Analysis Overview
SHA256
1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2
Threat Level: Known bad
The file 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew family
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 07:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 07:10
Reported
2024-11-07 07:12
Platform
win7-20241010-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Cnimiblo.exe | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfhkhd32.exe | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdkefp32.dll | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmbfdl32.dll | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| File created | C:\Windows\SysWOW64\Cchbgi32.exe | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| File created | C:\Windows\SysWOW64\Fkdqjn32.dll | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\ÿs.e¢e | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cileqlmg.exe | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| File created | C:\Windows\SysWOW64\Pobghn32.dll | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cchbgi32.exe | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ÿs.e¢e | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cileqlmg.exe | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnimiblo.exe | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Acnenl32.dll | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfhkhd32.exe | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cileqlmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
"C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe"
C:\Windows\SysWOW64\Cileqlmg.exe
C:\Windows\system32\Cileqlmg.exe
C:\Windows\SysWOW64\Cnimiblo.exe
C:\Windows\system32\Cnimiblo.exe
C:\Windows\SysWOW64\Cchbgi32.exe
C:\Windows\system32\Cchbgi32.exe
C:\Windows\SysWOW64\Cfhkhd32.exe
C:\Windows\system32\Cfhkhd32.exe
C:\Windows\SysWOW64\Dpapaj32.exe
C:\Windows\system32\Dpapaj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 144
Network
Files
\Windows\SysWOW64\Dpapaj32.exe
| Hash | Value |
| MD5 | 39f0173cc8efa4c07889f42587015b21 |
| SHA1 | 6037ec6eb207e75705ecd056bb90fd54a4635176 |
| SHA256 | f8a4522e4032b2c706fed5a29535078706555fc066422d4d9209c9770e2ea15e |
| SHA512 | 9e9baa3a91cffa4c8853be511395722f97348e539e1953e41968f456a1c8e185d6c2dc497b24c6f7411fe5a0ff58adf38f3b12b404f1fcc8f26cfa10bbd0340a |
memory/2828-70-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2380-69-0x0000000000220000-0x000000000025C000-memory.dmp
C:\Windows\SysWOW64\Cfhkhd32.exe
| Hash | Value |
| MD5 | 466f826c69c047f01870c4f6133a98fc |
| SHA1 | b52c55ca4f7dac1f70fa2539084629ef4fe0562e |
| SHA256 | f90d1120fa84744029d30224e278d26cc68baf3665f3ce5ba5828ae193439d8c |
| SHA512 | 3d2444d6ab71a45afd7cccffbe87e68f29624523ae0381dd8e91b92642a6979e43afe6db67a17d7adf8c3833a338ce205659e70ecb27def00f92ee2a6adbc82a |
memory/2380-56-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2780-49-0x00000000003C0000-0x00000000003FC000-memory.dmp
C:\Windows\SysWOW64\Cchbgi32.exe
| Hash | Value |
| MD5 | 6acef5715cd83bc6f2c85c339e968b6a |
| SHA1 | cbfa06333ae21e4c4035b6829d16f40f22f328c7 |
| SHA256 | efb9429d9c5bcc52d53972fa38bd598347e9cca5c0b60723a7c3d2d2548e95fa |
| SHA512 | b6e4fbd2e2668e1abd77d6d5ab89b9cc6bec04d9b24ad67299447da6c1d9a100ae1d0936095b7980de8519d2d155ecb88cd0e0cf7e235ef5294ea8ab96307124 |
memory/2780-42-0x0000000000400000-0x000000000043C000-memory.dmp
memory/524-40-0x00000000002B0000-0x00000000002EC000-memory.dmp
memory/524-39-0x00000000002B0000-0x00000000002EC000-memory.dmp
C:\Windows\SysWOW64\Cnimiblo.exe
| Hash | Value |
| MD5 | c8f1c8d30f7aa9715f7ba172836d9e3a |
| SHA1 | b077d13a498aea94a81fe600e7abd7ca17435b59 |
| SHA256 | 0c7d5ad3d9e133dfe60b4f99e612d497977ee1b01b2fdd0cc7768d2976359f91 |
| SHA512 | f09a843f70d1d55f210c7d4aec59ad5327d340ea8a7e1bf8199fdcb2d40258bf05257587738e5e6552191c1c18c829bb389ef6696a89163b1e7a8870bf0fff9f |
C:\Windows\SysWOW64\Cileqlmg.exe
| Hash | Value |
| MD5 | 6a56979a9e4284ce9f4118c00a8e5306 |
| SHA1 | 8aeb25fdda0ac065243c3ec374a03bd04d42ba26 |
| SHA256 | deddffeca64caec623d0f134cac0418b27787c17c01b350bc906de33560b586e |
| SHA512 | b77685948c71c9287560832e2d350df9e8dcfee6d9c19dade4bb94d3a11e5089ad809db882291f5807f5cae166a4f61553e170372ca65a07bed91c51744d1ac2 |
memory/2556-14-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1832-13-0x0000000000220000-0x000000000025C000-memory.dmp
memory/2556-22-0x00000000003C0000-0x00000000003FC000-memory.dmp
memory/1832-12-0x0000000000220000-0x000000000025C000-memory.dmp
memory/1832-0-0x0000000000400000-0x000000000043C000-memory.dmp
