Analysis Overview
SHA256
c8838f5fb02f2d77675d57e09db4f42275a9d620370d91ceab4e133c2c7a1e55
Threat Level: Known bad
The file 924175e1c77a17d831516187efdb1d60N.exe was found to be: Known bad.
Malicious Activity Summary
Gozi
Adds autorun key to be loaded by Explorer.exe on startup
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 10:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 10:05
Reported
2024-08-06 10:07
Platform
win7-20240708-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dadbdkld.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Famaimfe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ikgkei32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iclbpj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fkqlgc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibcphc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kjeglh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfckcoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cfckcoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjogcm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dnqlmq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dgknkf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkojbf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hnkdnqhm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjfnnajl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Icncgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghgfekpn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Goqnae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iaimipjl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hdbpekam.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gnfkba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbmome32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gecpnp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gajqbakc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gajqbakc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hjfnnajl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcnoejch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkojbf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Folhgbid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fglfgd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Imggplgm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kgcnahoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Epnhpglg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gamnhq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Famaimfe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fgocmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghgfekpn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hdbpekam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iclbpj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kambcbhb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Epnhpglg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jcnoejch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dnhbmpkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fglfgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gnfkba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hnmacpfj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Jikhnaao.exe | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pehbqi32.dll | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhhcghdk.dll | C:\Windows\SysWOW64\Dadbdkld.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmiflpof.dll | C:\Windows\SysWOW64\Hiioin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kidjdpie.exe | C:\Windows\SysWOW64\Kambcbhb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lbjofi32.exe | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgknkf32.exe | C:\Windows\SysWOW64\Daaenlng.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ibfmmb32.exe | C:\Windows\SysWOW64\Igqhpj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kdbepm32.exe | C:\Windows\SysWOW64\Kadica32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gecpnp32.exe | C:\Windows\SysWOW64\Gpggei32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cocajj32.dll | C:\Windows\SysWOW64\Ebckmaec.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdgoqijf.dll | C:\Windows\SysWOW64\Gajqbakc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnkdnqhm.exe | C:\Windows\SysWOW64\Hgqlafap.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kadica32.exe | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Onpeobjf.dll | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dafoikjb.exe | C:\Windows\SysWOW64\Dnhbmpkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghgfekpn.exe | C:\Windows\SysWOW64\Gamnhq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Clffbc32.dll | C:\Windows\SysWOW64\Gnfkba32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kqacnpdp.dll | C:\Windows\SysWOW64\Hcgmfgfd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifblipqh.dll | C:\Windows\SysWOW64\Imggplgm.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgcmiq32.dll | C:\Windows\SysWOW64\Iaimipjl.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipafocdg.dll | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjpqkajf.dll | C:\Windows\SysWOW64\Dekdikhc.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgeelf32.exe | C:\Windows\SysWOW64\Hmpaom32.exe | N/A |
| File created | C:\Windows\SysWOW64\Blbjlj32.dll | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmfpmc32.exe | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmmfnb32.exe | C:\Windows\SysWOW64\Kkojbf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mndofg32.dll | C:\Windows\SysWOW64\Dnhbmpkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Khjgel32.exe | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eknpadcn.exe | C:\Windows\SysWOW64\Eafkhn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eeojcmfi.exe | C:\Windows\SysWOW64\Epbbkf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebckmaec.exe | C:\Windows\SysWOW64\Eeojcmfi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fimoiopk.exe | C:\Windows\SysWOW64\Fgocmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnlnhm32.dll | C:\Windows\SysWOW64\Gamnhq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aibijk32.dll | C:\Windows\SysWOW64\Hjmlhbbg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hfhfhbce.exe | C:\Windows\SysWOW64\Hgeelf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogbogkjn.dll | C:\Windows\SysWOW64\Iinhdmma.exe | N/A |
| File created | C:\Windows\SysWOW64\Dekdikhc.exe | C:\Windows\SysWOW64\Dnqlmq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgngaoal.dll | C:\Windows\SysWOW64\Jmdgipkk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjfnnajl.exe | C:\Windows\SysWOW64\Hclfag32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Icncgf32.exe | C:\Windows\SysWOW64\Ikgkei32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kekkiq32.exe | C:\Windows\SysWOW64\Kbmome32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eknpadcn.exe | C:\Windows\SysWOW64\Eafkhn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfcabd32.exe | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| File created | C:\Windows\SysWOW64\Qmgaio32.dll | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Efhqmadd.exe | C:\Windows\SysWOW64\Epnhpglg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjogcm32.exe | C:\Windows\SysWOW64\Cfckcoen.exe | N/A |
| File created | C:\Windows\SysWOW64\Hqnjek32.exe | C:\Windows\SysWOW64\Hfhfhbce.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmkoadgf.dll | C:\Windows\SysWOW64\Ieponofk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Igebkiof.exe | C:\Windows\SysWOW64\Icifjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gpggei32.exe | C:\Windows\SysWOW64\Fimoiopk.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdmnkd32.dll | C:\Windows\SysWOW64\Efjmbaba.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkqlgc32.exe | C:\Windows\SysWOW64\Fahhnn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ibcphc32.exe | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ijaaae32.exe | C:\Windows\SysWOW64\Igceej32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkaobghp.dll | C:\Windows\SysWOW64\Igceej32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgknkf32.exe | C:\Windows\SysWOW64\Daaenlng.exe | N/A |
| File created | C:\Windows\SysWOW64\Fglfgd32.exe | C:\Windows\SysWOW64\Famaimfe.exe | N/A |
| File created | C:\Windows\SysWOW64\Eqpkfe32.dll | C:\Windows\SysWOW64\Hdbpekam.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibcphc32.exe | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Igebkiof.exe | C:\Windows\SysWOW64\Icifjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbclgf32.exe | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kambcbhb.exe | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eafkhn32.exe | C:\Windows\SysWOW64\Ebckmaec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hcgmfgfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Epbbkf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fooembgb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fijbco32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Khjgel32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkojbf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dadbdkld.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fggmldfp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iinhdmma.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjfkmdlg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dekdikhc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hnmacpfj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dnjoco32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kambcbhb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jcnoejch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hadcipbi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daaenlng.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dafoikjb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ibfmmb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Igebkiof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jpgmpk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gecpnp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hjfnnajl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ebckmaec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ibhicbao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Icifjk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jmdgipkk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ejaphpnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Efhqmadd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Folhgbid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hjmlhbbg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgqlafap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Igqhpj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eeojcmfi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkqlgc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ieponofk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gcgqgd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hiioin32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iclbpj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dnqlmq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gpggei32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ikgkei32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kjeglh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgknkf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghgfekpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hclfag32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hmpaom32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgeelf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kadica32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpklkgoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Goqnae32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmmcpi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jplfkjbd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll" | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkojbf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahemgiea.dll" | C:\Windows\SysWOW64\Eeojcmfi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Igebkiof.