650b5fddaf00 |
| SHA512 | efb02d66b7f8db2f3ecca00178d1b04263b4af48dc83e9728ffc8d3c3e13b81f5580e44891fe2455241edbcb5bae87e5ce6612d37174e3c20336defcdb9cd883 |
C:\Windows\SysWOW64\Ffpmnf32.exe
| MD5 | 04a28f32af12693e075a6dd8eeb8ffa9 |
| SHA1 | 78f9645c37fe90ded719f1b3c0934bcdb92bfdb0 |
| SHA256 | 406c5f935bd90537aa3cd5cbcf54c0424d817010075a71be99ee37123dc69d13 |
| SHA512 | 3265e7c33c460eb46b920fec4a922689c7ecac38a6ffd866dd5bb99cb8279a246676a80d2a29b9f766d0ab4d147fd9ddf74a27b90f4e10151f0775f4276cfb8a |
C:\Windows\SysWOW64\Fjilieka.exe
| MD5 | db85c3831dd33867a3222bab8a9c571c |
| SHA1 | 80b4609e261ccbc9a3443ccfb58191bcc7976e8b |
| SHA256 | 33a2257ac3e3e1ece07a37647e818b70e44500720e397efe28664827957e1cfb |
| SHA512 | 9f58b3f2e04df919d540344dee4953ab69848dbdb488a6389daf078f01d63c7f63a7546b5483b4d7ad35b6846f30b9e4c8205603dde649cfbb29d8bf941c5d57 |
C:\Windows\SysWOW64\Ffnphf32.exe
| MD5 | f59e50143c6773291026533f53ca5010 |
| SHA1 | bf7f907668687f739b36c5cf0f517697bcf62cf0 |
| SHA256 | 0765c124d349426269d114ad53c3fd4134d32d4814985be553eb51426f0118ba |
| SHA512 | 97a2b6bf9b63841a65afe84b9307931712ac3ea15eef72cb6386730920e62466483ab39b5e1cc52b9585a8fb0cf9f53def0d974470125ba05bac47eb27fa0d7f |
C:\Windows\SysWOW64\Fdoclk32.exe
| MD5 | 79500607a6ef30dc2a9e78e6b50b0a01 |
| SHA1 | 2f4e42cd36915742fb1f6c183fbf05f6b8f4acc3 |
| SHA256 | 7b1dce73227702096038d88ffa408bbbe58cb2e9c69d774af6e96f3058b8552d |
| SHA512 | a620cdfee2002c2f4070127ae7589ddb47f60812d4e9eb3c423cacbf14b0cadbee34e9a110d2f2253599ba948d075ab71b97c22db24bf57f080413421256c84a |
C:\Windows\SysWOW64\Fnbkddem.exe
| MD5 | 3acae53907c114f02d5fd0e1af6fcf0f |
| SHA1 | fed844b69e7406ab811508348ea71bce2a9b8267 |
| SHA256 | 6b46f3fe33e6910fb0a1ed2114326f262cf7d505b0cf690f8f144274c9e6cf18 |
| SHA512 | 784ce691e8751affebe8b6beb81ac68daca9a068f6f7baad9f1716d1ffa2343e3eda82b10ecc16e0db7f2a2e253a2857dab3cff78402b45a05f30e1d4f2d6580 |
C:\Windows\SysWOW64\Hnojdcfi.exe
| MD5 | ed50ba35c8175d7e250cfdc73a310dbf |
| SHA1 | 1e8bc75d1c90d1076e978f97a82cb0e524f43c0f |
| SHA256 | 4cd8a428bb288c93d3c3e67497f4f49be09d330e0fc34f9f40f82725c5609584 |
| SHA512 | 867442a4086089f22c03b395848bbc91e1b87ae7d2da4f1cc07e32a6605d35f96bff7748f645d0f3e3dc9f333a44e8ca38460d0a62b3d9b6f95d828a15290e5f |
C:\Windows\SysWOW64\Fjgoce32.exe
| MD5 | 3bd82b641ed2d3747423041e0e66315d |
| SHA1 | c7c208a7d923beccae116017e637cc4a40524abd |
| SHA256 | bd4ff7e515ecff7dcc205d2fae91e172365a8eb72554ede9134360e0c4ee2764 |
| SHA512 | a7a53b003653d4f9ebbbeb687882af446591daaedf8849ac35c44fa16e15cd0dcb57d14281cecaa2bc2e4cd89b66525157b02c0f64c5863e8de1349701b8d6b4 |
C:\Windows\SysWOW64\Ffkcbgek.exe
| MD5 | bc2a18e0dbca278fca490fe68d1ec8c4 |
| SHA1 | 5207d8799fd990b383db794af8ef7a1b603134c9 |
| SHA256 | 06697c11668a94ac23bce2505bcfcc687d872a2137b1b21fc80ebd5acd1994b2 |
| SHA512 | 2685a3271ca7efa249ee715b0533f9deabe5ed649a7bea8033e8f2af9ea023bc479831d5dcc2070000be8208bb0e10ef7b6f3e96eb39cfc2c310c5b8c988c099 |
C:\Windows\SysWOW64\Fckjalhj.exe
| MD5 | 8beb17785d8ba2a7ffbb8232e716c784 |
| SHA1 | 3fde509caae04655279e520a23a6342b6b98a3cd |
| SHA256 | 2a963e8ae70354a9439b121f200fc31c76a285467b7b8f0d61dbe9f41bd12ee1 |
| SHA512 | 188b66998018e028b7a19b77219e566120de20a254818592872313e1ff0afd6b98b94dbd8d560c62f29ed9f9d4764915adc2ec7f7610b978a8d832d740af2c23 |
C:\Windows\SysWOW64\Fehjeo32.exe
| MD5 | f5aa17275515e84ce45973da915ed2aa |
| SHA1 | 69192cefa6b416450376f3357164d970e08a9722 |
| SHA256 | 20664b3bbb9c73e2b49a2b6c19a4b95c363ea657f57faa2fe2e048624637137e |
| SHA512 | d98231e920bc27f59faca07ad3c066756a10931d5f5cc591ec081425dcf86027177ad8cf46da4832d95f99a05ef6e9d8d67fb2a06bf04f221466822e625f8c1b |
C:\Windows\SysWOW64\Ealnephf.exe
| MD5 | fd3a47081fc5c73ab42d3adaea3572b6 |
| SHA1 | d4b9b8f64e6ccfe809aa56126978d441c115994a |
| SHA256 | 4a9f45331b1c4d4128afce9321f42cdcb3409053963af88eb7bcbaa6b05efbb5 |
| SHA512 | f0b91b7d804af3fa6d27c0d0ec349d5f6bf1218c525c8b17104785dcba6ea3a0ddb402fbd7c3d7de0ae6c70ca25f5f7d8656a5a6872ccc3861b469bea3c6e514 |
C:\Windows\SysWOW64\Ennaieib.exe
| MD5 | 7eb144e83760b822251761616f4e129b |
| SHA1 | 9d91691c8e668b0b49b23eaf889e2ff64709a5a0 |
| SHA256 | 0dbb8475484c2be6755f1435768dadcaca0dbf6fff281a5ff4a659d3d7a43185 |
| SHA512 | bcc617bac9c39c444c787350c30ff500b039a14bd0a57135aae8cb9a3e52388cf7e24f75bf7a7adfd8395304a6ae5124b9eff429190151d299b864b5710df28a |
C:\Windows\SysWOW64\Ejbfhfaj.exe
| MD5 | 3f9f6b805cdc601e3d244c685c547670 |
