Analysis Overview
SHA256
1b2848437d3bdad1f3642a1eb59d79718274400e011ccc15fb3662ae75c3711b
Threat Level: Known bad
The file virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.vir was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew family
Malware Dropper & Backdoor - Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 09:44
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 09:43
Reported
2024-06-02 09:46
Platform
win7-20240221-en
Max time kernel
144s
Max time network
123s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chcqpmep.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffnphf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gphmeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcifgjgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Claifkkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekholjqg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpmgqnfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddcdkl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjbmjplb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chcqpmep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekholjqg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ecpgmhai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eiomkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dmoipopd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ecpgmhai.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dnilobkm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmoipopd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dcknbh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Claifkkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\Gmjaic32.exe | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gphmeo32.exe | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hicodd32.exe | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddeaalpg.exe | C:\Windows\SysWOW64\Dmoipopd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjcpjl32.dll | C:\Windows\SysWOW64\Gphmeo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Anapbp32.dll | C:\Windows\SysWOW64\Dnilobkm.exe | N/A |
| File created | C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\SysWOW64\Faokjpfd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Claifkkf.exe | C:\Windows\SysWOW64\Cjbmjplb.exe | N/A |
| File created | C:\Windows\SysWOW64\Dcknbh32.exe | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| File created | C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\SysWOW64\Eiomkn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dngoibmo.exe | C:\Windows\SysWOW64\Claifkkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emcbkn32.exe | C:\Windows\SysWOW64\Dfijnd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gaqcoc32.exe | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pabakh32.dll | C:\Windows\SysWOW64\Gaqcoc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File created | C:\Windows\SysWOW64\Pafagk32.dll | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfijnd32.exe | C:\Windows\SysWOW64\Dcknbh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Emcbkn32.exe | C:\Windows\SysWOW64\Dfijnd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Efjcibje.dll | C:\Windows\SysWOW64\Eiomkn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Flabbihl.exe | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\SysWOW64\Gfefiemq.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbhfilfi.dll | C:\Windows\SysWOW64\Ccfhhffh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ekholjqg.exe | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hellne32.exe | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihoafpmp.exe | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgodbh32.exe | C:\Windows\SysWOW64\Dngoibmo.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekholjqg.exe | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lanfmb32.dll | C:\Windows\SysWOW64\Epfhbign.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmhheqje.exe | C:\Windows\SysWOW64\Ffnphf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcnpbi32.exe | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcfdakpf.dll | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hghmjpap.dll | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| File created | C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ieqeidnl.exe | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpbjlbfp.dll | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmhheqje.exe | C:\Windows\SysWOW64\Ffnphf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fpfdalii.exe | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| File created | C:\Windows\SysWOW64\Lefmambf.dll | C:\Windows\SysWOW64\Dmoipopd.exe | N/A |
| File created | C:\Windows\SysWOW64\Faokjpfd.exe | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| File created | C:\Windows\SysWOW64\Ooghhh32.dll | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| File created | C:\Windows\SysWOW64\Enlbgc32.dll | C:\Windows\SysWOW64\Hejoiedd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffpmnf32.exe | C:\Windows\SysWOW64\Fpfdalii.exe | N/A |
| File created | C:\Windows\SysWOW64\Dngoibmo.exe | C:\Windows\SysWOW64\Claifkkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eloemi32.exe | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohbepi32.dll | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpfdalii.exe | C:\Windows\SysWOW64\Fmhheqje.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgcmfjnn.dll | C:\Windows\SysWOW64\Dcknbh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eiaiqn32.exe | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eloemi32.exe | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gfefiemq.exe | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aimkgn32.dll | C:\Windows\SysWOW64\Gkkemh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Epaogi32.exe | C:\Windows\SysWOW64\Emcbkn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\SysWOW64\Hicodd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nfmjcmjd.dll | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jiiegafd.dll | C:\Windows\SysWOW64\Ealnephf.exe | N/A |
| File created | C:\Windows\SysWOW64\Icbimi32.exe | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ejgcdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" | C:\Windows\SysWOW64\Hellne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maomqp32.dll" | C:\Windows\SysWOW64\Cpjiajeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" | C:\Windows\SysWOW64\Chcqpmep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fejgko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hgdbhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ihoafpmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dngoibmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebinic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfijnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" | C:\Windows\SysWOW64\Dfijnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" | C:\Windows\SysWOW64\Eiaiqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Goddhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" | C:\Windows\SysWOW64\Hckcmjep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpjiajeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hellne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" | C:\Windows\SysWOW64\Dgodbh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Henidd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eiomkn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Faokjpfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" | C:\Windows\SysWOW64\Fpfdalii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" | C:\Windows\SysWOW64\Glfhll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gmjaic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" | C:\Windows\SysWOW64\Hpkjko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ieqeidnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" | C:\Windows\SysWOW64\Fckjalhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fpfdalii.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Epaogi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ecpgmhai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fmlapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddeaalpg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hnagjbdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hlfdkoin.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hcplhi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hhmepp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" | C:\Windows\SysWOW64\Ioijbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chcqpmep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gphmeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" | C:\Windows\SysWOW64\Gphmeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gphmeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gpknlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll" | C:\Windows\SysWOW64\Dmafennb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | "C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe" |
| C:\Windows\SysWOW64\Ccfhhffh.exe | C:\Windows\system32\Ccfhhffh.exe |
| C:\Windows\SysWOW64\Chcqpmep.exe | C:\Windows\system32\Chcqpmep.exe |
| C:\Windows\SysWOW64\Cpjiajeb.exe | C:\Windows\system32\Cpjiajeb.exe |
| C:\Windows\SysWOW64\Cjbmjplb.exe | C:\Windows\system32\Cjbmjplb.exe |
| C:\Windows\SysWOW64\Claifkkf.exe | C:\Windows\system32\Claifkkf.exe |
| C:\Windows\SysWOW64\Dngoibmo.exe | C:\Windows\system32\Dngoibmo.exe |
| C:\Windows\SysWOW64\Dgodbh32.exe | C:\Windows\system32\Dgodbh32.exe |
| C:\Windows\SysWOW64\Dnilobkm.exe | C:\Windows\system32\Dnilobkm.exe |
| C:\Windows\SysWOW64\Ddcdkl32.exe | C:\Windows\system32\Ddcdkl32.exe |
| C:\Windows\SysWOW64\Dmoipopd.exe | C:\Windows\system32\Dmoipopd.exe |
| C:\Windows\SysWOW64\Ddeaalpg.exe | C:\Windows\system32\Ddeaalpg.exe |
| C:\Windows\SysWOW64\Dmafennb.exe | C:\Windows\system32\Dmafennb.exe |
| C:\Windows\SysWOW64\Dcknbh32.exe | C:\Windows\system32\Dcknbh32.exe |
| C:\Windows\SysWOW64\Dfijnd32.exe | C:\Windows\system32\Dfijnd32.exe |
| C:\Windows\SysWOW64\Emcbkn32.exe | C:\Windows\system32\Emcbkn32.exe |
| C:\Windows\SysWOW64\Epaogi32.exe | C:\Windows\system32\Epaogi32.exe |
| C:\Windows\SysWOW64\Ejgcdb32.exe | C:\Windows\system32\Ejgcdb32.exe |
| C:\Windows\SysWOW64\Ekholjqg.exe | C:\Windows\system32\Ekholjqg.exe |
| C:\Windows\SysWOW64\Ecpgmhai.exe | C:\Windows\system32\Ecpgmhai.exe |
| C:\Windows\SysWOW64\Eeqdep32.exe | C:\Windows\system32\Eeqdep32.exe |
| C:\Windows\SysWOW64\Epfhbign.exe | C:\Windows\system32\Epfhbign.exe |
| C:\Windows\SysWOW64\Eiomkn32.exe | C:\Windows\system32\Eiomkn32.exe |
| C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\system32\Eajaoq32.exe |
| C:\Windows\SysWOW64\Eiaiqn32.exe | C:\Windows\system32\Eiaiqn32.exe |
| C:\Windows\SysWOW64\Eloemi32.exe | C:\Windows\system32\Eloemi32.exe |
| C:\Windows\SysWOW64\Ebinic32.exe | C:\Windows\system32\Ebinic32.exe |
| C:\Windows\SysWOW64\Ealnephf.exe | C:\Windows\system32\Ealnephf.exe |
| C:\Windows\SysWOW64\Fckjalhj.exe | C:\Windows\system32\Fckjalhj.exe |
| C:\Windows\SysWOW64\Flabbihl.exe | C:\Windows\system32\Flabbihl.exe |
| C:\Windows\SysWOW64\Faokjpfd.exe | C:\Windows\system32\Faokjpfd.exe |
| C:\Windows\SysWOW64\Fejgko32.exe | C:\Windows\system32\Fejgko32.exe |
| C:\Windows\SysWOW64\Ffnphf32.exe | C:\Windows\system32\Ffnphf32.exe |
| C:\Windows\SysWOW64\Fmhheqje.exe | C:\Windows\system32\Fmhheqje.exe |
| C:\Windows\SysWOW64\Fpfdalii.exe | C:\Windows\system32\Fpfdalii.exe |
| C:\Windows\SysWOW64\Ffpmnf32.exe | C:\Windows\system32\Ffpmnf32.exe |
| C:\Windows\SysWOW64\Fjlhneio.exe | C:\Windows\system32\Fjlhneio.exe |
| C:\Windows\SysWOW64\Fmlapp32.exe | C:\Windows\system32\Fmlapp32.exe |
| C:\Windows\SysWOW64\Gpknlk32.exe | C:\Windows\system32\Gpknlk32.exe |
| C:\Windows\SysWOW64\Gfefiemq.exe | C:\Windows\system32\Gfefiemq.exe |
| C:\Windows\SysWOW64\Gobgcg32.exe | C:\Windows\system32\Gobgcg32.exe |
| C:\Windows\SysWOW64\Gaqcoc32.exe | C:\Windows\system32\Gaqcoc32.exe |
| C:\Windows\SysWOW64\Gelppaof.exe | C:\Windows\system32\Gelppaof.exe |
| C:\Windows\SysWOW64\Glfhll32.exe | C:\Windows\system32\Glfhll32.exe |
| C:\Windows\SysWOW64\Goddhg32.exe | C:\Windows\system32\Goddhg32.exe |
| C:\Windows\SysWOW64\Gacpdbej.exe | C:\Windows\system32\Gacpdbej.exe |
| C:\Windows\SysWOW64\Gkkemh32.exe | C:\Windows\system32\Gkkemh32.exe |
| C:\Windows\SysWOW64\Gmjaic32.exe | C:\Windows\system32\Gmjaic32.exe |
| C:\Windows\SysWOW64\Gphmeo32.exe | C:\Windows\system32\Gphmeo32.exe |
| C:\Windows\SysWOW64\Hgbebiao.exe | C:\Windows\system32\Hgbebiao.exe |
| C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\system32\Hiqbndpb.exe |
| C:\Windows\SysWOW64\Hpkjko32.exe | C:\Windows\system32\Hpkjko32.exe |
| C:\Windows\SysWOW64\Hcifgjgc.exe | C:\Windows\system32\Hcifgjgc.exe |
| C:\Windows\SysWOW64\Hgdbhi32.exe | C:\Windows\system32\Hgdbhi32.exe |
| C:\Windows\SysWOW64\Hicodd32.exe | C:\Windows\system32\Hicodd32.exe |
| C:\Windows\SysWOW64\Hpmgqnfl.exe | C:\Windows\system32\Hpmgqnfl.exe |
| C:\Windows\SysWOW64\Hckcmjep.exe | C:\Windows\system32\Hckcmjep.exe |
| C:\Windows\SysWOW64\Hejoiedd.exe | C:\Windows\system32\Hejoiedd.exe |
| C:\Windows\SysWOW64\Hnagjbdf.exe | C:\Windows\system32\Hnagjbdf.exe |
| C:\Windows\SysWOW64\Hcnpbi32.exe | C:\Windows\system32\Hcnpbi32.exe |
| C:\Windows\SysWOW64\Hellne32.exe | C:\Windows\system32\Hellne32.exe |
| C:\Windows\SysWOW64\Hlfdkoin.exe | C:\Windows\system32\Hlfdkoin.exe |
| C:\Windows\SysWOW64\Hcplhi32.exe | C:\Windows\system32\Hcplhi32.exe |
| C:\Windows\SysWOW64\Henidd32.exe | C:\Windows\system32\Henidd32.exe |
| C:\Windows\SysWOW64\Hhmepp32.exe | C:\Windows\system32\Hhmepp32.exe |
| C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\system32\Hkkalk32.exe |
| C:\Windows\SysWOW64\Icbimi32.exe | C:\Windows\system32\Icbimi32.exe |
| C:\Windows\SysWOW64\Ieqeidnl.exe | C:\Windows\system32\Ieqeidnl.exe |
| C:\Windows\SysWOW64\Ihoafpmp.exe | C:\Windows\system32\Ihoafpmp.exe |
| C:\Windows\SysWOW64\Ioijbj32.exe | C:\Windows\system32\Ioijbj32.exe |
| C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\system32\Iagfoe32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 140 |
Network
Files
memory/1132-4-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1132-6-0x0000000000250000-0x0000000000283000-memory.dmp
\Windows\SysWOW64\Ccfhhffh.exe
| MD5 | 617c1cdcd5f9aecaf3c78e2545123c8d |
| SHA1 | 83a81d6046fa070b3fd51fc8fe5a51167d72ab4f |
| SHA256 | 2a7f5b99a893e8021a106dc412bb20e918c8f42c4a44aa2e033eaf5a4711ec34 |
| SHA512 | 8291730196c818f6c530960761fee91df190e8e96480484c058ddb5e95a8dc58a367e0e88b6f39a2461bff952ad0e58c5b35d28d2117e0fad57e347b0b627f55 |
memory/1132-18-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2372-19-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Chcqpmep.exe
| MD5 | 8a8004a955ee0ec08cc386eab609e699 |
| SHA1 | 7eb7d3b633803573a87340aee73ac2dcdfa5a9de |
| SHA256 | 63d866c0a18eb8101b351ee377f835015e9ddf047d5d9a41e037983b8fb37769 |
| SHA512 | 82cea2356d04f6957706bf7aec60ddb52b296fd6fc5379966f52f6b95382e4b7127fcd8c4702250926746bb016f835e02adabcf657e8470e85c9b700293ba2c7 |
memory/3068-31-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2372-27-0x0000000000250000-0x0000000000283000-memory.dmp
memory/3068-36-0x0000000000280000-0x00000000002B3000-memory.dmp
\Windows\SysWOW64\Cpjiajeb.exe
| MD5 | dd070d9dcbadb5c1fbdd52d7583a7f4f |
| SHA1 | 84b745f0e8fd0bf4524f4ebce3885fd8a50e5677 |
| SHA256 | 05fb9761f8da4de15823fe85c3e6cfea04924253c32f4411c96c5a9c1bd876e7 |
| SHA512 | 982261294a3c165d3e53f81d631d43f8d452e1a005b471d974750c71c29403de21d4ab4d03c50424df53adc200b4ffd7e778fe2695e2698df6a947afbaade46a |
memory/2684-42-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cjbmjplb.exe
| MD5 | c32aa00be8900b4dbb993e834352c0e6 |
| SHA1 | 1f66d4e1974381218b43af4d703439a6a1d87ff6 |
| SHA256 | 38441e6a04ec45b3acb22bd4ccf55e71e60d87b23916639c8e12da237a35782b |
| SHA512 | 22a891f980d38b592d3895375b721970071ea5a4a7c64df91014d9b6f750d9cd022e147cb33ad98b3bde9180df3327ba205601eb74caae2e61ca46192a43817b |
\Windows\SysWOW64\Claifkkf.exe
| MD5 | ef35330521a048abb95621c1a39646ff |
| SHA1 | 5ce1c42a1effd521eff927dd952aa451c5870c1a |
| SHA256 | f780d1438926f2f3b23b9fc0f274bebd85a548c66bf49903dba3d341f70dc8ec |
| SHA512 | 60fc35265db2ea50a5c2d91e5de16ae941ab44ffcbdc5ab9f37a1d457ae89dd315aeeac2e21707e5707ec797cf02403571f24ff904f52026dd98366ea2e54450 |
memory/2560-70-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2496-72-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2560-69-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2560-57-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2684-56-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2684-55-0x0000000000250000-0x0000000000283000-memory.dmp
\Windows\SysWOW64\Dgodbh32.exe
| MD5 | 6518cabff9739542086a6ed1f3194686 |
| SHA1 | 2f2c291d70800bdf0f75ea54a35306898fedaaf2 |
| SHA256 | 9cf029837d448f5aa5a421eb7d71e2e0c931a2a5d8d7063ce0183abeb8800965 |
| SHA512 | 652ece319f6d7adab843f1be2125ba0ad87fe92bdb67295260c00ccba8f0269580f2844d40de778aece92c3f07c2da4cd56eff8a253ae56aa45ca4c411107440 |
\Windows\SysWOW64\Dnilobkm.exe
| MD5 | a5dee606bdd3001466b4f92a9ec8cd30 |
| SHA1 | 96738955dc455395fc094d4094b8abe2d225f6ce |
| SHA256 | e73041698e48affbd526713f4e6b50477ce9deb376e20804b7bc706c7a2432ee |
| SHA512 | 94db6d3a512982d6f66da48145ba43fabad5baead7d6658ae12f9e7573621fdf6d46a6faa4aeb04cf6a5800bea1486f0f4247eed813e5de225d84221cd1551d7 |
C:\Windows\SysWOW64\Ddcdkl32.exe
| MD5 | 340ec2230d5e63fe95ea4b8398f79902 |
| SHA1 | 410f65e0c74a74da65b77b04c89d491d094ff954 |
| SHA256 | 5d68cf295fac56dc7c35c3fec741043a3f1d5e9ebc0d71ef3ebc40e481b95b32 |
| SHA512 | d7b81f25b3f1c1d3067add523d9bcb3f775a1d9dc3b18ed578ebaf5fd299260a8be3b39e1cc4334337ee837b9bef19fcfe8087a77b2c84a7c6bddd9c6a3bece3 |
memory/1972-127-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Dmoipopd.exe
| MD5 | 67ca45166179acd1244c89f4e801ec2b |
| SHA1 | b60de89ebc70f489921427bd10ca0f8ab22e53c6 |
| SHA256 | d4356c4ebd8c91f54385d9dc3ab159c0a3d451614ad74ee8e7f8006fb308cab9 |
| SHA512 | e8d6628ee38a274103a2745ca52eb9918e32b45893a0542015f65c95523d30482e72d73bdd212451f2d37bc8df7f58af337377a5383d1ec7e6de5517d7c35006 |
C:\Windows\SysWOW64\Ddeaalpg.exe
| MD5 | 619f45ce703f1845f0ef69c4a4674910 |
| SHA1 | 7990ac2d4633f738f6bcd3b168d82b81d997bd78 |
| SHA256 | e53ed22e4ba3e51fb44a6bcb869ee22b342659e7461b292ba890f1bb5c65f546 |
| SHA512 | 149f32d7a99d60a032a0259508580e6a8aed553aa7a989353e8500b0647c2024004d92076983b1510c296d5881b714296cccd01ab8a6912a9b8b46a4a1de6f17 |
C:\Windows\SysWOW64\Dmafennb.exe
| MD5 | cd63437a82a3c5d3eb70d35d40a8f74f |
| SHA1 | 340e13ec5d31b074261d9ecfe4631e89bae8a1db |
| SHA256 | f8a084483d6bd57e18bd35774a865583951380a308c5c0bf422a7f5e0c999319 |
| SHA512 | 4b39f290a7633c78435dc2039d64df91373bfc42692143cebd832f8ef12c71113c6997011dbc9fd6be2d2621d5135ed435792909a30ce0d661afcbba224cc75b |
memory/1524-182-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Emcbkn32.exe
| MD5 | f13a67906e640935f814f1a6d7f6e969 |
| SHA1 | d2d08e2e3f5b2ddacd16ab01e7467b9b664f08f9 |
| SHA256 | caf4baca0bb37ee0a9dc6b90c549591a0c3c822d7220ec6a0fb515687b594650 |
| SHA512 | 720827e75956ffefca97b6e26c2d0d3f77d905955267707cfd59e1c65696f5d039e3c63e9e8cfebc87e45c25836f7e3e290a20b2b2e8898a66bf5d110e345148 |
C:\Windows\SysWOW64\Epaogi32.exe
| MD5 | 4be68412d5e837185c95e30d701b3fa8 |
| SHA1 | 4746267bb1b4e147c955b0ac1b95a2162ef39d5f |
| SHA256 | 6e9c60dc3f1c31a4cfe586a096ee4c1c1cf1a1a9438735f0dec2c1a4d54b4c7c |
| SHA512 | 2ac2c4917b5818903c5fec168a673a14a955290968f7fe07d4c033ec0eb5e6007f66075db1cf440c069ee4efb8713d0118b91a1d2203cfb38b502c75abbcf7a3 |
memory/936-231-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ecpgmhai.exe
| MD5 | e2a7b2b3925debead379a6e9aa07f50a |
| SHA1 | 3b2c6b1392024d08ea0a60341434e9938c640581 |
| SHA256 | b16fe7b9aa9141197b142b62c15f80e96decaf6e29a0b64dd2e3a522a1e2d2d8 |
| SHA512 | 3282a0dfa32e4329c7493059abd9b8d8bf07d4b0912d64c03bad774a60e7ee042359222aa508a8db087c1b65e1fd6fb3acc362ac114ce4fd6bd49d48f5b00eb8 |
memory/2308-251-0x0000000000400000-0x0000000000433000-memory.dmp
memory/832-250-0x0000000000250000-0x0000000000283000-memory.dmp
memory/832-241-0x0000000000400000-0x0000000000433000-memory.dmp
memory/936-240-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2308-262-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2080-272-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2168-271-0x00000000002E0000-0x0000000000313000-memory.dmp
C:\Windows\SysWOW64\Epfhbign.exe
| MD5 | 1c46dbee396f587e93954a079b86519e |
| SHA1 | d51ffc3c58bb524c346596b5d7037a7c58c44ff4 |
| SHA256 | 493bd89c93b1a783d1409ac4a946872b0d5ef5b6e55bc7b342dce40039496ebe |
| SHA512 | 886205d628ddf4642a3317bb962760c2703f4d8ac0efa7651eb101210ee0a36d6126a57edcfefc9ec5147d717d3d2043979be8ec87d255f688ecbf061a202053 |
memory/2968-293-0x0000000000400000-0x0000000000433000-memory.dmp
memory/892-308-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2972-316-0x00000000005D0000-0x0000000000603000-memory.dmp
memory/2380-332-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Flabbihl.exe
| MD5 | bf739d266e172641aba72ea3df4b9f6e |
| SHA1 | 7864c4fa070f512a70ad76dba20b4bbde9343c5f |
| SHA256 | 737d9c46d2663b89b1b634d3fdbb0d93338b7cec8579f05922049a710b3a857b |
| SHA512 | 4e3f09866524de8b47cb0b52037f20a2b3ac46915b43ab620810aa364de87ead4311ffbbfd9eaa1dfc4c75e4703a2f662d3589d957a44fc01d5b265371148f6b |
memory/2660-361-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2472-373-0x0000000001F30000-0x0000000001F63000-memory.dmp
memory/2472-372-0x0000000001F30000-0x0000000001F63000-memory.dmp
memory/1384-371-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ffnphf32.exe
| MD5 | f899ded5e50c320bdb20d94f87445926 |
| SHA1 | 87fd31cddfd5930685b165fef8284443a9bf530c |
| SHA256 | d5cc5a05cf82799d9da95258da5a87b6b63f4893b4ee8a2d7a6dbde4bdc97d06 |
| SHA512 | 8f66b2e34c778c292c7804e9927300cc55588b56e53e6e3cce18ca63475397e65da4fc1fbdb44ccaf85ddb9181bd4907c5d9d3f5ab55baa0dff1d8875f182f16 |
C:\Windows\SysWOW64\Fmhheqje.exe
| MD5 | 4fe4698c1acf131e8d377a32b31f8fb7 |
| SHA1 | dbe9feb92201df68cef0f8760ffdf73c17bd035f |
| SHA256 | 706f9b529e4245c2dd72b914e23d111a4dc95cee6af40da53772936dcf49bb0e |
| SHA512 | 3cca1de3b263bdced0581baed9d3d46925a87122a91e30a44b2d035100cd804be1d3809fa1afe0c59d252d211d993a33ef21844f1408f0cb37d488b27a4258a6 |
memory/2040-417-0x00000000002F0000-0x0000000000323000-memory.dmp
memory/1624-423-0x0000000000260000-0x0000000000293000-memory.dmp
memory/3044-428-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fmlapp32.exe
| MD5 | 6df314581c7eb891564f0efe06f16090 |
| SHA1 | bc19f12629809d3a8fc8408bcfdffe7d18f59873 |
| SHA256 | 63505a6f599859c94ccb92e4f6bef4269d280b11e6043eb0ed5f3502e46b1692 |
| SHA512 | e62770d0f0afaf37730b5321f86867a3cbe4bad94f79bcf23e2df13a9351e58ce95bf4aead7657da39c93bc740629a0308484863e73a1d6553923d72b8705c72 |
C:\Windows\SysWOW64\Gpknlk32.exe
| MD5 | 6d58b659ed0772aae943b92fe0c4a078 |
| SHA1 | b5ff7320f1ab0987b175f20277508166b53cb684 |
| SHA256 | 3a7a9d191fbe1506652dfc7a2c5a6ac5bad1a911378465608d60b26d6e246323 |
| SHA512 | fd5d67f1dc8d6233cd0322a293d1e116215a2f5e6f740db1d8488d650c139a9b3b66f1c531de67e514df71e8d1d6f64529b1547d0dea52fd13bde354d57aac7e |
memory/1160-451-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1948-449-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1948-448-0x0000000000250000-0x0000000000283000-memory.dmp
memory/840-460-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gelppaof.exe
| MD5 | d1cb6e2aaedaee094301324ffcb096d6 |
| SHA1 | 7bb5b4258af457d9e4b1588a60137b0c6791be8e |
| SHA256 | c628b16fa0aff503cf2890b7b41c15c5f427d31efc2b6460043bca1176e15d18 |
| SHA512 | 7b23480e4548fbaae9608b4e68b559fbda1b64b88b18bddff1c9cc92d52230f1e8fe3e9d006fcf4c076019a8103aa7b61228d8094f43af3c559ab9c357a4163f |
C:\Windows\SysWOW64\Glfhll32.exe
| MD5 | 8abf0691e1ee8080d18a1eddc81b8fc5 |
| SHA1 | 842ac8ed07b5c09bfd24af0c2103d55c65c16655 |
| SHA256 | 204c04a413acc47140b75c1ce0020feecb114ba867e931cfeb19724df09bbc38 |
| SHA512 | f4c77093a78b70099290eea5c982d77ff01ba06fdccc8fd299dfcb370231d30cd0d948dce8af950caa9e9933fe7a90a76aa1c6b4235028cf404541b74bce52ec |
C:\Windows\SysWOW64\Gacpdbej.exe
| MD5 | a4a9f31ae838493f5e1083fc9c61d5a4 |
| SHA1 | e725b2a21944a41ae95bfe2643d74a558fd9e662 |
| SHA256 | 07de983f5260776d99a338213ff3608fab4b7c32fdbccb91ced0372e1f607791 |
| SHA512 | 4d80457af730ebc3ad900b258c31ff990e20888e223a8e81e553f91de05e1a680d40568a8476d5973e3422b79f80da54ef70f2b339d4b5466ce92fc263e53dc1 |
C:\Windows\SysWOW64\Gkkemh32.exe
| MD5 | 20232fd5c106c2b6bb7e752de6825b63 |
| SHA1 | 016e757bddc5b10e22fd3558d88ac27b54afb03a |
| SHA256 | f5846edfb06815d4e3f5fb7da69fcdb8c37099b166952b22f088d67df9730685 |
| SHA512 | 01c755f57a96bd69693033ad8a20e827d73745cc502bf269b8ada4c0fa767c80a843360c2e28d9e6496c550f90ae594d7e0a4d6b628494f3c08f7fe8ce5bd1a3 |
C:\Windows\SysWOW64\Hgbebiao.exe
| MD5 | 70f76fcab3bebbc9427258f552b4fbed |
| SHA1 | c62a9f2d73e7a7837b316c8f4c1c3bcb6a65b705 |
| SHA256 | ee12bf8066356dfd5221baa09c07d4bf5b3286edddbf075a524b085221a5a5d0 |
| SHA512 | 323e21012d49948c83b9147f63cca9888070ff0cfa2c3d09f57280664bce7e0edcfdc8adf2c650867465c09e568577681ce99b533d3fbd9ff1089eeefe72289a |
C:\Windows\SysWOW64\Hpkjko32.exe
| MD5 | 3216364fb8756907a27d5c0c30ba028e |
| SHA1 | e383b4756847d862c0e6917cb2267d71cd16a2cb |
| SHA256 | a5851f888a24f6cf04c83f48734d27370a3ddece57cb92e1d185068f8037935a |
| SHA512 | c4e4fd0caa652c11170d089465e2e011b535dcd2c016f5cd4e1467cbafd927f6abbe63ede4650c5ed1ed213d89e9ccf3c2b8e4775fcbf463e6fa901738058e2a |
C:\Windows\SysWOW64\Hckcmjep.exe
| MD5 | 0f4de615c7c7c36905ea4c6d13dba357 |
| SHA1 | e7f0648cff3055b12786a843c141957586fab8ea |
| SHA256 | 4faf2e967d472df4b7439015b9ba884dfce0041f8cd8c541c9d37354b1997392 |
| SHA512 | 3b8152131781f3e87b39b26daf8a0dc104c129b8cd959471730c281b40543f16c255caa99e5e6f8275c68c6522adbf02ab9cc13d7e58b15239bb0728dd8eabf1 |
C:\Windows\SysWOW64\Hejoiedd.exe
| MD5 | c6724e00e314d51000aabd4a7aa5effe |
| SHA1 | 645865b8ca0cdb3fe4a9604fc63727b22f2db769 |
| SHA256 | b575a7c2a4c6a50b841b668afd8a9243479c03effe481e6c5013a13e93c22100 |
| SHA512 | 36bf7149ef09997e9ef399822a31332b8dcb7506393c93f5f0e85cf17132463ff2cad9a310c4fd35fac3b49f048f00fc6647079373a2c35b89c7dfebfc8d6750 |
C:\Windows\SysWOW64\Hellne32.exe
| MD5 | 3c2cb2f616a40625bcd7599f1930a986 |
| SHA1 | 495809c88d1749a4f13b2720958693fd218df4db |
| SHA256 | 7bd5622c21d0c4966c6d225c614e2475105636dbb2fa256b13a1c9953750b3a0 |
| SHA512 | 8033e3fe78a4e1adc81accf74e81196aa2cad3f6591f9f77a4f74aa51a68cc29075745fcdccc5421e2ce35b53bc41abd5ff6f681966881bef7fb7390408f24a7 |
C:\Windows\SysWOW64\Henidd32.exe
| MD5 | a6a32dc190da22142280dd68ee919420 |
| SHA1 | af9c95a2a37644715017fd03ef73f81bd807b948 |
| SHA256 | 55d62f569e5c8d310039dd314edbcffd88e0d40c40c34e8b8216f23dab8405a1 |
| SHA512 | e4400874188337139ef86c3cb29d8c1ec63886de43aa9bbf091c41e7d4e4e72eecf8f87e122a1a76a1d5c4f558bc248389e15840c0a83a47218ab682487d791c |
C:\Windows\SysWOW64\Hhmepp32.exe
| MD5 | 183a76c8518e543c841d9a7ae3d59bb2 |
| SHA1 | e433cd9b0993bfcd1b0a3471e500fe9e732ec69d |
| SHA256 | 69a3ed2717fc9b554637d8a3ded1e3fe471f8cb2eaa41ba3ac8d4f9d5210dc34 |
| SHA512 | b38268d70e893db8361bd95d6893f25d1db3eddb0059f4d08ff0abced2b788867268d61132794fe1bafa552a8c288be380e871c807c1badb4671ea7f2d5926cf |
C:\Windows\SysWOW64\Icbimi32.exe
| MD5 | 2513edc877a7bb3dc90abfbae0c7a4fd |
| SHA1 | 616b64ccbe0a2a4c3c2704b64d746e47990ff167 |
| SHA256 | 3ea52cef32c57a98c50ab42018e382f0b073cf0cce54a716d63de712940a9220 |
| SHA512 | bce69b71e0ca8f7542f5fb5860e23bc0f4068053101a71225c1a41510ea0c912a4c807e76db6dfc49de9fa6645566267543b35b77217c0b409f8a2fd6be0fda7 |
C:\Windows\SysWOW64\Ieqeidnl.exe
| MD5 | 1a19eef7acd3f8419ecdabfa44bd6d78 |
| SHA1 | 822eb5041fefb4778675c8507e3f7b3275d86476 |
| SHA256 | cf08c9a00933bcd0e8c0d6b7bca6e7287b7c9247300ea72fca62667a607ab694 |
| SHA512 | 06d7c4e820aa31d607be7269eb92c6fa325a67314bee6e5577c4cce63e24e767674aa2eb73eb54d1ce4e1f6ed4a534051bba39ddb14e5dca3ca2339693f185b5 |
C:\Windows\SysWOW64\Ioijbj32.exe
| MD5 | 8c9b6febab2c42693eccbd8f439d7688 |
| SHA1 | e9584bc7f2e749a2d3052fac3c881336cbcf0610 |
| SHA256 | c4d62b918a91d00f336d3642a61b7d391036f5e909da3d97e2f45cd137fcc0a6 |
| SHA512 | c361104441918f99b30075d6e46fe676332fd3c4e3e8ebcf56b2c3b28a9e3242ac710ab47f676af6da138d696a32f716f9f0940d700317c979b2f048941f227f |
C:\Windows\SysWOW64\Iagfoe32.exe
| MD5 | a33ccb4c0027cbbf6bba41a66813287c |
| SHA1 | a171c0e23bacf74cc67722a16771b68c2503f91b |
| SHA256 | 5c9c2f5423ae6f8dae6b80e689ec02134b6dec41b0f99d80f75a518e71669677 |
| SHA512 | 811c669cd01057588503f7e8b1e3b1582411f1fa4c693929156a867c237dccdd6bd038908be42eb3c2ef3ca776d3565787dfcb6f7838eb0bcb726961dab234dc |
C:\Windows\SysWOW64\Ihoafpmp.exe
| MD5 | a9964507fc2f32ac1fc007b48a18dc4e |
| SHA1 | 620df53bf1c8f77c64bbc815fe108e76c8db4b28 |
| SHA256 | d6a809040e407d34b1e1b59914e680218bd8b74d14ec3d89afe4f605e72ee231 |
| SHA512 | cbdd719aa0c9a30c7fd14ef983838fa8ea137a953fb63232506d9c090b9546d0f0ff60339f21d2eb69c3c8e05167660d092891406a2604526802618618529a61 |
C:\Windows\SysWOW64\Hkkalk32.exe
| MD5 | 311b351800a186885bf0899699cdadff |
| SHA1 | 9d84fe6c181b447ba44608bfd56c5c986179fd0f |
| SHA256 | 761f564a8c34193991ebbc06adb34ef9369b5f8a8732d805d3bd81871dcbbfdf |
| SHA512 | 27b8166b552ddc9d1e6e0d7c4de684494853a5d21f6c64be1bb822a377379a51d70a7c0cbb582f2c3878a027918e484f8924202fa0ce62f101c181ec2924cfa3 |
C:\Windows\SysWOW64\Hcplhi32.exe
| MD5 | 3e9cf3d767907fb7c023d3996de49242 |
| SHA1 | 32c9786d1eb4ec805da31fbea47d9899f33c13c4 |
| SHA256 | 056d5e0202982eaabe7b0ffb0f95dd5c30d4a9b92acbf558b062f5205a4c4071 |
| SHA512 | 33714d5c1ab297338d246e1b96c273eaf34c222816d9f3853295f0e381bd7364aa8be02c6f6e3664b025579792a78fdd9d2d12f5f97ce5501bc2abb9e48427ab |
C:\Windows\SysWOW64\Hlfdkoin.exe
| MD5 | 701780107f512c6867ab328651542f66 |
| SHA1 | fd89191ae09cb22ab04a81fa456df5a8a6d35a5b |
| SHA256 | 9217f8a210bffa05f473bbd216d3f65ca3d0beca780bc8061ad3eb7558138f03 |
| SHA512 | 007b3c0f6facd391e55980e70c259b668ffee19c61bd639f0f15e6cec7904ceb24d987f380695c2f5c12763917b9b733d1f7d49af1141262cd0c67fe700152b5 |
C:\Windows\SysWOW64\Hcnpbi32.exe
| MD5 | 8e08ff6b2b48eda14364b1594d957054 |
| SHA1 | 122e2f60f87da77c6d95e1f348d8d4ae10e1d947 |
| SHA256 | b4d83c310bf069ec57fb52cfe6f98ecc8c313220b556cb43feefc130c2593c1a |
| SHA512 | 37133d8bac25f9c83e29fdb17711a711605533ca486e74d2796e5e194be63498bc6fb444df9b0ab92be61ff43c5b499cf9531ab3bc3c7e0a0d5ca824df36cfcd |
C:\Windows\SysWOW64\Hnagjbdf.exe
| MD5 | 0c73db97db2e5cbd0ccb5ca82acf9584 |
| SHA1 | fbcb948137aa253a27ccb4b9c7f7ef65f48255b4 |
| SHA256 | fe0112ce2f033da39b8b0d94880db9c44a1bb69098434dc9b8d85a0e3e0d724d |
| SHA512 | 9535ddac3c03f79d3603d685d6768358899acf82b08d1df76eb5aaa7050b1ec9da522ed4c1e43956c48db6b6ed86204943bd82845a2219047b2e9526eb58d858 |
C:\Windows\SysWOW64\Hpmgqnfl.exe
| MD5 | 6628bb176d7b68392cd65724d9f7325f |
| SHA1 | 6c9a03621a786529a04b356b44fd7c910b4a5308 |
| SHA256 | 8b87b55539a412dc57eec6ada52dcc110365e4e6e80e99203ad4f9018a63a3ca |
| SHA512 | 8ffa3b630a45f47386c0e3395c7a480f6ba8fcec550838f7075e150e7a67e35a9dabdb6edeb7cdc3d9fa26f129055d880609abe1f294ceebd33730541bac4c63 |
C:\Windows\SysWOW64\Hicodd32.exe
| MD5 | 2882e971acf11b2e1bdde2a659eccfdf |
| SHA1 | c19d7d2071f0b41fb9d74e0bb1614b11944567de |
| SHA256 | 2cf1a10565fd4d13a999468890849ced86cec6f78e1e29b5b3f508e258949c4f |
| SHA512 | d7c8391f6e87316ffed55cdb6d6516dac5676eeaeb55b4f64310592e856e65bdf0227e010f14a3be6eae28a06b5d888c084c84a434ad7c6df033ed08c4afc6e8 |
C:\Windows\SysWOW64\Hgdbhi32.exe
| MD5 | bec65e3f433dad54b9a2bcd0514a37ef |
| SHA1 | 992ffe6a0d51526c282ffc2f1e0db1feb0c0c4dd |
| SHA256 | 61c7b65ae3a430c439b185976baaabdca419024e2156210f2940a56d05d220b0 |
| SHA512 | fd8bd839934bd474348a25d7d4259b8d1dbd27a4bb0ae182cd7ef77854b0f441633ace626d1dba0bf700995763f866d9df15729677e3a02de4d75f826585e1d9 |
C:\Windows\SysWOW64\Hcifgjgc.exe
| MD5 | e95f63af8909cb655ad2d63ecf55ebd7 |
| SHA1 | dbbc41ba1d4b6d820be77ba18ab50b90492e8491 |
| SHA256 | c48663986afa593709826ec5e9aaf9bab66b2f7466786e1e0d15904ab045cccb |
| SHA512 | 9cb049dbc3976169344d4315ea9e9e56a77490d317220d2dfa014e06c73533684f2a0bc0ce142b4d81c04ab162e7b635c285fd6ff081bc003e80b17879c67353 |
C:\Windows\SysWOW64\Hiqbndpb.exe
| MD5 | 96ae8fe315b405e6ff90f52aba2660da |
| SHA1 | 1d3d1090349b971e5743706605169c561e22976e |
| SHA256 | 26ab82e2dd6bea2e1bc9f32897c997b2330e70d3ff5c2d0dad945cec8b045056 |
| SHA512 | 29993fd141f09f7307862de74c995cee6e0e60bceeeaee7f0db1b9690e590fc6ba98a77bd771b7dcee03324905fbeb3298169cb9db7a718e51dfd256d9b6abd9 |
C:\Windows\SysWOW64\Gphmeo32.exe
| MD5 | 0f1a471828f0f4d2c05083644b0689bb |
| SHA1 | cf3a62d1529a83de1c3fc6db1bf0b47ea0f4f313 |
| SHA256 | aeb9e2a59c5eeef9c2fe284f9314f2fda9be75119970195f086f63f3b3bb581f |
| SHA512 | 4033dfcc16a5628f2434c76b4bbbdd4e998c3192fe57c96a1242f025c4f6434bbce44817812095a2f81841a57786d35fc37d363f87a9cc908217e947ef086b1b |
C:\Windows\SysWOW64\Gmjaic32.exe
| MD5 | c14d7221d16d607098ac7befef0d7874 |
| SHA1 | 34eb0a3e468962d4c8ffbc0dfa95d7822aa6d026 |
| SHA256 | 66169db2f2c186dc86f530b6caa4517315a28ecaa126541b6b4f28eba39dbb7d |
| SHA512 | 5fad914a4c42438c9faa8c5d6577b45d414dc37619374f6a1ef84b9a74ab95e80dd973de8bde867dd5338a23ad55fe646aab72c3389b6aa5d52f3c7f2ea172bd |
C:\Windows\SysWOW64\Goddhg32.exe
| MD5 | 3c47240c0fda1fb53ca1d563072e4dca |
| SHA1 | 496c18e5f06691c0a56ed8f05fe66626c8bd314f |
| SHA256 | 9b554bd388c02e873822c8f3c90732192a1c2b5250c263db4ca5495f8cd3700a |
| SHA512 | adc0858813e920f8e14a7ed79df79ef2d60c9a60b8167eae5e92cb24f651d9cc55b999ae7fa7e684ac3c5f8e87d9326c23ada1fbdf1815a83e7b8b3d6009e79f |
memory/1088-479-0x0000000000400000-0x0000000000433000-memory.dmp
memory/840-478-0x0000000000250000-0x0000000000283000-memory.dmp
memory/840-477-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Gaqcoc32.exe
| MD5 | c729d24fa801ca15c17068cb87bf4e44 |
| SHA1 | 774a9547ab16bce9c527ccbb85af35955883cb0a |
| SHA256 | c483048b9f33f23ef6e6686acfa308dcb237156a06318d809084e0bc97db8fb8 |
| SHA512 | d992ea76706b9f2ca4f4b91f7f360785e5f9ce358d43402d6ec6347a1fc58bd3e4813f7c33a6ccf353d806c6ea9c50c92280d89715a595490162817b1b355c9f |
C:\Windows\SysWOW64\Gobgcg32.exe
| MD5 | 4be673afdcc797f7079eb7ab39ccc530 |
| SHA1 | 21cfe402822ae2b0fefbfabcf8e4918b97c04fc1 |
| SHA256 | 9976f9c16f88f2ea5834f5ebd364f8e6776fed10c64b09cd786d3366ea1f07af |
| SHA512 | c74c6acd39e6ffffd5f04e671b8bbf09fd07c311066067ff0afc721467812559e36c7361ef7c0db4eb16f41ffbf84ae0a364a346613a31e635cbc5b0910a28c8 |
memory/1160-459-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Gfefiemq.exe
| MD5 | aad6c760e140a43c791b7c7f11fbe60c |
| SHA1 | 5d46540ff4aca513bc5c22f37bfe853391bc3f26 |
| SHA256 | b62e7570d4e54c04faa89e9729757da86fea11b1974e2445c3bee259ad5522d0 |
| SHA512 | b6f065fdafedca0f81e11717b0709cc9487f3ce18da9dc80b786cabd9a75a6c3e011a3bc23769fd8795f638ec53439b42a7fd77a7e051e1234fe443389f3195f |
memory/1948-440-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3044-438-0x0000000000280000-0x00000000002B3000-memory.dmp
memory/3044-437-0x0000000000280000-0x00000000002B3000-memory.dmp
memory/1624-427-0x0000000000260000-0x0000000000293000-memory.dmp
C:\Windows\SysWOW64\Fjlhneio.exe
| MD5 | 9f5c6090d91207371aece94310585604 |
| SHA1 | 2f99d700b7e685dae7f731c464297215878aa495 |
| SHA256 | 17e5a80f6b2769ff5e28f7ab7d665cd5e43badd485af24882d8a4ea20caf804a |
| SHA512 | c182afc9f0e058f1322615cd6596dfd546717eaaa3c3f204eb94278a3181040e6e1c52f92beb24febe549346eed28cea91c2e78e413e9ad73ef611a02224f2e8 |
memory/2040-416-0x00000000002F0000-0x0000000000323000-memory.dmp
memory/1624-415-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2040-414-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2568-413-0x0000000001F40000-0x0000000001F73000-memory.dmp
C:\Windows\SysWOW64\Ffpmnf32.exe
| MD5 | 0efba50f01ee7b2f08616ac6374cf4b1 |
| SHA1 | b882a37d2e9c4c4f63da0c8f163e0d8e935e5619 |
| SHA256 | e2bbe1bf3bbffc90b14e40c902eeeb2a8fe57512edb7719c96e2cbc29deaafe8 |
| SHA512 | c40284ff60b4f498769ef968f83a9cb69e49c23f49b3528a61b85d8fa29f58a39ed6301691f55e016e862634aef7ebf543064ea71737cedd9fdf98cc1aa9dfa3 |
memory/2568-404-0x0000000001F40000-0x0000000001F73000-memory.dmp
C:\Windows\SysWOW64\Fpfdalii.exe
| MD5 | d378be4834d5c54534d9f1c2962ba938 |
| SHA1 | fd15a6020d4fcf9c5b45415c415df61f17305ec2 |
| SHA256 | 0e1530f496b925dcca60ee9e3c4697d5f27fe8bcf1c6f933f7ed9710507a1ea0 |
| SHA512 | 723d38df0090486fc92ccc94da01c73b0b6f9c5ebde5d72e43be65a280fb61db87a7e19735978ba17cc700a634d5d519d97ccbc2f5d635b3523e2fb6c1f3952a |
memory/2568-399-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2892-398-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2892-397-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2892-388-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1384-387-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1384-386-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2472-370-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fejgko32.exe
| MD5 | ad1c50a47eb47b503b1c24f79372acd4 |
| SHA1 | ce2af46c583d2f80eea7d7cef4b159672aab81a8 |
| SHA256 | 5ccf349bab0126904fa359ea78095d3a54d3e4c8f3d3337d6d8df0cefa04da63 |
| SHA512 | 245605b2bedda553c7a11bba027cf39e4a33ba964e390dcba7b34c7b18e300b9a7b9cd71f449d5ba65992f98cf2a67357cb05e1a88e4861b420ad3f173d6f222 |
memory/2660-360-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Faokjpfd.exe
| MD5 | 0756ddff0d99f62d22177b914f8a391b |
| SHA1 | 8c7f389298bc792371c245b980c37dd86addedae |
| SHA256 | 5c4c8a0a477b288cea92d1c4e6b73ac639f0cbcf486ad62e225dd65f60346e47 |
| SHA512 | a0963bd7ac67a36882bb057ba2cf4f7153048f11ed6be0c5dfa41af00023e8bf78d9b69ec136c48cfc2a5314712aab99190071f7d0047456741cc857a2d72dbe |
memory/2660-351-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2692-350-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2692-349-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2692-344-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2380-343-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/2380-342-0x00000000002D0000-0x0000000000303000-memory.dmp
C:\Windows\SysWOW64\Fckjalhj.exe
| MD5 | de6370f123e73e8bfd4e2ec683515641 |
| SHA1 | b21c18c959eef619a9505322ec89572b039ba79f |
| SHA256 | a81c459699dee84c4e009a126da4e0e0d2a127203570db3abfab6c980313f104 |
| SHA512 | 2c7c8f90474f7180b9e242e5ef086088994286f85f2e3fa8793b06a96519413718a3a4ec1c2ed33294bcdf1b55de70c5d1ccc55581ab4c4bf727b961be5e8ffd |
memory/1604-328-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1604-327-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Ealnephf.exe
| MD5 | 98d03c4e5f7cef103aa7d82fe66fb0e8 |
| SHA1 | 1efde74d77907becfbba2ed55bccf465a2629e8d |
| SHA256 | b5a0e25a52e8c445ad1b1340e9f6d54a1703cf2a11e3204f3d949ff191d533a9 |
| SHA512 | e784c83838a570a77bc83647a0dcfcccfd76ef36eb638fb37bc2ab22bd09d74779b28983a055a7b95f43e981a565214454ef82274cec47f60fd04f99f5ba7b86 |
C:\Windows\SysWOW64\Eloemi32.exe
| MD5 | 66d0f5221d13dd27723f9c0e6cdc2cb4 |
| SHA1 | e81e4ba3bb6f18c88af3674fe96fcaedb6ec324a |
| SHA256 | ecc2a57beac254cafd5ed87d0c1bd27b704be9dac7ece6ebd3c6e19dee8ab428 |
| SHA512 | 21c69361590ca87fa8499ad8b301dcce4fd18fc0a83173d6e753948f0faf9133ad7abeb9085ad3c97efc6627d4dce6b4edff8d3976063353754273151bf5067c |
C:\Windows\SysWOW64\Eiaiqn32.exe
| MD5 | 9ef753c2a881fd9407744ead7da52820 |
| SHA1 | 2c13a46761a799185c673fd6b6dcea67da890421 |
| SHA256 | 9732d741c0db0a26e12b5ee8a9b777b89105086763328fefae2258c5b7626864 |
| SHA512 | 0b0732aa269dc9daa68f4b3fdc24518359b94c9295d283f7e34857e98ac10f1c0f71f300ef1e6e4aa7367a6eaaaabe34922c03a343a24f8b4a2a5cdbde52463b |
C:\Windows\SysWOW64\Eajaoq32.exe
| MD5 | 2a84648f4ef635998088d5a7640c741f |
| SHA1 | aeddb2cdd5860ec54142a0bc4ebc253072a6e52f |
| SHA256 | aaf1726955e60f14e565d81cdb1855ec0b6536bd29bca5e44adf87f27ad07569 |
| SHA512 | 35619bf82ceee1a3144ca189e5469d07e3467a11ed2752caf05d5a3345df75525ba7d89086fb45001ac503450d948cbda418079251b0cf75275592e1fc20a6f4 |
C:\Windows\SysWOW64\Eiomkn32.exe
| MD5 | a80385edcdb83ca9aeeab1811547bfb2 |
| SHA1 | 8d3f4ce812679eb35a601a002c0c7da60bd3215e |
| SHA256 | 570b26d6e80d94e90d5c4bba439bf5fd62a19c5bfe689565b8a157fb4e06b7d4 |
| SHA512 | 38f37093a8e8dbdcf2e5b2e7d4a50f9e529fa6065f52d97b742ef489bed023bd65984e9cbdfe1d0d468d3e390ad33114f6bcfc92900e2160055a0fc6686ed299 |
C:\Windows\SysWOW64\Eeqdep32.exe
| MD5 | a9958921b49db02f859111d0eb289649 |
| SHA1 | aaf8d5bd0608fa488dbe63f4b0e57c8f0649dbbf |
| SHA256 | fa3763690afe0915010cc44c709f48b8e5a4d850da8d235c62fd708216f3bdcb |
| SHA512 | b7878d20882c58d808b95a370199923c657e50280e73b11166187067444ac2d9b6e131f3a62a928a939793adaa7dfe8301c3588f75e11bc45e84cf8bcc8d07bf |
C:\Windows\SysWOW64\Ekholjqg.exe
| MD5 | f595292ba05172cb6352c734ab283e94 |
| SHA1 | 2f4795336f7e68b052ad543259bf0eaad272cbc8 |
| SHA256 | b520b0650867e358ece631a07ebdae48deda1f987f7d83c1a8d186db5fdf9d5a |
| SHA512 | 8d56f651940cb09f8100087db7d0d0e665675a25653e8d5ba9fbfbaac978ac1381de6dd1f658e97633135aee0efed4960c419d7378a8d79f5c6dc77541259c36 |
C:\Windows\SysWOW64\Ejgcdb32.exe
| MD5 | 8fcdd6cbe22fc29dc46965d0e6357356 |
| SHA1 | 102e0dd50daa6d406de1f10e85d9f7942ce57883 |
| SHA256 | e37a67ed3fb0acd51bf6f2f46657b750081b61d2d08b957e1f8777bcf2d65f0f |
| SHA512 | b572d80af99d18e8be7fdbea998e9382b77d2de417675c3f9588cbbd31f3575d15ba218eb79554e448ce74a98a95175e9a2984692fb02523bc8ecdf179338c6e |
C:\Windows\SysWOW64\Dfijnd32.exe
| MD5 | f62d2b29df4c03a937bfbeeb995f5b5e |
| SHA1 | 64ad6e7f26a5a34a478a0f70c6aad2177922372c |
| SHA256 | 38a95abab7cc7d842d2c306ef1cc64d71fd88e59e73be87378d0908ca0af46ea |
| SHA512 | 8bcb81c9c7c5d03d32cc6e182fb16df556d9b95b0ba49fec007454e8927275f1583cda83403cbdacf599794534c2d4210e5598a32099810e2153d4759b50791a |
C:\Windows\SysWOW64\Dcknbh32.exe
| MD5 | 67160fc5ad8a7522d810c0f64f54d6b3 |
| SHA1 | 0bfb76aa079a70c8823dd3d8ce421c500b9815cd |
| SHA256 | 142ee55160d0ad81df14f8610417067f475f5abcd52b5a7f1069115509ff74f2 |
| SHA512 | f6b4e000b3c5a135e386d4ee9497a4eae3b977585f353dd1224f0edcc248f1532915805c67a25f1728cd1c18f5a22543aa01aae40b409111da0d05498e2e16c8 |
C:\Windows\SysWOW64\Dngoibmo.exe
| MD5 | dda9fbe361303ca1c141add854d50960 |
| SHA1 | 10236cb117cef78c92f0ea84086e53e704a96c9f |
| SHA256 | 568d7a034f5aa06348b2f4f18f93ddb427c0fcb1dfe73456e0ba78b2459479d0 |
| SHA512 | 4e8d2de59bc6f05a1f23716e64353040b54a4a194d2c304410e8804820e31cebee8be27d5c3f85449f5a0188e59974d08f8f1b24241ebbeb588e2d0e2803df3a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 09:43
Reported
2024-06-02 09:46
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpkbebbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdiklqhm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nacbfdao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kgdbkohf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nggqoj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdopod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lklnhlfb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdopod32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kibnhjgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldmlpbbj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nafokcol.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nqklmpdd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mnocof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgghhlhq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mcnhmm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lklnhlfb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkepnjng.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjqjih32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgnnhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjjmog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lnjjdgee.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgghhlhq.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Ngedij32.exe | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkiqbl32.exe | C:\Windows\SysWOW64\Ldmlpbbj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnhfee32.exe | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndbnboqb.exe | C:\Windows\SysWOW64\Nacbfdao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnmopdep.exe | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
| File created | C:\Windows\SysWOW64\Paadnmaq.dll | C:\Windows\SysWOW64\Ncihikcg.exe | N/A |
| File created | C:\Windows\SysWOW64\Eplmgmol.dll | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mahbje32.exe | C:\Windows\SysWOW64\Mjqjih32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcnhmm32.exe | C:\Windows\SysWOW64\Mdkhapfj.exe | N/A |
| File created | C:\Windows\SysWOW64\Dihcoe32.dll | C:\Windows\SysWOW64\Nacbfdao.exe | N/A |
| File created | C:\Windows\SysWOW64\Lelgbkio.dll | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgnnhk32.exe | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nacbfdao.exe | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfcbokki.dll | C:\Windows\SysWOW64\Ndbnboqb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bheenp32.dll | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lknjmkdo.exe | C:\Windows\SysWOW64\Lnjjdgee.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjqjih32.exe | C:\Windows\SysWOW64\Lknjmkdo.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdiklqhm.exe | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbkhfc32.exe | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnngob32.dll | C:\Windows\SysWOW64\Lnjjdgee.exe | N/A |
| File created | C:\Windows\SysWOW64\Lifenaok.dll | C:\Windows\SysWOW64\Mpkbebbf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mjjmog32.exe | C:\Windows\SysWOW64\Mglack32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljfemn32.dll | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mglack32.exe | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kgdbkohf.exe | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldaeka32.exe | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckegia32.dll | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njcqqgjb.dll | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnhfee32.exe | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncgkcl32.exe | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkckjila.dll | C:\Windows\SysWOW64\Nqklmpdd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ockcknah.dll | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcnhmm32.exe | C:\Windows\SysWOW64\Mdkhapfj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbbkdl32.dll | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcbahlip.exe | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mpdelajl.exe | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nggqoj32.exe | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmegbjgn.exe | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgdbkohf.exe | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fogjfmfe.dll | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkepnjng.exe | C:\Windows\SysWOW64\Mcnhmm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmegbjgn.exe | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lnhmng32.exe | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Maohkd32.exe | C:\Windows\SysWOW64\Mjhqjg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Addjcmqn.dll | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nqklmpdd.exe | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnibdpde.dll | C:\Windows\SysWOW64\Nggqoj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkbchk32.exe | C:\Windows\SysWOW64\Mgghhlhq.exe | N/A |
| File created | C:\Windows\SysWOW64\Oaehlf32.dll | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcbahlip.exe | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nafokcol.exe | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nddkgonp.exe | C:\Windows\SysWOW64\Nafokcol.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcmofolg.exe | C:\Windows\SysWOW64\Kibnhjgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mnocof32.exe | C:\Windows\SysWOW64\Mjcgohig.exe | N/A |
| File created | C:\Windows\SysWOW64\Mglack32.exe | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnfmbf32.dll | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgengpmj.dll | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkepnjng.exe | C:\Windows\SysWOW64\Mcnhmm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nacbfdao.exe | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncgkcl32.exe | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ldaeka32.exe | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lklnhlfb.exe | C:\Windows\SysWOW64\Ldaeka32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkpgck32.exe | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lmccchkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mjqjih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mkbchk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll" | C:\Windows\SysWOW64\Nddkgonp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" | C:\Windows\SysWOW64\Mciobn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdmegp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Njcpee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kmegbjgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lknjmkdo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mpmokb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nacbfdao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" | C:\Windows\SysWOW64\Nafokcol.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll" | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nggqoj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll" | C:\Windows\SysWOW64\Mnapdf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nnmopdep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nqklmpdd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll" | C:\Windows\SysWOW64\Kgdbkohf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" | C:\Windows\SysWOW64\Ldmlpbbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mkpgck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | C:\Windows\SysWOW64\Nggqoj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nafokcol.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbkhfc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll" | C:\Windows\SysWOW64\Ncgkcl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kibnhjgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ldmlpbbj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lnhmng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mnocof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mgghhlhq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Maohkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll" | C:\Windows\SysWOW64\Nnhfee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll" | C:\Windows\SysWOW64\Ngedij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll" | C:\Windows\SysWOW64\Kgphpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mdiklqhm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mdiklqhm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Maaepd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ncgkcl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll" | C:\Windows\SysWOW64\Mahbje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mcbahlip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nkjjij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" | C:\Windows\SysWOW64\Njogjfoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lkiqbl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" | C:\Windows\SysWOW64\Mnocof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll" | C:\Windows\SysWOW64\Mdkhapfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll" | C:\Windows\SysWOW64\Nkncdifl.exe | N/A |
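The rows above all touch a single CLSID: each dropped stage re-creates `InProcServer32`, writes `ThreadingModel = "Apartment"` and points the default value at yet another freshly dropped DLL under SysWow64. The `Apartment` value on its own is ordinary for an in-process COM server; the signal is one CLSID being re-pointed dozens of times by dozens of distinct writer processes, all with the same 8-character naming scheme. The Python below is an added example, not part of the report or of the sandbox's own tooling. It parses a constructed sample of seven rows copied verbatim from this table, groups the registrations by CLSID and reports that churn; the file-name regex is derived only from the names visible in this report.

```python
"""Group the 'Modifies registry class' rows of the report above by CLSID.

Added example, not the sandbox's code. Row layout (op | indicator | process |
target) and the sample rows are taken from the report itself.
"""
import re
from collections import defaultdict

# Constructed sample: seven rows copied verbatim from the table above.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lcmofolg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" | C:\Windows\SysWOW64\Mamleegg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll" | C:\Windows\SysWOW64\Mpdelajl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nggqoj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll" | C:\Windows\SysWOW64\Kgdbkohf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | N/A |
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A registry path optionally followed by ' = "value"' (Set value rows only).
INDICATOR_RE = re.compile(r'^(?P<path>.+?)(?: = "(?P<value>.*)")?$')
# Naming pattern of every dropped file in this report (assumption drawn from
# these rows, not a family-wide rule): 8 characters, capitalised, either all
# letters or six letters followed by "32".
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.(?:dll|exe)$")


def parse_rows(text):
    """Turn pipe-table rows into dicts: op, key_path, value_name, value, process, clsid."""
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0].startswith("Description"):
            continue
        op, indicator, process, _target = cells
        m = INDICATOR_RE.match(indicator)
        path, value = m.group("path"), m.group("value")
        if value is not None:
            # The report doubles backslashes inside quoted values; undo that.
            value = value.replace("\\\\", "\\")
            key_path, _, value_name = path.rpartition("\\")  # "" means default value
        else:
            key_path, value_name = path, None
        clsid = CLSID_RE.search(key_path)
        events.append({"op": op, "key_path": key_path, "value_name": value_name,
                       "value": value, "process": process,
                       "clsid": clsid.group(0).upper() if clsid else None})
    return events


def summarize_by_clsid(events):
    """Per CLSID: InProcServer32 targets (first-seen order), writer processes, threading models."""
    summary = defaultdict(lambda: {"servers": [], "writers": set(), "threading": set()})
    for ev in events:
        if not ev["clsid"]:
            continue
        entry = summary[ev["clsid"]]
        entry["writers"].add(ev["process"])
        if not ev["key_path"].endswith("\\InProcServer32") or ev["value"] is None:
            continue
        if ev["value_name"] == "" and ev["value"] not in entry["servers"]:
            entry["servers"].append(ev["value"])
        elif ev["value_name"] == "ThreadingModel":
            entry["threading"].add(ev["value"])
    return dict(summary)


def find_hijack_indicators(events):
    """Human-readable findings: re-pointed servers and dropped-style server names."""
    findings = []
    for clsid, entry in summarize_by_clsid(events).items():
        servers = entry["servers"]
        if len(servers) > 1:
            findings.append(f"{clsid}: InProcServer32 re-pointed {len(servers)} times "
                            f"by {len(entry['writers'])} distinct processes")
        for dll in servers:
            name = dll.rsplit("\\", 1)[-1]
            if DROPPED_NAME_RE.match(name):
                findings.append(f"{clsid}: server {name} matches the dropped-file naming pattern")
    return findings


if __name__ == "__main__":
    for line in find_hijack_indicators(parse_rows(SAMPLE_ROWS)):
        print(line)
```

Run against the full table the same functions give the complete list of DLLs that were, at some point, the registered in-process server for this CLSID; on a live host only the last write survives, so the sandbox rows are the only record of the earlier ones.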
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe | "C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe" |
| C:\Windows\SysWOW64\Kmegbjgn.exe | C:\Windows\system32\Kmegbjgn.exe |
| C:\Windows\SysWOW64\Kdopod32.exe | C:\Windows\system32\Kdopod32.exe |
| C:\Windows\SysWOW64\Kgphpo32.exe | C:\Windows\system32\Kgphpo32.exe |
| C:\Windows\SysWOW64\Kgdbkohf.exe | C:\Windows\system32\Kgdbkohf.exe |
| C:\Windows\SysWOW64\Kibnhjgj.exe | C:\Windows\system32\Kibnhjgj.exe |
| C:\Windows\SysWOW64\Lcmofolg.exe | C:\Windows\system32\Lcmofolg.exe |
| C:\Windows\SysWOW64\Lmccchkn.exe | C:\Windows\system32\Lmccchkn.exe |
| C:\Windows\SysWOW64\Ldmlpbbj.exe | C:\Windows\system32\Ldmlpbbj.exe |
| C:\Windows\SysWOW64\Lkiqbl32.exe | C:\Windows\system32\Lkiqbl32.exe |
| C:\Windows\SysWOW64\Lnhmng32.exe | C:\Windows\system32\Lnhmng32.exe |
| C:\Windows\SysWOW64\Ldaeka32.exe | C:\Windows\system32\Ldaeka32.exe |
| C:\Windows\SysWOW64\Lklnhlfb.exe | C:\Windows\system32\Lklnhlfb.exe |
| C:\Windows\SysWOW64\Lnjjdgee.exe | C:\Windows\system32\Lnjjdgee.exe |
| C:\Windows\SysWOW64\Lknjmkdo.exe | C:\Windows\system32\Lknjmkdo.exe |
| C:\Windows\SysWOW64\Mjqjih32.exe | C:\Windows\system32\Mjqjih32.exe |
| C:\Windows\SysWOW64\Mahbje32.exe | C:\Windows\system32\Mahbje32.exe |
| C:\Windows\SysWOW64\Mpkbebbf.exe | C:\Windows\system32\Mpkbebbf.exe |
| C:\Windows\SysWOW64\Mciobn32.exe | C:\Windows\system32\Mciobn32.exe |
| C:\Windows\SysWOW64\Mkpgck32.exe | C:\Windows\system32\Mkpgck32.exe |
| C:\Windows\SysWOW64\Mjcgohig.exe | C:\Windows\system32\Mjcgohig.exe |
| C:\Windows\SysWOW64\Mnocof32.exe | C:\Windows\system32\Mnocof32.exe |
| C:\Windows\SysWOW64\Mpmokb32.exe | C:\Windows\system32\Mpmokb32.exe |
| C:\Windows\SysWOW64\Mdiklqhm.exe | C:\Windows\system32\Mdiklqhm.exe |
| C:\Windows\SysWOW64\Mgghhlhq.exe | C:\Windows\system32\Mgghhlhq.exe |
| C:\Windows\SysWOW64\Mkbchk32.exe | C:\Windows\system32\Mkbchk32.exe |
| C:\Windows\SysWOW64\Mnapdf32.exe | C:\Windows\system32\Mnapdf32.exe |
| C:\Windows\SysWOW64\Mamleegg.exe | C:\Windows\system32\Mamleegg.exe |
| C:\Windows\SysWOW64\Mdkhapfj.exe | C:\Windows\system32\Mdkhapfj.exe |
| C:\Windows\SysWOW64\Mcnhmm32.exe | C:\Windows\system32\Mcnhmm32.exe |
| C:\Windows\SysWOW64\Mkepnjng.exe | C:\Windows\system32\Mkepnjng.exe |
| C:\Windows\SysWOW64\Mjhqjg32.exe | C:\Windows\system32\Mjhqjg32.exe |
| C:\Windows\SysWOW64\Maohkd32.exe | C:\Windows\system32\Maohkd32.exe |
| C:\Windows\SysWOW64\Mdmegp32.exe | C:\Windows\system32\Mdmegp32.exe |
| C:\Windows\SysWOW64\Mglack32.exe | C:\Windows\system32\Mglack32.exe |
| C:\Windows\SysWOW64\Mjjmog32.exe | C:\Windows\system32\Mjjmog32.exe |
| C:\Windows\SysWOW64\Maaepd32.exe | C:\Windows\system32\Maaepd32.exe |
| C:\Windows\SysWOW64\Mpdelajl.exe | C:\Windows\system32\Mpdelajl.exe |
| C:\Windows\SysWOW64\Mcbahlip.exe | C:\Windows\system32\Mcbahlip.exe |
| C:\Windows\SysWOW64\Mgnnhk32.exe | C:\Windows\system32\Mgnnhk32.exe |
| C:\Windows\SysWOW64\Nkjjij32.exe | C:\Windows\system32\Nkjjij32.exe |
| C:\Windows\SysWOW64\Nnhfee32.exe | C:\Windows\system32\Nnhfee32.exe |
| C:\Windows\SysWOW64\Nacbfdao.exe | C:\Windows\system32\Nacbfdao.exe |
| C:\Windows\SysWOW64\Ndbnboqb.exe | C:\Windows\system32\Ndbnboqb.exe |
| C:\Windows\SysWOW64\Njogjfoj.exe | C:\Windows\system32\Njogjfoj.exe |
| C:\Windows\SysWOW64\Nafokcol.exe | C:\Windows\system32\Nafokcol.exe |
| C:\Windows\SysWOW64\Nddkgonp.exe | C:\Windows\system32\Nddkgonp.exe |
| C:\Windows\SysWOW64\Ncgkcl32.exe | C:\Windows\system32\Ncgkcl32.exe |
| C:\Windows\SysWOW64\Nkncdifl.exe | C:\Windows\system32\Nkncdifl.exe |
| C:\Windows\SysWOW64\Nnmopdep.exe | C:\Windows\system32\Nnmopdep.exe |
| C:\Windows\SysWOW64\Nqklmpdd.exe | C:\Windows\system32\Nqklmpdd.exe |
| C:\Windows\SysWOW64\Ncihikcg.exe | C:\Windows\system32\Ncihikcg.exe |
| C:\Windows\SysWOW64\Ngedij32.exe | C:\Windows\system32\Ngedij32.exe |
| C:\Windows\SysWOW64\Njcpee32.exe | C:\Windows\system32\Njcpee32.exe |
| C:\Windows\SysWOW64\Nbkhfc32.exe | C:\Windows\system32\Nbkhfc32.exe |
| C:\Windows\SysWOW64\Ndidbn32.exe | C:\Windows\system32\Ndidbn32.exe |
| C:\Windows\SysWOW64\Nggqoj32.exe | C:\Windows\system32\Nggqoj32.exe |
| C:\Windows\SysWOW64\Nkcmohbg.exe | C:\Windows\system32\Nkcmohbg.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4104 -ip 4104 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 400 |
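Two details of the process list matter for anyone turning this report into a hunt. First, every dropped stage is launched as `C:\Windows\system32\<name>.exe`, yet the image on disk is under `C:\Windows\SysWOW64`: the sample is 32-bit, so the WOW64 file-system redirector maps `system32` to `SysWOW64` for it, and a rule that keys on the command-line path alone will look in the wrong directory. Second, the two `WerFault.exe` invocations carry `-p 4104`, the PID of the stage that crashed ("Program crash" in the summary), which lines up with the `memory/4104-…` dump listed under Files. The Python below is an added example, not part of the report or the sandbox's tooling; it works on a constructed sample of rows copied from this table and from the Files section, and the 8-character name regex is an assumption drawn from the names on this page.

```python
r"""Process-list triage for the report above (added example, not the sandbox's code).

Flags WOW64-redirected launches (command line says system32, image is in
SysWOW64), lists images that follow the dropped-file naming scheme, pulls the
crashed PID out of the WerFault command lines and ties it to the memory dumps
named memory/<pid>-<seq>-<start>-<end>-memory.dmp in the Files section.
"""
import ntpath
import re

# Constructed sample: a few rows copied from the process table above.
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe"'),
    (r"C:\Windows\SysWOW64\Kmegbjgn.exe", r"C:\Windows\system32\Kmegbjgn.exe"),
    (r"C:\Windows\SysWOW64\Kdopod32.exe", r"C:\Windows\system32\Kdopod32.exe"),
    (r"C:\Windows\SysWOW64\Nkcmohbg.exe", r"C:\Windows\system32\Nkcmohbg.exe"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4104 -ip 4104"),
    (r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 400"),
]
# Constructed sample: three memory-dump names copied from the Files section.
SAMPLE_DUMPS = [
    "memory/3968-0-0x0000000000400000-0x0000000000433000-memory.dmp",
    "memory/3968-1-0x0000000000431000-0x0000000000432000-memory.dmp",
    "memory/4104-359-0x0000000000400000-0x0000000000433000-memory.dmp",
]

# Assumption from this report's file names: 8 characters, capitalised, all
# letters or six letters plus "32".
DROPPED_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def first_token(cmdline):
    """Executable path from a command line, honouring an optional leading quote."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def redirected_launches(processes):
    """Images whose command line claims system32 but whose file lives in SysWOW64."""
    hits = []
    for image, cmdline in processes:
        claimed_dir = ntpath.dirname(first_token(cmdline)).lower()
        actual_dir = ntpath.dirname(image).lower()
        if claimed_dir == r"c:\windows\system32" and actual_dir == r"c:\windows\syswow64":
            hits.append(image)
    return hits


def dropped_stage_names(processes):
    """Image file names matching the naming scheme of the dropped stages."""
    names = [ntpath.basename(image) for image, _ in processes]
    return [n for n in names if DROPPED_NAME_RE.match(n)]


def crashed_pids(processes):
    """PIDs handed to WerFault.exe via -p, deduplicated in order of appearance."""
    pids = []
    for image, cmdline in processes:
        if ntpath.basename(image).lower() != "werfault.exe":
            continue
        m = WERFAULT_PID_RE.search(cmdline)
        if m and int(m.group(1)) not in pids:
            pids.append(int(m.group(1)))
    return pids


def dumps_by_pid(dump_names):
    """Map PID -> list of (start, end) address ranges parsed from dump file names."""
    out = {}
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m:
            rng = (int(m.group(3), 16), int(m.group(4), 16))
            out.setdefault(int(m.group(1)), []).append(rng)
    return out


if __name__ == "__main__":
    print("redirected:", redirected_launches(SAMPLE_PROCESSES))
    print("dropped-style names:", dropped_stage_names(SAMPLE_PROCESSES))
    dumps = dumps_by_pid(SAMPLE_DUMPS)
    for pid in crashed_pids(SAMPLE_PROCESSES):
        print(f"crashed PID {pid} has dumps: {dumps.get(pid)}")
```

The dump ranges are worth a glance on their own: every `memory/<pid>-<n>-0x400000-0x433000` entry in the Files section covers the same image range, so each stage is a PE of identical layout even though the listed hashes differ from file to file.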
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
memory/3968-0-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3968-1-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Kmegbjgn.exe
| MD5 | bed67e072e3405a7d02e86bd9d97d74a |
| SHA1 | b20e9656c70847ecc1815032d01dbdef552a8a9c |
| SHA256 | d27433984ae02a42a21a9850b3dac449bddfe1940aeef6d57a2cfc7da8006f20 |
| SHA512 | 5f305f7f902d52f3b988549fac19b5702dcc890a4a615254cd2afe4317a122d76876f0e329b264c1fc0ec301d594cd465cb622b99b9ac21ba7daf88dc3846d19 |
memory/1412-9-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Kdopod32.exe
| MD5 | f554edb99afaab4ff813236575ca2e0c |
| SHA1 | eb462e32933ed5f9768bb36593d051c48b6dd1bf |
| SHA256 | 5ca64a6ec85c79d910376e9d617ea45f0da07381a299e8121192081c951d1519 |
| SHA512 | 38ef0671c10dff102b19154b1a59822c133d161b1adbb03685d38e86bff4f2e34b8fea61e7a1ec224a1a5a283ffe04bd4422cdca2428b80c7b38fd42fa260c3b |
memory/4508-21-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3312-25-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Kgphpo32.exe
| MD5 | c55f7bf09f30415ecc4237492bf23d1f |
| SHA1 | d607869236e3e99a8d3d83657b66edf81d7283d8 |
| SHA256 | 1bd48195118ed33cb66cefcf52f6bd36c03b0b6ea39e19bb08c82c4daedcc6e5 |
| SHA512 | 375d34e3968acdcb7a48dbc620951173149f82410ab383ea0495cdde50f8dab14538def65adbd1783079140459a860ce81b902cad28086f518d291ded7f86591 |
C:\Windows\SysWOW64\Kgdbkohf.exe
| MD5 | 3ef6bca2d2e931f22ad88639c67fc1c6 |
| SHA1 | acfc374c5e51f91fb94c904dd133cf3cb8e503a7 |
| SHA256 | 638eea5351281d864bf7d727640f9ee073a9d93a7af990824b8458e34093463d |
| SHA512 | dcdb8497015d6bbb3f838cd417ba72d234853d39176eede23af1961bd2a973ebdc72c48197f80c5103be6161f51daafb4525d464828c5e3c76c9d9907ae94f2a |
memory/2404-33-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Kibnhjgj.exe
| MD5 | 0c399212799dbb4fe06451c59b9d501a |
| SHA1 | 409d6e4c534475924d573311e95a73c0d3ccd2e3 |
| SHA256 | 70c6eb9a73b2d6111036d7b726a5b9c056471dd9fdcaebcaf8907af0ed94c5c0 |
| SHA512 | f00609715efa7828ecf0292e21cde0489b13f78de9746ba9b35448e37af286609a9e90c07344f0a250fdd85462cb394e600f1bdd2f68f3ab0fa61d72818a79fd |
memory/1728-41-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lcmofolg.exe
| MD5 | 64c89812bb51a240d03c60975870bd07 |
| SHA1 | 5335aebcebdae59676bf571ade1c8f3e00a01897 |
| SHA256 | 0ac6776457966c08edff61fff06017a178cfbb97236748cd7e3216f3217b6e8c |
| SHA512 | 9a122b0f743f91c9a6b9626e28d2a8498d6bcc821bae4c9762ff6a553ae0fbe8762f9311e33cea4be2074498b5ae53a029d0fd918c5111c7af2b43f922c4476c |
memory/3036-49-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lmccchkn.exe
| MD5 | 5596ee972da14cb1c2f8e4e6c6b1091e |
| SHA1 | 4c4abdddf961ea4509243e212f1c7c1e9237b0a8 |
| SHA256 | 0456d74bc41c9dfce9fba783cb45eb317431208c222058a80b3b67c2b28855ca |
| SHA512 | db8254cdbaa57d00109efda89982da2e9e271a9040bbddc0d8b95e2368e07f92df88d3b07be6860b9e8683c3659d2c074f5ee1386008fc31002e77b38941de8b |
memory/2528-57-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ldmlpbbj.exe
| MD5 | 86f731d3c3e7f263c228152098299312 |
| SHA1 | 21b9d268e40e3cb943a5c25f2957e885cfe826bf |
| SHA256 | ffb24fa4cbaccf340b994d1ddc3c49af1b78891d142841b05be8eae8a57ccb53 |
| SHA512 | 36bbb3fca22b2baf2891320aefc39b392d590496936ff7894e84a5904b1d756f1bbc64f89816a133cfda55f9389dd4356b3c3a2c838c83deed398cad82eb74e4 |
memory/3048-69-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lkiqbl32.exe
| MD5 | 20e0f04e843231a70b620455b3c02681 |
| SHA1 | be91740ab9b17522e7068218ec50b9e2120b87ff |
| SHA256 | c38771194a410af067a2fdd32e62675ec71fbd4111d0c5aee57ee3b427bed854 |
| SHA512 | 46abe98561fb8f60d47409206f472cf9b0aee2bc863d2e855eecce234db789cdb8a0a158428f92b44f28c37765c2ed893fa8f3effc3cf0bc55647593fd57132a |
memory/4528-77-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4204-80-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ldaeka32.exe
| MD5 | e290b0b88ead13be387ea06fa28f1033 |
| SHA1 | 58ceb168f04d662638c3769c323a86afe1b71c54 |
| SHA256 | d0449f4705cf9e10d021e2b91b53233213a2422d6ccdac2514201b2206fadf48 |
| SHA512 | 3665ca5f19fab5472801f045083723615b7d77f5cbfe71d07aae08184303b235bc9aad67b05a582cb949a47753eef861ba551e82ff3e587d77af997d85f2ed30 |
C:\Windows\SysWOW64\Lklnhlfb.exe
| MD5 | 1d4400c666306df922db994e767e253a |
| SHA1 | 36ab5fbd9134b485f8417cc7a5a2c43d256bab6b |
| SHA256 | ed4f3110f3e71c778d6843908dc063889034cfbfb471bd651282cfb0ec73e0e9 |
| SHA512 | 620c4208dd846181c37de82da52f46f2536d21b06446f8b8deefb7e015e5130ae9a55b9dc58cf1b25a12cba9a3cd4f204431bd6a5d120fd9ffe1d809849f615d |
memory/4776-101-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mpkbebbf.exe
| MD5 | 2c4014dbad541ca4ed5c2be39d3991cf |
| SHA1 | 6024a2e01eefc03cc6fb4e2bbc68b8ca9503aaf9 |
| SHA256 | f102d64acaa10047c3e216be4597864467c8b8ab3e8b30cc607705211f17aa7b |
| SHA512 | 5002c6915e659965386db3277c52c7cfc9275a0b4f8fe57967107edb8855ae58dc086463f3ddbd126146a6b297a0b184024e0ff616e6dea1a4bc12bde17b5ae9 |
C:\Windows\SysWOW64\Mkpgck32.exe
| MD5 | 03fb6f1639b63fe1a73885640e1938ee |
| SHA1 | 5370599ef1e7ebcb64b0af66ab9a64607cee75af |
| SHA256 | e4afa77055acf34191c545d4e77d09b9217455c3f19b5c94be4f990982585ad1 |
| SHA512 | e1bcb9901a26d26aca0bf6639a475d877e02bccf9910ed40c7365e9e8e3cc4683f4671e76264fb7c6f122e298905ba81e2a4e05c89b4b012983b7aeb65619325 |
C:\Windows\SysWOW64\Mnocof32.exe
| MD5 | 685403cf25944db40a402a9a35c429b8 |
| SHA1 | 739e65d2b7fa4b8dcb40accd6935926f7668fea1 |
| SHA256 | 896878f963a73cc2abdd859910bc8791b8db098d9ab729c6a0bcfb21b0aae35c |
| SHA512 | 7009cabcd724922379072e6705b98604c32e9da1ac857a3e743d49b9d2c8a8896179cbc06aacdb41f7c0e2f946de3fbcf93317be13b7c1a8ab1e62d0b74b5fef |
C:\Windows\SysWOW64\Mdiklqhm.exe
| MD5 | 6bc3368afd5269f68c98089b048b936b |
| SHA1 | 219928f1655860495b7b94c3ee0ff86dac79c858 |
| SHA256 | 9fe8881632e545b82f5ab08c429b7fdca80adeb47463720fff3de9101ab7255e |
| SHA512 | adb64b84f2484fa6bbfcdf61572aadf47ac3c8861cf8eb7e73ef85dd884edde2a17eb1eff3035e5876c9bfe32ff80d72c1d68a1272a39be2b7ea9d6189cd5595 |
C:\Windows\SysWOW64\Mnapdf32.exe
| MD5 | 1cfab1a5ac270d123df586b9e80ada63 |
| SHA1 | d8272dfa096af57196ca7bb020ce07d2c11ac386 |
| SHA256 | a8eabe84f3d2ffbe2ef46abebbbca77ee475b3054795f59e5006cf3eb90368af |
| SHA512 | cf696c5ebec8b05daf65cf8d40854c59a40052902bdc3cb9af7704cbfd7a68607c1d92e91def33bf180749b03d1ca906a1f3cfe560229c7cd76b3b98fef509e6 |
C:\Windows\SysWOW64\Mkepnjng.exe
| MD5 | 32549ec2155aff608d58efaa488d47d9 |
| SHA1 | a14c85231579e443081ca591a868de60d8e90438 |
| SHA256 | 829e49bc9062c6d7c5e9b7e5d3127a7840774f98faac86bc5afbeed67d76712f |
| SHA512 | 42b7f5eea9f63a9dd7e123e249508500c5f44b242d9e31fb7ddafc5664d3bceff87b9ef2d50e41d2be92945855f24b1d79cd9261743cb59a8bf038578db868b4 |
memory/2732-421-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3968-468-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1412-466-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3312-463-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2404-461-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1728-459-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3036-457-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2528-455-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4204-451-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1216-447-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4076-445-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5020-443-0x0000000000400000-0x0000000000433000-memory.dmp
memory/100-441-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5004-439-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2416-437-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4664-435-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2100-433-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3416-431-0x0000000000400000-0x0000000000433000-memory.dmp
memory/944-429-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3356-427-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2224-425-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1012-423-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2368-419-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3532-417-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3944-415-0x0000000000400000-0x0000000000433000-memory.dmp
memory/668-413-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3648-411-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3404-409-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4604-407-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1084-405-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4032-403-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2692-401-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4368-399-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5116-397-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1600-395-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4984-393-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4660-391-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4964-389-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4808-387-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1556-385-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2620-383-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2632-381-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3556-379-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2688-377-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1280-375-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1408-373-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1616-371-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3288-369-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1300-367-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4848-365-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3700-363-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1676-361-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4104-359-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Maohkd32.exe
| MD5 | cd0bdbe0575ffd3ba167a3e0d67dba3d |
| SHA1 | 8fc9d5b14ebba5347bf422c226483b1fc9937c7d |
| SHA256 | 1c351c8990931dd82e6c03994685d83e37e5de58a8a51839653e7f958b960c4d |
| SHA512 | eaaa915d85b06774062a89e0c7bd1a0919576973351719226c58da2b1dcc5c18cb0c0c2faa6b50ded4bec387ab4b09d77fb73d2f68cf4b6fb1683f184d99d249 |
C:\Windows\SysWOW64\Mjhqjg32.exe
| MD5 | dc310802d37c024dfc7dc5a9fc29e1f9 |
| SHA1 | 7dd4a7a202e47a341fdc8ba04fe4bc7dcd8d0e84 |
| SHA256 | 4bb5652583ed16597d0239466c079ec385a2585913a65c7f88dc608df0b99c54 |
| SHA512 | 4d574f023b84b5e863022344dd280d46bf3ed537964d136b5c03fc705b4f0d5666731a667a0e6708a917ca706c0d59e94f523877d6e49adddb7885b8326c33ea |
C:\Windows\SysWOW64\Mcnhmm32.exe
| MD5 | bd9edd56d59e390cacca093a097da616 |
| SHA1 | 64390441686403f632f1779cf0e0ea4092462a76 |
| SHA256 | 8763bf321e5795b6e4f190f970eeb988546bd61b92f99e587943dce07bc19e8c |
| SHA512 | 92b81a372cb9c032d8e4bbb276945068012cd853e7aa8a22e269389b9c81b6840fa18b9910af32c724e79baf73c285c5d51715f15d880a6d563b4504876f7e01 |
C:\Windows\SysWOW64\Mdkhapfj.exe
| MD5 | c423460db200f8b3fa86e882fa9ee3b5 |
| SHA1 | 384e9ce2fc764b487daa1ba4b76981c63b120848 |
| SHA256 | 5e005a2f4d4c986196d7720adf374864dbd724c48e77fafcbe120191f0ebc890 |
| SHA512 | ca0cc53c7ea091c35b8189060e9b18400634dd257741d7895d0fd21752fb8d137f38ffe42015076e98b8bf299ca314ef3f3bf60a53243560e87ee0dd48af9e08 |
C:\Windows\SysWOW64\Mamleegg.exe
| MD5 | 8aed59bdf8b443b425b3bcccc6460b6a |
| SHA1 | fd6b85981c3e06bfbbe23949d813261a428055c7 |
| SHA256 | 25dfd81207c9622eb19b926089c1572251fdc45ecc39db21e5e61c096a422bf3 |
| SHA512 | b90977d32b3a358366e000be5bac0cc8cd2ee0631efd4e8e78fe613408e1df96415eb77495e77ee07c878bda38fd3886c980a737a97aac8c918ebd026932060f |
C:\Windows\SysWOW64\Mkbchk32.exe
| MD5 | 4280b3002a84284f5fc1d663543c0703 |
| SHA1 | fab1996cf7c86b898e4eaafb92fc11fc79774e11 |
| SHA256 | e090c77101ffad76e01c662b83062762f69508dc5f989cc39da10798c07f48e6 |
| SHA512 | 85d363f4b1ae13d01dfd0fe7b253c7d0803dd86c0b9998f23eb2dee62bad0012e261438790820b7a92d0289679a30784776c75946fb5f5104d99b443acc10e98 |
C:\Windows\SysWOW64\Mgghhlhq.exe
| MD5 | db40ede8365baa07b421b1dcaf3776de |
| SHA1 | 9b42735d744edae275293c7259221f3348298296 |
| SHA256 | e12a7a00f76810bac5825be15980bafb3849eca4e5b3cd7f8e5ca081ba6993ad |
| SHA512 | 693478619d6cc858ec948e902276730d080b9816f429e2437979544c50d62dfc1126e93ef7495e18d09bed54ce1f3f8a7038f94c1e839d0504edb9d9574c5e86 |
C:\Windows\SysWOW64\Mpmokb32.exe
| MD5 | 32d772485a5afa6fdc43777a8437da77 |
| SHA1 | bc47e150d973d049a8f6e4c848e71a77d57f9f51 |
| SHA256 | 9fbfbf09373253706a2ba96c3dd9921f595cd80f0fd12ef4503fc5eb4753c4ab |
| SHA512 | 0c04d3cbeb7a89d0a2dace6f7f8863b7241812b9f53c244a7283d645f0ef62e399e9f33e6ff9bf5a83501906f282bd8575816db60e0b6d6c8c6f9535ceaf38ef |
C:\Windows\SysWOW64\Mjcgohig.exe
| MD5 | 1ef906f9db8d06f2e1ae219eb0288a4c |
| SHA1 | f9ac85e34515df9b0152655fd41b38154f3a2a0f |
| SHA256 | 1932bb0653af1d69c0da6de126e5abef116ed4be1be3c15c10919d674df30fbe |
| SHA512 | 56a957d4b026298cc062cbbacfb26f657aa7951877b5b3215a3db9fbb21b1bb08d2cfe19453f48a6cd5e4ceebd85dea22fe3d363e6d012a5c87caedf090586a9 |
C:\Windows\SysWOW64\Mciobn32.exe
| MD5 | 220da927fc10a801dfcda0ed666132e9 |
| SHA1 | 1f93b64d0e38d985b80249d02865a4bf1decb317 |
| SHA256 | ea1562d9a08d02789506d8951fefdfe4084384c0a8dac2d8f5e2be999722e78e |
| SHA512 | 573128ed85142fb93f66da3d3d6098b4fb4cbf49771b114f75848d9d4fdede0cd76fe99a32d90d07e14b0d6b1a38f4284bc8cd1fa419ea68aa8bc7509f77cfb6 |
C:\Windows\SysWOW64\Mahbje32.exe
| MD5 | ffe5f621d4c7607b4ecaa50fd33c3626 |
| SHA1 | d6831f3e1ed3e9624dc2be7c5ff2db95d1878060 |
| SHA256 | b3fb7b7de3951b498e4482e187890c8ed0cdf6cefaad6aa08f2224b4540271d4 |
| SHA512 | 4926834f27f8cd99900bec5625e1ac305fced29821c8fa043414ca27e7e5264facb88f92107591e3450fc18ac48b6cacf3a817a0ce01cd577678f65823456ab3 |
C:\Windows\SysWOW64\Mjqjih32.exe
| MD5 | 349034756ba5753e9a4062876a527064 |
| SHA1 | de859e2eadd32707699365c515b2c64bdd44426c |
| SHA256 | 9eae2ecfe3f40ecb9d2853fc1dd273cb6e97e887ea9c6af02b97ed81a33a46ad |
| SHA512 | ca9f8676ff667f7cbae67c5f1f9f7ecddb3ad0e5d865ecae4418afef8e7679e1925100bb7eddc773a0a89ec9add268e992785446fa39d8d4bd85d2230ce5ca27 |
C:\Windows\SysWOW64\Lknjmkdo.exe
| MD5 | 8d7ba5d6e6a10207446dc9c525a6d33d |
| SHA1 | 9a568969cc0c3cb8823e609837dad1837b210c93 |
| SHA256 | 671ef1673a049d12a46b5c4e56d94c5df9f2ff308b805ee06bea24f7a1c95867 |
| SHA512 | ef955bc0ef2e1a43261202c3b8b5e44bb84bdbc26170e49ed0bd5b235b6a786dedc67d5003adbb2985996a89ebde28c7baa8d6d6addd7f32061c86d86e4d913c |
C:\Windows\SysWOW64\Lnjjdgee.exe
| MD5 | 4d32d35764fc17f62900df1b933d76ed |
| SHA1 | 736166ddcf2684565617869902ec804b3f37b2a1 |
| SHA256 | ab8e141d7c65a8a2680450efd8cb750edfb11f89525abcb50ae24854dee1c589 |
| SHA512 | 0d2b9d87623e8123f2dc6c192750efc69c550fb1091eb9f0fb7254ba73bc1a4606e6c0bc71f064e8658c1b027e5a4050c1869de349fe7b995b0e35b12f0d41d4 |
memory/3136-93-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lnhmng32.exe
| MD5 | d92c9c48d5688278453bda7c89e31a06 |
| SHA1 | fbe99f58c620eb42d08a7b730441688e5c262917 |
| SHA256 | 05e9300ecb295c12fa3bc47642eadabb2c2682d01f4369b78d2a97f88dfb02a2 |
| SHA512 | 9b53cc9552d3a6f9d537c2553724f2cb707488be11e808c7c582a1544a50807e34f8833c635a4a6187c6d4b508f9adbf6c672b75f2f840328271474b4d49f729 |