memory/524-82-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2780-81-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1832-80-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2556-79-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2828-77-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2380-78-0x0000000000400000-0x000000000043C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 07:10
Reported
2024-11-07 07:12
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
101s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbpchb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iliinc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Onocomdo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apodoq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdojjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgelgi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chfegk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dngjff32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emanjldl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jilfifme.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kgflcifg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ljceqb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Coqncejg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ckjknfnh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dpiplm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmcjpl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hifcgion.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibaeen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mogcihaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chkobkod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eehicoel.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gncchb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hehkajig.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hfjdqmng.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kpoalo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mfqlfb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nqbpojnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Adhdjpjf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ebnfbcbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mcpcdg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mcpcdg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgbefe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bkphhgfc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cacckp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njfkmphe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Boihcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Emhkdmlg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eehicoel.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hfaajnfb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nopfpgip.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Onmfimga.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpqldc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfjfecno.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojdgnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojdgnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ocaebc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gpbpbecj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gfodeohd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gojiiafp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hbhboolf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngjkfd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nnhmnn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eblimcdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hoobdp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Onmfimga.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfoann32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmiikh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ennqfenp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebnfbcbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fiaael32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hplbickp.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Ngjkfd32.exe | C:\Windows\SysWOW64\Nqpcjj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pfiddm32.exe | C:\Windows\SysWOW64\Phcgcqab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eblimcdf.exe | C:\Windows\SysWOW64\Epmmqheb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ilmjim32.dll | C:\Windows\SysWOW64\Gncchb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Afeknhab.dll | C:\Windows\SysWOW64\Hehkajig.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hpchib32.exe | C:\Windows\SysWOW64\Hiipmhmk.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibaeen32.exe | C:\Windows\SysWOW64\Hpchib32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fihgkk32.dll | C:\Windows\SysWOW64\Lnangaoa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ckbemgcp.exe | C:\Windows\SysWOW64\Chdialdl.exe | N/A |