| SHA1 | 151d448e1d9aa790499115b1cce7f6c67e21f01f |
| SHA256 | 4ccf3175ff2f119e5c906f76bd935d94789a3381868703b8e33c2386ce76a703 |
| SHA512 | 6d206597df0654f0c9a1bedb3634e894a336fed476fe5f5d115ccaedd88ed014f4d267098186787f8875c031adb70bb15c905ea085cf5ead66d88f0277b65f32 |
C:\Windows\SysWOW64\Eiaiqn32.exe
| MD5 | d62920880bcf280b0462e83a2f8876d1 |
| SHA1 | 958da312bdae8adf421db1b9dad447ddddd412f9 |
| SHA256 | 14d5397ad919ccd2e31fd7ba25c75a145c480cf8e9e379784f1bcba07014d620 |
| SHA512 | 0a41a1690bedf26f7b8050c42f34f29fbf0fd50994b623d2ba051b606e02176ab7ea0c35491920b1201f9123ee9a2a13689f56ccd16eddaa8f0499df0f2839f1 |
C:\Windows\SysWOW64\Epieghdk.exe
| MD5 | c98bc3ac12dc240966913b756ce334d2 |
| SHA1 | 05cb0b5d0e9c60970090da6848178d9ee9613b1d |
| SHA256 | ccb1284fdde3c9dd68ce375c521ce7890ead8ceeae10d1a62aba9640de3f19b8 |
| SHA512 | 27a26b0a7cc1b9a0a0b324a84059503dcb7fb65edd38d832c8be09c3c6c77ef0e6fe6feb90d3594487a3c41b5bea21f8b75a501ff361942d6720b18d44259790 |
C:\Windows\SysWOW64\Elmigj32.exe
| MD5 | dca1e9427f518a311e29f319ce0b4644 |
| SHA1 | 0aa81300da48888fd23aa888582d63940de22338 |
| SHA256 | 1592f0d4f520809cd63e403857bac65e39a0019c79c3d6497ee785d7fda10171 |
| SHA512 | 6070c596cdbbcbf25f796e809467d257a6bbff95f21c9544fba123984b048ed3d623250b9289a3e544df7f05ba1c63792301575828352b63794b927a6eb3e65d |
C:\Windows\SysWOW64\Eiomkn32.exe
| MD5 | f38d3088cba58d56b9479b924b4eb0db |
| SHA1 | 8156e2fd5e350d990102f2e80355051ff1976610 |
| SHA256 | d4d2565c69ad57ce4335a377450cff41f926b7613a02d2592843324769d8c828 |
| SHA512 | c3f70d780da85b2e7fd3641c7aba7872a015f85ab682e3af2fc3467a187c0aaed8d741e15d90bd8a97572bc80dfb51404a89601e3b66b952fef4f8f675602feb |
C:\Windows\SysWOW64\Efppoc32.exe
| MD5 | 956913fdf9318f51b031816403a2264c |
| SHA1 | 75ff12726c0b2073201c0f82208f67dc7fb0430d |
| SHA256 | e09521fb7a32e7d8d6cc7b50bf20c440b91f2ba2eae4189fe42c14d06ebeded7 |
| SHA512 | 1ded15c3237ccc826b247dd8cb837e1f8b03a911118293f18a6083c8d7122e6f0d880ff80e2276a9fa8e00b4db1830a3d7e896c3d06ee455e8b706028e696da1 |
C:\Windows\SysWOW64\Ebedndfa.exe
| MD5 | d2b5236ec8d529f88086d056a3382606 |
| SHA1 | a493ffe8284dd7d5fc93236e3e18147ba142a621 |
| SHA256 | 8aebad31915631d97c33ed39b8b66c06949db2ddcae706450efefa146549a4b7 |
| SHA512 | 41e54b702936b6b10f3a45296c612430588189dc11c40ad0da602ee898e411cbabbbb469b90150bbbec7f5dd62f05e8218da3c82571049237c60dde85fea7bc4 |
C:\Windows\SysWOW64\Epfhbign.exe
| MD5 | 986d4950111413f130d3bedd00b86e36 |
| SHA1 | 12be5649e000ec2c31b110f0d06d04869669b66a |
| SHA256 | b5dcbb051f2af6e1f2971f410bcf70addb28e9f6c9daa045f1db97c368474aa4 |
| SHA512 | 5085a04493bfbfab660a96be51fb84fe0880799bc1055d8a5933b3cd387b8563d44d87fb666bcc5ebbdb1d2b9274dd9dff3ff4dc174bae0280f717ff70c0d44d |
C:\Windows\SysWOW64\Ekklaj32.exe
| MD5 | cd754a0efb00171da475d5ea092fe029 |
| SHA1 | c732c0237fdec3839fbf04e319ff4b3b6ab75f2a |
| SHA256 | af35de7c7e06a6c080c24ab67780fdd6f0f036c87f6df8e5a06ad5887adc5771 |
| SHA512 | 9a7c3b6dd197098af428c306b971e482b940fda0480327ff6e7e917462e8d833e436bd1efc6cc386a1ead998a7b2ba45a999106f0be8cc6923b2b74a4aaa8a0d |
C:\Windows\SysWOW64\Emhlfmgj.exe
| MD5 | 46680c6345b3e13d75eff5eb0b57b45e |
| SHA1 | 61d9815511a0d019b80f2793207641ff0e0e6f24 |
| SHA256 | 740287aba63b1d3e170474607879c19722e6e50d6380311ec2871ad26396c681 |
| SHA512 | f82aafdbcf27282ab7be0b1f8843ff82a7084983f7afb43a57310ca73416682398abe7d63ca6224595c059af71a347fe309a734011e71f89859d729914927361 |
C:\Windows\SysWOW64\Eeqdep32.exe
| MD5 | 37f2d6bd426b540ac067300677d2771b |
| SHA1 | ab9c600d6a810b5a263c93bd9b0dad35d15e09e2 |
| SHA256 | 906749a96bb07080cb9436b5194d0b7c9ae5d64feae38fad1fafcb9f1b8b7404 |
| SHA512 | 6f5d768c2068eb1520b52aa8450268e372f726a1ebc1a8c9186f26a11f60ae0f0476821180b8c5fefb9a24aa3f8a5f554f1eac56894068c826634c7e9b5f73a4 |
C:\Windows\SysWOW64\Emcbkn32.exe
| MD5 | 3fee08ded6c3f73635ee59b2d3df51f7 |
| SHA1 | e92057e46830436226b0ca842d2abcef8ad8207e |
| SHA256 | 5f34be4d1d10a1c94f8123ba98541363965e57365cc1a79f744d56a7531fc314 |
| SHA512 | 0365a557fc22923ac28819abab3e2e6ecf23d6e5a7b24ccca2480b20ebf5d4c4c47984aa41308f867adb09edf8244e542165cc9f49c814b46a0ec7d1f99ba90c |
C:\Windows\SysWOW64\Hpmgqnfl.exe
| MD5 | 985d3369bf178826228d936394a3157e |
| SHA1 | 57cee05f39298678e662219b331049fd41fef046 |
| SHA256 | 6f7d4e0378e617371f86b23d26c0c5b1ff5144430e56c79abbb9649a2608eef5 |
| SHA512 | ce0cc3869d13595c4c2e67d7d662a191dc9dd8d1284d52ceaf989f9c7a31e7b5f4d54505a2a470f7ad979be288aadce8a97dbb4faacc16fd1de6653c0cffd27f |
