Analysis Overview
SHA256
62d7925c29c53e19cc3247b35b31c5b1431533d2e17e961340da6f562dfd9d0f
Threat Level: Known bad
The file virussign.com_a537d2478356f0fb5710b888e178f7e0.vir was found to be: Known bad.
Malicious Activity Summary
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Malware Dropper & Backdoor - Berbew
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 19:48
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 19:48
Reported
2024-06-02 19:51
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
127s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kapfiqoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lljdai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Klhnfo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cogddd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Giljfddl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Joekag32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fnipbc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ocohmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdmfllhn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mqhfoebo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nckkfp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klfaapbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pnifekmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qobhkjdi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hnbeeiji.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfnjpfcl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iliinc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Haodle32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iamamcop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oplfkeob.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fefedmil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ibfnqmpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcmdaljn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kcpjnjii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ckeimm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jenmcggo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bpkdjofm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojdgnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iamamcop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Enkdaepb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iepaaico.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iidphgcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjaabq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jcfggkac.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmdnbn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iahgad32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmfmde32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bakgoh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfbcke32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmojkj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfqnbjfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ncqlkemc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Onkidm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oaplqh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aogiap32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Adkgje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbgihaji.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnojho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nflkbanj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmnbfhal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ommceclc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fpimlfke.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iinjhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jmbhoeid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jilfifme.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ooibkpmi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Alpbecod.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mcelpggq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Giljfddl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmaffnce.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aajhndkb.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Omcjep32.exe | C:\Windows\SysWOW64\Olanmgig.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmdpiacg.dll | C:\Windows\SysWOW64\Bddjpd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ilphdlqh.exe | C:\Windows\SysWOW64\Ibgdlg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qffkpn32.dll | C:\Windows\SysWOW64\Bakgoh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbjoeojc.exe | C:\Windows\SysWOW64\Hplbickp.exe | N/A |
| File created | C:\Windows\SysWOW64\Fcokoohi.dll | C:\Windows\SysWOW64\Ngjkfd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Binlfp32.dll | C:\Windows\SysWOW64\Nqbpojnp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nfohgqlg.exe | C:\Windows\SysWOW64\Ncqlkemc.exe | N/A |
| File created | C:\Windows\SysWOW64\Oakbehfe.exe | C:\Windows\SysWOW64\Onmfimga.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhclmp32.exe | C:\Windows\SysWOW64\Dbicpfdk.exe | N/A |
| File created | C:\Windows\SysWOW64\Lblldc32.dll | C:\Windows\SysWOW64\Ibfnqmpf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jcoaglhk.exe | C:\Windows\SysWOW64\Jpaekqhh.exe | N/A |
| File created | C:\Windows\SysWOW64\Kncaec32.exe | C:\Windows\SysWOW64\Kflide32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaonbc32.exe | C:\Windows\SysWOW64\Jblmgf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbepme32.exe | C:\Windows\SysWOW64\Jeapcq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Okehmlqi.dll | C:\Windows\SysWOW64\Mmpmnl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cepjip32.dll | C:\Windows\SysWOW64\Dgeenfog.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Efjbcakl.exe | C:\Windows\SysWOW64\Ebnfbcbc.exe | N/A |
| File created | C:\Windows\SysWOW64\Enkdaepb.exe | C:\Windows\SysWOW64\Ekmhejao.exe | N/A |
| File created | C:\Windows\SysWOW64\Idefqiag.dll | C:\Windows\SysWOW64\Lfeljd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Akkeajoj.dll | C:\Windows\SysWOW64\Mokmdh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddligq32.exe | C:\Windows\SysWOW64\Dbnmke32.exe | N/A |
| File created | C:\Windows\SysWOW64\Egdagc32.dll | C:\Windows\SysWOW64\Jcanll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nfaemp32.exe | C:\Windows\SysWOW64\Ncchae32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dglkoeio.exe | C:\Windows\SysWOW64\Ddnobj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qoelkp32.exe | C:\Windows\SysWOW64\Qdphngfl.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgaclkia.dll | C:\Windows\SysWOW64\Hoclopne.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iinjhh32.exe | C:\Windows\SysWOW64\Iebngial.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcfggkac.exe | C:\Windows\SysWOW64\Jphkkpbp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lqmmmmph.exe | C:\Windows\SysWOW64\Lmaamn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mokmdh32.exe | C:\Windows\SysWOW64\Mmmqhl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aoqqpnlk.dll | C:\Windows\SysWOW64\Cdnmfclj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckkpjkai.dll | C:\Windows\SysWOW64\Ncchae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flhkmbmp.dll | C:\Windows\SysWOW64\Oplfkeob.exe | N/A |
| File created | C:\Windows\SysWOW64\Flbfjl32.dll | C:\Windows\SysWOW64\Ocjoadei.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohofdmkm.dll | C:\Windows\SysWOW64\Efjbcakl.exe | N/A |
| File created | C:\Windows\SysWOW64\Occmjg32.dll | C:\Windows\SysWOW64\Pjbcplpe.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffchaq32.dll | C:\Windows\SysWOW64\Aehgnied.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jinboekc.exe | C:\Windows\SysWOW64\Jebfng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aonhghjl.exe | C:\Windows\SysWOW64\Adhdjpjf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkgeainn.exe | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmkalh32.dll | C:\Windows\SysWOW64\Fijkdmhn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qhmqdemc.exe | C:\Windows\SysWOW64\Qoelkp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ilqoobdd.exe | C:\Windows\SysWOW64\Imnocf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fmggcl32.dll | C:\Windows\SysWOW64\Kgdpni32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lqkqhm32.exe | C:\Windows\SysWOW64\Ljqhkckn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aefjii32.exe | C:\Windows\SysWOW64\Anobgl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Flmqlg32.exe | C:\Windows\SysWOW64\Fechomko.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpaekqhh.exe | C:\Windows\SysWOW64\Jleijb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dggbcf32.exe | C:\Windows\SysWOW64\Ddifgk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcegclgp.exe | C:\Windows\SysWOW64\Pmkofa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Keiifian.dll | C:\Windows\SysWOW64\Qhhpop32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dnajppda.exe | C:\Windows\SysWOW64\Dggbcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnqfcbnj.exe | C:\Windows\SysWOW64\Glbjggof.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmafajfi.exe | C:\Windows\SysWOW64\Gejopl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebggoi32.dll | C:\Windows\SysWOW64\Bklomh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mmhgmmbf.exe | C:\Windows\SysWOW64\Mnegbp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Alapqh32.dll | C:\Windows\SysWOW64\Mfenglqf.exe | N/A |
| File created | C:\Windows\SysWOW64\Qidpon32.dll | C:\Windows\SysWOW64\Nqoloc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ibgdlg32.exe | C:\Windows\SysWOW64\Ihbponja.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocgkan32.exe | C:\Windows\SysWOW64\Ommceclc.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmacdg32.dll | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnojho32.exe | C:\Windows\SysWOW64\Mjcngpjh.exe | N/A |
| File created | C:\Windows\SysWOW64\Dkahilkl.exe | C:\Windows\SysWOW64\Dhclmp32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Pififb32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aefjii32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aekddhcb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agchinmk.dll" | C:\Windows\SysWOW64\Bepmoh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddnfmqng.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjcgjio.dll" | C:\Windows\SysWOW64\Jenmcggo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll" | C:\Windows\SysWOW64\Kcjjhdjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dbocfo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eqdpgk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ebfign32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ekdnei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmggcl32.dll" | C:\Windows\SysWOW64\Kgdpni32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccdbf32.dll" | C:\Windows\SysWOW64\Ojdgnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnnfkal.dll" | C:\Windows\SysWOW64\Gicgpelg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amjbbfgo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Onmfimga.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aajhndkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jblmgf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jcoaglhk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nmipdk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll" | C:\Windows\SysWOW64\Loacdc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegaehem.dll" | C:\Windows\SysWOW64\Bedgjgkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qfmmplad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Giljfddl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnindhpg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Efjbcakl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nflkbanj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oclkgccf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dahmfpap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgamhc32.dll" | C:\Windows\SysWOW64\Dbocfo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkgme32.dll" | C:\Windows\SysWOW64\Oacoqnci.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolece32.dll" | C:\Windows\SysWOW64\Fpkibf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pdenmbkk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nhahaiec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll" | C:\Windows\SysWOW64\Dojqjdbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chflphjh.dll" | C:\Windows\SysWOW64\Iefgbh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nmdgikhi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bgnffj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gicgpelg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll" | C:\Windows\SysWOW64\Klhnfo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll" | C:\Windows\SysWOW64\Mqafhl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aekddhcb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gnqfcbnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iepaaico.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" | C:\Windows\SysWOW64\Qdphngfl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nqoloc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjhab32.dll" | C:\Windows\SysWOW64\Jnlkedai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll" | C:\Windows\SysWOW64\Dooaoj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackekpfe.dll" | C:\Windows\SysWOW64\Adkgje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaoaic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Geoapenf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pknqoc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kegpifod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddgibkpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ilphdlqh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll" | C:\Windows\SysWOW64\Fihnomjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hplbickp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfqknfm.dll" | C:\Windows\SysWOW64\Lnangaoa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cammjakm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Njljch32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jekqmhia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ocohmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lljdai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahamgib.dll" | C:\Windows\SysWOW64\Dbnmke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll" | C:\Windows\SysWOW64\Ibfnqmpf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\Lplfcf32.exe
C:\Windows\system32\Lplfcf32.exe
C:\Windows\SysWOW64\Lfiokmkc.exe
C:\Windows\system32\Lfiokmkc.exe
C:\Windows\SysWOW64\Loacdc32.exe
C:\Windows\system32\Loacdc32.exe
C:\Windows\SysWOW64\Mjggal32.exe
C:\Windows\system32\Mjggal32.exe
C:\Windows\SysWOW64\Modpib32.exe
C:\Windows\system32\Modpib32.exe
C:\Windows\SysWOW64\Mablfnne.exe
C:\Windows\system32\Mablfnne.exe
C:\Windows\SysWOW64\Mjidgkog.exe
C:\Windows\system32\Mjidgkog.exe
C:\Windows\SysWOW64\Mcaipa32.exe
C:\Windows\system32\Mcaipa32.exe
C:\Windows\SysWOW64\Mjlalkmd.exe
C:\Windows\system32\Mjlalkmd.exe
C:\Windows\SysWOW64\Mfbaalbi.exe
C:\Windows\system32\Mfbaalbi.exe
C:\Windows\SysWOW64\Mqhfoebo.exe
C:\Windows\system32\Mqhfoebo.exe
C:\Windows\SysWOW64\Mfenglqf.exe
C:\Windows\system32\Mfenglqf.exe
C:\Windows\SysWOW64\Njbgmjgl.exe
C:\Windows\system32\Njbgmjgl.exe
C:\Windows\SysWOW64\Nckkfp32.exe
C:\Windows\system32\Nckkfp32.exe
C:\Windows\SysWOW64\Nqoloc32.exe
C:\Windows\system32\Nqoloc32.exe
C:\Windows\SysWOW64\Nmfmde32.exe
C:\Windows\system32\Nmfmde32.exe
C:\Windows\SysWOW64\Njjmni32.exe
C:\Windows\system32\Njjmni32.exe
C:\Windows\SysWOW64\Nqcejcha.exe
C:\Windows\system32\Nqcejcha.exe
C:\Windows\SysWOW64\Nfqnbjfi.exe
C:\Windows\system32\Nfqnbjfi.exe
C:\Windows\SysWOW64\Njljch32.exe
C:\Windows\system32\Njljch32.exe
C:\Windows\SysWOW64\Nqfbpb32.exe
C:\Windows\system32\Nqfbpb32.exe
C:\Windows\SysWOW64\Ooibkpmi.exe
C:\Windows\system32\Ooibkpmi.exe
C:\Windows\SysWOW64\Ojnfihmo.exe
C:\Windows\system32\Ojnfihmo.exe
C:\Windows\SysWOW64\Ommceclc.exe
C:\Windows\system32\Ommceclc.exe
C:\Windows\SysWOW64\Ocgkan32.exe
C:\Windows\system32\Ocgkan32.exe
C:\Windows\SysWOW64\Ofegni32.exe
C:\Windows\system32\Ofegni32.exe
C:\Windows\SysWOW64\Oonlfo32.exe
C:\Windows\system32\Oonlfo32.exe
C:\Windows\SysWOW64\Ofgdcipq.exe
C:\Windows\system32\Ofgdcipq.exe
C:\Windows\SysWOW64\Oophlo32.exe
C:\Windows\system32\Oophlo32.exe
C:\Windows\SysWOW64\Omdieb32.exe
C:\Windows\system32\Omdieb32.exe
C:\Windows\SysWOW64\Oflmnh32.exe
C:\Windows\system32\Oflmnh32.exe
C:\Windows\SysWOW64\Pqbala32.exe
C:\Windows\system32\Pqbala32.exe
C:\Windows\SysWOW64\Pfojdh32.exe
C:\Windows\system32\Pfojdh32.exe
C:\Windows\SysWOW64\Pcbkml32.exe
C:\Windows\system32\Pcbkml32.exe
C:\Windows\SysWOW64\Pmkofa32.exe
C:\Windows\system32\Pmkofa32.exe
C:\Windows\SysWOW64\Pcegclgp.exe
C:\Windows\system32\Pcegclgp.exe
C:\Windows\SysWOW64\Piapkbeg.exe
C:\Windows\system32\Piapkbeg.exe
C:\Windows\SysWOW64\Pfepdg32.exe
C:\Windows\system32\Pfepdg32.exe
C:\Windows\SysWOW64\Ppnenlka.exe
C:\Windows\system32\Ppnenlka.exe
C:\Windows\SysWOW64\Pjcikejg.exe
C:\Windows\system32\Pjcikejg.exe
C:\Windows\SysWOW64\Pififb32.exe
C:\Windows\system32\Pififb32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 13244 -ip 13244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 13244 -s 412
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.17.178.52.in-addr.arpa | udp |
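Almost every row in the Network table is a PTR (reverse DNS) query to 8.8.8.8, and the reversed labels decode to the peers of the forward connections (155.61.62.23.in-addr.arpa is 23.62.61.155, the www.bing.com endpoint listed just above it), which is what Windows and the sandbox host do on their own; nothing here looks like the sample's own traffic. The following is an added example, not part of the original report: it parses rows copied from the table above, decodes the in-addr.arpa names back to IPs and separates reverse lookups, forward lookups and real connections. The row subset and helper names are the editor's choice.

```python
"""Split a sandbox Network table into reverse-DNS noise and actual connections.

Added example; not part of the original report. NETWORK_ROWS is an excerpt
copied from the table above, and the classification is the editor's
reading of it, not something the report itself states.
"""
import re
from dataclasses import dataclass

# Excerpt copied from the Network table (Country | Destination | Domain | Proto).
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

# A PTR name carries the IPv4 octets in reverse order under in-addr.arpa.
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


@dataclass(frozen=True)
class Row:
    country: str
    dest: str
    domain: str
    proto: str


def parse_rows(text):
    """Turn pipe-delimited table lines into Row objects, skipping a header row if present."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(Row(*cells))
    return rows


def ptr_target(domain):
    """Return the IP a PTR name asks about, e.g. 241.150.49.20.in-addr.arpa -> 20.49.150.241."""
    m = PTR_RE.match(domain)
    if not m:
        return None
    return ".".join(reversed(m.groups()))


def classify(rows):
    """Return (ptr_lookup_ips, forward_lookup_names, connections), duplicates collapsed.

    Anything sent to port 53 is a DNS query: a PTR query if the name decodes
    as in-addr.arpa, otherwise a forward lookup. Everything else is a
    connection the analyst should actually look at.
    """
    ptr, fwd, conn = [], [], []
    seen = set()
    for r in rows:
        key = (r.dest, r.domain, r.proto)
        if key in seen:
            continue
        seen.add(key)
        ip = ptr_target(r.domain)
        if r.dest.endswith(":53") and ip:
            ptr.append(ip)
        elif r.dest.endswith(":53"):
            fwd.append(r.domain)
        else:
            conn.append((r.dest, r.domain, r.proto))
    return ptr, fwd, conn


if __name__ == "__main__":
    ptr, fwd, conn = classify(parse_rows(NETWORK_ROWS))
    print("reverse lookups for:", ptr)
    print("forward lookups:", fwd)
    print("connections:", conn)
```

Run against the full table, the reverse-lookup list is the set of peers the host resolved names for; cross-checking it against the connection list shows which PTR queries were just the OS naming the endpoints it had already talked to.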
Files
memory/1860-1-0x0000000000432000-0x0000000000433000-memory.dmp
memory/1860-0-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Nmlddqem.exe
| MD5 | e985ccaf02eee3bc9cde39ec0409fffb |
| SHA1 | a096086cf6e0022c0b0bbe75a3c5a4e6d2b354e3 |
| SHA256 | c87772eb13c3181d1b3f5af7f636bbd2dcd2ea62de4188f4869b3e48cb0b87f9 |
| SHA512 | 567bd8bd037914438e2ee3b1d9549eeadb7853b5edb08c6b808af63f1c603680d345a49b5e4a8a69861afe7af853af67f4513250cda0eba30f108c85ba5b0769 |
C:\Windows\SysWOW64\Ndflak32.exe
| MD5 | ba7bb243b9bcacee456e80f0d7d776b5 |
| SHA1 | 7bb8c68a770faeae135bcb535fc3283cd9258342 |
| SHA256 | 169de15e99779a82fa6b35a3c684c05fb11eeb1239c762ece7da060f5309a24c |
| SHA512 | da8d6e239dff13705f7ec74aeb17a2196acd58058ac022e6b7d3a0931d809c55b9c07d763c158d6281937f9c47cd8aa0b0a9ff642852ec4c950ab81346f08f38 |
C:\Windows\SysWOW64\Nhahaiec.exe
| MD5 | d0475d2f55e6aa4c8dde658eb12c134e |
| SHA1 | 50053b584938bddff606697a21ba2409c147880c |
| SHA256 | deada72acf723d85125a8b7d84b2a5f165330500e5b89faf28f0e2bbcfb8bc9e |
| SHA512 | 6595b9b3c48bd8ff363495e18dc8d03e081a7134a0af208bde8082182c43988266fad1b9e6d44c0fde71e9a16f2cc833c7a694e2198f8e48aa6ffbd4882f2942 |
memory/1832-29-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Njpdnedf.exe
| MD5 | 025e08a6f9a1ca89a38f3a382bb3cdfe |
| SHA1 | dc92972f927a39d08834817091c23ee8796f6ede |
| SHA256 | 2c70ad276fe9d5e30de9dab8955ed049ae20e92253d41d86cf49d3a7b257240e |
| SHA512 | 85ee57900cbfe8576b4377a3ce64281e2342554aa677d9d84c0316d099c12bdcc88be4036e288c0ae3cde7bd6b12c230a9d44681ed0b6460f2b76331b553948a |
memory/744-33-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1492-21-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Oeehkn32.exe
| MD5 | 4b03d34768cc795920c652bc7c94e996 |
| SHA1 | 7ebbb8ddf8d6961dd727d76084da4ad04f4eba7e |
| SHA256 | d442a645e1fcabfc8be04d08d12c0110fe4417e998fabdd98e5adbaf2bdc6ddd |
| SHA512 | f2786b9f258aad9f0239cde98dd7eab107a2c6d4033e547b8bfa1dc22ec0ed5a95bdb71a62e1e659eef0132522582c7828258b9422395e4fb84e4bd27b6221e6 |
C:\Windows\SysWOW64\Odhifjkg.exe
| MD5 | 24dba2b94c61ec0ccaaf36e185ef7f10 |
| SHA1 | 4d9e4629c78dcfe72c2d7411daede9489688c959 |
| SHA256 | 947953fb125649a743776accab1deb899cf935327ca314d7eee5dbeee00496c0 |
| SHA512 | b43f71e89d0e2d1717b8f64af274985a99e53b1868890fa4ef3533cb38ea453db0b24473bce52fbd03af72bcd756efe0d7088fe230341474fddbd1a898e08af8 |
memory/3376-45-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4924-14-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Onnmdcjm.exe
| MD5 | 0c24eea6c67f34dd84a7f628250f3f7e |
| SHA1 | 584518b3b1f05bf1ed4bba0ccdfa097ed6b3cf56 |
| SHA256 | 99e7fe8d5d741a12c8e6373ee62695b9b62159462b68e87b3490f36988447731 |
| SHA512 | c5427b4f154b0553471df71a09b6a633d7769deab4f60029017182522eeeaf8023d7f08fd91ffe1b8d846de78db040a328dec3f7914f66067d1cf66d93f03dce |
memory/1564-54-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2620-57-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Oeheqm32.exe
| MD5 | 1758299af632d92778e466403868b75e |
| SHA1 | da9efa7eec23923b83ca17f1ab5f2be93eb3d19b |
| SHA256 | db902047ae2a49fad2ff55cca8119d77180f6e89218610556f7b45a469c3c934 |
| SHA512 | 5f0a83c0054a12c46db6b3faf737cc9bd0c3db5a00b12979494044f5bd0e37d70618aa67592780671a2fbecbd8e213be2f058667f1bd39681067ca9ea7b798da |
memory/1176-65-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Olanmgig.exe
| MD5 | 1359142458b93af8b673ae8f668a03b1 |
| SHA1 | d8894a99a1b7bc295a885cd8ab7078f06d05c497 |
| SHA256 | 2c2eb6623167b2c2ca3297a2b608c427c22620b76fbcb706c6444ebf30ddbc50 |
| SHA512 | b03dc6a77e4979b7709ff5aac997514a041fb56ff8bbe608b56c807ff6cb3688c904699dece3cca62cecf47238e18b9498bbb98709d81c112e156252ff6b8617 |
memory/3976-73-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Omcjep32.exe
| MD5 | 0f5be4ee373339ccd1dc857eddc69ec8 |
| SHA1 | bf51a1305f1a7faefc4f9b88e23a110f8a76f53f |
| SHA256 | 3f20b4d3f998d798e4a680db7ceefb3bf8f014c602ea62d09a275aaa4ec7164d |
| SHA512 | 5e13591acd382ddd9cd448621a927f858037d742e38890afb3f7c5794e5f95fe0c7ae700d55c0d21449a13d5f283416b96f1fc2bfcb53fa7fe6d7e3414171a54 |
memory/3096-81-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Oejbfmpg.exe
| MD5 | d6e2a0391f236228c4eb28e1cd163ec0 |
| SHA1 | 9f8790c76fe214fd180e89e95daf75877d6bd295 |
| SHA256 | 25f23654516bee29a49bad614db8456bb847ab0ba739cf314aaf8e3949209a3d |
| SHA512 | 250fed489cb1a566d87234c5b34756e219eb8d98e540fda5647a3d4029470bdcc9fcb3bd3d14970cf5a123f21efdf8536e66648e11eb21802e530be392883dc3 |
memory/4784-89-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Ohhnbhok.exe
| MD5 | 22a7e82e647a71b26c6d7e0e17a9f77c |
| SHA1 | b8f69f2e30fa2d481e0a9f80e04492994048b826 |
| SHA256 | 670a59c773f243319a1cfe72e0a30d04d0a456725990375cb527a308e53c079d |
| SHA512 | d35ad5d170f17c2fc57422512f48dd8e4a65800e05d312b075fe8cdd633f6a5fb733150b6b3ca960d6c71032792d5b5c42eacb747de129df9897527f6cb8d236 |
memory/2876-97-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Omegjomb.exe
| MD5 | 03def6f23ff63675891912876bee9dd1 |
| SHA1 | 8b5dcc3283f99818784d9be60edfcc5a0ede45d4 |
| SHA256 | 945efe5739d77e4ab50214f2d06c2aae5b74db9ca44f008e8d25abdad79c1464 |
| SHA512 | 51b905f983e1cfbdc13b717f008ce6dad41ccc6a2a787bfac232065cb8d9749044bcf7e3f5213d8de01442b438bd2dc9484ca41a208144754d76b12846a3cd8b |
memory/5036-104-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Odoogi32.exe
| MD5 | d0d9c9075cd76e020a45207d6a3bd9f1 |
| SHA1 | 61972864558136afbcf490cc2f5d1071b046c3bb |
| SHA256 | 1000aeb39de5cb97a1b6f0495d586809c63557d89124b3f004de104a3303059e |
| SHA512 | 7eddcccb0891a6139d6de0117f543f12d27bf1f7956ae6050b468de5a6d0d2a45223f45c0af92529309497747122a1b04fab0851bd20b088c00bf3f149dfaf30 |
memory/2636-112-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Oacoqnci.exe
| MD5 | ab0cb66e1f5c6678ec246993a078c4ba |
| SHA1 | 4330da3a1fae7d7c395b786d34ca3f320532c2cb |
| SHA256 | 62bd2dc7841d0cc42f79bd13dfb782c4c19adb21d26bf04021cb774ace8d1814 |
| SHA512 | cd2eec9cbd73d44810f5f3ae7d6f60be9987fb065dc229a27216cd6f71792d5c94c0b0709fd88f539d4d9a25c3625b4575f934582f031aaa2cb21a6d48cecd01 |
memory/544-121-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Odalmibl.exe
| MD5 | 400c0667ae0351b5d0a54c32cf96d4ea |
| SHA1 | d67684a1a8e06ec42cd81bfacb2f5bcfe33f55c4 |
| SHA256 | 2d490816b75d475625ffad69592a6511d9d0870a34d91d842226adce9c2088a6 |
| SHA512 | 934130ee4f6f7ea5145daae31829b70d76a84a4395502eef7f46575acda176528e3ea8ce7c300b678fd2885afaa74d3d8e5672f2139ef7984d9506b55b29140e |
memory/1700-128-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Oogpjbbb.exe
| MD5 | e47400304bacceacd443a4855cf4044a |
| SHA1 | 513d5902402f90425c56931a968dfdb4cdd5f884 |
| SHA256 | 3660d1dda96131739eaea23358ec1671069c6371b3de16e9b0cf1fd299897155 |
| SHA512 | cdc24d39e760c11105490bf737b351e0a473c437fc49aa688576e1adf36ad24f3a392333fe5b88211a33f750e65a97f1f91e0de9b53335ffb92f0a37cb50abea |
memory/3604-136-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pddhbipj.exe
| MD5 | a0df6300f9a57f27cc0ca4f3183dd213 |
| SHA1 | 5021dde9d4c11f30df2e60d87d61c5c8c41d826c |
| SHA256 | c25cb169014d3df30df7bc4e19ad4d8c0e785cb5b910f1dffb351b4dacc5d386 |
| SHA512 | 5a42b586e5ab4d0ff1500df1ffba40a854ff1f1f95a96eac30fb91068b1e301ff2e791f6d8c2355a2c916b49c6a5a3f58caf1784156d65b5ab638a5259909d2e |
memory/3148-145-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pknqoc32.exe
| MD5 | 6f1a6b0ff490ae24e83b07543b1adf22 |
| SHA1 | 72f0ff2e2eb599ee59cb669bea468de1b31abb1f |
| SHA256 | 90fa8067ceff353a37dad927b7ca16aafbe724dcd22f4870419e665d2c7ffc71 |
| SHA512 | 9d1ee12f240c5388948a6e789c5204434bf6628a785a5768a804a518569ed794b5685e0a3f9d69442e60e0bdde1a59158dc2629963ceff65d67e49e5b154110d |
memory/1780-153-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pmlmkn32.exe
| MD5 | f569febc08c6b5deaace0dd29586bbf3 |
| SHA1 | f7df968a42a4e78b6fe9ca23dc55d5bc33c1e9ee |
| SHA256 | 4331e082ed1cab34b9c2498172c5fbd1b805c2a8f81d76c20e93083a75e39b62 |
| SHA512 | 317d7ee04600fa965570c53b7cf018c1ff3e4024ba172556081949981bd3fba6e8e74a5cf914bc9d0f80dc1cb542fa9acefd3bfeb6966b82a7531a8f3aabbeae |
memory/3780-161-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pdfehh32.exe
| MD5 | b03ded83b0945ab302373a84d3e35c20 |
| SHA1 | 46cea3134733773675a791e9d3a946cfa33d37f4 |
| SHA256 | 4cf40e5be575ce255eb138d611c017a6a34f8b1d2b4637e9044aa7da058b5345 |
| SHA512 | 72cf2e0f15c69081d0d647f7a4df2f56e7d0436df2b3b7ea8d8b8f231030df2b896cfd70782403b9739efa8f83e8868eda7e808368d3243d2e86d8313216e16c |
memory/1596-169-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2892-176-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Plmmif32.exe
| MD5 | 3458e92447cf98166e73ce0ab16db231 |
| SHA1 | e4df010570a44692605dd0d9507501219bcea864 |
| SHA256 | fc548254e342b1d77d3aeedfb6ab293e711af4ab11339347ddc8ad8346f8a38b |
| SHA512 | f1dedba10327290768bfdeb8d58bead4c0fa7748f5e49e5d4e478f564c3aa4f03e517bf4fdc99f392ba866403916969adb54bd4f1eaf0af894d538fa386cb7d2 |
memory/3000-185-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pmoiqneg.exe
| MD5 | e191cb40dbf718fe88653030991cb58f |
| SHA1 | 8bb6a6166bb109680a0d337fcbca2bcd1faa91ad |
| SHA256 | aba76de25100cc601518d9f653a06f5e5b23038487dec4df4430cb4ef03f7fdc |
| SHA512 | 0ac9e55e52488482df38047e8b78f62d1026e5b4cd0c4229e744bfc592471e93f44bc3d56d843e9c5b02b2428d54905e89141bd9b167d673a514864d2049735d |
C:\Windows\SysWOW64\Pdhbmh32.exe
| MD5 | 0a39f9558195388732503a3b12035313 |
| SHA1 | fdf271a02f55125142c7f058ff831210511a8355 |
| SHA256 | 2791a74e5416f6fe4559e1a8d5f1abe0c429ee4b83dbb7f0e08c408391d9f4eb |
| SHA512 | 5e7b5541f5a3c38af3ddfe55cf93273cbd36c38e5649fe6f96e4fba3c1caaa89f0d1e5fa317589ed02697e0c0e40e900f471bc85ffda4bb74c395fe8dfb9526d |
memory/4500-193-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pmaffnce.exe
| MD5 | 5cd4c58a285b44f43080a3c74b447b2b |
| SHA1 | 8a9e7afdab689a6ce313b8761f08fd0bcef523f0 |
| SHA256 | 94fecdd1efc047b67da5dbb8e43864f3ac5fd4c282c68f54a2614357dc66b966 |
| SHA512 | 9f4273f0a99289e9e03ef65a73bed82a80433ad1a6c08288ed80d13c0d3be356b7c51285196c214274d2134099e5a36ff89e9a7e8b542111f1a4927b3ee2b155 |
memory/1620-201-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Phfjcf32.exe
| MD5 | bee671c4bc171b6141658bb9842d6a1b |
| SHA1 | 741bd2f3af5e88e7c4cbcfb8ef5a071feb67314c |
| SHA256 | 6ac618f633904cbe33cbcd219a0be48d93d95bbec8a69d48edfef75dc53901ef |
| SHA512 | 41c810001bfcbf1daa958b77bdf2213608f427a041687ea510e2897aca5b290d193b760d437f838f4c8fbf96ee4c3ef93c65f3f139ea8c3c3483b98004f590a3 |
memory/1568-209-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Popbpqjh.exe
| MD5 | 25b68f3c1a7463c9f1fa75263afc757e |
| SHA1 | 122401216b3b8c2fbefe29d341bc9bf5ee348a51 |
| SHA256 | a8bf310a1e6300cf7d27e3be7e83f7864e8983777ae204cc9884c3e0894d7ece |
| SHA512 | a090d32e8a71e731aadcca64d94e81ce1e36fda0b378f5077802cd7c3e405d863570e56754ff773cfb48e0f4d70eecea00e60264686f9afdc7c6fdafebb02581 |
memory/1968-217-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pdmkhgho.exe
| MD5 | 3802a678d44a300d9cf6244e802b8d16 |
| SHA1 | 735ca2941e9b0ad17c6489b896379c01e490a5b5 |
| SHA256 | 0433459a72809d79d9383e6896cfa8d455ba6da2f5a83ce6c44052523b8fad8b |
| SHA512 | 293c8a0646e4e625610a6740329b5ef93a09b1c9e1d6fa2c9d985e3d99e3f5b357082300bce301516c020b316b1e9abe73e1f386aabf6f38eca71092a5aef4e4 |
memory/3956-229-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Pocpfphe.exe
| MD5 | 6507b5ca8252efd6bf3db4a64a956637 |
| SHA1 | 6485b54a26186480f3a1e90834ec4b7ebc0f7678 |
| SHA256 | 18279c189b180efff1cadb30fbd991adc03283f1e6a9cf1e7396d142cb0523db |
| SHA512 | fd22ada6b7f5b877db6d3a5268e177020b1a688b42eb4af4cc8a45d6984a7d2de89fccbb979d72951cbec576f521b2cb6037c454f9941fbe00e1e44b27b08a97 |
memory/2252-233-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2564-240-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Qdphngfl.exe
| MD5 | 1c4aa2fa0ac4a6dd75c9889d71836f65 |
| SHA1 | 35c5d7d027c0cc55355cf96001aaca2eff68d699 |
| SHA256 | 4c767c025d300c4be8f103ac6cbfa05e22b53af9d832a6e2b990f68ff8f2d4b7 |
| SHA512 | aed195c99bd778c24e605050e852545ace160cbb8ed02ee1383d0e41a1f6d181820cb0703f2e2cc389abec28b8a2f5bf209f084f0cfa1a37ef2049aed85dc5f1 |
C:\Windows\SysWOW64\Qoelkp32.exe
| MD5 | e268ccbd34d299e7f819641f6487e1cd |
| SHA1 | aea26cec6f4bb85ee0d25cd534222eecc649d573 |
| SHA256 | df1d4eb719311a69f71801562828b7e685a2461f3d4fcf05fa41151fbff1d384 |
| SHA512 | 2e7906cccd14763e66b33486a0a78d2441dc3b28e2fbca990b8e003b1092c717886a8d64d0b3a802a739311e0662b01fec1a9847d6df12177488fb12e5c871fe |
memory/4848-249-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Qhmqdemc.exe
| MD5 | fa8b9253660b6ea8d058010141f93e2a |
| SHA1 | a8338609e8c6b4027e6b0470de12027dface363c |
| SHA256 | 57fb384eef7d1279439f241c59a29b5ba0adf237817438f04efe488a222286e7 |
| SHA512 | 6d6db48bf863e4331f985329ad732c2504185eee90e343185e246a28892fb32156e6593f22f0a339470949f5103c0ff52765f9d08eb3925c74778928d1c6a556 |
memory/2992-257-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4064-263-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3480-269-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1504-275-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3052-281-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1632-292-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2184-293-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4624-299-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3152-305-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2820-311-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4348-317-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1208-323-0x0000000000400000-0x0000000000442000-memory.dmp
memory/552-333-0x0000000000400000-0x0000000000442000-memory.dmp
memory/32-335-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4612-345-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3340-347-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1412-353-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Alelqb32.exe
| MD5 | c7ba4a423cd7b093815c6ae50c5b575c |
| SHA1 | 514483b733fde7dcd8693f2ae86d8d2d86cc2f84 |
| SHA256 | 719f4c95de33bc980bd432b1f1fbb0a0a6176afd046fda7f410bc042b9edfa62 |
| SHA512 | 792df1816c73a8611c3060561777960103c8c39bdb0a613213f752eace7bc126f001b7af7823db16aabaf5af53b2b3d856990336eb970be21f576db4dfe7747d |
memory/3284-359-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4724-369-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2216-371-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3064-377-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5088-383-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4072-390-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1260-395-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4704-401-0x0000000000400000-0x0000000000442000-memory.dmp
memory/548-407-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4084-417-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2160-424-0x0000000000400000-0x0000000000442000-memory.dmp
memory/232-425-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Bkaobnio.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3160-431-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4564-437-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4968-443-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3752-454-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5132-459-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5172-461-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Cdlqqcnl.exe
| MD5 | 8f3122e502492c91a2e0def056276c12 |
| SHA1 | 2f15315ad42de968b9b6bcd3471fa19068d667e8 |
| SHA256 | 736df430cc4e5b4f1ae8d542067ed9898ba60807176956df81ebce330a6ba1df |
| SHA512 | 3fdd8702557631461503e6e306f4508df9474ebaa70f69e1156ec2a06af54f6ac8d8908d5e9801ae6aa1958bd348d1942d3d30c989aa4ae6e685e466699d9051 |
memory/5260-471-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5316-473-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5368-479-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5408-485-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5448-494-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5488-498-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5528-503-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5572-509-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5612-515-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5656-521-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5696-527-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1860-533-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5736-538-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5780-540-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5820-546-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5860-552-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5900-562-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5940-568-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5980-575-0x0000000000400000-0x0000000000442000-memory.dmp
memory/744-574-0x0000000000400000-0x0000000000442000-memory.dmp
memory/6020-580-0x0000000000400000-0x0000000000442000-memory.dmp
memory/6068-583-0x0000000000400000-0x0000000000442000-memory.dmp
memory/6108-594-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2620-589-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4436-602-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1176-600-0x0000000000400000-0x0000000000442000-memory.dmp
memory/5252-608-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3976-607-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Windows\SysWOW64\Eiloco32.exe
| MD5 | 4f8fbf3f3f39c993291ea13fa2d9b8cb |
| SHA1 | 1fd1028cd0fa5b6191224bb785ea1382b5b2d7c0 |
| SHA256 | d4ccbef3ea56d480c71cd74539793a0dac9d4c253618b0d3cf2abe1bbca530a9 |
| SHA512 | dbdda43b11d22b0c64df0e84257ecf65452b9861c1f30b8a5b7bb2a6c8fc97a10149e19252ac2608498fb678576020de747a8088bd4067f5c5408a50bc04bf95 |
C:\Windows\SysWOW64\Gflhoo32.exe
| MD5 | 95b394557bf6aab073e534fbba7c68f7 |
| SHA1 | cb01f6822675501e4ef97e7ce79ee67b08a268e9 |
| SHA256 | 205159f210b0514850ffce65fecf9baf5e03e2b2713e3f08000760ce127cdbc5 |
| SHA512 | cf986d08b9723691c78d02cd48067311329d3d50694679f891d4adf523657f7215e25e6ce3d149d1613ac667a779c3763e1e71b3f68f5a66996e8e40e95acccf |
C:\Windows\SysWOW64\Hibjli32.exe
| MD5 | 1f2f643a8102c38328af9397eb42f0eb |
| SHA1 | adc1a9a59dffa19b5e718738e35f6cc4fe228a46 |
| SHA256 | bfc69790e26be7b7e6c574bec7ceaa11cd70fbf7bdb893d089b424503fb95785 |
| SHA512 | 93d5fbdaaa2d814a3d8ebb77ebbf8332414e591f83c7369025d664208b06e7dfca3cfb7c4d7c22fd6c131b9f3081f00da46828826afcd9a3f0601e80d32044d4 |
C:\Windows\SysWOW64\Hifcgion.exe
| MD5 | 6dbd705fc2400105490dd65520157757 |
| SHA1 | 8286f6bbb9023c3f0c3994f07b27d6b7a99403eb |
| SHA256 | 09fd28def17cf1ba893bf5d1eeb4cf1d9c3f4de99d9d3cc193413c0224b0b3e6 |
| SHA512 | 32581d4eed930baa926abcee557598400ccd364b054a8567671577a5619a0411a3916d319815e050d1497e0008fffdb12632e5859f22e6d04810d87f844a40a9 |
C:\Windows\SysWOW64\Ibcaknbi.exe
| MD5 | 417ff51791fed13c4fc274c53f06504e |
| SHA1 | 179b8e4b0a0995a7cf98e22bb839d2c0eacaf29f |
| SHA256 | 4285cc435f938fcbc3bd6735ddec1c8fbdf7f92db641f038a22c4b4aee42f7d4 |
| SHA512 | e4291e90107332c39292603922b9136c6e88bc4f352041ca9df6952502efe9eadfcb11daca5fb4f283c8c289eb4bcb8c95bc38706fca45db7c62e1aa33eb2657 |
C:\Windows\SysWOW64\Jpaekqhh.exe
| MD5 | 249138b1d3633a6bd5558277d034e6af |
| SHA1 | a02d65d9c574657167d8195fafa7083c0238c4e9 |
| SHA256 | 7b721f7bc1236bf967c9d84f25b59ac1df08fcb22f3c3a1aafd02263da8083f7 |
| SHA512 | 2e02ea24ee4e6fe5a6db4efe119b9ee1566a05a1dcc8b5204237dbaefd40f9949c9375536ec0ea994d165cb536cadb7baffa585cc3a799254566d0cca15dc30b |
C:\Windows\SysWOW64\Kegpifod.exe
| MD5 | bfb9b87795950356439ca1d5f2aae960 |
| SHA1 | 0fcfd95dcc9cd3cf24175b204688bf9443ad12aa |
| SHA256 | f1cdf81d05c241b6dec75b3c61c09bbe68b967bc27022823b7becd513de43f2a |
| SHA512 | 373d8b2a5420f8aff582a416702900b51f6dd744c02187f7568f12a5edadf9bba1b25a4fe482c50d8db2b1357007e6770e21a490d1aaedd2562ef69792a9caea |
C:\Windows\SysWOW64\Lokdnjkg.exe
| MD5 | 74ac038a5d2d5d8630d524fe9fde722e |
| SHA1 | 6810ebad25a25187ad2cebdb5609fb4524836799 |
| SHA256 | 700d5ae3b21533ea1cbd31446f33e37badebbca4c49cdf39b949820fd986a167 |
| SHA512 | 0193a9be76b65c9ef63ee69360dfdda9f18af54940fcac75b93d3286c0316756865c9fc0ff7154c9ad55ab771d50fe4d21ec844f9683b0bba4cc0b3d1d64c3c3 |
C:\Windows\SysWOW64\Lobjni32.exe
| MD5 | c4214f11f7bfd8f6fbf4196cbe970fa9 |
| SHA1 | 36910a474f1971df4e35a1255c39320860487487 |
| SHA256 | b21468664947b94c53fedbdbeca074ed9d3e0f54d58b794f98fca9a52502a38d |
| SHA512 | ae45918d16a9650d29249bfe3b300a9d5c732d4bf86b6a1b1bfb102a2ba8167c6ee9f53d2fe65864f80b7bd7d734ae82e5d57476ebac2e2a28b7901c2bf01260 |
C:\Windows\SysWOW64\Nmkmjjaa.exe
| MD5 | d905b30aadade651a826c2804abdc3f2 |
| SHA1 | a290a82af308708b211fb5770f71646483e433eb |
| SHA256 | 4f3d5c29712f074425ce381281770464809e99343ebb3bca2334413f4bc9ed50 |
| SHA512 | 0dcfdbdedbf9ad65c94c0b773d7f232e727853611f4e8e2131bd6d0844cd459eb19a5eaae8ed11941fc8877d0b3f4d4d367fcddcbb448679467b48dde156578d |
C:\Windows\SysWOW64\Ondljl32.exe
| MD5 | a37aa08dd3649ee60de140a6e4d5b65e |
| SHA1 | 1e1546eb007fe2a3a56acca256fe54423c57079c |
| SHA256 | ee4e7c9b110a7f82c273ec502f5db1ca6fe16e0f687643320136a9232624a0c6 |
| SHA512 | a1529e2f4a49cd489954f2465e1c2baf925a29eafbb2f40474477d917d8ca7fc7f1093e8e014d42ebfce6b1f22bdf1904f1b9bc07ffc09f0d8786c3fd526f1f4 |
C:\Windows\SysWOW64\Qhhpop32.exe
| MD5 | b468dd397fae2bc299eedc358b393b9b |
| SHA1 | aa26d18b92ffa07133bea5e61120f6a20294c982 |
| SHA256 | 28b1c72994d72742827e1b4cc964992899b5b7be71686a98771fee460994eab8 |
| SHA512 | 8134e679bf45d6eb8ce75e003877de0598385c606b8594c5447ff0a8f194bd3d2bffb8780e371e784bace1833aca57e2a45cabfcee0067fe107ec928e9becff5 |
C:\Windows\SysWOW64\Qpeahb32.exe
| MD5 | b4209075bddda4284809857190dcc401 |
| SHA1 | c9434a0669d71a2d3aa2301f7870f44a91bae7cb |
| SHA256 | a950a4741008f7badc135af1606cd08a48de0f9ce30a5c6f0d8e63c86aeb19f8 |
| SHA512 | 9e9bc28c9454fd358e18da965fb75923097c61de72f5ef145274c7304b2fbc55d4c31426fababc5996d9969bb23fe125b91f105ece6be474b30bcd5e1210ac5c |
C:\Windows\SysWOW64\Ahaceo32.exe
| MD5 | da88f3c031faad504b785fd1afbe62f5 |
| SHA1 | 8bcbde041f6472b9f05af02ef5c31c4a133547b1 |
| SHA256 | 3f4236a29c233c5a1da9a53a8a1580b5fd7fb364c358b9e4e5c59332633bbfbe |
| SHA512 | 3d97ca8b177e1bf5852e7b1e8ba7dc20b9e97ead11a79f653be97fea55aac8cc34347195657e070c1ac022b19c5fba9f96e46ca77f15173a57bf3fc1f9806550 |
C:\Windows\SysWOW64\Aonhghjl.exe
| MD5 | 60824c78240bcc4db907da3cdc063a62 |
| SHA1 | aebaded1254eac7ecf8545ece9907c1afbe3074b |
| SHA256 | b29d61cece56447597684a6576bbfb634e7c397acb7f11b2a84a99114dc56988 |
| SHA512 | b04c916b2cf615fc557e11e91b327adb9fd49bc81f4d40f28e52cb70cb1a3ecb4c39ea356ac87a94369cd1346ca473150cb2802a2bf43b4559c8869b9a5b1eb4 |
C:\Windows\SysWOW64\Bgnffj32.exe
| MD5 | b4b997c6f8bf19d241c88b939e41f26a |
| SHA1 | 93e291ab67a727a510a241bd2eec473897b00fb5 |
| SHA256 | e897c377df7f7f7d7e733e7543db27f9cdfbb3323707b1fc2f8440317a75370c |
| SHA512 | dd0b687a237a9e03950525d65f42b08d0ad99e48fe1f05019b591656a9844feb42e5669ad643f2cbea7bd714ec06d05146d89ca8ace2428e6e346ef7644edea9 |
C:\Windows\SysWOW64\Bdagpnbk.exe
| MD5 | 618d20eeefc1f96949d12fc179846331 |
C:\Windows\SysWOW64\Boihcf32.exe
C:\Windows\SysWOW64\Cpdgqmnb.exe
C:\Windows\SysWOW64\Cpfcfmlp.exe
C:\Windows\SysWOW64\Dddllkbf.exe
C:\Windows\SysWOW64\Ehpadhll.exe
C:\Windows\SysWOW64\Eghkjdoa.exe
C:\Windows\SysWOW64\Fndpmndl.exe
C:\Windows\SysWOW64\Fgmdec32.exe
C:\Windows\SysWOW64\Fniihmpf.exe
C:\Windows\SysWOW64\Gpolbo32.exe
C:\Windows\SysWOW64\Gngeik32.exe
C:\Windows\SysWOW64\Hajkqfoe.exe
C:\Windows\SysWOW64\Jemfhacc.exe
C:\Windows\SysWOW64\Jeapcq32.exe
C:\Windows\SysWOW64\Lakfeodm.exe
C:\Windows\SysWOW64\Mjidgkog.exe
C:\Windows\SysWOW64\Mfenglqf.exe
C:\Windows\SysWOW64\Oophlo32.exe
C:\Windows\SysWOW64\Oflmnh32.exe
C:\Windows\SysWOW64\Pfepdg32.exe
C:\Windows\SysWOW64\Ppnenlka.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 19:48
Reported
2024-06-02 19:51
Platform
win7-20240508-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fhhcgj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Enihne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fnbkddem.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fhhcgj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ggpimica.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hodpgjha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gejcjbah.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hodpgjha.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ealnephf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Enihne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ggpimica.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ogjbla32.dll | C:\Windows\SysWOW64\Enihne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjcpjl32.dll | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| File created | C:\Windows\SysWOW64\Pabakh32.dll | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkpnhgge.exe | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hggomh32.exe | C:\Windows\SysWOW64\Hdhbam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ecmkgokh.dll | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbijhg32.exe | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocjcidbb.dll | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Liqebf32.dll | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eajaoq32.exe | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flabbihl.exe | C:\Windows\SysWOW64\Ealnephf.exe | N/A |
| File created | C:\Windows\SysWOW64\Egadpgfp.dll | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipjchc32.dll | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gegfdb32.exe | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hkpnhgge.exe | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| File created | C:\Windows\SysWOW64\Pffgja32.dll | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| File created | C:\Windows\SysWOW64\Eeqdep32.exe | C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Enihne32.exe | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fjdbnf32.exe | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| File created | C:\Windows\SysWOW64\Dchfknpg.dll | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffpmnf32.exe | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Globlmmj.exe | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gelppaof.exe | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gcmjhbal.dll | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Dcdooi32.dll | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlcgeo32.exe | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhggeddb.dll | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fioija32.exe | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ffbicfoc.exe | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gbijhg32.exe | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdhbam32.exe | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkkalk32.exe | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Icbimi32.exe | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ambcae32.dll | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjpfgi32.dll | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndabhn32.dll | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjdbnf32.exe | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| File created | C:\Windows\SysWOW64\Ggpimica.exe | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| File created | C:\Windows\SysWOW64\Omabcb32.dll | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Idceea32.exe | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajlppdeb.dll | C:\Windows\SysWOW64\Ealnephf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fhhcgj32.exe | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Olndbg32.dll | C:\Windows\SysWOW64\Fnbkddem.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Facdeo32.exe | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffbicfoc.exe | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| File created | C:\Windows\SysWOW64\Globlmmj.exe | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eeqdep32.exe | C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe | N/A |
| File created | C:\Windows\SysWOW64\Fhhcgj32.exe | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiqbndpb.exe | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ealnephf.exe | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gaemjbcg.exe | C:\Windows\SysWOW64\Ggpimica.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcnpbi32.exe | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Icbimi32.exe | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnnhje32.dll | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hodpgjha.exe | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fioija32.exe | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ghkllmoi.exe | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hdhbam32.exe | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| File created | C:\Windows\SysWOW64\Gacpdbej.exe | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iagfoe32.exe | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gejcjbah.exe | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Iagfoe32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" | C:\Windows\SysWOW64\Fhhcgj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Enihne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll" | C:\Windows\SysWOW64\Hkpnhgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fnbkddem.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" | C:\Windows\SysWOW64\Fjdbnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" | C:\Windows\SysWOW64\Hlcgeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hodpgjha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" | C:\Windows\SysWOW64\Hggomh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcnpbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" | C:\Windows\SysWOW64\Hkkalk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hgbebiao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ghkllmoi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Idceea32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" | C:\Windows\SysWOW64\Hodpgjha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" | C:\Windows\SysWOW64\Gbijhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hacmcfge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll" | C:\Windows\SysWOW64\Gegfdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll" | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hodpgjha.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eeqdep32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" | C:\Windows\SysWOW64\Flabbihl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" | C:\Windows\SysWOW64\Gelppaof.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gacpdbej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" | C:\Windows\SysWOW64\Ggpimica.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll" | C:\Windows\SysWOW64\Elmigj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gaemjbcg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" | C:\Windows\SysWOW64\Fdoclk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" | C:\Windows\SysWOW64\Fioija32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Globlmmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ghfbqn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" | C:\Windows\SysWOW64\Hiqbndpb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eajaoq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Filldb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fhhcgj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Facdeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll" | C:\Windows\SysWOW64\Gobgcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Icbimi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ealnephf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Enihne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejbfhfaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll" | C:\Windows\SysWOW64\Ffpmnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll" | C:\Windows\SysWOW64\Ffbicfoc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" | C:\Windows\SysWOW64\Enihne32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe"
C:\Windows\SysWOW64\Eeqdep32.exe
C:\Windows\system32\Eeqdep32.exe
C:\Windows\SysWOW64\Enihne32.exe
C:\Windows\system32\Enihne32.exe
C:\Windows\SysWOW64\Elmigj32.exe
C:\Windows\system32\Elmigj32.exe
C:\Windows\SysWOW64\Eajaoq32.exe
C:\Windows\system32\Eajaoq32.exe
C:\Windows\SysWOW64\Ejbfhfaj.exe
C:\Windows\system32\Ejbfhfaj.exe
C:\Windows\SysWOW64\Ealnephf.exe
C:\Windows\system32\Ealnephf.exe
C:\Windows\SysWOW64\Flabbihl.exe
C:\Windows\system32\Flabbihl.exe
C:\Windows\SysWOW64\Fjdbnf32.exe
C:\Windows\system32\Fjdbnf32.exe
C:\Windows\SysWOW64\Fhhcgj32.exe
C:\Windows\system32\Fhhcgj32.exe
C:\Windows\SysWOW64\Fnbkddem.exe
C:\Windows\system32\Fnbkddem.exe
C:\Windows\SysWOW64\Fdoclk32.exe
C:\Windows\system32\Fdoclk32.exe
C:\Windows\SysWOW64\Filldb32.exe
C:\Windows\system32\Filldb32.exe
C:\Windows\SysWOW64\Facdeo32.exe
C:\Windows\system32\Facdeo32.exe
C:\Windows\SysWOW64\Ffpmnf32.exe
C:\Windows\system32\Ffpmnf32.exe
C:\Windows\SysWOW64\Fioija32.exe
C:\Windows\system32\Fioija32.exe
C:\Windows\SysWOW64\Ffbicfoc.exe
C:\Windows\system32\Ffbicfoc.exe
C:\Windows\SysWOW64\Globlmmj.exe
C:\Windows\system32\Globlmmj.exe
C:\Windows\SysWOW64\Gbijhg32.exe
C:\Windows\system32\Gbijhg32.exe
C:\Windows\SysWOW64\Gegfdb32.exe
C:\Windows\system32\Gegfdb32.exe
C:\Windows\SysWOW64\Ghfbqn32.exe
C:\Windows\system32\Ghfbqn32.exe
C:\Windows\SysWOW64\Gejcjbah.exe
C:\Windows\system32\Gejcjbah.exe
C:\Windows\SysWOW64\Gobgcg32.exe
C:\Windows\system32\Gobgcg32.exe
C:\Windows\SysWOW64\Gelppaof.exe
C:\Windows\system32\Gelppaof.exe
C:\Windows\SysWOW64\Ghkllmoi.exe
C:\Windows\system32\Ghkllmoi.exe
C:\Windows\SysWOW64\Gacpdbej.exe
C:\Windows\system32\Gacpdbej.exe
C:\Windows\SysWOW64\Ggpimica.exe
C:\Windows\system32\Ggpimica.exe
C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\system32\Gaemjbcg.exe
C:\Windows\SysWOW64\Hgbebiao.exe
C:\Windows\system32\Hgbebiao.exe
C:\Windows\SysWOW64\Hiqbndpb.exe
C:\Windows\system32\Hiqbndpb.exe
C:\Windows\SysWOW64\Hkpnhgge.exe
C:\Windows\system32\Hkpnhgge.exe
C:\Windows\SysWOW64\Hdhbam32.exe
C:\Windows\system32\Hdhbam32.exe
C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\system32\Hggomh32.exe
C:\Windows\SysWOW64\Hlcgeo32.exe
C:\Windows\system32\Hlcgeo32.exe
C:\Windows\SysWOW64\Hcnpbi32.exe
C:\Windows\system32\Hcnpbi32.exe
C:\Windows\SysWOW64\Hodpgjha.exe
C:\Windows\system32\Hodpgjha.exe
C:\Windows\SysWOW64\Hacmcfge.exe
C:\Windows\system32\Hacmcfge.exe
C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\system32\Hkkalk32.exe
C:\Windows\SysWOW64\Icbimi32.exe
C:\Windows\system32\Icbimi32.exe
C:\Windows\SysWOW64\Idceea32.exe
C:\Windows\system32\Idceea32.exe
C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 140
Network
Files
\Windows\SysWOW64\Eeqdep32.exe
C:\Windows\SysWOW64\Enihne32.exe
\Windows\SysWOW64\Elmigj32.exe
\Windows\SysWOW64\Eajaoq32.exe
\Windows\SysWOW64\Ejbfhfaj.exe
\Windows\SysWOW64\Ealnephf.exe
C:\Windows\SysWOW64\Flabbihl.exe
\Windows\SysWOW64\Fjdbnf32.exe
\Windows\SysWOW64\Fhhcgj32.exe
\Windows\SysWOW64\Fnbkddem.exe
\Windows\SysWOW64\Fdoclk32.exe
\Windows\SysWOW64\Filldb32.exe
\Windows\SysWOW64\Facdeo32.exe
\Windows\SysWOW64\Ffpmnf32.exe
\Windows\SysWOW64\Fioija32.exe
\Windows\SysWOW64\Ffbicfoc.exe
C:\Windows\SysWOW64\Globlmmj.exe
C:\Windows\SysWOW64\Gbijhg32.exe
C:\Windows\SysWOW64\Gegfdb32.exe
C:\Windows\SysWOW64\Ghfbqn32.exe
C:\Windows\SysWOW64\Gejcjbah.exe
C:\Windows\SysWOW64\Gobgcg32.exe
C:\Windows\SysWOW64\Gelppaof.exe
C:\Windows\SysWOW64\Ghkllmoi.exe
C:\Windows\SysWOW64\Gacpdbej.exe
C:\Windows\SysWOW64\Ggpimica.exe
C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\SysWOW64\Hgbebiao.exe
C:\Windows\SysWOW64\Hiqbndpb.exe
C:\Windows\SysWOW64\Hkpnhgge.exe
C:\Windows\SysWOW64\Hdhbam32.exe
C:\Windows\SysWOW64\Hggomh32.exe
C:\Windows\SysWOW64\Hlcgeo32.exe
C:\Windows\SysWOW64\Hcnpbi32.exe
C:\Windows\SysWOW64\Hodpgjha.exe
C:\Windows\SysWOW64\Hacmcfge.exe
C:\Windows\SysWOW64\Hkkalk32.exe
C:\Windows\SysWOW64\Icbimi32.exe
C:\Windows\SysWOW64\Idceea32.exe
C:\Windows\SysWOW64\Iagfoe32.exe