| File created | C:\Windows\SysWOW64\Illfdc32.exe | C:\Windows\SysWOW64\Iebngial.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjiipk32.exe | C:\Windows\SysWOW64\Pdmdnadc.exe | N/A |
| File created | C:\Windows\SysWOW64\Bajqda32.exe | C:\Windows\SysWOW64\Bkphhgfc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emanjldl.exe | C:\Windows\SysWOW64\Eblimcdf.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkbjmj32.dll | C:\Windows\SysWOW64\Kgflcifg.exe | N/A |
| File created | C:\Windows\SysWOW64\Boihcf32.exe | C:\Windows\SysWOW64\Bgbpaipl.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjpbba32.dll | C:\Windows\SysWOW64\Eehicoel.exe | N/A |
| File created | C:\Windows\SysWOW64\Hehkajig.exe | C:\Windows\SysWOW64\Hoobdp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hifcgion.exe | C:\Windows\SysWOW64\Hblkjo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Accimdgp.dll | C:\Windows\SysWOW64\Jcmdaljn.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfcjqc32.dll | C:\Windows\SysWOW64\Kcidmkpq.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojnkocdc.dll | C:\Windows\SysWOW64\Mogcihaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmcckk32.dll | C:\Windows\SysWOW64\Jocefm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jcdjbk32.exe | C:\Windows\SysWOW64\Jilfifme.exe | N/A |
| File created | C:\Windows\SysWOW64\Mqafhl32.exe | C:\Windows\SysWOW64\Ljhnlb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pplobcpp.exe | C:\Windows\SysWOW64\Pfdjinjo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmjkic32.exe | C:\Windows\SysWOW64\Bacjdbch.exe | N/A |
| File created | C:\Windows\SysWOW64\Mbkkam32.dll | C:\Windows\SysWOW64\Cpdgqmnb.exe | N/A |
| File created | C:\Windows\SysWOW64\Fiaael32.exe | C:\Windows\SysWOW64\Fefedmil.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcimdh32.exe | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| File created | C:\Windows\SysWOW64\Kibohd32.dll | C:\Windows\SysWOW64\Oghghb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnfpnk32.dll | C:\Windows\SysWOW64\Pfandnla.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdmdnadc.exe | C:\Windows\SysWOW64\Ppahmb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdmfllhn.exe | C:\Windows\SysWOW64\Caojpaij.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kgnbdh32.exe | C:\Windows\SysWOW64\Kfnfjehl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Llodgnja.exe | C:\Windows\SysWOW64\Ljqhkckn.exe | N/A |
| File created | C:\Windows\SysWOW64\Dannpknl.dll | C:\Windows\SysWOW64\Njjdho32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aknbkjfh.exe | C:\Windows\SysWOW64\Aogbfi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkphhgfc.exe | C:\Windows\SysWOW64\Bgelgi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnflfgji.dll | C:\Windows\SysWOW64\Cammjakm.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdbpgl32.exe | C:\Windows\SysWOW64\Cacckp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpkmal32.exe | C:\Windows\SysWOW64\Dahmfpap.exe | N/A |
| File created | C:\Windows\SysWOW64\Fqibbo32.dll | C:\Windows\SysWOW64\Jokkgl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpfgmnfp.exe | C:\Windows\SysWOW64\Kgnbdh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Onmfimga.exe | C:\Windows\SysWOW64\Nfcabp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Akkffkhk.exe | C:\Windows\SysWOW64\Qdaniq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgbpaipl.exe | C:\Windows\SysWOW64\Bmjkic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckebcg32.exe | C:\Windows\SysWOW64\Chfegk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fiaael32.exe | C:\Windows\SysWOW64\Fefedmil.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfaajnfb.exe | C:\Windows\SysWOW64\Gojiiafp.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgkmgk32.exe | C:\Windows\SysWOW64\Jocefm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ojdgnn32.exe | C:\Windows\SysWOW64\Onmfimga.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmihfl32.dll | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fmcjpl32.exe | C:\Windows\SysWOW64\Ebnfbcbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fefedmil.exe | C:\Windows\SysWOW64\Fpimlfke.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdifpa32.dll | C:\Windows\SysWOW64\Gblbca32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ioolkncg.exe | C:\Windows\SysWOW64\Imnocf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hplbickp.exe | C:\Windows\SysWOW64\Hibjli32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipgijcij.dll | C:\Windows\SysWOW64\Lpfgmnfp.exe | N/A |