C:\Windows\SysWOW64\Hejoiedd.exe
| MD5 | 24bc914690632c79911b174bdaf3802e |
| SHA1 | eaec0f45a887b1f5b1225478683ceab356c4b047 |
| SHA256 | 2f4ebe4f2b8e0ab73cfea75142b08d2d8b1a581c9381d8bb6a60d1e551fa354c |
| SHA512 | 6f74d697f377bc93cdf2f6d055892ee5ca467c9990c3176ecfe3ea1fa3c5a096ffc34f83dea661f0381377185ad652d7ec76c432d06e839edc75127602c7a9c1 |
C:\Windows\SysWOW64\Hnagjbdf.exe
| MD5 | 9bc365f7f41f80c8961b85cbb5a73291 |
| SHA1 | 7770ed7ae3039921bfd7ff34c48e1ff99fa2299f |
| SHA256 | ef6c15c40a5660288c8b4c5f77e276a741ff4aacb160bc5b85c0e70413937d1e |
| SHA512 | 00b711202d2746aea7c1b53ceee355f6898e6c68abe318df7af41aa6e070ecc79387f3255ed0ff89e69889193873c271da157c5502207966db2087da1230f3ea |
C:\Windows\SysWOW64\Hpocfncj.exe
| MD5 | 8ad81cd1fe40a5087cb6dd83ced9377a |
| SHA1 | 9032443ea102a495cef94ee813fa3a320c879be4 |
| SHA256 | 35b2bcc02d37dfc439c6a6602f4cb803bd3b38a6ef42f16d7cccf664be724d38 |
| SHA512 | 041f298da5647b9366d737b4a6efb246f5a25275fef917f789530483a121497c2090ec55ef5dd15f9bb568ddb43b7722eb036af09bb0b802331ec952b2731b4a |
C:\Windows\SysWOW64\Hcnpbi32.exe
| MD5 | e9f9dee26649897b789724d1f27a77ea |
| SHA1 | 2c50d0b9c08a844a2561359a4bf069dfc4f71c68 |
| SHA256 | a9c0f0b39dd4cfb83ab0f0cd48f06a54eebf6eca880717d53ad3ceab5dbb910e |
| SHA512 | 146b0f12a1205d944c62eb18e6a38f3561bc7365d204f6e10935f3ead2ff41da9c7839b3f854bc9a668ee6fc79c0c8c10e2ad94e10e568e71706ac69457b5009 |
C:\Windows\SysWOW64\Hjhhocjj.exe
| MD5 | fcb0b7760bec79a220837ea9b899ec25 |
| SHA1 | f974d682d335876a3837bc29c6db48a80f0e3be4 |
| SHA256 | 2befb1cd7b04fe333853d557f42f037b59e2606d63c5524ed6b9b57f6c4f54a9 |
| SHA512 | 383e93c20d3d42cb606324dec428a2399509cdd3e8db3317460e55ea8750db4f37f4e0dcc608ec5319d63e9d55a6afe4b5979100249aea4cdb464dbfc82d6ed1 |
C:\Windows\SysWOW64\Hhjhkq32.exe
| MD5 | a23f2582ac16cd721eaba372bf6bc0e2 |
| SHA1 | 52ab422a8c44a819ab1acde54f0da3d5885b4933 |
| SHA256 | 68782a27be5f54b697a0a62fc735ae7e968c2059aa956e8a9c17d23a4e435163 |
| SHA512 | 13f9548b4be0a172378116c5741801cc63a39a6cf72fea316f1f1f4fa011731612a2379b15e4ffa28189764b42ef7cccbdf5ca4c89013a36403d791fa3e223cf |
C:\Windows\SysWOW64\Hodpgjha.exe
| MD5 | c1e9a9c84745e81541c4ad8df65abbc3 |
| SHA1 | 1d9849994a565f9b045645455fffb41b0de42163 |
| SHA256 | fe03a3e5848d2078a82a05dcd3f1285a2500de1b495b69e79454e3308a01d06e |
| SHA512 | 08e41bcbe7ea206522b30bb06b1d1218faeaa4c9bcad53e1b6cca512fb73227ca9ce736f5789a719ebc5ea63364c6dfc13b240ad519e5d6c3dda603d079bd8c3 |
C:\Windows\SysWOW64\Hcplhi32.exe
| MD5 | 1d5c8ee30eab6723ff2dbdf4937331b3 |
| SHA1 | 763c93aee4914bb3513a02c4a45a752698fa5390 |
| SHA256 | 07b272c3895d86bfaa7951c7ac92f6d82a1240260cd7338e34e5ed18ec38de7b |
| SHA512 | bd0d3236d54d82f5d9d891eee59bf30b1583929145647ebc47382224a2e8a7444592bed494212a017133eb7addcb896245ee553bca8cc00d2f8fb4b9bcf01535 |
C:\Windows\SysWOW64\Henidd32.exe
| MD5 | dd91199bf7a89504a130079050a05957 |
| SHA1 | 10023cf7c79d55fd1408b96fd6f410b6b4c60fa1 |
| SHA256 | c95660313d64ac69ed6662ee33fd0a90871e5637890ae7f00d081b84e5593f41 |
| SHA512 | 514bd32b0e834912d71b1d5516bc1e12cc000a5e025556e850c410708afaf1a3ebd93e420a375641ee3dd72ba4fedec635b4b6978731d4f9f7a89b7aa1c837ab |
C:\Windows\SysWOW64\Hjjddchg.exe
| MD5 | 0a759a6ea07d05e9ab7da64917984887 |
| SHA1 | 5d6129ad25b89df756724f4f61440b9fcc6e8a22 |
| SHA256 | 6500a8306afc6ccc950d7a0002a154abb659095e495262e667903a7dfa684c3f |
| SHA512 | 8889aeadd905a2789c27e5746767cbb249e170acccb77d6f601b4130729dc590daee42cba8f5287e7d7647fde80ba997d9dcb31d25f64ee8cec92502f555cc4b |
C:\Windows\SysWOW64\Hogmmjfo.exe
| MD5 | 2f4082b91753ec6c751cbeaa1a0d9f62 |
| SHA1 | 114047270df3769e2a16b48a30d0e2a152bff431 |
| SHA256 | fa379f0105a6136c47492b62f0936dff9b9f5aaf4a4e29c402acc815850afa44 |
| SHA512 | de352fcbc5b7346b5a62ffed550660e1bbda819c3b7ff3746d3adb08a3d6ffa257d4384d3151c8de0a1bd7d53dfc8c76af6eed0918c0e1356b8956c8820e6a7b |
C:\Windows\SysWOW64\Iaeiieeb.exe
| MD5 | 854693bd2f7176e21b04baae1c93785d |
| SHA1 | fa07b3485fa6ad917215280294c49ebba858bcd3 |
| SHA256 | 44523422b1bda3b5f79fe46decb3cf9d1d7143933225ec5722dd616afbcba327 |
| SHA512 | 0a45cc80b39e06ae0ce9ac528c1cc38d5ab6fce75c768e4128d5600ac44029e594c55483d0f86460b9befd76ca821f3c6f686506d8278e3b969ffbae4b65fdcb |
C:\Windows\SysWOW64\Idceea32.exe
| MD5 | 53615f8a50643b07416467dcb0d216d7 |
| SHA1 | 47693244ce2940db62dcf12aac383bdd27e2005d |
| SHA256 | 50e3c7d668bf9bea9663fdd79c1d7344b97f885d8f869777297cdc9736104553 |