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ejaphpnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fooembgb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gecpnp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Igqhpj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll" | C:\Windows\SysWOW64\Lmmfnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cfckcoen.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cjogcm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fkqlgc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hfhfhbce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dafoikjb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Efhqmadd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnjbnhn.dll" | C:\Windows\SysWOW64\Gcgqgd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Igceej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jmdgipkk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jfohgepi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgklp32.dll" | C:\Windows\SysWOW64\Epnhpglg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gacdld32.dll" | C:\Windows\SysWOW64\Famaimfe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmkihbho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gncnmane.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll" | C:\Windows\SysWOW64\Hqiqjlga.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hiioin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" | C:\Windows\SysWOW64\Kdphjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Koflgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kadica32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Folhgbid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fglfgd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jmdgipkk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efcckjpl.dll" | C:\Windows\SysWOW64\Dnqlmq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfaognh.dll" | C:\Windows\SysWOW64\Fooembgb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ijaaae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jcnoejch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll" | C:\Windows\SysWOW64\Kambcbhb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll" | C:\Windows\SysWOW64\Kbmome32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eeojcmfi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalcc32.dll" | C:\Windows\SysWOW64\Hnmacpfj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fijbco32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ieponofk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifblipqh.dll" | C:\Windows\SysWOW64\Imggplgm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkmmlgik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eknpadcn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fggmldfp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hiioin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ikgkei32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jabponba.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll" | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hdbpekam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmichb32.dll" | C:\Windows\SysWOW64\Hgqlafap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfomeb32.dll" | C:\Windows\SysWOW64\Gpggei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gnfkba32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll" | C:\Windows\SysWOW64\Hnkdnqhm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hnkdnqhm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | "C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe" |
| C:\Windows\SysWOW64\Cfckcoen.exe | C:\Windows\system32\Cfckcoen.exe |
| C:\Windows\SysWOW64\Cjogcm32.exe | C:\Windows\system32\Cjogcm32.exe |
| C:\Windows\SysWOW64\Cmmcpi32.exe | C:\Windows\system32\Cmmcpi32.exe |
| C:\Windows\SysWOW64\Dnqlmq32.exe | C:\Windows\system32\Dnqlmq32.exe |
| C:\Windows\SysWOW64\Dekdikhc.exe | C:\Windows\system32\Dekdikhc.exe |
| C:\Windows\SysWOW64\Daaenlng.exe | C:\Windows\system32\Daaenlng.exe |
| C:\Windows\SysWOW64\Dgknkf32.exe | C:\Windows\system32\Dgknkf32.exe |
| C:\Windows\SysWOW64\Dadbdkld.exe | C:\Windows\system32\Dadbdkld.exe |
| C:\Windows\SysWOW64\Dnhbmpkn.exe | C:\Windows\system32\Dnhbmpkn.exe |
| C:\Windows\SysWOW64\Dafoikjb.exe | C:\Windows\system32\Dafoikjb.exe |
| C:\Windows\SysWOW64\Dnjoco32.exe | C:\Windows\system32\Dnjoco32.exe |
| C:\Windows\SysWOW64\Dpklkgoj.exe | C:\Windows\system32\Dpklkgoj.exe |
| C:\Windows\SysWOW64\Ejaphpnp.exe | C:\Windows\system32\Ejaphpnp.exe |
| C:\Windows\SysWOW64\Epnhpglg.exe | C:\Windows\system32\Epnhpglg.exe |
| C:\Windows\SysWOW64\Efhqmadd.exe | C:\Windows\system32\Efhqmadd.exe |
| C:\Windows\SysWOW64\Efjmbaba.exe | C:\Windows\system32\Efjmbaba.exe |
| C:\Windows\SysWOW64\Epbbkf32.exe | C:\Windows\system32\Epbbkf32.exe |
| C:\Windows\SysWOW64\Eeojcmfi.exe | C:\Windows\system32\Eeojcmfi.exe |
| C:\Windows\SysWOW64\Ebckmaec.exe | C:\Windows\system32\Ebckmaec.exe |
| C:\Windows\SysWOW64\Eafkhn32.exe | C:\Windows\system32\Eafkhn32.exe |
| C:\Windows\SysWOW64\Eknpadcn.exe | C:\Windows\system32\Eknpadcn.exe |
| C:\Windows\SysWOW64\Fahhnn32.exe | C:\Windows\system32\Fahhnn32.exe |
| C:\Windows\SysWOW64\Fkqlgc32.exe | C:\Windows\system32\Fkqlgc32.exe |
| C:\Windows\SysWOW64\Folhgbid.exe | C:\Windows\system32\Folhgbid.exe |
| C:\Windows\SysWOW64\Fakdcnhh.exe | C:\Windows\system32\Fakdcnhh.exe |
| C:\Windows\SysWOW64\Fggmldfp.exe | C:\Windows\system32\Fggmldfp.exe |
| C:\Windows\SysWOW64\Fooembgb.exe | C:\Windows\system32\Fooembgb.exe |
| C:\Windows\SysWOW64\Famaimfe.exe | C:\Windows\system32\Famaimfe.exe |
| C:\Windows\SysWOW64\Fglfgd32.exe | C:\Windows\system32\Fglfgd32.exe |
| C:\Windows\SysWOW64\Fijbco32.exe | C:\Windows\system32\Fijbco32.exe |
| C:\Windows\SysWOW64\Fgocmc32.exe | C:\Windows\system32\Fgocmc32.exe |
| C:\Windows\SysWOW64\Fimoiopk.exe | C:\Windows\system32\Fimoiopk.exe |
| C:\Windows\SysWOW64\Gpggei32.exe | C:\Windows\system32\Gpggei32.exe |
| C:\Windows\SysWOW64\Gecpnp32.exe | C:\Windows\system32\Gecpnp32.exe |
| C:\Windows\SysWOW64\Gcgqgd32.exe | C:\Windows\system32\Gcgqgd32.exe |
| C:\Windows\SysWOW64\Gajqbakc.exe | C:\Windows\system32\Gajqbakc.exe |
| C:\Windows\SysWOW64\Gcjmmdbf.exe | C:\Windows\system32\Gcjmmdbf.exe |
| C:\Windows\SysWOW64\Gamnhq32.exe | C:\Windows\system32\Gamnhq32.exe |
| C:\Windows\SysWOW64\Ghgfekpn.exe | C:\Windows\system32\Ghgfekpn.exe |
| C:\Windows\SysWOW64\Goqnae32.exe | C:\Windows\system32\Goqnae32.exe |
| C:\Windows\SysWOW64\Gncnmane.exe | C:\Windows\system32\Gncnmane.exe |
| C:\Windows\SysWOW64\Gnfkba32.exe | C:\Windows\system32\Gnfkba32.exe |
| C:\Windows\SysWOW64\Hjmlhbbg.exe | C:\Windows\system32\Hjmlhbbg.exe |
| C:\Windows\SysWOW64\Hadcipbi.exe | C:\Windows\system32\Hadcipbi.exe |
| C:\Windows\SysWOW64\Hdbpekam.exe | C:\Windows\system32\Hdbpekam.exe |
| C:\Windows\SysWOW64\Hgqlafap.exe | C:\Windows\system32\Hgqlafap.exe |
| C:\Windows\SysWOW64\Hnkdnqhm.exe | C:\Windows\system32\Hnkdnqhm.exe |
| C:\Windows\SysWOW64\Hqiqjlga.exe | C:\Windows\system32\Hqiqjlga.exe |
| C:\Windows\SysWOW64\Hcgmfgfd.exe | C:\Windows\system32\Hcgmfgfd.exe |
| C:\Windows\SysWOW64\Hnmacpfj.exe | C:\Windows\system32\Hnmacpfj.exe |
| C:\Windows\SysWOW64\Hmpaom32.exe | C:\Windows\system32\Hmpaom32.exe |
| C:\Windows\SysWOW64\Hgeelf32.exe | C:\Windows\system32\Hgeelf32.exe |
| C:\Windows\SysWOW64\Hfhfhbce.exe | C:\Windows\system32\Hfhfhbce.exe |
| C:\Windows\SysWOW64\Hqnjek32.exe | C:\Windows\system32\Hqnjek32.exe |
| C:\Windows\SysWOW64\Hclfag32.exe | C:\Windows\system32\Hclfag32.exe |
| C:\Windows\SysWOW64\Hjfnnajl.exe | C:\Windows\system32\Hjfnnajl.exe |
| C:\Windows\SysWOW64\Hiioin32.exe | C:\Windows\system32\Hiioin32.exe |
| C:\Windows\SysWOW64\Ikgkei32.exe | C:\Windows\system32\Ikgkei32.exe |
| C:\Windows\SysWOW64\Icncgf32.exe | C:\Windows\system32\Icncgf32.exe |
| C:\Windows\SysWOW64\Ieponofk.exe | C:\Windows\system32\Ieponofk.exe |
| C:\Windows\SysWOW64\Imggplgm.exe | C:\Windows\system32\Imggplgm.exe |
| C:\Windows\SysWOW64\Ioeclg32.exe | C:\Windows\system32\Ioeclg32.exe |
| C:\Windows\SysWOW64\Ibcphc32.exe | C:\Windows\system32\Ibcphc32.exe |
| C:\Windows\SysWOW64\Iinhdmma.exe | C:\Windows\system32\Iinhdmma.exe |
| C:\Windows\SysWOW64\Igqhpj32.exe | C:\Windows\system32\Igqhpj32.exe |
| C:\Windows\SysWOW64\Ibfmmb32.exe | C:\Windows\system32\Ibfmmb32.exe |
| C:\Windows\SysWOW64\Iaimipjl.exe | C:\Windows\system32\Iaimipjl.exe |
| C:\Windows\SysWOW64\Igceej32.exe | C:\Windows\system32\Igceej32.exe |
| C:\Windows\SysWOW64\Ijaaae32.exe | C:\Windows\system32\Ijaaae32.exe |
| C:\Windows\SysWOW64\Ibhicbao.exe | C:\Windows\system32\Ibhicbao.exe |
| C:\Windows\SysWOW64\Icifjk32.exe | C:\Windows\system32\Icifjk32.exe |
| C:\Windows\SysWOW64\Igebkiof.exe | C:\Windows\system32\Igebkiof.exe |
| C:\Windows\SysWOW64\Ijcngenj.exe | C:\Windows\system32\Ijcngenj.exe |
| C:\Windows\SysWOW64\Ieibdnnp.exe | C:\Windows\system32\Ieibdnnp.exe |
| C:\Windows\SysWOW64\Iclbpj32.exe | C:\Windows\system32\Iclbpj32.exe |
| C:\Windows\SysWOW64\Jjfkmdlg.exe | C:\Windows\system32\Jjfkmdlg.exe |
| C:\Windows\SysWOW64\Jmdgipkk.exe | C:\Windows\system32\Jmdgipkk.exe |
| C:\Windows\SysWOW64\Jcnoejch.exe | C:\Windows\system32\Jcnoejch.exe |
| C:\Windows\SysWOW64\Jgjkfi32.exe | C:\Windows\system32\Jgjkfi32.exe |
| C:\Windows\SysWOW64\Jikhnaao.exe | C:\Windows\system32\Jikhnaao.exe |
| C:\Windows\SysWOW64\Jabponba.exe | C:\Windows\system32\Jabponba.exe |
| C:\Windows\SysWOW64\Jbclgf32.exe | C:\Windows\system32\Jbclgf32.exe |
| C:\Windows\SysWOW64\Jfohgepi.exe | C:\Windows\system32\Jfohgepi.exe |
| C:\Windows\SysWOW64\Jllqplnp.exe | C:\Windows\system32\Jllqplnp.exe |
| C:\Windows\SysWOW64\Jpgmpk32.exe | C:\Windows\system32\Jpgmpk32.exe |
| C:\Windows\SysWOW64\Jbfilffm.exe | C:\Windows\system32\Jbfilffm.exe |
| C:\Windows\SysWOW64\Jedehaea.exe | C:\Windows\system32\Jedehaea.exe |
| C:\Windows\SysWOW64\Jmkmjoec.exe | C:\Windows\system32\Jmkmjoec.exe |
| C:\Windows\SysWOW64\Jpjifjdg.exe | C:\Windows\system32\Jpjifjdg.exe |
| C:\Windows\SysWOW64\Jfcabd32.exe | C:\Windows\system32\Jfcabd32.exe |
| C:\Windows\SysWOW64\Jefbnacn.exe | C:\Windows\system32\Jefbnacn.exe |
| C:\Windows\SysWOW64\Jplfkjbd.exe | C:\Windows\system32\Jplfkjbd.exe |
| C:\Windows\SysWOW64\Kbjbge32.exe | C:\Windows\system32\Kbjbge32.exe |
| C:\Windows\SysWOW64\Kambcbhb.exe | C:\Windows\system32\Kambcbhb.exe |
| C:\Windows\SysWOW64\Kidjdpie.exe | C:\Windows\system32\Kidjdpie.exe |
| C:\Windows\SysWOW64\Kjeglh32.exe | C:\Windows\system32\Kjeglh32.exe |
| C:\Windows\SysWOW64\Kbmome32.exe | C:\Windows\system32\Kbmome32.exe |
| C:\Windows\SysWOW64\Kekkiq32.exe | C:\Windows\system32\Kekkiq32.exe |
| C:\Windows\SysWOW64\Khjgel32.exe | C:\Windows\system32\Khjgel32.exe |
| C:\Windows\SysWOW64\Klecfkff.exe | C:\Windows\system32\Klecfkff.exe |
| C:\Windows\SysWOW64\Kmfpmc32.exe | C:\Windows\system32\Kmfpmc32.exe |
| C:\Windows\SysWOW64\Kdphjm32.exe | C:\Windows\system32\Kdphjm32.exe |
| C:\Windows\SysWOW64\Kfodfh32.exe | C:\Windows\system32\Kfodfh32.exe |
| C:\Windows\SysWOW64\Koflgf32.exe | C:\Windows\system32\Koflgf32.exe |
| C:\Windows\SysWOW64\Kadica32.exe | C:\Windows\system32\Kadica32.exe |
| C:\Windows\SysWOW64\Kdbepm32.exe | C:\Windows\system32\Kdbepm32.exe |
| C:\Windows\SysWOW64\Kkmmlgik.exe | C:\Windows\system32\Kkmmlgik.exe |
| C:\Windows\SysWOW64\Kmkihbho.exe | C:\Windows\system32\Kmkihbho.exe |
| C:\Windows\SysWOW64\Kbhbai32.exe | C:\Windows\system32\Kbhbai32.exe |
| C:\Windows\SysWOW64\Kgcnahoo.exe | C:\Windows\system32\Kgcnahoo.exe |
| C:\Windows\SysWOW64\Kkojbf32.exe | C:\Windows\system32\Kkojbf32.exe |
| C:\Windows\SysWOW64\Lmmfnb32.exe | C:\Windows\system32\Lmmfnb32.exe |
| C:\Windows\SysWOW64\Lplbjm32.exe | C:\Windows\system32\Lplbjm32.exe |
| C:\Windows\SysWOW64\Lbjofi32.exe | C:\Windows\system32\Lbjofi32.exe |
Network
Files
memory/3008-0-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cfckcoen.exe
| MD5 | 2f653fee64328d70481032a0a0ac1b32 |
| SHA1 | 00d6b70a5bd78e725dd14b57414b9d27efa169a0 |
| SHA256 | 39a341031ef78c7a4af7ec862b09eeb53252fa09d897851234afced314ab7b3d |
| SHA512 | b03536d3b2cc051fbc0a63aedf239746c58aba7981b005c72b1969db4c6e01479f846fb509ac9853d627c5b7faba24e4a3fc665cdd55358f322c21a6dc93f930 |
C:\Windows\SysWOW64\Cjogcm32.exe
| MD5 | a279a3ed90bf4bf038bfe38bcb9164fc |
| SHA1 | 1fa412d1ba29b6315121259be26f38413fc0bf47 |
| SHA256 | ddc6332444f9895108a77251beeeddcfe6445535dc5671b9044009cea9a1b890 |
| SHA512 | ea200cc36ba78e4134f82d1f79fa778fdd392522ec98a9e40c6e29b968eb1811ccda71c03b72e7f4dd92952242ec14575ef999b03a79c9b9a0a926bd9b5a96f5 |
memory/2100-25-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3008-24-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/3008-17-0x0000000000250000-0x00000000002A3000-memory.dmp