| File created | C:\Windows\SysWOW64\Npgmpf32.exe | C:\Windows\SysWOW64\Njjdho32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dddjmo32.dll | C:\Windows\SysWOW64\Ppahmb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aokkahlo.exe | C:\Windows\SysWOW64\Agdcpkll.exe | N/A |
| File created | C:\Windows\SysWOW64\Fenpmnno.dll | C:\Windows\SysWOW64\Nfcabp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gbalopbn.exe | C:\Windows\SysWOW64\Gpbpbecj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfodeohd.exe | C:\Windows\SysWOW64\Glipgf32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dkqaoe32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eblimcdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hpnoncim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mqafhl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nggnadib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkphhgfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ekmhejao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gfeaopqo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jokkgl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ljceqb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofmdio32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ekodjiol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fijkdmhn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kjeiodek.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ljqhkckn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lcimdh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdaniq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aopemh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgqlcg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Emanjldl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpgpgfmh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hibjli32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jnlkedai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Phonha32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgelgi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ebnfbcbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iipfmggc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iidphgcn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jilfifme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Onmfimga.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpkmal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gblbca32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Illfdc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kgiiiidd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Onapdl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ocaebc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qjiipk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpdcag32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Glipgf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oghghb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Akdilipp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckbemgcp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ennqfenp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eiokinbk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eehicoel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ipgbdbqb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jleijb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njfkmphe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqbpojnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Npgmpf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Emhkdmlg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dahmfpap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkgeainn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fefedmil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fiaael32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gfodeohd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hifcgion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfnoqc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mogcihaj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nfaemp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Flkdfh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfoann32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdojjo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgbpaipl.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaofbcjo.dll" | C:\Windows\SysWOW64\Ebgpad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jiiicf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kpoalo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojdgnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhkafda.dll" | C:\Windows\SysWOW64\Illfdc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kcidmkpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll" | C:\Windows\SysWOW64\Apaadpng.