| SHA512 | 4771390bd84f9349c48b68389292ca0827c235d90dbcb654bb8ae77a2c56780a6eb1902ecf9c8e3176ca0c5c964846e6d37644309390d90656ba1c603515b1d2 |
C:\Windows\SysWOW64\Ihoafpmp.exe
| MD5 | 2a2bb2fbb07d7833907548a1df4515c8 |
| SHA1 | 51b0a954f59340491217530d18100c5c15a07a6a |
| SHA256 | df90c23344d300d7bd27c8f038a2bb2eab4d02fa56d2a1b02b7d9bb051f54706 |
| SHA512 | 239e703ef9f7067f90941989983c413cf0986a4a3655d5191d9953c43251fdee39e7c099321dfbd93f6aae4c6dc17276317dfa98e6d533fb9de905d80a605ffe |
C:\Windows\SysWOW64\Iknnbklc.exe
| MD5 | 01eda7f141c840478311aa9af6a837df |
| SHA1 | d5d6579ffafc9b3b18d00267ddf4b66d9f74ca75 |
| SHA256 | 3f91bf2495cb950b56993f542cffbd31b05792980935ce495e3b9afed4b32ad7 |
| SHA512 | 63b9c486b219bc65cf017954c9c1f17ae38e1c7b72681da139321d5f79e1641ea038cf1d5f3eb2a3bd92aa5e6bf5853742831d4b4b11e7b1bf18df9cc4956728 |
C:\Windows\SysWOW64\Iagfoe32.exe
| MD5 | 9be260010bdec4c0bf25cf88f3832fe8 |
| SHA1 | 2eafd6c62314c2a58c9f3656fe97bca0a1c7c852 |
| SHA256 | 3d4c9de5d44daa9a47c57bb8d3bf1d91677af587d34a55ebee5a452a044b2a73 |
| SHA512 | fddca0bc79bc61b134727add3f7f3b932606a7bdc7046e531e123a5e3baef82b4fe2027e5ca89ca275e7f5c702262441bdfadaf45d981374244272dad4f3aee7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 03:21
Reported
2024-05-09 03:24
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
100s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dlegeemh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbnhphbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Goiojk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hpgkkioa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hccglh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ipldfi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cpedjf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dpjflb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fcnejk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jfdida32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jaimbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jaljgidl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kinemkko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Denlnk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fcgoilpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ficgacna.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgmlkp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcbiao32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cafpanem.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ccmclp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ffbnph32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmkbnp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gfcgge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Imdnklfp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Djlddi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jfhbppbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mnlfigcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dcfebonm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Epmcab32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hccglh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hjolnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kgmlkp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mcklgm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mdkhapfj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chebighd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Denlnk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fodeolof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gppekj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hfachc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjolnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ifopiajn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpgqpe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Commqb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpmfddnf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cipehkcl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fcnejk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpfijcfl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caimgncj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffbnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fqaeco32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcqjfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hfofbd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpgkkioa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ijdeiaio.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lilanioo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dohmlp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fqmlhpla.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ddhbep32.dll | C:\Windows\SysWOW64\Ffekegon.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffekegon.exe | C:\Windows\SysWOW64\Fcgoilpj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbapjafe.exe | C:\Windows\SysWOW64\Kpccnefa.exe | N/A |