\Windows\SysWOW64\Cmmcpi32.exe
| MD5 | cb451c75bf756802487a355da37fd35c |
| SHA1 | 00820daf121835c7610f87fd816fbb437a95cef3 |
| SHA256 | 8ed546852a1455f6ab2dbdcedd1053228b3434580a5394f35c1fe63e38a887a3 |
| SHA512 | 57533b4b6cbdde5e7fa68241f107f469ee625fe0e5fbec1c93861d6db22490ee47b81f584b0d1b26958201bdc3efa6d92d75c38002e4ddd41a9fd7662fc4e3e0 |
memory/2640-33-0x00000000002F0000-0x0000000000343000-memory.dmp
C:\Windows\SysWOW64\Dnqlmq32.exe
| MD5 | 60d5af10512b603301ddc3e06ef3d4b9 |
| SHA1 | c8cf573bfd6cb595309e46e5ee7132411532afd5 |
| SHA256 | 8826d8c10b9c753fcbc051f3d77ad17d3b2c090fa3f02aa39f0cd6dee6bc3b6c |
| SHA512 | b302e888c4bedeb8674457299efc9e7e96d7eaad4f83f712bf88a90fd1dc2e64ab9bb46d9432060c832bcd66351ac3c7149c408a94bab136cb338a11e3abc31e |
memory/2556-53-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2640-40-0x00000000002F0000-0x0000000000343000-memory.dmp
\Windows\SysWOW64\Dekdikhc.exe
| MD5 | b8f57c50f019f05cc5693ab60459f1f2 |
| SHA1 | 7236ded19cb949502c532f8a26b81480a9eb4bc3 |
| SHA256 | ebb0b8ce61161d74b5693836090fe1ea0aa8ebd539ad9211141b8a2ec58c2fe7 |
| SHA512 | 32bab1a07c85f3d87225e393f40b73a58a899c22ecb9158a09106c15a695bc0a48e94ac09846267ec7ae16fd26196d2c79e3773a31512223744cb97c47b10045 |
memory/2556-61-0x00000000006C0000-0x0000000000713000-memory.dmp
memory/2552-67-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Daaenlng.exe
| MD5 | 7c6a698aa9311679a41ff2aa4a133342 |
| SHA1 | 0329148a41a25648d90b2aebfe6c1acf69dcfd9c |
| SHA256 | aced49a92330a56154eb2ae6df2788463efcc42f27694a82cf11aa96ab604f4b |
| SHA512 | 189d5af780afd0668f050cba6d3b33d0acd398a70058754fb9ef06340d424aed4b286a4cc4f435db8a2631e69f5a133ca28e68c81d355a3fcc4c22ad9fa59425 |
memory/2508-80-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Dgknkf32.exe
| MD5 | 0d3d7a1df29430898d93f005966da078 |
| SHA1 | 94a34bcfdabc09927063ef50a9c74aa62df63168 |
| SHA256 | 51a7dd8c3f207a8386da964c202196bdf75d2b25350af33a8891b79a8abfb775 |
| SHA512 | 91668891ed28ca8dc4057f267ffb7a8aee955300cf2874f79f3fde3506ac29c13c8d714c6bd9e1205b5ff46c027a53fb3c001577477ec12f6cf223487b69aa7d |
memory/552-93-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Dadbdkld.exe
| MD5 | 876c7869c0ef16783b17d762b9643952 |
| SHA1 | 6eab71e2b95fbc17044ac5c89b8bacefbd5dae61 |
| SHA256 | 8304a81dc3c97fe5a28b31e85e11317aeba26579a33e2246a389faddf415ed3f |
| SHA512 | 0682f3f12c1244e7846cba76319fee34dd5466d74af01b881e95202f829101da47acaeb306e2648e9a6702851f312fb0904f0d2b748370d97a6bbf8cc18ce2f8 |
memory/552-105-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2656-107-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Dnhbmpkn.exe
| MD5 | ffe8ac803114d13ac61155acdb1674f5 |
| SHA1 | 107e3e374ec1bbd08c5ab2bc1ed87fc3142f4bbd |
| SHA256 | 6597a6e8ae3bdb8882b82d26fa671beb7999941f94649158a57772df49304e71 |
| SHA512 | 65c820ee3d5debf85ec12a66a31d55cecd9c133b7e5ef077920cd60401bccad3268b2530515d3f08f9b89407f61b48335ab2e0019c5c56667347f9d94715eafb |
memory/2776-120-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dafoikjb.exe
| MD5 | 0a68529421d2d09e04a99ab7f4187be7 |
| SHA1 | de12f4d49a8f980df05bdf02d053f5d2f8b27b12 |
| SHA256 | d90225ed868f7f5589190b141427f6b5b6229c22a1dfb95f1fc245bb47273260 |
| SHA512 | 2e1379df81b998c015b24f1e6a9bf8eea9a955a297b0ea1e50eee437abeafef23ea86b0ef2b6139deac2a041f06042b2f6e3a6604675312597163ef6babdc7dc |
memory/1960-133-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Dnjoco32.exe
| MD5 | 6eab1f118bbde6b87fb7a1f5f5958610 |
| SHA1 | 924521591e9c5bc2cdd6c3bfa1859d1f0a0449a4 |
| SHA256 | e77b48a8ab710767b11ab800392cf0a3fbe41614ca4dbdf20e4a09fd25b6132d |
| SHA512 | 235e1e1b05602d10fcdb074f1b332dabd87147d47e56436f23fc19df1d8cf511be90ae8d37fcbfa7a73fccd00ad13dbd43bb96380a68100cd03d643944d24394 |
memory/1960-141-0x0000000000250000-0x00000000002A3000-memory.dmp
\Windows\SysWOW64\Dpklkgoj.exe
| MD5 | d1ee1007de50ef83cec59cdc9088da41 |
| SHA1 | 6dd407730f3714536d1d823cbe9f5957baaa9c0d |
| SHA256 | ff54a010ddb51f385fd4d7cec5ab733c265d5a3167d11ac4ae1dac4eb7e28e0f |
| SHA512 | 3a87b9375e1187763847bef177b742fab241d3a97bf2b49d3aca9355f674cd5834d14a685991f54dff49ad86727ee49ddd9cedd3d5f3dfd8d11ecfbf31a01da3 |
memory/1168-159-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Ejaphpnp.exe
| MD5 | 2709eaff62e4cedd4a247ce5f26a3f8c |
| SHA1 | d6ce130f2b32e87f868a3a174b731428d709ecff |
| SHA256 | d87eff28847b217336f9a4fa7b4105637f9cc3a0c4d78a96a15b21c4dc3fe741 |
| SHA512 | a8e8178cfc3b3d4a46a659462049b8ce34377d56d8e4a9b0ea3a42b6321e44eb538900c2a5cb6bf189143b98488156e0ba65a608a8e277de201760c38f991303 |
memory/1168-171-0x0000000000300000-0x0000000000353000-memory.dmp
\Windows\SysWOW64\Epnhpglg.exe
| MD5 | 2237c9cc769a375b8f1bd563ef6cc479 |
| SHA1 | 31ab6435585936ca611c47c276b31161c80a480b |
| SHA256 | f1426d89a41141841e88e902b59a4dc2f4b000639c39d4acfe10b411dc1b862a |
| SHA512 | 60452fb0d34baba58f09f6eb0c89f28501e38b2ddd727392b8bbf9906254792007f1099893abc6dc58ac276394c82c172acd60d154a2e31c138de3ae7004b141 |
memory/1628-185-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/1628-184-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/408-191-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Efhqmadd.exe
| MD5 | 147dfaceffb0a15b2091ba33037fd79a |
| SHA1 | d6f65ac51abb0278c00dad00e79209cfde5bb043 |
| SHA256 | 3e21c09240843c6fedda4040a7b1990641c7c88f5243eac4c45b870a556b9808 |
| SHA512 | 34ed17aad839077daa19ebcd23955b6eb478750abd3503f769ba8cdad9c65313141c99d2fdf282194b4c3abbdd4c675bae4e41273b912240edb244cd3f56e99c |
memory/408-197-0x0000000000320000-0x0000000000373000-memory.dmp
memory/408-198-0x0000000000320000-0x0000000000373000-memory.dmp
memory/3060-207-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Efjmbaba.exe
| MD5 | ba17dd5e2967b0363a37aaeb6cdc3e61 |
| SHA1 | dccddda30f21fab7e15d6b31ab33e0f9db7c934c |
| SHA256 | 1a0f980f126d20833aaf397b1057a3329aa72399d811376afb2160fd7351f004 |
| SHA512 | 9c9466cacd5fc96a579ae02140e9e27a84f95a53559f182765753eb678e45926701945d6fd0b89d19b57597e02fe8fb215430ca2b88bd5e2fd36ddc62d90dacd |
memory/1292-217-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3060-216-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/3060-215-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1292-228-0x0000000001F60000-0x0000000001FB3000-memory.dmp
memory/1292-227-0x0000000001F60000-0x0000000001FB3000-memory.dmp
C:\Windows\SysWOW64\Epbbkf32.exe
| MD5 | c13d66d6113644c9d83c86f28e34e9fe |
| SHA1 | 3f26d6e95079abd22737b137803cfe8562670e8f |
| SHA256 | f6c661347e0d48c2d8ecdd29d5f85b7082b2b85cd4392927adbc79964506280a |
| SHA512 | 7f546ef3e06ac08ed710854f8365f2628c364ebcc939ec23b03b5f2ef25ad29b15891bafdfa92004b448db94a1812535a5905d5a3de3209e3e744999bdd8bf04 |
memory/1864-229-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1864-239-0x00000000002F0000-0x0000000000343000-memory.dmp
memory/1864-238-0x00000000002F0000-0x0000000000343000-memory.dmp
C:\Windows\SysWOW64\Eeojcmfi.exe
| MD5 | 8d2c12ef6737b866d8fdbcc1c4db236b |
| SHA1 | 145bcbcf478db981ea56fc6fb386456a55bea20c |
| SHA256 | eb2b9668cb8037b6877a025c7a18351cfcf11f4d7e3d864390dc20fe02927b1d |
| SHA512 | cb675b8d53198c2da95d8da36b5ff6b0ba9798085769842ebe4e767d3a12b602e3e6a15594192bbf5911e300214c8b8d9a58548ab7b09522ba810efc31959727 |
memory/3024-240-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ebckmaec.exe
| MD5 | 25d879b0a45e6a2d7298a35febad4b49 |
| SHA1 | d262f40fd0f407994bd5be5770ca615676af5c44 |
| SHA256 | cfe6d0787b886d999aa003d1a3aedad5af2753dc7eff14fdb4acaf57e630fe3f |
| SHA512 | ef8c5b329990644501137c6fa495eee8f3c5b8c406c7ab06bc9aea2bb96333b24595ed0982f572abef32806f159a549e024ccb1b415258ba1552581d901857ed |
memory/2284-257-0x0000000000300000-0x0000000000353000-memory.dmp
memory/2284-255-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3024-254-0x0000000000310000-0x0000000000363000-memory.dmp
memory/3024-253-0x0000000000310000-0x0000000000363000-memory.dmp
C:\Windows\SysWOW64\Eafkhn32.exe
| MD5 | db86f9ed950f4771b53c110c935e5366 |
| SHA1 | 3dd9838d66e06f2bbe6b6272c95f100352f52a77 |
| SHA256 | ec5440cb15cbd6a55e781727918a91d3bc69c730a0bf7a7d48298f9f41ba6d0d |
| SHA512 | bc12fc44c7552f8e34712f5871329619900dfddff56c9dbd528683150ea6eafa62e0efd75445684fd602ee23ca40af9d80d1fd1a5df453e77cf2d778809900fe |
memory/2856-262-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2284-261-0x0000000000300000-0x0000000000353000-memory.dmp
C:\Windows\SysWOW64\Eknpadcn.exe
| MD5 | 38d4aa1521b0f3e1e7ad186f5d2dc7d0 |
| SHA1 | e615106510d26934a8ffd47cbcfbaa50987a78cb |
| SHA256 | 62f19e3726ed30894fa008f68fdb4703ee900b0c8fde20cda2dd9a2072afce25 |
| SHA512 | 5a9a432ca933b0a7718d5d4c55e52bafcbd94c86251cda79bbb0fe6dfccb1b5a50e728100c68c4211ec7b1cb672b8954e727bd7938463ac282403d6c7110ca6e |
C:\Windows\SysWOW64\Fahhnn32.exe
| MD5 | c5a6beaa5e45ab3f7bf28f18bb7704bd |
| SHA1 | a531a3938ead466cc048f70fe92254bf3617c2c8 |
| SHA256 | d8308363c14e1d02c6863439410e7cda2e6899cffd2ae6ee78661f01e8efa254 |
| SHA512 | edcd89a300cf15c0edbff90c2745c8c3dbea67084f51b067a43e71ef43bb0e72bc0c8db94b345f99e1d24b8140ef2230f583d1b46910df9a31c385e54b4f22de |
memory/1084-273-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2856-272-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1704-284-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1084-283-0x00000000005F0000-0x0000000000643000-memory.dmp
memory/1084-282-0x00000000005F0000-0x0000000000643000-memory.dmp
memory/2856-271-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Fkqlgc32.exe
| MD5 | 9fa3f5930836e15e49dc7afa7ae5bd02 |
| SHA1 | b2702a26853f86964d31e44ef1cf20a159f36d85 |
| SHA256 | 9bbc1339afd70b974a750401a3c6c604eca9777cb90f67b8743068deb6c6f3c1 |
| SHA512 | 0cd2c727f8d639e56f04b2a8eafc514b98103b856dc3a564e460028acb97674582cf6746c6a7e138770fa763d3661edeab0c9c06c095bd3664f34489af9b2818 |
memory/1704-296-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/980-298-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2876-305-0x0000000000400000-0x0000000000453000-memory.dmp
memory/980-304-0x0000000000300000-0x0000000000353000-memory.dmp
memory/980-303-0x0000000000300000-0x0000000000353000-memory.dmp
C:\Windows\SysWOW64\Folhgbid.exe
| MD5 | 16b3d5094748ac5e7e9846c99ef52e01 |
| SHA1 | 234a447ecfb7a93949ebb7bbbf818d246f92fc46 |
| SHA256 | edf5193a1f8d2a713bd1b9fdff988b5fe375282c0f87900e25634f6ed8eae7b8 |
| SHA512 | 9d21caad0dc2d82327f34998d00a290cddde90748b4bf04c7cef1055fccd09ddaca5f791f4390af834e6a70efa57d3ebe596652c7903c3779c9b44905e876abb |
C:\Windows\SysWOW64\Fakdcnhh.exe
| MD5 | adf8d3bfd9abcbb371af5535b02c9519 |
| SHA1 | e08bb1c673123030e50009fd922bacc933e7c699 |
| SHA256 | 277ca86f8a42bde79af75b216bf1ddde5953eda8fad5331edb4f91a9a5617b19 |
| SHA512 | 8b1f5c97c1278bee225d1c7b66cef267a229d02948f15f047c836bb3964d8be1d1b938dfb3d3aa70d593c1419a75de8d371a90a755f7a79c8107574f16f2bdd5 |
memory/2876-314-0x00000000005F0000-0x0000000000643000-memory.dmp
memory/2972-328-0x00000000002E0000-0x0000000000333000-memory.dmp
C:\Windows\SysWOW64\Fooembgb.exe
| MD5 | 2c1042719586a7945d6f0637432e1198 |
| SHA1 | 6e9bba0fba8633746f0282143794b4e49d722f04 |
| SHA256 | 96936c0c8561ed9a5410ee5761a8a7099d981bb9c34559ef98292eba483febe5 |
| SHA512 | f5e4cd276736f80950393c3da9248f3af8d357c4e81af5c4ee424038809b788bc66600b02c7e83bee5a342e13716484995d28a7e3c90272c7b6ce6e92f2ab8f0 |
memory/2636-329-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2972-318-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2300-317-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2300-316-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2300-324-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2632-340-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2636-339-0x0000000000260000-0x00000000002B3000-memory.dmp
memory/2636-338-0x0000000000260000-0x00000000002B3000-memory.dmp
C:\Windows\SysWOW64\Famaimfe.exe
| MD5 | 6978780b0dbebc804977715e126ce4fc |
| SHA1 | 739d2f96d786d941ffd1ade796d61f92f8f238c2 |
| SHA256 | b29451fbb03a7570ef331fa7d55ba0ee18ef31c77fa05ad909c6d93950f7cdb4 |
| SHA512 | a49f25c04dd7a1ec8cb12e6217cfdebb72334938b3d33f537cbf170c4677a5231225b9e822d8a4c44f91545ad55ce983f165e15d56e0d926665a394b02f8cced |
memory/2876-315-0x00000000005F0000-0x0000000000643000-memory.dmp
C:\Windows\SysWOW64\Fglfgd32.exe
| MD5 | 818317572a90438b4a873645ffe8e396 |
| SHA1 | f223dbb02e769f35b85f00ac8a749228d5635f99 |
| SHA256 | 732c20ba8aea939b5c2df271bcbd8a0c7b376991e48134f14ad14b9e18fd104a |
| SHA512 | 13f1e070927e391ec61a76756ec9a543d98c61bbd579851d339ba393ac20c4c64ae3332d85d63e84ae0b1f3fe3ca1c699fb0a6b77c3c568798722d7598e42ba6 |