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Emanjldl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjembbd.dll" | C:\Windows\SysWOW64\Llodgnja.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ngjkfd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll" | C:\Windows\SysWOW64\Pplobcpp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bacjdbch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chkobkod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gemkelcd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iebngial.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mnegbp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqlnnkp.dll" | C:\Windows\SysWOW64\Emhkdmlg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" | C:\Windows\SysWOW64\Fbpchb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll" | C:\Windows\SysWOW64\Gfodeohd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll" | C:\Windows\SysWOW64\Iebngial.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lfbped32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll" | C:\Windows\SysWOW64\Hpchib32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Klfaapbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amqhbe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dpkmal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hbhboolf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll" | C:\Windows\SysWOW64\Hibjli32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jocefm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmlme32.dll" | C:\Windows\SysWOW64\Mjodla32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njjdho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll" | C:\Windows\SysWOW64\Ckebcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ibaeen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iefgbh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhegobpi.dll" | C:\Windows\SysWOW64\Imnocf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Imnocf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kcidmkpq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ljqhkckn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cdmfllhn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hbhboolf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dgcihgaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Emanjldl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iipfmggc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nopfpgip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nqpcjj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fijkdmhn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll" | C:\Windows\SysWOW64\Gojiiafp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kgiiiidd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ofmdio32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iipfmggc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" | C:\Windows\SysWOW64\Iidphgcn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lobjni32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" | C:\Windows\SysWOW64\Npgmpf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Phonha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qjiipk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll" | C:\Windows\SysWOW64\Gbalopbn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibhkfm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ieidhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fpgpgfmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll" | C:\Windows\SysWOW64\Oghghb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll" | C:\Windows\SysWOW64\Akdilipp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ekmhejao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll" | C:\Windows\SysWOW64\Eehicoel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gblbca32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | "C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe" |
| C:\Windows\SysWOW64\Dngjff32.exe | C:\Windows\system32\Dngjff32.exe |
| C:\Windows\SysWOW64\Emhkdmlg.exe | C:\Windows\system32\Emhkdmlg.exe |
| C:\Windows\SysWOW64\Eofgpikj.exe | C:\Windows\system32\Eofgpikj.exe |
| C:\Windows\SysWOW64\Eiokinbk.exe | C:\Windows\system32\Eiokinbk.exe |
| C:\Windows\SysWOW64\Ekmhejao.exe | C:\Windows\system32\Ekmhejao.exe |
| C:\Windows\SysWOW64\Ebgpad32.exe | C:\Windows\system32\Ebgpad32.exe |
| C:\Windows\SysWOW64\Ekodjiol.exe | C:\Windows\system32\Ekodjiol.exe |
| C:\Windows\SysWOW64\Ennqfenp.exe | C:\Windows\system32\Ennqfenp.exe |
| C:\Windows\SysWOW64\Eehicoel.exe | C:\Windows\system32\Eehicoel.exe |
| C:\Windows\SysWOW64\Epmmqheb.exe | C:\Windows\system32\Epmmqheb.exe |
| C:\Windows\SysWOW64\Eblimcdf.exe | C:\Windows\system32\Eblimcdf.exe |