| File created | C:\Windows\SysWOW64\Mamleegg.exe | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| File created | C:\Windows\SysWOW64\Lppaheqp.dll | C:\Windows\SysWOW64\Jmbklj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkageheh.dll | C:\Windows\SysWOW64\Hpgkkioa.exe | N/A |
| File created | C:\Windows\SysWOW64\Qnoaog32.dll | C:\Windows\SysWOW64\Jjmhppqd.exe | N/A |
| File created | C:\Windows\SysWOW64\Kckbqpnj.exe | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mdfofakp.exe | C:\Windows\SysWOW64\Mnlfigcc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gbjhlfhb.exe | C:\Windows\SysWOW64\Gqikdn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fijmbb32.exe | C:\Windows\SysWOW64\Fflaff32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjhfnccl.exe | C:\Windows\SysWOW64\Hbanme32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpcbnd32.dll | C:\Windows\SysWOW64\Kgdbkohf.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgkocp32.dll | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fcnejk32.exe | C:\Windows\SysWOW64\Fqohnp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dkfpkkqa.dll | C:\Windows\SysWOW64\Gjclbc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hccglh32.exe | C:\Windows\SysWOW64\Hpgkkioa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kpccnefa.exe | C:\Windows\SysWOW64\Kaqcbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmccchkn.exe | C:\Windows\SysWOW64\Lkdggmlj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgnnhk32.exe | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcplce32.dll | C:\Windows\SysWOW64\Ffggkgmk.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjbako32.exe | C:\Windows\SysWOW64\Jbkjjblm.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbanme32.exe | C:\Windows\SysWOW64\Hpbaqj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Anjekdho.dll | C:\Windows\SysWOW64\Jpjqhgol.exe | N/A |
| File created | C:\Windows\SysWOW64\Elhmablc.exe | C:\Windows\SysWOW64\Ejjqeg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djlddi32.exe | C:\Windows\SysWOW64\Dadlclim.exe | N/A |
| File created | C:\Windows\SysWOW64\Gogbdl32.exe | C:\Windows\SysWOW64\Gmhfhp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ilaidmmo.dll | C:\Windows\SysWOW64\Gogbdl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjlfbd32.exe | C:\Windows\SysWOW64\Gbenqg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iinlemia.exe | C:\Windows\SysWOW64\Ijkljp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Coojfa32.exe | C:\Windows\SysWOW64\Chebighd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejjqeg32.exe | C:\Windows\SysWOW64\Ebbidj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mdkhapfj.exe | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| File created | C:\Windows\SysWOW64\Jepjeoec.dll | C:\Windows\SysWOW64\Chebighd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejbkehcg.exe | C:\Windows\SysWOW64\Dchbhn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjebnamp.dll | C:\Windows\SysWOW64\Ejgdpg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fodeolof.exe | C:\Windows\SysWOW64\Fqaeco32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcqjfh32.exe | C:\Windows\SysWOW64\Hjhfnccl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iannfk32.exe | C:\Windows\SysWOW64\Ijdeiaio.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaimbj32.exe | C:\Windows\SysWOW64\Jfdida32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kgbefoji.exe | C:\Windows\SysWOW64\Kdcijcke.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dagiil32.exe | C:\Windows\SysWOW64\Dohmlp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Epmjjbbj.dll | C:\Windows\SysWOW64\Mdfofakp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogndib32.dll | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Qbplof32.dll | C:\Windows\SysWOW64\Gbjhlfhb.exe | N/A |