C:\Windows\SysWOW64\Fijbco32.exe
| MD5 | ca7b23b06c854c2f605640ad7ded8777 |
| SHA1 | fe743ff870bbea014ab32a2a956b39e3d2b68242 |
| SHA256 | f67b8b9b619a97c2e4793a841d9e07910ae1c03892eec0d7c07193168dfa8440 |
| SHA512 | 1b67549c4c5068bf9cb325283ebc757a37dd62dc080536127c2d89ea98b26abc8941e8fd48de3a340f3d5702d74784659a5355294f23b0b6c9adc19b70a9422e |
memory/836-362-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2724-361-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/2724-360-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/2724-351-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2632-350-0x00000000005F0000-0x0000000000643000-memory.dmp
memory/2632-349-0x00000000005F0000-0x0000000000643000-memory.dmp
C:\Windows\SysWOW64\Fgocmc32.exe
| MD5 | cc4f0980908db9a4843019e4a983eed9 |
| SHA1 | 796d04077e7b3c393e51c67dd345be2b626dc11e |
| SHA256 | cab22df29bbf2c627e30434240c4dec2849ddfbcfce18ac3231f74c5f780a849 |
| SHA512 | 581cb832c5a65f43b4434a8a537fea2700491d9d431dd512400ea145a285d51f2d8ab2ab1a245d4c5b453b1b6491fd48fc1679cb39be61671c28f9cadd54d5af |
memory/836-375-0x0000000000290000-0x00000000002E3000-memory.dmp
C:\Windows\SysWOW64\Fimoiopk.exe
| MD5 | f8d11326e2af27f786304110bdf12559 |
| SHA1 | ecc19c1010ad2b4f7fca7392990d137465299ca1 |
| SHA256 | 738c5981d77ed1d2c75b57c261f782ade22f4ce5b63173131d6d6abf4cf43321 |
| SHA512 | a32bec1f3767fcd6d666071d745d9776fc36536d7d6f0831428bcc20d7491f8b914af38df6b7145661857427f115a5a9a6367f4a57f80ec07fa7416a051eef5f |
memory/2360-383-0x0000000000310000-0x0000000000363000-memory.dmp
memory/2608-386-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2360-385-0x0000000000310000-0x0000000000363000-memory.dmp
memory/2608-388-0x0000000000320000-0x0000000000373000-memory.dmp
C:\Windows\SysWOW64\Gpggei32.exe
| MD5 | 99ff15bbae852102b485b6fa78d56ad9 |
| SHA1 | cca3ad96a1ff3a64f4e806c696e9554b2a0f00c2 |
| SHA256 | d0e67951c73402af88c14729ce095c33d434467889786dddf45257904761d200 |
| SHA512 | 45b7af89ffa3199509e2f21cfa290f3051ea72310ae59d30f3082465564c2bcc4fff9153861d7374a46e21d9ccced5f14937c2468f5550a46216e993ad981765 |
C:\Windows\SysWOW64\Gecpnp32.exe
| MD5 | 8e457fd19a05841a89066010f48a4db2 |
| SHA1 | 9d3263a441314e1b783a85769e00fe6b61dd9171 |
| SHA256 | 687fb2317189127964d5d8e19b51b2740ac5f0cbb337d70d97b4b8a4df5c41f8 |
| SHA512 | dc388c81d6930e7c8f2164cdd3695a0dbcd7061f8469179081c08197a4d20c4e990df358b8160b1a71b7d6fe91526bf9a1719397b3e2deccb6bc0e3f79e5f751 |
memory/2608-400-0x0000000000320000-0x0000000000373000-memory.dmp
memory/2904-402-0x0000000001F60000-0x0000000001FB3000-memory.dmp
memory/2904-401-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1852-403-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Gcgqgd32.exe
| MD5 | 96d7f29f360d74cc504734474a658760 |
| SHA1 | 68241a20d306271be09dc7e3568bb906672d8829 |
| SHA256 | a9c51cbc242e6010fbdfe7851c62dc2749f4ce1db07795cc318901ed9abec98d |
| SHA512 | ecd6248eff436bac157c53fe82f3c71715165522c17b4234f33ef0fb2fcb9829892791ce8ea78683026ced097ac6c778ebba7ebbbd91e7df178f42f59450454f |
C:\Windows\SysWOW64\Gajqbakc.exe
| MD5 | 1001518fceba149d9e8467fd23eae50d |
| SHA1 | 4ddbb8e8436c6abae9a9fe53bc55eda748e2e09d |
| SHA256 | 45f3907c03a22009e02ddc08697a41a53a964645c06124cb0bb2e9d738cdbcb9 |
| SHA512 | eaa88f21ed1ab14b145e19c530e288f115dc5eb05a925a4510e02bee43a75eadd770a06037a1f543d75b813e7931cc1b63ab39c6f1a89f2def868f52e430582e |
C:\Windows\SysWOW64\Gcjmmdbf.exe
| MD5 | d04e450c36759486485a959708012567 |
| SHA1 | 9202e327fcddc2f4566f7aba46d36b4ca8c73d19 |
| SHA256 | de455a52aef882dddb87f2c1d803ef1154d095c171baf51e7467e508699e6275 |
| SHA512 | 9e0e4067108f95a2c71ab2cb6f7c8557c3e82f5153386972988664cabb26c24fe18e4266fc0740602daef46ea3c679fb7381afc03ec7d02e8975fcbe069d16a1 |
C:\Windows\SysWOW64\Gamnhq32.exe
| MD5 | dac49f478ed0b684f7132d80893ce08f |
| SHA1 | d30ef0683d9ebe65e2575e0a9ee2ea8ad9257532 |
| SHA256 | 9c3a84951dedb87805dc0f3312c4096b5ac0c5745dc26383789b6d9d7f1e9d91 |
| SHA512 | a584f180e51b33e8e8f72bbcbbdf54d87e633e3c4c4b11d86d06a2673647973ee30d3e35a2216273c93da375f814d114747580081ec79f52d0e3f485c6e8725a |
C:\Windows\SysWOW64\Ghgfekpn.exe
| MD5 | 913beace4c70fb4d7f92705fe9be844f |
| SHA1 | e83acfad398337ddd7fac8856a992010b00071e4 |
| SHA256 | 122b800663cd5ad4c50904d3b7066325153a54a0168aa44a2da0d637980e2a62 |
| SHA512 | 35797d277a0bdc936716d82c745cdf32a7c04e9e56dad750f136bd2067a3a9949c37d37a9d7b93ed63ea9ba5e166b9558db3dc8caa7185cd048e1a5890dd8565 |
C:\Windows\SysWOW64\Goqnae32.exe
| MD5 | c9d9d537aae0c9d8dee227246832dfa7 |
| SHA1 | 8387f926fa8e7171b9dfcb8f4508062374e2057d |
| SHA256 | b46a9852905a2730d70add97cf74b6df88eebb1e5de3f429c9b64e5f3a7f8f3c |
| SHA512 | 0de7155759935b0ca85a5157bf3d773d82f775c7d8bf5b0803b6f60af926cea4fcc8f005c419c16d39b48d9e9a438c8b3bace9ff03e5448e5cdf82556a1ea2be |
C:\Windows\SysWOW64\Gncnmane.exe
| MD5 | e2bdf3e4578c3a4ce50c335d4033c9b7 |
| SHA1 | 3cf3222b42a1cd2e7ce07c3b5e1bd23a79bb7550 |
| SHA256 | 1a061b1c32951b912b67d546ce60725110f9a0ca9488a294b9c4c44db8a17c3b |
| SHA512 | 3943e0359ed175aad9f523b9835d0148c0b75948828d5f7250e854dc6bfc8e6f4663c41d040e99977a0cc509192727ac45535eb64d7ec6b046ecbe04429edda3 |
C:\Windows\SysWOW64\Gnfkba32.exe
| MD5 | d3f3ea1939bb0836f8c9b0df27fd07f1 |
| SHA1 | a481a289d505c2797c6b8a30c343f5853cb05b22 |
| SHA256 | d690a6146991f935c7d728059aeea7f51bc22b643f30b96313f3abe5dfbc6a95 |
| SHA512 | d35ab1ac036c34a40bbd210a65f7d35f56b3ce9aa20f5a63a9105101502087c49446de0b81708bb24d870c42b3b80aa5b7b992a688a57a8acfc24f56731dc2c8 |
C:\Windows\SysWOW64\Hjmlhbbg.exe
| MD5 | 6e9b23084a10b083f7b54bc68374ec30 |
| SHA1 | b45e0b2b0e123a285389a8f6aa12d05679dd13ea |
| SHA256 | 1b26541221e3514e5d9d51fea691f5a503a5cb9b738e45e307dc8283048e663d |
| SHA512 | a7250d27e47e6f137308c89f366597313d3d92980893fd9e0d4439ca5bc98d2ead6d35515fc0df750203a0b3526aa99e7d769ffee5e7fdcfab253856a22d20ac |
C:\Windows\SysWOW64\Hadcipbi.exe
| MD5 | 0787fcce74fc0814d8e2c03a028943c1 |
| SHA1 | c98b1d7547edd3e8eb32271ad0d936906a902615 |
| SHA256 | c31df81b0a1502c9d0a7c52d53f5286529319826efb416e853e0a77771f907a0 |
| SHA512 | 058772cbfc8379544144fba921ee09aaf9e2b773d0da1d73cc8c15fa7835edda6f96d739d392861feebe104498617e5253402454bdadec8a206d993b45960d96 |
C:\Windows\SysWOW64\Hdbpekam.exe
| MD5 | 068d2279d2a5342e4cb4687620f7687b |
| SHA1 | 5da4132edd36c1ef12ef3db7723fb50c855ffda4 |
| SHA256 | ce3872094c8f1e8f4fb2eebb2d9b3f20ae27c017af95f6b9661fd322895906aa |
| SHA512 | 9b308e48f728f63aa2a41048c3ba3209cfb6fafe01ba8104ad9f5941382d36739ef6d37dce5fa22df80dd0f27eb8cd4a66310b73d60e390167d819d79bc7d38f |
C:\Windows\SysWOW64\Hgqlafap.exe
| MD5 | 9430364edf8444bfb71544cf53cf3218 |
| SHA1 | 3d0db69d9d373d77595f369037556c7e552f4386 |
| SHA256 | 7e0b3a14548a0e21e30b0c4f89d552bad2c340ae2787580bdc015ca6a8a45a96 |
| SHA512 | fa089e1024efd7949032306b13fcf889db51ea06df8e2af8ef2e3a9034705d6de8561b8767d9ad3111f3142a3914da4c5c75b7fb53f35d6675b65abdcaf0a90e |
C:\Windows\SysWOW64\Hnkdnqhm.exe
| MD5 | 29cbe1c4c6f7a7de6b576cdf96149012 |
| SHA1 | ff1317e7d8b6e48d7aef06006333cdf00324275c |
| SHA256 | 5ca6d148bb8d454945ae282d8691a0b0cd84a80ae72c19ce4df89c40edcc16d8 |
| SHA512 | 02bce12cf1e8110cadf2d6167abdeb5cd98d3a79bb7403f4ae988dcdae3fcd8c7d9586b9810c68132976586de9bb07dbf5134ae72a313bdc09ef19fd6c38f5c3 |
C:\Windows\SysWOW64\Hqiqjlga.exe
| MD5 | a558dcefc533cbd0f234b5614f11cd11 |
| SHA1 | 43dad5fb83a40017616b1af9d600b41663a211f8 |
| SHA256 | ea5a4865bfc69576680e0e497d10eb6c6e45e1fb0e50bb26923558822e752621 |
| SHA512 | aaf6fca1816460911ae93ebbd59d67afd22bfd24fc9160890d164519adb594f9b9e0760fe32539aaa045ccc4ec56039dc804df7a6b74e72b2fded733b9776714 |
C:\Windows\SysWOW64\Hcgmfgfd.exe
| MD5 | 6b07340a4ece75ce6d06d28550dba085 |
| SHA1 | 6b8e546e2a7e27da4585314609d1a8946c6f6f92 |
| SHA256 | c87ee8938b4b60301038754aa3dfc8c528e5ef889e7ad4f5c3417ec85ed14409 |
| SHA512 | 62db4bd2c176dea1ac621066913f778aa8bdfd14fdd0d7a0956ad9be5b4b93b505a9dc35240e6596af05a86f17c06f4e872a7db3bff13f3ec9b9cdf39592424a |
C:\Windows\SysWOW64\Hnmacpfj.exe
| MD5 | a3da13c0ceb21617c3389c106aadc5a7 |
| SHA1 | 4865af3480991bfc58c7310fb69438ea0b5928bb |
| SHA256 | b91feab91c21ef94817ae42ed83e2ae5d41dd2224709375d07b1427867f121ba |
| SHA512 | f8e0ba0e9c99b5623cf224878103f60d2cc32c06b3888dfecea9a4b7534572e8615b5a209c87a4b4306fd3e6984aee69befb03709ce81fc68cb9e947f2deb295 |
C:\Windows\SysWOW64\Hmpaom32.exe
| MD5 | 4ddf5203bb4f554a7f7a679ef1c3172b |
| SHA1 | a06a07f65fd98307df7ee8d073055070785dfb66 |
| SHA256 | 7c16ba0afbce38fef51cfdd1f2a2eac3d4c23562db6fedbb5ff37ec10450c20e |
| SHA512 | 015df0c6b359de2a08907e291bd61672b9868b808da8839ee3bc86d7d01b3ef784bbb3500a5daf97f375403ac662e3a2d74a9e9a660207a10fe835b4dc5d4d6c |
C:\Windows\SysWOW64\Hgeelf32.exe
| MD5 | 085e5e334f5ad14a3a66ef5c8810d920 |
| SHA1 | eaa109143ab92f4d29f7209e17dcc8d5063cf138 |
| SHA256 | 4b0a57541bf1caca539fd5097df66bff65796884228b3f1e27e170c13a8809d2 |
| SHA512 | 936f7249d30a077fa75396127fd3b2dbe5a38b19ab83e9d36d06d3830189597610985d033a1ed45020348687c95a6c563d73e483ce04565c854d3d8b9d6b0b5a |
C:\Windows\SysWOW64\Hfhfhbce.exe
| MD5 | eb267e453706ccff3b23d88fc3351d16 |
| SHA1 | 2e85ec8909a5b278e4cba6df7793f419a5a24609 |
| SHA256 | c4c3ca460241ddd3c76fe360bf17a4511f926b9982741f55dcb25497e0e5861a |
| SHA512 | 4bce4bf1ad797abe5fe8e1b453f368eb2f8b2c14a7daad239dbeda6f9c977a73ff7bda2cc5df25bb092db70a3aba195996ebe54f3825936d55d36e2284ae5e1f |
C:\Windows\SysWOW64\Hqnjek32.exe
| MD5 | 85923d0f679e8ea8d3e4b4c5a295e9f3 |
| SHA1 | 6e5711b3db9f97bce6fbccdbbd20a2b4437f512d |
| SHA256 | 1aeac5d815277a8f394ecd8f5e7c3d328d99f7ee31bce03113b738890597fe8f |
| SHA512 | e10817734180f89e91f3a446c4a93f44d6c946dbf19a114578d7ff9528e8f1985786146b6bfac70047f8b1f6c6e3af21118adca217e6726814a3c518223a31e3 |
C:\Windows\SysWOW64\Hclfag32.exe
| MD5 | 6802571cfe614263e1c0a4987ee46f28 |
| SHA1 | 942ddb03a0a08f3e8b03d9251d7363b5c79607c9 |
| SHA256 | 83c80ab10d314eaaa3929c9b0adadbbee4dc356fa1f1e36d3aabde52271378e2 |
| SHA512 | 77eb880899f277124f9bccb122cd4390d01ebbd547603a4fe488e665d86a45475a2d3919c7dc67fb2580c318c524f99120f6dea6393df30bd2bdb6b915aabbab |
C:\Windows\SysWOW64\Hjfnnajl.exe
| MD5 | 918a0030a0d60799ffe60aed89e69eeb |
| SHA1 | eae5378a5a4edd444a6341019bf2d6b95ee3ed9d |
| SHA256 | a34a7ab92eedf1fd25224530ee6831598d8959790b71fcd1e4a744a48d9a6ef4 |
| SHA512 | 80cbd3db299871e893e58a27b321afba3faa62cb1e2cbd24a5de97c180cda05d2749f4d748b880ec060530169bcc4bab95e8e522c72f304973d34e4046e1e727 |
C:\Windows\SysWOW64\Hiioin32.exe
| MD5 | deea7c1c2c28b0d2100e17af40e1dcf4 |
| SHA1 | 9ef96c2a85faec519a7ad17afc569dab265c2d7a |
| SHA256 | 4ebff317a99e355738415215e60ca1fc54a627967db6e9a409cb53935e9a4b8c |
| SHA512 | de9464b691e0cebe7f835551d949393a95ee9ec2816b69f956d8d538ffa835ce5aafb36a59d868246e4b51af728fa585ca954460e3b911553a0b470b2646b482 |
C:\Windows\SysWOW64\Ikgkei32.exe
| MD5 | d874b0e5ab8e1fcc9df53c2c6ed9519f |
| SHA1 | 236db3294a864b023c973a4232b16d6da0003d06 |
| SHA256 | 3aee878c12ef007addc6e0ef5c47b23fa954d4d46f7fa94f8e3d178d3ca07cf3 |
| SHA512 | 5cdededa0498c2fd1bdf53124ec5dc01746852d56c75eb7a4bc519060b6f123d8f8e47757ad15322dca6120341f5b4b73ac3c7d0b2e4fc5b3bdb800a27572436 |
C:\Windows\SysWOW64\Icncgf32.exe
| MD5 | 6275f2e4ce79a5361257e448da099618 |
| SHA1 | 17b830c58998c6fca381ed3d09665df4e679d55f |
| SHA256 | cbf119015bab6b6339abf494a547c42bf8ca8dae60aafba3d23e1541c7e237dc |
| SHA512 | b1b73ddf66c0ebdfe7a6cef565a8e0181587b05b42375440042584ff4b47f7e095cbbdfb8f9be78105cc5807ad3ebbbeb5b2aca6176daab81a1ba2dc0c5d8012 |
C:\Windows\SysWOW64\Ieponofk.exe
| MD5 | 86175e16f80904c6fd10a0d3a3f02aae |
| SHA1 | 3e1371215aee20f31c8559801b28994f20fb8c61 |
| SHA256 | 8903ab1434a549f67698ce272ef3bdaca897bda4228f327d59b2b7d4aaa6ef81 |
| SHA512 | 125bb2f4ec1188bf3743562e3c33bcf385e04207d485d322afe55c7ecb9f816d1d5571692e0ce1089ddd18708e1eab39adcc06411eb3eb84217e49a51ed5c5c9 |
C:\Windows\SysWOW64\Imggplgm.exe
| MD5 | 62772ee020438cb04eb468dc7b125b6a |
| SHA1 | f34e211b20ec29373fa9578d45bfb5fa630c55f7 |
| SHA256 | ff7d96961448784618e270ffae14c8ace480f911e48f59dadef50baf69a396f6 |
| SHA512 | 335ef9364eee0006507cfce500dd8592e731b46d15bc8e90e3fdc9d01ef1540d9240df526bff2dff249992ae594c161981d40db49458c08e2cf0f3b535217b5e |
C:\Windows\SysWOW64\Ioeclg32.exe
| MD5 | 43189539dbe4c5665c623e32c20a392f |
| SHA1 | 01faa93230535ff07083af98fa2fd607d3ea6721 |
| SHA256 | 816ffd9940acd534fddb69a3623e1670728ffd7ee8d7d3bb970704e7baa51cb5 |
| SHA512 | 0392231e51f958792e89f5dbbaf6bbed1209ab20c86a73d6ffad369d8dac66550511425abaf41b614d32eeceea8fb158ee48501d75d989ff1252a45b67f877c3 |
C:\Windows\SysWOW64\Ibcphc32.exe
| MD5 | 8e5a48c1fe1b615cbb68f8b9a6167bc8 |