| C:\Windows\SysWOW64\Emanjldl.exe | C:\Windows\system32\Emanjldl.exe |
| C:\Windows\SysWOW64\Ebnfbcbc.exe | C:\Windows\system32\Ebnfbcbc.exe |
| C:\Windows\SysWOW64\Fmcjpl32.exe | C:\Windows\system32\Fmcjpl32.exe |
| C:\Windows\SysWOW64\Fbpchb32.exe | C:\Windows\system32\Fbpchb32.exe |
| C:\Windows\SysWOW64\Fijkdmhn.exe | C:\Windows\system32\Fijkdmhn.exe |
| C:\Windows\SysWOW64\Fpdcag32.exe | C:\Windows\system32\Fpdcag32.exe |
| C:\Windows\SysWOW64\Fealin32.exe | C:\Windows\system32\Fealin32.exe |
| C:\Windows\SysWOW64\Flkdfh32.exe | C:\Windows\system32\Flkdfh32.exe |
| C:\Windows\SysWOW64\Fpgpgfmh.exe | C:\Windows\system32\Fpgpgfmh.exe |
| C:\Windows\SysWOW64\Fiodpl32.exe | C:\Windows\system32\Fiodpl32.exe |
| C:\Windows\SysWOW64\Fpimlfke.exe | C:\Windows\system32\Fpimlfke.exe |
| C:\Windows\SysWOW64\Fefedmil.exe | C:\Windows\system32\Fefedmil.exe |
| C:\Windows\SysWOW64\Fiaael32.exe | C:\Windows\system32\Fiaael32.exe |
| C:\Windows\SysWOW64\Fpkibf32.exe | C:\Windows\system32\Fpkibf32.exe |
| C:\Windows\SysWOW64\Gfeaopqo.exe | C:\Windows\system32\Gfeaopqo.exe |
| C:\Windows\SysWOW64\Gmojkj32.exe | C:\Windows\system32\Gmojkj32.exe |
| C:\Windows\SysWOW64\Gblbca32.exe | C:\Windows\system32\Gblbca32.exe |
| C:\Windows\SysWOW64\Gmafajfi.exe | C:\Windows\system32\Gmafajfi.exe |
| C:\Windows\SysWOW64\Gncchb32.exe | C:\Windows\system32\Gncchb32.exe |
| C:\Windows\SysWOW64\Gemkelcd.exe | C:\Windows\system32\Gemkelcd.exe |
| C:\Windows\SysWOW64\Gpbpbecj.exe | C:\Windows\system32\Gpbpbecj.exe |
| C:\Windows\SysWOW64\Gbalopbn.exe | C:\Windows\system32\Gbalopbn.exe |
| C:\Windows\SysWOW64\Glipgf32.exe | C:\Windows\system32\Glipgf32.exe |
| C:\Windows\SysWOW64\Gfodeohd.exe | C:\Windows\system32\Gfodeohd.exe |
| C:\Windows\SysWOW64\Gojiiafp.exe | C:\Windows\system32\Gojiiafp.exe |
| C:\Windows\SysWOW64\Hfaajnfb.exe | C:\Windows\system32\Hfaajnfb.exe |
| C:\Windows\SysWOW64\Hlnjbedi.exe | C:\Windows\system32\Hlnjbedi.exe |
| C:\Windows\SysWOW64\Hbhboolf.exe | C:\Windows\system32\Hbhboolf.exe |
| C:\Windows\SysWOW64\Hibjli32.exe | C:\Windows\system32\Hibjli32.exe |
| C:\Windows\SysWOW64\Hplbickp.exe | C:\Windows\system32\Hplbickp.exe |
| C:\Windows\SysWOW64\Hoobdp32.exe | C:\Windows\system32\Hoobdp32.exe |
| C:\Windows\SysWOW64\Hehkajig.exe | C:\Windows\system32\Hehkajig.exe |
| C:\Windows\SysWOW64\Hpnoncim.exe | C:\Windows\system32\Hpnoncim.exe |
| C:\Windows\SysWOW64\Hblkjo32.exe | C:\Windows\system32\Hblkjo32.exe |
| C:\Windows\SysWOW64\Hifcgion.exe | C:\Windows\system32\Hifcgion.exe |
| C:\Windows\SysWOW64\Hpqldc32.exe | C:\Windows\system32\Hpqldc32.exe |
| C:\Windows\SysWOW64\Hfjdqmng.exe | C:\Windows\system32\Hfjdqmng.exe |
| C:\Windows\SysWOW64\Hiipmhmk.exe | C:\Windows\system32\Hiipmhmk.exe |
| C:\Windows\SysWOW64\Hpchib32.exe | C:\Windows\system32\Hpchib32.exe |
| C:\Windows\SysWOW64\Ibaeen32.exe | C:\Windows\system32\Ibaeen32.exe |
| C:\Windows\SysWOW64\Iliinc32.exe | C:\Windows\system32\Iliinc32.exe |
| C:\Windows\SysWOW64\Iebngial.exe | C:\Windows\system32\Iebngial.exe |
| C:\Windows\SysWOW64\Illfdc32.exe | C:\Windows\system32\Illfdc32.exe |
| C:\Windows\SysWOW64\Ipgbdbqb.exe | C:\Windows\system32\Ipgbdbqb.exe |
| C:\Windows\SysWOW64\Iipfmggc.exe | C:\Windows\system32\Iipfmggc.exe |
| C:\Windows\SysWOW64\Ilnbicff.exe | C:\Windows\system32\Ilnbicff.exe |
| C:\Windows\SysWOW64\Ibhkfm32.exe | C:\Windows\system32\Ibhkfm32.exe |
| C:\Windows\SysWOW64\Iefgbh32.exe | C:\Windows\system32\Iefgbh32.exe |
| C:\Windows\SysWOW64\Imnocf32.exe | C:\Windows\system32\Imnocf32.exe |
| C:\Windows\SysWOW64\Ioolkncg.exe | C:\Windows\system32\Ioolkncg.exe |
| C:\Windows\SysWOW64\Ieidhh32.exe | C:\Windows\system32\Ieidhh32.exe |
| C:\Windows\SysWOW64\Iidphgcn.exe | C:\Windows\system32\Iidphgcn.exe |
| C:\Windows\SysWOW64\Ipoheakj.exe | C:\Windows\system32\Ipoheakj.exe |
| C:\Windows\SysWOW64\Jcmdaljn.exe | C:\Windows\system32\Jcmdaljn.exe |
| C:\Windows\SysWOW64\Jleijb32.exe | C:\Windows\system32\Jleijb32.exe |
| C:\Windows\SysWOW64\Jocefm32.exe | C:\Windows\system32\Jocefm32.exe |
| C:\Windows\SysWOW64\Jgkmgk32.exe | C:\Windows\system32\Jgkmgk32.exe |
| C:\Windows\SysWOW64\Jiiicf32.exe | C:\Windows\system32\Jiiicf32.exe |
| C:\Windows\SysWOW64\Jilfifme.exe | C:\Windows\system32\Jilfifme.exe |
| C:\Windows\SysWOW64\Jcdjbk32.exe | C:\Windows\system32\Jcdjbk32.exe |
| C:\Windows\SysWOW64\Jinboekc.exe | C:\Windows\system32\Jinboekc.exe |
| C:\Windows\SysWOW64\Jokkgl32.exe | C:\Windows\system32\Jokkgl32.exe |
| C:\Windows\SysWOW64\Jnlkedai.exe | C:\Windows\system32\Jnlkedai.exe |
| C:\Windows\SysWOW64\Kcidmkpq.exe | C:\Windows\system32\Kcidmkpq.exe |
| C:\Windows\SysWOW64\Klahfp32.exe | C:\Windows\system32\Klahfp32.exe |
| C:\Windows\SysWOW64\Kgflcifg.exe | C:\Windows\system32\Kgflcifg.exe |