| File created | C:\Windows\SysWOW64\Kipabjil.exe | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kdhbec32.exe | C:\Windows\SysWOW64\Kpmfddnf.exe | N/A |
| File created | C:\Windows\SysWOW64\Jplifcqp.dll | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdemcacc.dll | C:\Windows\SysWOW64\Lcpllo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dadlclim.exe | C:\Windows\SysWOW64\Dpcpkc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nqklmpdd.exe | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Commqb32.exe | C:\Windows\SysWOW64\Clnadfbp.exe | N/A |
| File created | C:\Windows\SysWOW64\Gqpmkibm.dll | C:\Windows\SysWOW64\Denlnk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djnaji32.exe | C:\Windows\SysWOW64\Dagiil32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iannfk32.exe | C:\Windows\SysWOW64\Ijdeiaio.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaedgjjd.exe | C:\Windows\SysWOW64\Iinlemia.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jangmibi.exe | C:\Windows\SysWOW64\Jmbklj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kckbqpnj.exe | C:\Windows\SysWOW64\Kdhbec32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eenphlji.dll | C:\Windows\SysWOW64\Caimgncj.exe | N/A |
| File created | C:\Windows\SysWOW64\Maaepd32.exe | C:\Windows\SysWOW64\Mcpebmkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmbkmemo.dll | C:\Windows\SysWOW64\Ipnalhii.exe | N/A |
| File created | C:\Windows\SysWOW64\Njcpee32.exe | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ehonfc32.exe | C:\Windows\SysWOW64\Efpajh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dohmlp32.exe | C:\Windows\SysWOW64\Djlddi32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nkcmohbg.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mcklgm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Digkijmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jjbako32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdmcidam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Iffmccbi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll" | C:\Windows\SysWOW64\Jjmhppqd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll" | C:\Windows\SysWOW64\Ngpjnkpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dadlclim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll" | C:\Windows\SysWOW64\Dchbhn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ffggkgmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kgbefoji.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnldg32.dll" | C:\Windows\SysWOW64\Bpcgdfaa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Epmcab32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jmbklj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gfcgge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbfpobpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll" | C:\Windows\SysWOW64\Mjeddggd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll" | C:\Windows\SysWOW64\Nqklmpdd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bpcgdfaa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll" | C:\Windows\SysWOW64\Cidncj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll" | C:\Windows\SysWOW64\Ejgdpg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Eodlho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll" | C:\Windows\SysWOW64\Ijhodq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kbapjafe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chebighd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll" | C:\Windows\SysWOW64\Lknjmkdo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" | C:\Windows\SysWOW64\Nqiogp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll" | C:\Windows\SysWOW64\Jpjqhgol.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jkfkfohj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll" | C:\Windows\SysWOW64\Dokjbp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fijmbb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gmkbnp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Jfdida32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll" | C:\Windows\SysWOW64\Jdmcidam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll" | C:\Windows\SysWOW64\Kinemkko.