| SHA1 | ea08173b1a24ec5e184d6aab513ea7c5b6d6e9c0 |
| SHA256 | 46ca39c439829d90da47f6204caaea279dc3276c6d3fb555c60ada15bf87e704 |
| SHA512 | 140573435c61939d98de7713e68c66b2c9c5f98e62f038ad644c6cbbffd3085b412baf3605d2c78ee283909626d9c31956aa316896e1b966443b1dea243fb2a5 |
C:\Windows\SysWOW64\Iinhdmma.exe
| MD5 | fa45feaa852b217b5b39f02a4a55e083 |
| SHA1 | 1b9e093d59a0d75147e466ca6defcf2433aeee94 |
| SHA256 | 355b0d6f506d1b6a933879bc3c8194e93ff7d563db4020fa47d0b19cb71e673c |
| SHA512 | b0ea541523b31e2adab33fcba593dd9d7a8f26bad4ab93decfe9c7c874aab239e0b4bb033a52e2e7792d8ef1c12b585102cd774d3c071b3752b53097e877ddd8 |
C:\Windows\SysWOW64\Igqhpj32.exe
| MD5 | fbaaad4c812f214e243725ceea016b8c |
| SHA1 | 48a148a984c967f6a5a6b95af3ff54aa4378ea9d |
| SHA256 | a19c739c8e74b4503081e864d4127def09f588d20476645b2ffec61a2ca8f7d2 |
| SHA512 | 7ca1f27d246de2998ec38a861ba5a077ce5617efefac510f02b080f0da618c7a6f8d7daac75dfae68910244481612977ccf131ab65b7bdbaf98e8aabc3cb165b |
C:\Windows\SysWOW64\Ibfmmb32.exe
| MD5 | 230eebcc35e688d8bd527272d758e846 |
| SHA1 | 0662be7bde2bd522594a6042a659ddacf7d83a54 |
| SHA256 | 2f5e24073575d98a1fb5bea6a52494281bd6d668da29c18092fd4d44e7aa519f |
| SHA512 | bc92c12e4f6b765b15fe3f4fa3e6a979045888171460dcc74e6c29fe755d27eeb92f3546216dee65cd66398c39020581b02762725070fece8808ef0248194f89 |
C:\Windows\SysWOW64\Iaimipjl.exe
| MD5 | 4e628de480b5bd8293c40a297315e771 |
| SHA1 | 229a3a895853c66fb6089cf0fd050d00caeb330b |
| SHA256 | 76022d64a13a8f10e91955719ef9d283ac9f95a84632254cb5a63d4e0e3bf1b2 |
| SHA512 | e0f6d47e1ccd5e17bb6aa16639a895a1b1ff4dc690d024c3556dba3eb46a65d30da9413abf58daaceb55501fac9218cf9953e9d1f05e5b71380486e9973f5083 |
C:\Windows\SysWOW64\Igceej32.exe
| MD5 | f63c094d497d8b5960a5dc9a04a6805b |
| SHA1 | 7b5587aa389d1905ee06d4855b3dc5d687167115 |
| SHA256 | 8b410531e00ace02f329f5787750ab7ca145c7a85bc2b61116d5807b71daae78 |
| SHA512 | 0e86208c3256cd63858b38de095a6d68ba9334b0b35dadb781d60a429996efd2762996987b7035e251349ea8a6de0c107b2a95a207feea7093ad1214961f144a |
C:\Windows\SysWOW64\Ijaaae32.exe
| MD5 | 2680219ee446f439cc7889507a210a04 |
| SHA1 | 573d7d4022a26e1c8d11d0512267a7735ab3c7b1 |
| SHA256 | 3349b46b632b556481302cad67945812ac8d83c52b2d72f35961caccc38c51c4 |
| SHA512 | 209c46d1a21a2be36e8f8d9267da5372b66b07eb754a2febd1c72e0abe578b7d92f43d84ffdbc3460721b07146e32c72edab8566810e7e4f6a3d40ac48bebf0a |
C:\Windows\SysWOW64\Ibhicbao.exe
| MD5 | 0257f6c313614e483a722b441f53fbd7 |
| SHA1 | ae6d753b951155c327e8d225c649f6c08c48e434 |
| SHA256 | 0a4dd5eb569bbc67718b150cd30cbcd98583f8a9a9e2faf878128a3ea26568a8 |
| SHA512 | 0e1af6fd8a29eb97e1db57b4f38365d2a76809390e0fc6945382d221cfa4ff5bd753d191e08bc93780370da56edba4048a7a715b4a801a494953c42897f55e00 |
C:\Windows\SysWOW64\Icifjk32.exe
| MD5 | 54b7c367abe1ae806737482b3e86dc2e |
| SHA1 | aded6fadea99abfed3e5fb8add09b6e30c509e09 |
| SHA256 | c04db9fb600553d3475d7fa0526f7586e4c394c15760c6965e307eb60e60dc7e |
| SHA512 | 0d1b8aaeb8d587ea6e3fc58e6477e03189d19502fa3f275472aa22f94687c1aee5bf24e28a0f706686d3ef3dc3fc1b9b7cf5d8bc7124ee162695114415d3c256 |
C:\Windows\SysWOW64\Igebkiof.exe
| MD5 | 63b530595622b8302cd7a75ee0b3ef69 |
| SHA1 | 268f98b849d325acf78ac5929dce459c356c13dd |
| SHA256 | 337c63dfc5add524f5ca3e4480a4d3ac72af6ba2907e3e3a5aa798f72d0ec8c8 |
| SHA512 | 007c546a1c9fd944aad0c467da716f69446413cd300db4375da1a7e703a541009deb0bd29d62b6317c145cb3f4cbc2b4f75ed0dd220a024f15fae81c75768c94 |
C:\Windows\SysWOW64\Ijcngenj.exe
| MD5 | ee112dc34e4c81e138486e5ab8405464 |
| SHA1 | 9e275a20a3e3c720107652f214aaeded05ed7b5c |
| SHA256 | 2f91164b4a9ae8fd2be5a001892c04b7033df60c98196411f310dd5d92e2d8ea |
| SHA512 | 00483e8a9322db7be098b4d0d7c190557d3d35fc1fc9dab8cabed496ea54272ff9a26f4e5b3272c6e282afd704acf459f188e4cd7257a55eae2ed1b2e561fd92 |
C:\Windows\SysWOW64\Ieibdnnp.exe
| MD5 | 8cef5c8abe536eb44d60d0d91627aec3 |
| SHA1 | 84fce9cfad2250bd1b3f84448bf0ebea74808db4 |
| SHA256 | dc5cf66e669c5c002dd1d84bb8faa3d00ebebef7795561c271ad333293435803 |
| SHA512 | 295ca3bd1b42cfcf6e1d0fceea5e5995bf6121ad38561d7261ed6e11bd677dc32f74c2893b9992b8a806db976118ca31a9e9d0650970f5a3a053b3befb17f5aa |
C:\Windows\SysWOW64\Iclbpj32.exe
| MD5 | 7b8e5298981a803fa3dd986d4cdedfa7 |
| SHA1 | d397f416d34c0e3657e459abe325f52f3deaedc4 |
| SHA256 | 5b1d554119b8cf0f26cfd80e0e8607e983ff7f13bd5f95db1daf1e2adfafb61c |
| SHA512 | 5a7b08408960ae637fb000d2dfcfdc5716b7d77b2debbec3e7682bfbe7591c0715e9872f586ad6592a94994e6a020e2fc0106a61c34aced16e53e695cb627c11 |
C:\Windows\SysWOW64\Jjfkmdlg.exe
| MD5 | f0ecf5ca8de4c4d6737191d7d7bd85f1 |
| SHA1 | 0132cb1b1dd1403cca4bd50375c1ac6ed4710988 |
| SHA256 | 292290aa2ba6d3fe40cfcdab539522ee908e1ac936f3744cb35ed961fe3c8da3 |
| SHA512 | 290239052719dcfaf6a5b009d421496e6dd92110d3a13ae2686c865dc5ff713a70c37001cb44951fbfd440888b4760cee34b5bbfb3f5ed60c4e348dec23104d8 |
C:\Windows\SysWOW64\Jmdgipkk.exe
| MD5 | 875cd931c3c09c2b7afd386103c15126 |
| SHA1 | f26399247099977d42a0efcc9918a98c699d224c |
| SHA256 | 03a1240458e4230752a71df9e6ed156eaae7db297f15a80963e075bfaeb78d35 |
| SHA512 | e479fd566336471ccf024f7a837ec39c06b0a03f3d34705cb003888551d44c87d840fd1cdc94fa8bd871f19845e7153ee499b9dd605b4e7ce975d852e8822fd6 |
C:\Windows\SysWOW64\Jcnoejch.exe
| MD5 | 9d3afc64bc1f81ed008b1bef35a52bb1 |
| SHA1 | 5db8d8973198306db39b4e645d736f625f039359 |
| SHA256 | 703c359754b6661a5eab321746599a3b5a70247b6444ec126ac952a604c9be59 |
| SHA512 | 618f2aed2decf651c6853ef65922c52d6c02c5d75f53613077f058b264e77eb9772c92166298f44252006f59a4508b1ae7826d52ca34920c77e1c50f77f195ee |
C:\Windows\SysWOW64\Jgjkfi32.exe
| MD5 | f52185eab938e3d1125b1f8dcb6e14d9 |
| SHA1 | eda27e392702b6dd2d5e0959df6b25fefdf6d703 |
| SHA256 | 1c1332b327ed6058f74f9c8033e916acd1bbcf2f7f3b73bbc24648997e67a90b |
| SHA512 | 69b72e9d1f4ef44dc367ad95b7775d0bfa489837778f0140c1a641d020ab520a08bd5160b68b20aef5e4bf9ba398b10a7b4970b1afa28f8102361689dfd5a002 |
C:\Windows\SysWOW64\Jikhnaao.exe
| MD5 | 759355976c0f791ac083615b676258cb |
| SHA1 | 8b5b57602971ad6f3a5efea2962be167489e57dd |
| SHA256 | ab9ad0ca94a9fc70789e6c6267671292b42808388d5f20a0e43f92058280beee |
| SHA512 | 79ae51e8d6255bdf54cfbbec380bed7ae6887166e568964e15cb5009c2b4b25cc107ae27ca5a06bfe9cd1a588140c4613093accc9795681770f70c0e7ba8111b |
C:\Windows\SysWOW64\Jabponba.exe
| MD5 | 353f41b83c45024d3bbe6f412a1ae200 |
| SHA1 | 3df0d199cc0820b19e2f94bb3f7c6b836bd1d991 |
| SHA256 | 2b6b2a257e25e49a7ab233e586fe6fab32fe54ee8a011577a431139e38a49479 |
| SHA512 | 498c65bf469818c6e652894d26a18064f993f2617202b8c9c937ade076b43df3bdc1c1fbf606cc7e7a5bf534e8e8c1bda05909e970eb9a6e2bfc17c576e445bf |
C:\Windows\SysWOW64\Jbclgf32.exe
| MD5 | 4ebcde5e69f760a35abec7552fe3b581 |
| SHA1 | 3a4b28892a6057e84a48b93200551ef995f0733b |
| SHA256 | c72154cf14cecc4752cc4a08628c9e658551db2e5ff8c5a236c2091b2d5fed5a |
| SHA512 | cac348b967c38b50dc3e4e66a31cc063b74e6cc3d1dd0bb40b7fa092eeff4d24a8de52c9872d4cf8851b2eb5cb9c7ad6782994dcd996a552cabaee0f4c4b250b |
C:\Windows\SysWOW64\Jfohgepi.exe
| MD5 | 8d006f0a56fc9970c20dbb64531944f2 |
| SHA1 | 63b2d3976da522055bb997be52e8b5049dad81ab |
| SHA256 | e6a2d487c0fb77ba08f6cf0f2c201a675d97a020e4a103eeee0528db23a4ba3d |
| SHA512 | dafee778d2fe1a65f2874d2d50eca29afd1c2e9e3a5379d9b0f33cf42bb47cc7277645fd3e461034cf963a4e45a16265437dc83f78a260033f03e18477339d94 |
C:\Windows\SysWOW64\Jllqplnp.exe
| MD5 | fd1cf39ddcc93c14e4dd6c4b0c19eb45 |
| SHA1 | 1971fbb099595941b0c28e7766814165f9a892d9 |
| SHA256 | de222acee1af1fc487afc707537e7641d71c1d1b92df038ff357a4868c2b9eae |
| SHA512 | 5b6a9e95e1b0342b9e0092a46080ffef66a5616e3818713ad552a7f1eb2eb02e5cddfd638586abf0f1afde93e98a588e6ab7de5d53c5fb67c83706656b266b44 |
C:\Windows\SysWOW64\Jpgmpk32.exe
| MD5 | e75c4f2bf659679ff8f0b8bc652a2d31 |
| SHA1 | a392980cd24de2d873141138de5e340a525b69ab |
| SHA256 | 73506aabb7348ec674edbf2534478349dcb4193886f27639836f5fab02cdf4e3 |
| SHA512 | 3d547a760669de694b4852ab8852a2cf81bf62742b74b6577f6513ba9c765e0091638b692daf24d15a85cfecf01c1feb73a49ff297100b8af596a47178f9cfd9 |
C:\Windows\SysWOW64\Jbfilffm.exe
| MD5 | 45232399f982efb13636b7e274d3c9ce |
| SHA1 | 7c5c242f30c969a1207cf6f9fc8a8831c954acd3 |
| SHA256 | bc2a7fce80940418066b7ecf5640f188a4c7b8ee3f92b3852c1c10224de02f75 |
| SHA512 | e1c9b54046d0817918a2971ed80f9bd5204e7d1c635cf1e066b6821ea05abd0d584b83d29cda66835f59c4c799ff4c8c9c43c291781becc90dc11a7ff0f1bfb2 |
C:\Windows\SysWOW64\Jedehaea.exe
| MD5 | 1887c9a894600eeab4c73f4b38dae4d0 |
| SHA1 | 7bf51044b5ed698e49f2b652837f32795e3009fc |
| SHA256 | 6d677b58fede94fc70dd4f9c854cbe92c1904ca1130c0c3abe7cc5f5419ce137 |
| SHA512 | b852888479f8a176843ee18e5debece9d8f8a2a0e3847a9bdcb32e2b5816d9e7ce5e8d6a5ac0ab9cb4cce72e5940fa97b3bd85f6fc99f876e1ca3b003df626cb |
C:\Windows\SysWOW64\Jmkmjoec.exe
| MD5 | 2e3c258a7badabe8e67d79f2fb09cc93 |
| SHA1 | 01299f1fd9cd22d9084b3e506f04641d128fe113 |
| SHA256 | efbfc74754f067e53a5685b13371b1318ed58feb96660325e6c514c9d82d123d |
| SHA512 | 8b4d001169b1ede5f51340a118e267e1fd8850474c81117cf74f047f97a373423471b6339fd36879fecbe9034b9163e486220725c7127da4b1e5955d0f9f3862 |
C:\Windows\SysWOW64\Jpjifjdg.exe
| MD5 | f793d61faea4e6f994b292b13b3a311a |
| SHA1 | 388a5e780ae0c19c89b78551c0d1e12ec4506862 |
| SHA256 | ebe6f197aba00ad91f4b5b5ddfab2be0f3e93fde3de246473988a00c314b9ba6 |
| SHA512 | 2475a1d680fae81ad83cd49ac276263abfb2b64636f2a2a8b5c44e576bdbef9d0b2ea640fb2a2db5992673f4ae4e0bde1d5cfb79e93d56be62b0c919356667c0 |
C:\Windows\SysWOW64\Jfcabd32.exe
| MD5 | a186121d3e042133ba80d2251351c325 |
| SHA1 | fd6f958dc4ccc052950b56a048104d0585f537cd |
| SHA256 | 7739830e5199b41b29a5cc8b995f88b2721389031dce17914f8d5c249d3e693a |
| SHA512 | 5b1a39aa609a59cf705066b48088f4f13623443d7e8a57dfb52cc5b1e55d39854446aebbf289dd988e609c32cb2b81affe92b56f088a2cee753d63d211af7459 |
C:\Windows\SysWOW64\Jefbnacn.exe
| MD5 | 2d30793e1b379ac4f483b92b28b39146 |
| SHA1 | 5436179fbacfc2a94e40605943ccce939e61a32b |
| SHA256 | f8fe66079f38044e425168b46fe6fe1547b0ada6e0a6075040646ce6e18f497d |
| SHA512 | f9846bdfb5efc354159d262fd608c263d3f3f0ee29b404bd5c9da6776db76bfdc465c93586d9c211657fa4e4dad597796c21894d6abd941f9b2e8875f908812f |
C:\Windows\SysWOW64\Jplfkjbd.exe
| MD5 | 70a12a609a783c56d7fa38d61987cd3f |
| SHA1 | bd0c5bfe2898f746230c88e1176e2a20b8093172 |
| SHA256 | a0d925e288b46c96384c3c99a39736f60bd74cf999021f5162ce6ae448b87021 |
| SHA512 | 98a1e2bfdc33ec3d0970e67b1a379d9d94ec42938983ded6ed451fcfa3edb2d5f9553747fc30eef8932f8e30f04c74cbbe8ce1347c08db9bb961c55bd4584650 |
C:\Windows\SysWOW64\Kbjbge32.exe
| MD5 | fcd7e5bcb85ebdbda20e01e3a891f206 |
| SHA1 | 9384bb726eb42b0dbc4acec0b2e29c88a8e5176b |
| SHA256 | a918795104921505c94e021af0301b9c2bcfac10f475dc0032cbaef3d82daca3 |
| SHA512 | 2beb1dc84eb9d588f642ba8cc981ce9cc5d3bd25d171ad0926999e3dec5fad561c67e1447159de36cdb0854b8db35246f41e0c5e81ea947b6d8dfd0d32042993 |
C:\Windows\SysWOW64\Kambcbhb.exe
| MD5 | 4c9fc4ac689b0bcc52d2294509088eaa |
| SHA1 | 876ab6cd9c8d25c776562166113dd2805e7bd6e0 |
| SHA256 | 2accf84ca79f46a087db0e7fd5f17d7873cc8f3439b836c5e044dbf84724247f |
| SHA512 | 71bbaf8d339b92336f5049aa5e7083ed598cbff2c62c4f246041ad4fcf85aff830ecea51aec985f83d288a8d29b5cb9d0b39b77c546a32443f431baa74d85201 |
C:\Windows\SysWOW64\Kidjdpie.exe
| MD5 | e92b3fa576528c8138138839aece610c |
| SHA1 | 2ac6aa4aa026c502659956f461db6b03a126958e |
| SHA256 | b696ade1360cc01e5529646e2bd1ba6836d683262ec1614ff752a6c4d244426a |
| SHA512 | a73ae6e53e855e57cebbf00c2859683214262e530ed583f60d41224fc8d8bd6dcf666e4a74816def1c22fa4dca12339ffa2d29b7669a87f7e0e6fd735fb3ded7 |
C:\Windows\SysWOW64\Kjeglh32.exe
| MD5 | 95d0bf9ad902c2cb1747932cd06ab943 |
| SHA1 | b85ccf11ea69018b83c33b311297cedc96852dc8 |
| SHA256 | 84f1a676b5741a9f6ce4983552560562e3e374a8e8d4cd5d5e12b0aadeb32e9f |
| SHA512 | 6c772c75ec52d568087b703f6ef770051f16c7105d0cc239f4cc355054cd2c94f33570053248ded748671259d13be4a1256d9b0c4ed9948cfcd1d01128eb3050 |
C:\Windows\SysWOW64\Kbmome32.exe
| MD5 | d3da5ddd34b43dc268ff906a5d6a599a |
| SHA1 | 90862efd3599103d4894f0c3392e82fcd4438275 |
| SHA256 | b39c461e32fcbd3b7b5220b909455eb40609abc36d615a3043e68912454e8417 |
| SHA512 | 0b5b38f09ced3f4e1f6a3fbc3d99dbbc6b052cc7937ffc8a4685c79a40964d3309c2ef12495a3ac68f78c846b154feaac2227507e726431b0192c4ae338976ff |
C:\Windows\SysWOW64\Kekkiq32.exe
| MD5 | 599cf3a1640845449df809e320e52025 |
| SHA1 | d8c8f5a7189f1efa08e7482148aaf08f5223cfc3 |
| SHA256 | cca06c8e17640dd280724b8311fab18c5853279a1e7e37d9cc7237b4ea549c43 |
| SHA512 | 50070f67d93135ae5a75d5c483fe182b23320ecf1ea2f81799fedc069a6addf41fc19a1b7207754060573df97565f4f678899e67a57de6d1c8de04625976c177 |
C:\Windows\SysWOW64\Khjgel32.exe
| MD5 | e78b7dd0a1984bf2736c79767056b183 |