| C:\Windows\SysWOW64\Kjeiodek.exe | C:\Windows\system32\Kjeiodek.exe |
| C:\Windows\SysWOW64\Kpoalo32.exe | C:\Windows\system32\Kpoalo32.exe |
| C:\Windows\SysWOW64\Kgiiiidd.exe | C:\Windows\system32\Kgiiiidd.exe |
| C:\Windows\SysWOW64\Klfaapbl.exe | C:\Windows\system32\Klfaapbl.exe |
| C:\Windows\SysWOW64\Kfnfjehl.exe | C:\Windows\system32\Kfnfjehl.exe |
| C:\Windows\SysWOW64\Kgnbdh32.exe | C:\Windows\system32\Kgnbdh32.exe |
| C:\Windows\SysWOW64\Lpfgmnfp.exe | C:\Windows\system32\Lpfgmnfp.exe |
| C:\Windows\SysWOW64\Lfbped32.exe | C:\Windows\system32\Lfbped32.exe |
| C:\Windows\SysWOW64\Lcgpni32.exe | C:\Windows\system32\Lcgpni32.exe |
| C:\Windows\SysWOW64\Ljqhkckn.exe | C:\Windows\system32\Ljqhkckn.exe |
| C:\Windows\SysWOW64\Llodgnja.exe | C:\Windows\system32\Llodgnja.exe |
| C:\Windows\SysWOW64\Lcimdh32.exe | C:\Windows\system32\Lcimdh32.exe |
| C:\Windows\SysWOW64\Ljceqb32.exe | C:\Windows\system32\Ljceqb32.exe |
| C:\Windows\SysWOW64\Lfjfecno.exe | C:\Windows\system32\Lfjfecno.exe |
| C:\Windows\SysWOW64\Lnangaoa.exe | C:\Windows\system32\Lnangaoa.exe |
| C:\Windows\SysWOW64\Lobjni32.exe | C:\Windows\system32\Lobjni32.exe |
| C:\Windows\SysWOW64\Lflbkcll.exe | C:\Windows\system32\Lflbkcll.exe |
| C:\Windows\SysWOW64\Ljhnlb32.exe | C:\Windows\system32\Ljhnlb32.exe |
| C:\Windows\SysWOW64\Mqafhl32.exe | C:\Windows\system32\Mqafhl32.exe |
| C:\Windows\SysWOW64\Mcpcdg32.exe | C:\Windows\system32\Mcpcdg32.exe |
| C:\Windows\SysWOW64\Mfnoqc32.exe | C:\Windows\system32\Mfnoqc32.exe |
| C:\Windows\SysWOW64\Mnegbp32.exe | C:\Windows\system32\Mnegbp32.exe |
| C:\Windows\SysWOW64\Mogcihaj.exe | C:\Windows\system32\Mogcihaj.exe |
| C:\Windows\SysWOW64\Mfqlfb32.exe | C:\Windows\system32\Mfqlfb32.exe |
| C:\Windows\SysWOW64\Mjodla32.exe | C:\Windows\system32\Mjodla32.exe |
| C:\Windows\SysWOW64\Mcgiefen.exe | C:\Windows\system32\Mcgiefen.exe |
| C:\Windows\SysWOW64\Mgbefe32.exe | C:\Windows\system32\Mgbefe32.exe |
| C:\Windows\SysWOW64\Mnmmboed.exe | C:\Windows\system32\Mnmmboed.exe |
| C:\Windows\SysWOW64\Nopfpgip.exe | C:\Windows\system32\Nopfpgip.exe |
| C:\Windows\SysWOW64\Nggnadib.exe | C:\Windows\system32\Nggnadib.exe |
| C:\Windows\SysWOW64\Njfkmphe.exe | C:\Windows\system32\Njfkmphe.exe |
| C:\Windows\SysWOW64\Nqpcjj32.exe | C:\Windows\system32\Nqpcjj32.exe |
| C:\Windows\SysWOW64\Ngjkfd32.exe | C:\Windows\system32\Ngjkfd32.exe |
| C:\Windows\SysWOW64\Nqbpojnp.exe | C:\Windows\system32\Nqbpojnp.exe |
| C:\Windows\SysWOW64\Njjdho32.exe | C:\Windows\system32\Njjdho32.exe |
| C:\Windows\SysWOW64\Npgmpf32.exe | C:\Windows\system32\Npgmpf32.exe |
| C:\Windows\SysWOW64\Nfaemp32.exe | C:\Windows\system32\Nfaemp32.exe |
| C:\Windows\SysWOW64\Nnhmnn32.exe | C:\Windows\system32\Nnhmnn32.exe |
| C:\Windows\SysWOW64\Nfcabp32.exe | C:\Windows\system32\Nfcabp32.exe |
| C:\Windows\SysWOW64\Onmfimga.exe | C:\Windows\system32\Onmfimga.exe |
| C:\Windows\SysWOW64\Ojdgnn32.exe | C:\Windows\system32\Ojdgnn32.exe |
| C:\Windows\SysWOW64\Onocomdo.exe | C:\Windows\system32\Onocomdo.exe |
| C:\Windows\SysWOW64\Oghghb32.exe | C:\Windows\system32\Oghghb32.exe |
| C:\Windows\SysWOW64\Onapdl32.exe | C:\Windows\system32\Onapdl32.exe |
| C:\Windows\SysWOW64\Ofmdio32.exe | C:\Windows\system32\Ofmdio32.exe |
| C:\Windows\SysWOW64\Opeiadfg.exe | C:\Windows\system32\Opeiadfg.exe |
| C:\Windows\SysWOW64\Ocaebc32.exe | C:\Windows\system32\Ocaebc32.exe |
| C:\Windows\SysWOW64\Pfoann32.exe | C:\Windows\system32\Pfoann32.exe |
| C:\Windows\SysWOW64\Pmiikh32.exe | C:\Windows\system32\Pmiikh32.exe |
| C:\Windows\SysWOW64\Phonha32.exe | C:\Windows\system32\Phonha32.exe |
| C:\Windows\SysWOW64\Pfandnla.exe | C:\Windows\system32\Pfandnla.exe |
| C:\Windows\SysWOW64\Pfdjinjo.exe | C:\Windows\system32\Pfdjinjo.exe |
| C:\Windows\SysWOW64\Pplobcpp.exe | C:\Windows\system32\Pplobcpp.exe |
| C:\Windows\SysWOW64\Phcgcqab.exe | C:\Windows\system32\Phcgcqab.exe |
| C:\Windows\SysWOW64\Pfiddm32.exe | C:\Windows\system32\Pfiddm32.exe |
| C:\Windows\SysWOW64\Ppahmb32.exe | C:\Windows\system32\Ppahmb32.exe |
| C:\Windows\SysWOW64\Pdmdnadc.exe | C:\Windows\system32\Pdmdnadc.exe |
| C:\Windows\SysWOW64\Qjiipk32.exe | C:\Windows\system32\Qjiipk32.exe |
| C:\Windows\SysWOW64\Qdaniq32.exe | C:\Windows\system32\Qdaniq32.exe |
| C:\Windows\SysWOW64\Akkffkhk.exe | C:\Windows\system32\Akkffkhk.exe |
| C:\Windows\SysWOW64\Aogbfi32.exe | C:\Windows\system32\Aogbfi32.exe |
| C:\Windows\SysWOW64\Aknbkjfh.exe | C:\Windows\system32\Aknbkjfh.exe |
| C:\Windows\SysWOW64\Aagkhd32.exe | C:\Windows\system32\Aagkhd32.exe |
| C:\Windows\SysWOW64\Agdcpkll.exe | C:\Windows\system32\Agdcpkll.exe |
| C:\Windows\SysWOW64\Aokkahlo.exe | C:\Windows\system32\Aokkahlo.exe |
| C:\Windows\SysWOW64\Adhdjpjf.exe | C:\Windows\system32\Adhdjpjf.exe |
| C:\Windows\SysWOW64\Akblfj32.exe | C:\Windows\system32\Akblfj32.exe |