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ljnnch32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Epopgbia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fqkocpod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jaedgjjd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hbanme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jmbklj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khkchobp.dll" | C:\Windows\SysWOW64\Cefemliq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ebnoikqb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fbnhphbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gppekj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll" | C:\Windows\SysWOW64\Hpgkkioa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll" | C:\Windows\SysWOW64\Ijkljp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lalcng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll" | C:\Windows\SysWOW64\Mnlfigcc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cpedjf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ecdbdl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Gogbdl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Lpappc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll" | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ecmlcmhe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Fbnhphbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll" | C:\Windows\SysWOW64\Fbnhphbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll" | C:\Windows\SysWOW64\Ebnoikqb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebbidj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkfba32.dll" | C:\Windows\SysWOW64\Dpjflb32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\dd8ebb34c978e722c5f1019ccd7b01f0_NEIKI.exe"
C:\Windows\SysWOW64\Biiohl32.exe
C:\Windows\system32\Biiohl32.exe
C:\Windows\SysWOW64\Bpcgdfaa.exe
C:\Windows\system32\Bpcgdfaa.exe
C:\Windows\SysWOW64\Beppmmoi.exe
C:\Windows\system32\Beppmmoi.exe
C:\Windows\SysWOW64\Chnlihnl.exe
C:\Windows\system32\Chnlihnl.exe
C:\Windows\SysWOW64\Cpedjf32.exe
C:\Windows\system32\Cpedjf32.exe
C:\Windows\SysWOW64\Cafpanem.exe
C:\Windows\system32\Cafpanem.exe
C:\Windows\SysWOW64\Cimhckeo.exe
C:\Windows\system32\Cimhckeo.exe
C:\Windows\SysWOW64\Cpgqpe32.exe
C:\Windows\system32\Cpgqpe32.exe
C:\Windows\SysWOW64\Caimgncj.exe
C:\Windows\system32\Caimgncj.exe
C:\Windows\SysWOW64\Cipehkcl.exe
C:\Windows\system32\Cipehkcl.exe
C:\Windows\SysWOW64\Clnadfbp.exe
C:\Windows\system32\Clnadfbp.exe
C:\Windows\SysWOW64\Commqb32.exe
C:\Windows\system32\Commqb32.exe
C:\Windows\SysWOW64\Cefemliq.exe
C:\Windows\system32\Cefemliq.exe
C:\Windows\SysWOW64\Chebighd.exe
C:\Windows\system32\Chebighd.exe
C:\Windows\SysWOW64\Coojfa32.exe
C:\Windows\system32\Coojfa32.exe
C:\Windows\SysWOW64\Camfbm32.exe
C:\Windows\system32\Camfbm32.exe
C:\Windows\SysWOW64\Cidncj32.exe
C:\Windows\system32\Cidncj32.exe
C:\Windows\SysWOW64\Cpofpdgd.exe
C:\Windows\system32\Cpofpdgd.exe
C:\Windows\SysWOW64\Ccmclp32.exe
C:\Windows\system32\Ccmclp32.exe
C:\Windows\SysWOW64\Digkijmd.exe
C:\Windows\system32\Digkijmd.exe
C:\Windows\SysWOW64\Dlegeemh.exe
C:\Windows\system32\Dlegeemh.exe
C:\Windows\SysWOW64\Doccaall.exe
C:\Windows\system32\Doccaall.exe
C:\Windows\SysWOW64\Denlnk32.exe
C:\Windows\system32\Denlnk32.exe
C:\Windows\SysWOW64\Dpcpkc32.exe
C:\Windows\system32\Dpcpkc32.exe
C:\Windows\SysWOW64\Dadlclim.exe
C:\Windows\system32\Dadlclim.exe
C:\Windows\SysWOW64\Djlddi32.exe
C:\Windows\system32\Djlddi32.exe
C:\Windows\SysWOW64\Dohmlp32.exe
C:\Windows\system32\Dohmlp32.exe
C:\Windows\SysWOW64\Dagiil32.exe
C:\Windows\system32\Dagiil32.exe
C:\Windows\SysWOW64\Djnaji32.exe
C:\Windows\system32\Djnaji32.exe
C:\Windows\SysWOW64\Dokjbp32.exe
C:\Windows\system32\Dokjbp32.exe
C:\Windows\SysWOW64\Dcfebonm.exe
C:\Windows\system32\Dcfebonm.exe
C:\Windows\SysWOW64\Dfdbojmq.exe
C:\Windows\system32\Dfdbojmq.exe
C:\Windows\SysWOW64\Dpjflb32.exe
C:\Windows\system32\Dpjflb32.exe
C:\Windows\SysWOW64\Dchbhn32.exe
C:\Windows\system32\Dchbhn32.exe
C:\Windows\SysWOW64\Ejbkehcg.exe
C:\Windows\system32\Ejbkehcg.exe
C:\Windows\SysWOW64\Epmcab32.exe
C:\Windows\system32\Epmcab32.exe
C:\Windows\SysWOW64\Ebnoikqb.exe
C:\Windows\system32\Ebnoikqb.exe
C:\Windows\SysWOW64\Ejegjh32.exe
C:\Windows\system32\Ejegjh32.exe
C:\Windows\SysWOW64\Epopgbia.exe
C:\Windows\system32\Epopgbia.exe
C:\Windows\SysWOW64\Ecmlcmhe.exe
C:\Windows\system32\Ecmlcmhe.exe
C:\Windows\SysWOW64\Ejgdpg32.exe
C:\Windows\system32\Ejgdpg32.exe
C:\Windows\SysWOW64\Eleplc32.exe
C:\Windows\system32\Eleplc32.exe
C:\Windows\SysWOW64\Eodlho32.exe