| SHA1 | ad92ef5d8d643943ca36a509cb6684ac2c7e8903 |
| SHA256 | f87588b00cc7ed812dbc35166e44a1d43a3b9867ab7312de3e82c9f849e69758 |
| SHA512 | fe6cc320627481de2b2cb90323aadcf59c81e596a666efbf03caf9de032ad67200bfe4d5dd725c3dbddbc1b1b3caebeddb680f13599625e1a8d7690fe2712727 |
C:\Windows\SysWOW64\Klecfkff.exe
| MD5 | 4b3486bcfad33365d175e7ca1d057f5e |
| SHA1 | b104274390235f19868c944fb748ae7f5bb58060 |
| SHA256 | 29d18dc067790787827d5dbd403acf83031214c002a2bd4639c8fccc5e7b8005 |
| SHA512 | c04322db7c0d92636474d9f69270ee64a56e7a6340cc1a1fd844b85466da7ffda90e4146b801f8f53082a2626a1bfc52c1d6d2d48f2150e711d6526a78750ea3 |
C:\Windows\SysWOW64\Kmfpmc32.exe
| MD5 | 0162b4f05e90ee6f93c1a9fa76e78492 |
| SHA1 | 7f6ebb55572fa20258dc59de8d33ea206b5efc23 |
| SHA256 | e01c88bffd3509f005fe48f2b8bf5d7e638101a1a861624f6c0883f1c230ef0c |
| SHA512 | 7fd5b2cb51fb3a80bd009665be26b58bd7b012a0e63bbb3cfa1f5342537f82e6b7f24237cdee1451c488270cb9a07aeeac822987b15b008c3f08197857467e12 |
C:\Windows\SysWOW64\Kdphjm32.exe
| MD5 | 93ccff09e46bf40e00c611d453760b9c |
| SHA1 | 15472a6b44c152aa6318210ef149cf40b354af25 |
| SHA256 | 28dd521bac79b158b7c4fc28017233b2a4de730d9bf9e839eb3a4616b9ef9ef6 |
| SHA512 | fbb71bce697a4f05e299b8aaad1b5af2155276f2f6ed54ec9a2b25f3fc6b3d101eefc82b3dd94887f8bc018978ed4de8da7bddd57d7ecf927a7eef70f2c2bd94 |
C:\Windows\SysWOW64\Kfodfh32.exe
| MD5 | 286c00c5450e280caae8810d25217a3e |
| SHA1 | a58aa86c6ebc6c4a1ebc2ab934761791fee7d1ef |
| SHA256 | 8df36bac2b826beb9fb731e580193d9daafe9f9cc89fd65e8a0112228a3c9ca3 |
| SHA512 | b80e48a2873919f761e90a1f1af507c2fa80fd7cc3fe2777ea553af14285815a7bcfe22a8d5dd79f31abcd2c2bdef10a2c304ee95101cbb10edb8c2af8254280 |
C:\Windows\SysWOW64\Koflgf32.exe
| MD5 | dd55d2717d0ba25abb4c70c0b2299cf9 |
| SHA1 | 77b6525d02d46e48e0a4059799f612834fef5818 |
| SHA256 | dec0e4a38567aae13344c38c42dd3dd873d2a00557d7284f8829822c553af0c0 |
| SHA512 | aa43fc4cbf4948f2e0732920854498d9c8bfd10cca26752963a446a3542b06f033fb4a2ce74039dd60aeb4e3310fde3ef5cb625990fdf4690cac788c030d1c4b |
C:\Windows\SysWOW64\Kadica32.exe
| MD5 | 0add03079e687a0168ec3e586f91208c |
| SHA1 | 3964aaaa52e8a30331df03c14da454673fa16d73 |
| SHA256 | 51392169e55851c714e7c9cd87b79d76be670c46f99b72e03d7cc4516bca8a1c |
| SHA512 | 52874a5d4fa0027827658e733b43d4bb15cbefb8a85df7b3d034af46dc383fe3bb1a60e420755449bd5534312801a3a6ac9d2ce53346badbdc1ed91c3871645d |
C:\Windows\SysWOW64\Kdbepm32.exe
| MD5 | 7af475d71431f4bce00f85a4f4f10bef |
| SHA1 | f5ccab8c51c532575f1270c64cebd2d59032959f |
| SHA256 | 1e873d9f8d710b0b2034e7934f0f7753fc0730e8c19bf6d459e432a9851c2425 |
| SHA512 | 78f89695229e811de8dea45d09f94411f5ec9a5ef10a90ea25d67aa42534844b07fb3e232d843bb4b12f915fc479f7dc1b24e7a8b2a1a98c40a9f333d58c39d8 |
C:\Windows\SysWOW64\Kkmmlgik.exe
| MD5 | 17848c13229115f0193fe4f99d42a91a |
| SHA1 | 08c50d7edad2684a8c0164299d7ecc7bc63f4e04 |
| SHA256 | f521faa6321fa7084cf77fa41bd6b7ccb1480cfb461cde522bd69a761808e4ae |
| SHA512 | 14d9ec5301a8655c1ea668ba21e5270df68502e9d66f83de6e7ac71a222047ab13e1cf830fa5c140c103926060e7c6d5c9766e23adf1b65ad86aae271ffcdb7d |
C:\Windows\SysWOW64\Kmkihbho.exe
| MD5 | d12f0ef0ca9718cde43cff92cd68e110 |
| SHA1 | 68cd87486b6af77b53fb064fdf797fe572c14e60 |
| SHA256 | 444538537ac6b039d49fa967b6e1af924515816f40ea3d160b3feb4ac14f9ca6 |
| SHA512 | 4b59d72b76ebddf2058eafaa88c4b666b72fbf9c281b9bc51411d9fd5aa2497937b1dd54e4649f0cd95443ad4a843ff6bf5ad6629383feea35d0245a0144beab |
C:\Windows\SysWOW64\Kbhbai32.exe
| MD5 | 26d6a367cfd39bca28aceadfd723659e |
| SHA1 | f85659ed57cd32a33f15d9a671a754654b7db112 |
| SHA256 | 8e6ec83c8a1d13e7fb30404cacf59b47f1eeb673c680dc82f39f6cbdcc557c05 |
| SHA512 | cc4596c5b74c3c688acc32247b00347a879274515039c907df00268c373e64b75949170cebe183e5698c39e2400d3b236c75408a9260844bd598f837451495ce |
C:\Windows\SysWOW64\Kgcnahoo.exe
| MD5 | 2dc58f6b5fbf43dc27a0f87358dd4ad7 |
| SHA1 | ea9b6c2c42d26d9bc538bd9e30e345ad725d8625 |
| SHA256 | ef4d69c6c2466137ad57ded34aea459484bb2e1e1433dd3794ea8874173d94d5 |
| SHA512 | 3cf87088924589e808e78310340d8cb2181b53a4dc6032063367efbdcfd375dddbb3d2ccb476a59fdf67f0595a4b7300557e5e12b6cec185443cc1f3a6d67a40 |
C:\Windows\SysWOW64\Kkojbf32.exe
| MD5 | 97c8a79a9ac0f1ad5d9f27c7ac83bba5 |
| SHA1 | 86bba63c4bb210df199e342a992a5c2b32db1747 |
| SHA256 | 3ed3bc35cb8e32b41dd95ff55533022f5fc9174d4dedabefedb7c532d6cdcdcf |
| SHA512 | d9ee5918283316eb6528429f6c3e1ef4e252ecd512fabfaa786bb79589305dcfd4be66a62ba6da7a3fce1c04d72bba169dc8c8b0d53c65f61d7a1b43f82c5ad6 |
C:\Windows\SysWOW64\Lmmfnb32.exe
| MD5 | 98e54d1b1c94bf32bedb89d7709321a8 |
| SHA1 | 7c0d865b7690fc49b4ab2e6c2b76db712e870744 |
| SHA256 | f85c2d66429d0a43d255891d89d76b82f9402bb28cc341633e7f81eb745f8f97 |
| SHA512 | 6245e228f088044cee25551e7f7889c16fa0e47775eaa5d6ff5a38f9ebf32f39d7c1de879db58cfd1a749086a76c81ca813137c527cd09201d95d7af3a0acb3a |
C:\Windows\SysWOW64\Lplbjm32.exe
| MD5 | 97b5a2136417245293cf005305f5f671 |
| SHA1 | 78779be02cb91d2abfa7a7fae2767aa47b2ae1a2 |
| SHA256 | 83f91354fd5bd29ce166b6d39f07b3c966dd3153d64f41ab24d5744ad22e4668 |
| SHA512 | 5311b923b101e98dffca461a2edc3d44e0c0a473ca611a5285e0c690087655c63524c72eaea78351b9658a927af4e3a39d204a95955ddc7caac32bd684a79276 |
C:\Windows\SysWOW64\Lbjofi32.exe
| MD5 | 56a6edd1898dcee260680f1c6965ff85 |
| SHA1 | 36f1a108b6d1c63415d591e64380208b50fb5a63 |
| SHA256 | c5589765993e19500cffc1b6fa8cf8658a2c5652a60c345c6c032dd6dd366340 |
| SHA512 | 3bd8e3b30095b4868a9af875d3ce4cbcb99ee922a3671de84ef40fb2e9e91fb6f181b981ce56a409d29284e1d0b654f44ad2574f9fb283fe835466be78a52019 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 10:05
Reported
2024-08-06 10:07
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
120s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjnaaa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbgfhnhi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lbqinm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldbefe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jaljbmkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jhfbog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Klpjad32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kehojiej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldbefe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lajokiaa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhfbog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ldfoad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lbqinm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbgfhnhi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkgdhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Khkdad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ijpepcfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jjdokb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnedgq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jnedgq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldfoad32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkqgno32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iecmhlhb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhhodg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ijpepcfj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jejbhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jelonkph.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lbcedmnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ibbcfa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jhhodg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Inidkb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jaljbmkd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjdokb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klpjad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Llkjmb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lkqgno32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibbcfa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kehojiej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lbcedmnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jlfhke32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Khkdad32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ilkhog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jacpcl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jlfhke32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lajokiaa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jacpcl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iecmhlhb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jelonkph.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jjnaaa32.exe | N/A |
Gozi
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Pceijm32.dll | C:\Windows\SysWOW64\Jacpcl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjejmalo.dll | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldikgdpe.exe | C:\Windows\SysWOW64\Lajokiaa.exe | N/A |
| File created | C:\Windows\SysWOW64\Balfdi32.dll | C:\Windows\SysWOW64\Jejbhk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jeaiij32.exe | C:\Windows\SysWOW64\Jacpcl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ieaqqigc.dll | C:\Windows\SysWOW64\Ldfoad32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfamlaff.dll | C:\Windows\SysWOW64\Inidkb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kopcbo32.exe | C:\Windows\SysWOW64\Kehojiej.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iloajfml.exe | C:\Windows\SysWOW64\Ijpepcfj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjdokb32.exe | C:\Windows\SysWOW64\Jhfbog32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhoeef32.exe | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ilkhog32.exe | C:\Windows\SysWOW64\Ibbcfa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pakfglam.dll | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| File created | C:\Windows\SysWOW64\Khkdad32.exe | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldbefe32.exe | C:\Windows\SysWOW64\Lbqinm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jelonkph.exe | C:\Windows\SysWOW64\Jhhodg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaljbmkd.exe | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Llkjmb32.exe | C:\Windows\SysWOW64\Lbcedmnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jaljbmkd.exe | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jelonkph.exe | C:\Windows\SysWOW64\Jhhodg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jlfhke32.exe | C:\Windows\SysWOW64\Jelonkph.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jjnaaa32.exe | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Klpjad32.exe | C:\Windows\SysWOW64\Kbgfhnhi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kemhei32.exe | C:\Windows\SysWOW64\Kkgdhp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lojfin32.exe | C:\Windows\SysWOW64\Llkjmb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbfhni32.dll | C:\Windows\SysWOW64\Lkqgno32.exe | N/A |
| File created | C:\Windows\SysWOW64\Denlcd32.dll | C:\Windows\SysWOW64\Ilkhog32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjnaaa32.exe | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Llfgke32.dll | C:\Windows\SysWOW64\Kehojiej.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjmheb32.dll | C:\Windows\SysWOW64\Iecmhlhb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jhhodg32.exe | C:\Windows\SysWOW64\Jejbhk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iecmhlhb.exe | C:\Windows\SysWOW64\Inidkb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldnemdgd.dll | C:\Windows\SysWOW64\Jjdokb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ldbefe32.exe | C:\Windows\SysWOW64\Lbqinm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Elmoqj32.dll | C:\Windows\SysWOW64\Jnedgq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eloeba32.dll | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| File created | C:\Windows\SysWOW64\Okahhpqj.dll | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Idjcam32.dll | C:\Windows\SysWOW64\Lbcedmnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ijpepcfj.exe | C:\Windows\SysWOW64\Iecmhlhb.exe | N/A |
| File created | C:\Windows\SysWOW64\Eepbdodb.dll | C:\Windows\SysWOW64\Jhfbog32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbgfhnhi.exe | C:\Windows\SysWOW64\Jjnaaa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Khkdad32.exe | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ldikgdpe.exe | C:\Windows\SysWOW64\Lajokiaa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ibbcfa32.exe | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jhfbog32.exe | C:\Windows\SysWOW64\Jaljbmkd.exe | N/A |