| C:\Windows\SysWOW64\Amqhbe32.exe | C:\Windows\system32\Amqhbe32.exe |
| C:\Windows\SysWOW64\Apodoq32.exe | C:\Windows\system32\Apodoq32.exe |
| C:\Windows\SysWOW64\Akdilipp.exe | C:\Windows\system32\Akdilipp.exe |
| C:\Windows\SysWOW64\Aopemh32.exe | C:\Windows\system32\Aopemh32.exe |
| C:\Windows\SysWOW64\Apaadpng.exe | C:\Windows\system32\Apaadpng.exe |
| C:\Windows\SysWOW64\Bdmmeo32.exe | C:\Windows\system32\Bdmmeo32.exe |
| C:\Windows\SysWOW64\Bkgeainn.exe | C:\Windows\system32\Bkgeainn.exe |
| C:\Windows\SysWOW64\Bdojjo32.exe | C:\Windows\system32\Bdojjo32.exe |
| C:\Windows\SysWOW64\Bacjdbch.exe | C:\Windows\system32\Bacjdbch.exe |
| C:\Windows\SysWOW64\Bmjkic32.exe | C:\Windows\system32\Bmjkic32.exe |
| C:\Windows\SysWOW64\Bgbpaipl.exe | C:\Windows\system32\Bgbpaipl.exe |
| C:\Windows\SysWOW64\Boihcf32.exe | C:\Windows\system32\Boihcf32.exe |
| C:\Windows\SysWOW64\Bgelgi32.exe | C:\Windows\system32\Bgelgi32.exe |
| C:\Windows\SysWOW64\Bkphhgfc.exe | C:\Windows\system32\Bkphhgfc.exe |
| C:\Windows\SysWOW64\Bajqda32.exe | C:\Windows\system32\Bajqda32.exe |
| C:\Windows\SysWOW64\Chdialdl.exe | C:\Windows\system32\Chdialdl.exe |
| C:\Windows\SysWOW64\Ckbemgcp.exe | C:\Windows\system32\Ckbemgcp.exe |
| C:\Windows\SysWOW64\Cnaaib32.exe | C:\Windows\system32\Cnaaib32.exe |
| C:\Windows\SysWOW64\Cammjakm.exe | C:\Windows\system32\Cammjakm.exe |
| C:\Windows\SysWOW64\Chfegk32.exe | C:\Windows\system32\Chfegk32.exe |
| C:\Windows\SysWOW64\Ckebcg32.exe | C:\Windows\system32\Ckebcg32.exe |
| C:\Windows\SysWOW64\Coqncejg.exe | C:\Windows\system32\Coqncejg.exe |
| C:\Windows\SysWOW64\Caojpaij.exe | C:\Windows\system32\Caojpaij.exe |
| C:\Windows\SysWOW64\Cdmfllhn.exe | C:\Windows\system32\Cdmfllhn.exe |
| C:\Windows\SysWOW64\Chiblk32.exe | C:\Windows\system32\Chiblk32.exe |
| C:\Windows\SysWOW64\Cglbhhga.exe | C:\Windows\system32\Cglbhhga.exe |
| C:\Windows\SysWOW64\Cnfkdb32.exe | C:\Windows\system32\Cnfkdb32.exe |
| C:\Windows\SysWOW64\Caageq32.exe | C:\Windows\system32\Caageq32.exe |
| C:\Windows\SysWOW64\Cpdgqmnb.exe | C:\Windows\system32\Cpdgqmnb.exe |
| C:\Windows\SysWOW64\Chkobkod.exe | C:\Windows\system32\Chkobkod.exe |
| C:\Windows\SysWOW64\Ckjknfnh.exe | C:\Windows\system32\Ckjknfnh.exe |
| C:\Windows\SysWOW64\Cnhgjaml.exe | C:\Windows\system32\Cnhgjaml.exe |
| C:\Windows\SysWOW64\Cacckp32.exe | C:\Windows\system32\Cacckp32.exe |
| C:\Windows\SysWOW64\Cdbpgl32.exe | C:\Windows\system32\Cdbpgl32.exe |
C:\Windows\SysWOW64\Cgqlcg32.exe
C:\Windows\system32\Cgqlcg32.exe
C:\Windows\SysWOW64\Cnjdpaki.exe
C:\Windows\system32\Cnjdpaki.exe
C:\Windows\SysWOW64\Dpiplm32.exe
C:\Windows\system32\Dpiplm32.exe
C:\Windows\SysWOW64\Dgcihgaj.exe
C:\Windows\system32\Dgcihgaj.exe
C:\Windows\SysWOW64\Dahmfpap.exe
C:\Windows\system32\Dahmfpap.exe
C:\Windows\SysWOW64\Dpkmal32.exe
C:\Windows\system32\Dpkmal32.exe
C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6748 -ip 6748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Dngjff32.exe
C:\Windows\SysWOW64\Emhkdmlg.exe
C:\Windows\SysWOW64\Eofgpikj.exe
C:\Windows\SysWOW64\Eiokinbk.exe
C:\Windows\SysWOW64\Ekmhejao.exe
C:\Windows\SysWOW64\Ebgpad32.exe
C:\Windows\SysWOW64\Ekodjiol.exe
C:\Windows\SysWOW64\Ennqfenp.exe
C:\Windows\SysWOW64\Eehicoel.exe
C:\Windows\SysWOW64\Epmmqheb.exe
C:\Windows\SysWOW64\Eblimcdf.exe
C:\Windows\SysWOW64\Emanjldl.exe
C:\Windows\SysWOW64\Ebnfbcbc.exe
C:\Windows\SysWOW64\Fmcjpl32.exe
C:\Windows\SysWOW64\Fbpchb32.exe
C:\Windows\SysWOW64\Fijkdmhn.exe
C:\Windows\SysWOW64\Fpdcag32.exe
C:\Windows\SysWOW64\Fealin32.exe
C:\Windows\SysWOW64\Flkdfh32.exe
C:\Windows\SysWOW64\Fpgpgfmh.exe
C:\Windows\SysWOW64\Fiodpl32.exe
C:\Windows\SysWOW64\Fpimlfke.exe
C:\Windows\SysWOW64\Fefedmil.exe
C:\Windows\SysWOW64\Fiaael32.exe
C:\Windows\SysWOW64\Fpkibf32.exe
C:\Windows\SysWOW64\Gfeaopqo.exe
C:\Windows\SysWOW64\Gmojkj32.exe
C:\Windows\SysWOW64\Gblbca32.exe
C:\Windows\SysWOW64\Gmafajfi.exe
C:\Windows\SysWOW64\Gncchb32.exe
C:\Windows\SysWOW64\Gemkelcd.exe
C:\Windows\SysWOW64\Gpbpbecj.exe
C:\Windows\SysWOW64\Hehkajig.exe
C:\Windows\SysWOW64\Ibaeen32.exe
C:\Windows\SysWOW64\Ieidhh32.exe
C:\Windows\SysWOW64\Jinboekc.exe
C:\Windows\SysWOW64\Kpoalo32.exe
C:\Windows\SysWOW64\Lcgpni32.exe
C:\Windows\SysWOW64\Mfnoqc32.exe
C:\Windows\SysWOW64\Mjodla32.exe
C:\Windows\SysWOW64\Nopfpgip.exe
C:\Windows\SysWOW64\Njfkmphe.exe
C:\Windows\SysWOW64\Njjdho32.exe
C:\Windows\SysWOW64\Nfaemp32.exe
C:\Windows\SysWOW64\Nfcabp32.exe
C:\Windows\SysWOW64\Oghghb32.exe
C:\Windows\SysWOW64\Ocaebc32.exe
C:\Windows\SysWOW64\Pplobcpp.exe
C:\Windows\SysWOW64\Pdmdnadc.exe
C:\Windows\SysWOW64\Qdaniq32.exe
C:\Windows\SysWOW64\Aokkahlo.exe
C:\Windows\SysWOW64\Akblfj32.exe
C:\Windows\SysWOW64\Aopemh32.exe
C:\Windows\SysWOW64\Bgbpaipl.exe
C:\Windows\SysWOW64\Dgcihgaj.exe