C:\Windows\system32\Eodlho32.exe
C:\Windows\SysWOW64\Ebbidj32.exe
C:\Windows\system32\Ebbidj32.exe
C:\Windows\SysWOW64\Ejjqeg32.exe
C:\Windows\system32\Ejjqeg32.exe
C:\Windows\SysWOW64\Elhmablc.exe
C:\Windows\system32\Elhmablc.exe
C:\Windows\SysWOW64\Ecbenm32.exe
C:\Windows\system32\Ecbenm32.exe
C:\Windows\SysWOW64\Efpajh32.exe
C:\Windows\system32\Efpajh32.exe
C:\Windows\SysWOW64\Ehonfc32.exe
C:\Windows\system32\Ehonfc32.exe
C:\Windows\SysWOW64\Eqfeha32.exe
C:\Windows\system32\Eqfeha32.exe
C:\Windows\SysWOW64\Ecdbdl32.exe
C:\Windows\system32\Ecdbdl32.exe
C:\Windows\SysWOW64\Ffbnph32.exe
C:\Windows\system32\Ffbnph32.exe
C:\Windows\SysWOW64\Fmmfmbhn.exe
C:\Windows\system32\Fmmfmbhn.exe
C:\Windows\SysWOW64\Fcgoilpj.exe
C:\Windows\system32\Fcgoilpj.exe
C:\Windows\SysWOW64\Ffekegon.exe
C:\Windows\system32\Ffekegon.exe
C:\Windows\SysWOW64\Ficgacna.exe
C:\Windows\system32\Ficgacna.exe
C:\Windows\SysWOW64\Fqkocpod.exe
C:\Windows\system32\Fqkocpod.exe
C:\Windows\SysWOW64\Fcikolnh.exe
C:\Windows\system32\Fcikolnh.exe
C:\Windows\SysWOW64\Ffggkgmk.exe
C:\Windows\system32\Ffggkgmk.exe
C:\Windows\SysWOW64\Fifdgblo.exe
C:\Windows\system32\Fifdgblo.exe
C:\Windows\SysWOW64\Fqmlhpla.exe
C:\Windows\system32\Fqmlhpla.exe
C:\Windows\SysWOW64\Fbnhphbp.exe
C:\Windows\system32\Fbnhphbp.exe
C:\Windows\SysWOW64\Fihqmb32.exe
C:\Windows\system32\Fihqmb32.exe
C:\Windows\SysWOW64\Fqohnp32.exe
C:\Windows\system32\Fqohnp32.exe
C:\Windows\SysWOW64\Fcnejk32.exe
C:\Windows\system32\Fcnejk32.exe
C:\Windows\SysWOW64\Fflaff32.exe
C:\Windows\system32\Fflaff32.exe
C:\Windows\SysWOW64\Fijmbb32.exe
C:\Windows\system32\Fijmbb32.exe
C:\Windows\SysWOW64\Fqaeco32.exe
C:\Windows\system32\Fqaeco32.exe
C:\Windows\SysWOW64\Fodeolof.exe
C:\Windows\system32\Fodeolof.exe
C:\Windows\SysWOW64\Gbcakg32.exe
C:\Windows\system32\Gbcakg32.exe
C:\Windows\SysWOW64\Gjjjle32.exe
C:\Windows\system32\Gjjjle32.exe
C:\Windows\SysWOW64\Gmhfhp32.exe
C:\Windows\system32\Gmhfhp32.exe
C:\Windows\SysWOW64\Gogbdl32.exe
C:\Windows\system32\Gogbdl32.exe
C:\Windows\SysWOW64\Gbenqg32.exe
C:\Windows\system32\Gbenqg32.exe
C:\Windows\SysWOW64\Gjlfbd32.exe
C:\Windows\system32\Gjlfbd32.exe
C:\Windows\SysWOW64\Gmkbnp32.exe
C:\Windows\system32\Gmkbnp32.exe
C:\Windows\SysWOW64\Goiojk32.exe
C:\Windows\system32\Goiojk32.exe
C:\Windows\SysWOW64\Gfcgge32.exe
C:\Windows\system32\Gfcgge32.exe
C:\Windows\SysWOW64\Gmmocpjk.exe
C:\Windows\system32\Gmmocpjk.exe
C:\Windows\SysWOW64\Gqikdn32.exe
C:\Windows\system32\Gqikdn32.exe
C:\Windows\SysWOW64\Gbjhlfhb.exe
C:\Windows\system32\Gbjhlfhb.exe
C:\Windows\SysWOW64\Gjclbc32.exe
C:\Windows\system32\Gjclbc32.exe
C:\Windows\SysWOW64\Gmaioo32.exe
C:\Windows\system32\Gmaioo32.exe
C:\Windows\SysWOW64\Gppekj32.exe
C:\Windows\system32\Gppekj32.exe
C:\Windows\SysWOW64\Hpbaqj32.exe
C:\Windows\system32\Hpbaqj32.exe
C:\Windows\SysWOW64\Hbanme32.exe
C:\Windows\system32\Hbanme32.exe
C:\Windows\SysWOW64\Hjhfnccl.exe
C:\Windows\system32\Hjhfnccl.exe
C:\Windows\SysWOW64\Hcqjfh32.exe
C:\Windows\system32\Hcqjfh32.exe
C:\Windows\SysWOW64\Hfofbd32.exe
C:\Windows\system32\Hfofbd32.exe
C:\Windows\SysWOW64\Hmioonpn.exe
C:\Windows\system32\Hmioonpn.exe
C:\Windows\SysWOW64\Hpgkkioa.exe
C:\Windows\system32\Hpgkkioa.exe
C:\Windows\SysWOW64\Hccglh32.exe
C:\Windows\system32\Hccglh32.exe
C:\Windows\SysWOW64\Hfachc32.exe
C:\Windows\system32\Hfachc32.exe
C:\Windows\SysWOW64\Hippdo32.exe
C:\Windows\system32\Hippdo32.exe
C:\Windows\SysWOW64\Hpihai32.exe
C:\Windows\system32\Hpihai32.exe
C:\Windows\SysWOW64\Hjolnb32.exe
C:\Windows\system32\Hjolnb32.exe
C:\Windows\SysWOW64\Ipldfi32.exe
C:\Windows\system32\Ipldfi32.exe
C:\Windows\SysWOW64\Iffmccbi.exe
C:\Windows\system32\Iffmccbi.exe
C:\Windows\SysWOW64\Iakaql32.exe
C:\Windows\system32\Iakaql32.exe
C:\Windows\SysWOW64\Ipnalhii.exe
C:\Windows\system32\Ipnalhii.exe
C:\Windows\SysWOW64\Ibmmhdhm.exe
C:\Windows\system32\Ibmmhdhm.exe
C:\Windows\SysWOW64\Ijdeiaio.exe
C:\Windows\system32\Ijdeiaio.exe
C:\Windows\SysWOW64\Iannfk32.exe
C:\Windows\system32\Iannfk32.exe
C:\Windows\SysWOW64\Icljbg32.exe
C:\Windows\system32\Icljbg32.exe
C:\Windows\SysWOW64\Ijfboafl.exe
C:\Windows\system32\Ijfboafl.exe
C:\Windows\SysWOW64\Imdnklfp.exe
C:\Windows\system32\Imdnklfp.exe
C:\Windows\SysWOW64\Idofhfmm.exe
C:\Windows\system32\Idofhfmm.exe
C:\Windows\SysWOW64\Ijhodq32.exe
C:\Windows\system32\Ijhodq32.exe
C:\Windows\SysWOW64\Imgkql32.exe
Network
| Country | Destination | Domain | Proto |
Files