| File created | C:\Windows\SysWOW64\Jejbhk32.exe | C:\Windows\SysWOW64\Jjdokb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnedgq32.exe | C:\Windows\SysWOW64\Jlfhke32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkgdhp32.exe | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ilkhog32.exe | C:\Windows\SysWOW64\Ibbcfa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfmeel32.dll | C:\Windows\SysWOW64\Klpjad32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kaopoj32.exe | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aomqdipk.dll | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkqgno32.exe | C:\Windows\SysWOW64\Ldfoad32.exe | N/A |
| File created | C:\Windows\SysWOW64\Afgfhaab.dll | C:\Windows\SysWOW64\Jelonkph.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kehojiej.exe | C:\Windows\SysWOW64\Klpjad32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebpmamlm.dll | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpjkgoka.dll | C:\Windows\SysWOW64\Khkdad32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lbqinm32.exe | C:\Windows\SysWOW64\Khkdad32.exe | N/A |
| File created | C:\Windows\SysWOW64\Llkjmb32.exe | C:\Windows\SysWOW64\Lbcedmnl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lkqgno32.exe | C:\Windows\SysWOW64\Ldfoad32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkgdhp32.exe | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfdkqcmb.dll | C:\Windows\SysWOW64\Kkgdhp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ldfoad32.exe | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbbnhl32.dll | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ldikgdpe.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ilkhog32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jelonkph.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kehojiej.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ldfoad32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ldikgdpe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iecmhlhb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jnedgq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Llkjmb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ijpepcfj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhfbog32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjdokb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jacpcl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klpjad32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lajokiaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhhodg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ldbefe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Inidkb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkgdhp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbcedmnl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jaljbmkd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Khkdad32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkqgno32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jejbhk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbgfhnhi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbqinm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ibbcfa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jlfhke32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjnaaa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjdokb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ijpepcfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapchaef.dll" | C:\Windows\SysWOW64\Jaljbmkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibbcfa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Llkjmb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kbgfhnhi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lbcedmnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnhl32.dll" | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jlfhke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjejmalo.dll" | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jaljbmkd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jhfbog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll" | C:\Windows\SysWOW64\Lbqinm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Inidkb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpmamlm.dll" | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kemhei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll" | C:\Windows\SysWOW64\Llkjmb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lajokiaa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Inidkb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll" | C:\Windows\SysWOW64\Jacpcl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Llkjmb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll" | C:\Windows\SysWOW64\Lojfin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfamlaff.dll" | C:\Windows\SysWOW64\Inidkb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jhhodg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kaopoj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lbqinm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ldfoad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakfglam.dll" | C:\Windows\SysWOW64\Iloajfml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhomgchl.dll" | C:\Windows\SysWOW64\Jlfhke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kkgdhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ilkhog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Klpjad32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjnaaa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll" | C:\Windows\SysWOW64\Jeaiij32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmgkhgl.dll" | C:\Windows\SysWOW64\Jhoeef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnggccfl.dll" | C:\Windows\SysWOW64\Ldbefe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jelonkph.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ldbefe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll" | C:\Windows\SysWOW64\Lkqgno32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lkqgno32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ilkhog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jacpcl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapijm32.dll" | C:\Windows\SysWOW64\Ibbcfa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iecmhlhb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balfdi32.dll" | C:\Windows\SysWOW64\Jejbhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jnedgq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll" | C:\Windows\SysWOW64\Jnedgq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll" | C:\Windows\SysWOW64\Jjnaaa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll" | C:\Windows\SysWOW64\Kopcbo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Khkdad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmheb32.dll" | C:\Windows\SysWOW64\Iecmhlhb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jaljbmkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjcam32.dll" | C:\Windows\SysWOW64\Lbcedmnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlcd32.dll" | C:\Windows\SysWOW64\Ilkhog32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe
"C:\Users\Admin\AppData\Local\Temp\924175e1c77a17d831516187efdb1d60N.exe"
C:\Windows\SysWOW64\Ibbcfa32.exe
C:\Windows\system32\Ibbcfa32.exe
C:\Windows\SysWOW64\Ilkhog32.exe
C:\Windows\system32\Ilkhog32.exe
C:\Windows\SysWOW64\Inidkb32.exe
C:\Windows\system32\Inidkb32.exe
C:\Windows\SysWOW64\Iecmhlhb.exe
C:\Windows\system32\Iecmhlhb.exe
C:\Windows\SysWOW64\Ijpepcfj.exe
C:\Windows\system32\Ijpepcfj.exe
C:\Windows\SysWOW64\Iloajfml.exe
C:\Windows\system32\Iloajfml.exe
C:\Windows\SysWOW64\Jaljbmkd.exe
C:\Windows\system32\Jaljbmkd.exe
C:\Windows\SysWOW64\Jhfbog32.exe
C:\Windows\system32\Jhfbog32.exe
C:\Windows\SysWOW64\Jjdokb32.exe
C:\Windows\system32\Jjdokb32.exe
C:\Windows\SysWOW64\Jejbhk32.exe
C:\Windows\system32\Jejbhk32.exe
C:\Windows\SysWOW64\Jhhodg32.exe
C:\Windows\system32\Jhhodg32.exe
C:\Windows\SysWOW64\Jelonkph.exe
C:\Windows\system32\Jelonkph.exe
C:\Windows\SysWOW64\Jlfhke32.exe
C:\Windows\system32\Jlfhke32.exe
C:\Windows\SysWOW64\Jnedgq32.exe
C:\Windows\system32\Jnedgq32.exe
C:\Windows\SysWOW64\Jacpcl32.exe
C:\Windows\system32\Jacpcl32.exe
C:\Windows\SysWOW64\Jeaiij32.exe
C:\Windows\system32\Jeaiij32.exe
C:\Windows\SysWOW64\Jhoeef32.exe
C:\Windows\system32\Jhoeef32.exe
C:\Windows\SysWOW64\Jjnaaa32.exe
C:\Windows\system32\Jjnaaa32.exe
C:\Windows\SysWOW64\Kbgfhnhi.exe
C:\Windows\system32\Kbgfhnhi.exe
C:\Windows\SysWOW64\Klpjad32.exe
C:\Windows\system32\Klpjad32.exe
C:\Windows\SysWOW64\Kehojiej.exe
C:\Windows\system32\Kehojiej.exe
C:\Windows\SysWOW64\Kopcbo32.exe
C:\Windows\system32\Kopcbo32.exe
C:\Windows\SysWOW64\Kaopoj32.exe
C:\Windows\system32\Kaopoj32.exe
C:\Windows\SysWOW64\Kkgdhp32.exe
C:\Windows\system32\Kkgdhp32.exe
C:\Windows\SysWOW64\Kemhei32.exe
C:\Windows\system32\Kemhei32.exe
C:\Windows\SysWOW64\Khkdad32.exe
C:\Windows\system32\Khkdad32.exe
C:\Windows\SysWOW64\Lbqinm32.exe
C:\Windows\system32\Lbqinm32.exe
C:\Windows\SysWOW64\Ldbefe32.exe
C:\Windows\system32\Ldbefe32.exe
C:\Windows\SysWOW64\Lbcedmnl.exe
C:\Windows\system32\Lbcedmnl.exe
C:\Windows\SysWOW64\Llkjmb32.exe
C:\Windows\system32\Llkjmb32.exe
C:\Windows\SysWOW64\Lojfin32.exe
C:\Windows\system32\Lojfin32.exe
C:\Windows\SysWOW64\Ldfoad32.exe
C:\Windows\system32\Ldfoad32.exe
C:\Windows\SysWOW64\Lkqgno32.exe
C:\Windows\system32\Lkqgno32.exe
C:\Windows\SysWOW64\Lajokiaa.exe
C:\Windows\system32\Lajokiaa.exe
C:\Windows\SysWOW64\Ldikgdpe.exe
C:\Windows\system32\Ldikgdpe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 464 -ip 464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 400
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/4352-0-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4352-1-0x0000000000432000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ibbcfa32.exe
| MD5 | 6dc9f0951ccf8323d342ffa88b09cc65 |
| SHA1 | f6d33f6a2db150cb2ff5e855ff0445ec3b90dde6 |
| SHA256 | 4eeb99a05d7852656091b59b9ca39b9e3a7567e0324a794886b7dad46fe0feca |
| SHA512 | fb794dfbf55f0ec61ce2ae1794c6dd9b8836f648c9b3230606d8c9facf7f902c50889fda72e6bda0364f2ce8d8b6a57e595d7833072a2170e3a9bf54eda4b504 |
memory/4480-8-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ilkhog32.exe
| MD5 | 90501ff2a89bb60487cd18e986121988 |
| SHA1 | 849622e1292d71fbae7aac0a2d7a9af5f84da5a8 |
| SHA256 | e11ffe5f2686e2ecc2176df3faf7b59c43d7534a8e51e219a631315e54e7d21b |
| SHA512 | d58758863865e78da48af4da2325adbf5fb6bccb85b36396a4429fe14ccfdf916644b49015a9875b23ce93cc939dc6f3ad54d9399d8f8fdfc9e9678de82445c2 |
memory/5016-17-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Inidkb32.exe
| MD5 | 229365177bb95c7667422884cf88a21b |
| SHA1 | 6a03edf7b69a85e698c14bcfe3fe22f4b6d1f64c |
| SHA256 | 1be6e7db567e310276cf2a69d0ad4a605064f8b478f046447d975e91388ebcf9 |
| SHA512 | 95f1f1c672f13df518ab178698279c5419554e22548f9dc79859f19ce62be9264a9bb9e37d97cfdeada4daa781b42e0b8c79189b69a294b8296fd151f832bc8e |
memory/996-24-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Iecmhlhb.exe
| MD5 | e11e7da5b049784bd33b37e1d4b8dfdd |
| SHA1 | 05e66da74b71fe24b2cf96804f6069f20ba7d7a2 |
| SHA256 | 08b25ff3bebd479d520efa78577e9dd64dcc02ac991b7debcb2b7fcb6e5aadd5 |
| SHA512 | 7717d818a18ae496702c846e6c43cdb11c16a88bb9f87eaa401e5d4c048a75afa13e7e429279a9593b499de0bc7a2ce2c675f22ad7bc2e4454f4d6262dcc40f8 |
memory/2904-33-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ijpepcfj.exe
| MD5 | 698934b436cb29a4740279f55bb15b8e |
| SHA1 | 378e69439867db86cace450a170ab94d1439d705 |
| SHA256 | 085847c10cc1680656fc5b8ff768c859f7583f5097331a545c24040e4f4c954b |
| SHA512 | b01524e73095f4e88889a450f908f3b36130a6a9d9cd45d412235d98a638c1f906ce64207915d0d4a38bb1d401687a0df2ac62d0161e20d6421ba04c9c0fd65b |
memory/5012-40-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Iloajfml.exe
| MD5 | f919cd167f1d2acd5ca5baf35db6e89f |
| SHA1 | fe2aa7967cca4169f875cac26e4c8d97794a76a9 |
| SHA256 | ecec5f1139dd1440437cbc975a968a394dae0a41af1209e28737e7ee7e02bcdf |
| SHA512 | c9328e9a30119b31d9814a22837522e9dec47d6c8cd8f7b36a6a121fba405049ee7383a6085c046abd3d85b34b956dcebcdb97c96cbf7885642bbd267fb40c42 |
memory/2592-49-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jaljbmkd.exe
| MD5 | 6de73bddbb6dae4dba87c8bdcb82c01b |
| SHA1 | f5d061303c19c46247a90156f4dba5e5c51cab91 |
| SHA256 | c13215785c82d148165cbf7f82439027b3a5176010b078edb50a985602438cd6 |
| SHA512 | 3f846796dd652d798b12172ea9e72107d3487d8d67aca31e8963e1d5b0b06d4a76631eb7ac0e3f4d537e26e5ec10c72c6a6c0d75e6040fa52fab655986771d54 |
memory/1784-57-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jhfbog32.exe
| MD5 | cb050fb94eace2673f94daa277f573dd |
| SHA1 | 91eaf9d5f72c7cad6759e3729db2a032366797fc |
| SHA256 | 7baf5f04aab853ca3a91b9856326b3bc15b0bcbda7679007f2dadc3ea5669240 |
| SHA512 | 0ee60d131f70367bba023d3eb55989965d5829576a9391d59842fc411ac9398341fb8970176f9999cd8459c005d02cc85a5db6ae65d9bdeb285e7b1840485ed1 |
memory/216-64-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jjdokb32.exe
| MD5 | 444001661ef72879bc0c47b1416cba94 |
| SHA1 | eaea33bf09b6c71581f7b5d3b11656008b744b4b |
| SHA256 | bbf624c6018ba01a426b765330b47e3c59bd14143bcd81b20f3936f09c8153c9 |
| SHA512 | f7f3dca4ff805d3f5c48998e22e0aec675d0ea213d62aeb93c364673784e0d47a0040c150f620c3a920652751d739d433a847fb32eb1b13a5b850b32307d969f |
memory/1156-73-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jejbhk32.exe
| MD5 | 380c1b22df804bc3a8f76fe8cba50797 |
| SHA1 | d4eb4143f63ca4f73b395fb47981224bcf03508d |
| SHA256 | 13c9ab639bbb58b6eab98f352c698858ee49afe2420228bbbdc85308d989480c |
| SHA512 | 218f8520b45104c0d8c549a490b4b85aa14d73536b71411b719f3a9a7821a3fae0231c96bcb87862cbfacdcd933d0e0aa18869a5d959d3d93aa55e8fcf25ad26 |
memory/3628-81-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jhhodg32.exe
| MD5 | 69a00d96644184fd662e107a9ac5b72e |
| SHA1 | 5754f1a89638908226afa17a9ba64653c34d3a12 |
| SHA256 | 9f142d704a16b051556c8b0cfc8894a1fd4356b27a09b17d4798babb8615b523 |
| SHA512 | e2247ec747e5bcd9cbf3bf59b5a08a66fd18401f48b325fc40efd2a9455fbb12f278d2b17bce746c7c0164b13d52b220339afbacb82fabde4c72942d95abe9bc |
memory/1736-88-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jelonkph.exe
| MD5 | c414c0bca62920898045a7017369e274 |
| SHA1 | 0c405d77f8b929f5aa97d98520d2a3f3b5620c84 |
| SHA256 | 5289ae839154e0d056f6fbff916e93d3eba5a7ac433771bf1a0aa46f8dfdec05 |
| SHA512 | fe2073e7ac7c5841eed22f2b7be655b092faae85324471a650b7c463096b211924a0d6c25da0b1ed70aab3c624b19f9696618778372344de74b4345c0b448b55 |
memory/4560-98-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jlfhke32.exe
| MD5 | c3b71c7dd9726c5fb473b85d630a2a1c |
| SHA1 | 838be7543370712bbe924043c4e3dad445ab2197 |
| SHA256 | 845ba0e1440841e3bfb26078c2565bb62fa991c20b57ee8c160acb01ff392cb2 |
| SHA512 | 5b5e5442eeb80de804d8db62c5b9b42fe9e4a3cbd527fd41e992132d0b5ead619899f51e4653e0fc0fbe18bd62310b7142060bb29adf0740a2512c842cd84689 |
C:\Windows\SysWOW64\Jnedgq32.exe
| MD5 | aa933e56343ff757d02f55c5d56fd859 |
| SHA1 | d7079ca0abe538cc3cb9aebb6b6b4ec747991a42 |
| SHA256 | 6a0a7379ba2865f5f3d1c9fb280372760b5236a79b8ded29b0c1b6c95ccfe2d0 |
| SHA512 | 090810a1a1a7ef2c0bb33bcc25e12874024bc24cc9fe9c91361a08b54d896c8ba4147269b5b5dc786e6b5ebea954536b714b5958d33e7c14d7aa65a645693c4b |
memory/2516-110-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jacpcl32.exe
| MD5 | ee4331607f511b88cd787851eeade858 |
| SHA1 | 3f58e3109c662657423218cd497cb84d50899ae5 |
| SHA256 | b8dcb0ea679a41e5edcbd04c3a6c64bdcf6e6fb851be75ac3c74b7c8f38580ab |
| SHA512 | dfddce9637844dce0eb69e1efbc1afb570322a4dae58a740ba39b22be960907aceee10fc4f4caff13b5050aacd4745d0dd0b0b334bbdf7d0478a0e0b03955776 |
memory/2924-121-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3516-113-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4500-129-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jeaiij32.exe
| MD5 | 2ebd2553e7d237cac66f71f4c7c56efb |
| SHA1 | 2ab823d53af3568ce81fe8845a6a9260552e10cb |
| SHA256 | 7d32e7836a2f295651accce8ea46aeeab081d9bd31da5255bf149c83c3d2877b |
| SHA512 | 30bb5c1a21679d0f6caefdbfd5b58fc341a992185d2eafecfd220731a7d398e008bd549f621e41e85c61a53b37c1e14357eb6e7e81c70827f1ffdff47b72050f |
C:\Windows\SysWOW64\Jhoeef32.exe
| MD5 | 93dc058197c281515199dc8166c0a296 |
| SHA1 | be72476963d91366baee3fa14c261984c0fc5b7b |
| SHA256 | 020a0d399dbe943a5c27cb62505ba2e51a67b803a850009310bdec9b0987c9d8 |
| SHA512 | 5bfe3f49f6adfcba882095786eaeac6e38065db985b3741d44cbf63e0133a542a20ad92f2cf0dfa66dfcaaccfcbeb45594c14c26f12b5805c8e0e8179bfa5a53 |
memory/2448-140-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Jjnaaa32.exe
| MD5 | ddd1ce1ec7e8aec4032af31229b9b8ce |
| SHA1 | 5e0a97b6e3e7d83f3f871c29e265090c2d1a85c8 |
| SHA256 | 82f0545de8be0c7110993bca991df9a363af99ee5ecaef085b56709327ba6f62 |
| SHA512 | c38362b0f90df9ee1c7bd66be18cf90d20691f813b4d7615796fe98cdd78ed7a0a13c199ccabe7f59b3214e15bfa7eb18435fb4addb3695488bab2792564f488 |
memory/428-144-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Kbgfhnhi.exe
| MD5 | a7a90fa2f818402fae85264c5c764a9e |
| SHA1 | 04cd19a5d4f84f31e8bae123a941e237b61b06f9 |
| SHA256 | 0b483e0c0ca20777a4f75ecb5364d20529ac478f5d660eac66b500ad47ac01c0 |
| SHA512 | cd10db4ad1c111d8793aea3ddc8e4e40a3ba2d9d623b543760611556617d65ccd5bfcb419150e199c727e4bcdfd150972bf5663476835d77f75fe1906cd9b706 |
memory/3340-153-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Klpjad32.exe
| MD5 | b63753511791d0c73b8eaef66db2a22a |
| SHA1 | 5bd5363517051f96f358c5c032c0be618a3fb454 |
| SHA256 | 27427429b10353c06074006bfde8d038a4d58be10d8fa7c71ed0fbfd4e1522c6 |
| SHA512 | e7223a4d1062727a40e11dd7371a9a34439fd778188cbc7e510ea56dc9117a2cac8e33b42a7d8c797eb1dcf168ca874582f2107f65e7a11b991d23a026d0f2ef |
memory/3936-161-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Kehojiej.exe
| MD5 | 142b1660eefa9df0a024597f86a29185 |
| SHA1 | a7798f95a0319423c020fef1a1dd8d63c980c59a |
| SHA256 | 9738711a4454a3c09a26ba2b03fbe7d93fcf1ffe05b458562c948bd37918ccc3 |
| SHA512 | f669b825802c74a1b4fd1f3ceee9cc59cdd2e96ca6c12bb5e39ba3d1686b3d846b6a07d974530354e48395db515d0f396dd20206c60c249aea9a4f17047e27f8 |
memory/4624-168-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Kopcbo32.exe
| MD5 | 79951f782414a0f774105673b20ba7ad |
| SHA1 | 4f7c86ae6af816554db79a0bd3740d0bf1a6cd16 |
| SHA256 | b439dee0af93cc90508033adaef5720b6d8586336c202cbee69dbe93820cf2ec |
| SHA512 | f40c357aafe5e35f0e3bb87536ec1b26403d0a65ac1bc43e42d44ebbb548e0eb0b5f8be0f1438314a2154430457bb943bf9abc82983adc45e8636d6299a5c2af |
memory/772-177-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Kaopoj32.exe
| MD5 | ba88eddbf35f4e36825abf3b5da0bc9e |
| SHA1 | 8b4025e76e2cd8f020bb0cf28bc8a0385c024d20 |
| SHA256 | fd9ab319f3011331d5cfaf33dd5b8789fa93a383f63881a33bdc0371bb5e441b |
| SHA512 | e026c21fb1c1c7856602a461123e0fc64f7fe04860cc8a2527d6aec8eef7b3b0489bb89160293b366f57d6934b2975294bc4cc8ca6dee3fdf4df13d9b0063138 |
memory/4976-184-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Kkgdhp32.exe
| MD5 | 0de2e90c490358a4932fac072b58d5f2 |
| SHA1 | 1b377f25ee7c37759b789d2452b3793720def242 |
| SHA256 | c2a1318065e4138c6dda8b66689c4cac0b80b5fa6c1af7b51daaf2be3016eb6c |
| SHA512 | ec3c893f7019bb1bef82229ae009d2e11cfc2193f33ae48303e92faadd28a5cfed3622e79c884335cdd2a183efc958767759e8cbd65df939c6554687f6ffebc0 |
memory/2040-192-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Kemhei32.exe
| MD5 | ea835f19e5d73af8c10bc40e33706317 |
| SHA1 | 9874e74c0aa639ea48979db65ec5d5cdd717c0a0 |
| SHA256 | 40fe47389244802eef8a584efe61878d0114b1231df620ecfca6ce22d9d9596e |
| SHA512 | aab0fcc12096606cbc7a305bcc07531ad37763d3bd705bae62657a6c809deac287f362393765ebaa48adc2b39eb5a8a5f709de76b02812caf7c17181bb2dc036 |
memory/4556-201-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Khkdad32.exe
| MD5 | 51def17417fafd83f3fb8667c3aeb11e |
| SHA1 | dfd65cb8ecf116d130a47f4ea4af819bb493771b |
| SHA256 | 484e1da0afcef622538926836f61eb5f725dd027a57022b46dfa84c9e805db62 |
| SHA512 | 7b3b82dcc2415d37724c783aba80c3783a39a98e92ebc223405f176887b07c034e43304d42f191a48504c1cb0a1534ba201ac9b35855cbca802d29d05a4652b5 |
memory/3792-209-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Lbqinm32.exe
| MD5 | 7755078ed9944af7f3f27bfe195270c0 |
| SHA1 | 511cb1c4999e0ea888e020a37d9c9fbb8159ba0a |
| SHA256 | d31ce06c4592480087ffa3e4ea7e6d462831932a446fa13ec9afaa7a2aad8643 |
| SHA512 | e3608b502c7b59a3ecff7545fc03968ccbc72bd0bc3f9b6acab87f10c0aaa82910ad867d91d19322658b7f4aadbbe7c3e874c8b9f6bebec1db263fcbe6628946 |
memory/4116-221-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ldbefe32.exe
| MD5 | 21471936b80e87c5e0781ec42c56b90d |
| SHA1 | ef11f91bfe1fd2457c36a4e8c24dc06c02b798af |
| SHA256 | 14da5e8ab542143f02701eff863ed4645ae4e46f68e90cf006d7e68252704f1c |
| SHA512 | 94deb82f5120bd360562285fc13d54702d8d36f3cc4cde53a02dc09141cbf82c40cb8bc33fe231a567a793d6daa756f9bc176285078d34dd770d69a2243da1c1 |
memory/644-224-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Lbcedmnl.exe
| MD5 | 5134b3d9d44127c97f82f31cca26e2c9 |
| SHA1 | d797a90da616b963aea413c8d8a1ded248c8017e |
| SHA256 | c260bc1c4a494889a1f17d38d6dbff9f54ed643ef4d93c8d0ab5d19e6dbfdf43 |
| SHA512 | ae71cd272243d195dacf78d70796ce5e1b7f1a8f3ec609477aab7a50823a43d1436a00ab5faba295888e5d42ccbc62f4f1d1e8d60b2f60a2c7bf74e6647506f4 |
memory/2500-232-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Llkjmb32.exe
| MD5 | fd11eda63bf281098af52d250c33876b |
| SHA1 | 0e740d173fa1404257c99530c7ba903207bdbc5f |
| SHA256 | f44da45773a391c78da9f33d5199201ad07c6f79c06f0f06301c1317d4cb2b1b |
| SHA512 | 0cdc679fd24a9a05cc27431816364bb61b6eef7c8ca948c47089c2d25a4e615c659d13d344de3a5443aa4244a2baf238a3e88b78cc3dacc9c79e1cc583c15e64 |
memory/3724-241-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Lojfin32.exe
| MD5 | 7a56b10c11b145286ed1b70f05def4ff |
| SHA1 | a44b233e581248adee2ca62358cea2883dcd09b8 |
| SHA256 | 422b0ee249faa810d37488b1ed63a4feeee81e9fa40fdf976b04d4d724e26a28 |
| SHA512 | 753bea4493470a702d40da591388639c9bbd8dd329ef260e1996c503c61e8f2a5847e3f8b26bffe8b3ec740802f0b8bddcb47ed04aeae04c4c570b16e4f8ce24 |
memory/4388-249-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ldfoad32.exe
| MD5 | 992739f2ac36217550f3de65eb30db2c |
| SHA1 | 66bbabc10bc19c57dadb22eccfaf173e40e3e6fe |
| SHA256 | 9be72483db361dc727e2e72c9b28cdd74a060492b0769526ed8e7dbb0e3e70e3 |
| SHA512 | 2ed998c256f7e91b9da68cd769ab5f949ee82aaf0dd9f9d24974a87ad7b4ced22923ae3d838c5f340f32ceb87288817f8b22d070b6c8e230650c294bc2b62748 |
memory/1964-257-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5024-263-0x0000000000400000-0x0000000000453000-memory.dmp
memory/464-274-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5024-280-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3724-286-0x0000000000400000-0x0000000000453000-memory.dmp
memory/644-290-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4116-292-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2500-288-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4388-284-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1964-282-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3740-278-0x0000000000400000-0x0000000000453000-memory.dmp
memory/464-277-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4976-300-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4624-304-0x0000000000400000-0x0000000000453000-memory.dmp
memory/772-302-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2040-298-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4556-296-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3792-293-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3792-294-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3340-308-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2448-312-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2924-316-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4560-322-0x0000000000400000-0x0000000000453000-memory.dmp
memory/216-330-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4352-346-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4480-344-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5016-342-0x0000000000400000-0x0000000000453000-memory.dmp
memory/996-340-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2904-338-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5012-336-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2592-334-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1784-332-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1156-328-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3628-326-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1736-324-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2516-320-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3516-318-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4500-314-0x0000000000400000-0x0000000000453000-memory.dmp
memory/428-310-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3936-307-0x0000000000400000-0x0000000000453000-memory.dmp